Several studies showed that misuses of cryptographic APIs are common in real-world code (e.g., Apache projects and Android apps). There exist several open-sourced and commercial security tools that automatically screen Java programs to detect misuses. To compare their accuracy and security guarantees, we develop two comprehensive benchmarks named CryptoAPI-Bench and ApacheCryptoAPI-Bench. CryptoAPI-Bench consists of 181 unit test cases that cover basic cases, as well as complex cases, including interprocedural, field sensitive, multiple class test cases, and path sensitive data flow of misuse cases. The benchmark also includes correct cases for testing false-positive rates. The ApacheCryptoAPI-Bench consists of 121 cryptographic cases from 10 Apache projects. We evaluate four tools, namely, SpotBugs, CryptoGuard, CrySL, and another tool (anonymous) using both benchmarks. We present their performance and comparative analysis. The ApacheCryptoAPI-Bench also examines the scalability of the tools. Our benchmarks are useful for advancing state-of-the-art solutions in the space of misuse detection.

中文翻译：

---

使用 Java 加密 API 基准评估静态漏洞检测工具


多项研究表明，加密 API 的滥用在现实代码中很常见（例如 Apache 项目和 Android 应用程序）。存在多种开源和商业安全工具，可以自动筛选 Java 程序以检测误用。为了比较它们的准确性和安全保证，我们开发了两个名为 CryptoAPI-Bench 和 ApacheCryptoAPI-Bench 的综合基准测试。 CryptoAPI-Bench由181个单元测试用例组成，涵盖基本用例，以及复杂用例，包括过程间、字段敏感、多类测试用例以及误用用例的路径敏感数据流。该基准还包括测试误报率的正确案例。 ApacheCryptoAPI-Bench 由来自 10 个 Apache 项目的 121 个加密案例组成。我们使用这两个基准评估了四种工具，即 SpotBugs、CryptoGuard、CrySL 和另一个工具（匿名）。我们介绍他们的表现和比较分析。 ApacheCryptoAPI-Bench 还检查了这些工具的可扩展性。我们的基准对于推进误用检测领域最先进的解决方案很有用。