Visible to the public Biblio

Filters: Author is Mezini, Mira  [Clear All Filters]
2016
Nadi, Sarah, Krüger, Stefan, Mezini, Mira, Bodden, Eric.  2016.  Jumping Through Hoops: Why Do Java Developers Struggle with Cryptography APIs? Proceedings of the 38th International Conference on Software Engineering. :935–946.

To protect sensitive data processed by current applications, developers, whether security experts or not, have to rely on cryptography. While cryptography algorithms have become increasingly advanced, many data breaches occur because developers do not correctly use the corresponding APIs. To guide future research into practical solutions to this problem, we perform an empirical investigation into the obstacles developers face while using the Java cryptography APIs, the tasks they use the APIs for, and the kind of (tool) support they desire. We triangulate data from four separate studies that include the analysis of 100 StackOverflow posts, 100 GitHub repositories, and survey input from 48 developers. We find that while developers find it difficult to use certain cryptographic algorithms correctly, they feel surprisingly confident in selecting the right cryptography concepts (e.g., encryption vs. signatures). We also find that the APIs are generally perceived to be too low-level and that developers prefer more task-based solutions.

Amani, Sven, Nadi, Sarah, Nguyen, Hoan A., Nguyen, Tien N., Mezini, Mira.  2016.  MUBench: A Benchmark for API-misuse Detectors. Proceedings of the 13th International Conference on Mining Software Repositories. :464–467.

Over the last few years, researchers proposed a multitude of automated bug-detection approaches that mine a class of bugs that we call API misuses. Evaluations on a variety of software products show both the omnipresence of such misuses and the ability of the approaches to detect them. This work presents MuBench, a dataset of 89 API misuses that we collected from 33 real-world projects and a survey. With the dataset we empirically analyze the prevalence of API misuses compared to other types of bugs, finding that they are rare, but almost always cause crashes. Furthermore, we discuss how to use it to benchmark and compare API-misuse detectors.