Automated Hotfixes for Misuses of Crypto APIs

  • Author / Creator
    Newbury, Kristen L
  • Cryptographic (crypto) Application Programming Interfaces (APIs) play an important role in application security; unfortunately crypto APIs are difficult to use, which may lead to security vulnerabilities. Prior work have looked at detecting and fixing crypto APIs misuses at development time and in the setting of software patching. However, software patching for security vulnerabilities is not ideal for addressing vulnerability windows in servers in a timely manner. An alternative approach to software patching is hotfixing. In this paper, we present Hotfixer, a tool that performs automatic crypto API misuse hotfixing at Java application runtime. To apply its fixes, Hotfixer automatically transforms hand-crafted software patches into hotfixes that are valid to use by Java agents. We have evaluated Hotfixer on a set of 103 microbenchmarks, and a set of 27 crypto API misuses found across 7 real- world Java applications. Hotfixer detects and fixes all misuses in 95% of all benchmarks, in an identical manner compared to applying a develop-time patch. Additionally, we have empirically validated that Hotfixer preserves identical application behaviour compared to software patching in 98% of all benchmarks. Compared to software patching, the performance overhead that Hotfixer induces for all benchmarks is at most 17%.

  • Subjects / Keywords
  • Graduation date
    Fall 2020
  • Type of Item
  • Degree
    Master of Science
  • DOI
  • License
    Permission is hereby granted to the University of Alberta Libraries to reproduce single copies of this thesis and to lend or sell such copies for private, scholarly or scientific research purposes only. Where the thesis is converted to, or otherwise made available in digital form, the University of Alberta will advise potential users of the thesis of these terms. The author reserves all other publication and other rights in association with the copyright in the thesis and, except as herein before provided, neither the thesis nor any substantial portion thereof may be printed or otherwise reproduced in any material form whatsoever without the author's prior written permission.