Specifiable automated detection of API misuse in CI pipelines

The correct use of APIs is crucial to avoid erroneous and insecure code. Cryptographic APIs are particularly important for data security, but general (all other) APIs must be used correctly to develop secure, high-quality software. To check the secure and correct use of APIs, static analysis tools are used in practice.

The "Secure Software Engineering" research group has been part of the Collaborative Research Center SFB 1119 CROSSING from the very beginning, in which cryptographic solutions for the future are being researched. One successful development of this research is the static analysis tool CogniCrypt, which detects misuse of cryptographic APIs. For this purpose, CogniCrypt uses the so-called allow-listing approach, in which the secure use of cryptographic APIs is specified in the form of rules. CogniCrypt configures its analysis according to the selected rule set and reports a warning for each non-compliance. In this way, developers using CogniCrypt are made aware of security-relevant errors and can correct them.

This successful approach is now being further investigated and led to the launch of a new project in March 2023 as part of the BMBF-funded Software Campus. A Software Campus project aims to conduct practical research in collaboration with industry. The project is led by a doctoral student, so that practical project experience is gained, which is supported by intensifying further training.

The project idea to generalize CogniCrypt's approach originates from research to better understand API misuse, its origin and classification, as well as the accompanying classification framework "FUM".

This research has shown that CogniCrypt is very well suited for cryptography, but that many other language features of APIs in programming languages are not yet covered. In order to be able to specify rules for the correct use of many other APIs in addition to cryptographic APIs in the future and to configure an analysis from this, a new static analysis tool is being developed in this Software Campus project, which offers the configuration and analysis features required for general APIs.

The resulting generalization of the allow-listing approach offers many new possibilities. Specifying rule sets for general APIs enables a more flexible use of the new static analysis tool. Rule sets can be compiled and adapted for specific projects or specified for company-internal as well as external APIs. In addition, the rule sets for cryptography that already exist in CogniCrypt can continue to be used. This means that the new, general static analysis tool can provide the security analysis for cryptographic APIs already known from CogniCrypt together with custom defined analyses.