Authors:
(1) Simon Kafader, University of Bern, Bern, Switzerland ([email protected]);
(2) Mohammad Ghafari, University of Auckland, Auckland, New Zealand ([email protected]).
Abstract—Research has shown that cryptography concepts are hard to understand for developers, and secure use of cryptography APIs is challenging for mainstream developers. We have developed a fluent API named FluentCrypto to ease the secure and correct adoption of cryptography in the Node.js JavaScript runtime environment. It provides a task-based solution i.e., it hides the low-level complexities that involve using the native Node.js cryptography API, and it relies on the rules that crypto experts specify to determine a secure configuration of the API. We conducted an initial study and found that FluentCrypto is hard to misuse even for developers who lack cryptography knowledge, and compared to the standard Node.js crypto API, it is easier to use for developers and helps them to develop secure solutions in a shorter time
The estimated cost of a data breach in the United States is on average USD 8.64 million [1]. Most software systems rely on cryptography to protect sensitive data, and developers, who often are not security experts, should build these systems.
Despite huge efforts in the field of usable security in general and cryptography in particular, cryptography APIs (in short, crypto APIs) are still difficult to use for mainstream developers [2], resulting in crypto API misuses and exposing otherwise sensitive data in practice. A recent study of 2 324 open-source Java projects on GitHub showed that 72% of the projects suffer from at least one crypto misuse, and that the frequency of using crypto APIs does not change developer performance in this domain [3]. There are a number of reasons for poor adoption of cryptography. Foremost, security caveats are rare in the documentation of crypto APIs [4]. Developers may instead consult online information sources such as the Stack Overflow website to learn about cryptography and adopt online code examples in their programs. Unfortunately, such sources are not reliable either. For instance, a study of 217 818 Stack Overflow posts revealed that 31% of them suffer from API misuses, which has this possibility to leak resources [5]. There exist several tools to detect security issues in general [6], [7], and crypto-related misuses in particular [8], [9]. However, research has shown that these tools are hard to use for mainstream developers [10], [11], and security analysis tools perform differently in practice [12], [13]. Finally, there are dedicated platforms to explore real-world crypto code examples [14], but it is still a developer’s responsibility to adapt these examples in her program, which may be an errorprone task.
Unlike previous work that mostly supported developers to detect crypto misuses, in this paper, we aim to ease the secure adoption of crypto APIs in the first place i.e., during programming. We introduce FluentCrypto, a wrapper around the Node.js crypto API, that bridges the gap between cryptography experts and mainstream developers. It relaxes developers from crypto concerns such as the order of API calls, the choice of a secure algorithm, the right way to generate a secret key, etc. FluentCrypto utilizes the fluent interface design principle to hide such low-level crypto-related complexities i.e., developers only state “what” they need without being concerned about “how” to do it. It relies on the constraints that crypto experts specified to determine a correct and secure configuration of the API, and when something goes wrong, it provides developers with guiding error messages to resolve the issue. In order to understand whether or not FluentCrypto eases secure adoption of cryptography in practice, we asked two research questions:
• RQ1: Does adopting FluentCrypto increase developer efficiency when working on a cryptographic task?
• RQ2: Is FluentCrypto effective in developing secure cryptographic solutions?
To answer these questions, we evaluated FluentCrypto by conducting an initial study with eight participants from the software industry. Each participant had to complete three tasks in cryptography with the help of Node.js cryptography API and FluentCrypto. The results revealed that FluentCrypto is greatly helpful in terms of decreasing the security risks, effort and time required to solve a cryptography task. In particular, more participants were able to complete the given tasks with FluentCrypto compared to the same tasks with the Node.js crypto API. Importantly, less experienced participants finished the tasks much faster when they used FluentCrypto than when they relied on the Node.js crypto API. Notably, all participants provided secure solutions when they used FluentCrypto.
The rest of this paper is organized as follows. We discuss related work in section II. In section III, we demonstrate an example concerning why adopting cryptography can be problematic for an inexperienced developer. In section IV, we present FluentCrypto and a domain-specific language that we developed for crypto experts in order to specify constraints on crypto objects. In section V, we describe the setup of our evaluation, and we present the evaluation result in section VI. We discuss the threats to validity of this work in section VII and conclude the paper in section VIII.