Dazed and Confused: What’s Wrong with Crypto Libraries? — Acknowledgments and References

15 Jun 2024

Authors:

(1) Mohammadreza Hazhirpasand, University of Bern, Bern, Switzerland;

(2) Oscar Nierstrasz, University of Bern, Bern, Switzerland;

(3) Mohammad Ghafari, University of Auckland, Auckland, New Zealand.

VII. ACKNOWLEDGMENTS

We gratefully acknowledge the financial support of the Swiss National Science Foundation for the project “Agile Software Assistance” (SNSF project No. 200020-181973, Feb. 1, 2019 - April 30, 2022). We also thank CHOOSE, the Swiss Group for Original and Outside-the-box Software Engineering of the Swiss Informatics Society, for its financial contribution to the presentation of this paper.

REFERENCES

[1] M. Hazhirpasand, M. Ghafari, S. Krüger, E. Bodden, and O. Nierstrasz, “The impact of developer experience in using Java cryptography,” in 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM). IEEE, 2019, pp. 1–6.

[2] S. Rahaman, Y. Xiao, S. Afrose, F. Shaon, K. Tian, M. Frantz, M. Kantarcioglu, and D. Yao, “Cryptoguard: High precision detection of cryptographic vulnerabilities in massive-sized Java projects,” in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019, pp. 2455–2472.

[3] M. Green and M. Smith, “Developers are not the enemy!: The need for usable security APIs,” IEEE Security & Privacy, vol. 14, no. 5, pp. 40–46, 2016.

[4] M. Hazhirpasand, O. Nierstrasz, M. Shabani, and M. Ghafari, “Hurdles for developers in cryptography,” in 37th International Conference on Software Maintenance and Evolution (ICSME), 2021.

[5] D. Lazar, H. Chen, X. Wang, and N. Zeldovich, “Why does cryptographic software fail? a case study and open problems,” in Proceedings of 5th Asia-Pacific Workshop on Systems, 2014, pp. 1–7.

[6] N. Patnaik, J. Hallett, and A. Rashid, “Usability smells: An analysis of developers’ struggle with crypto libraries,” in Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), 2019, pp. 245–257.

[7] K. Cairns, H. Halpin, and G. Steel, “Security analysis of the W3C web cryptography API,” in International Conference on Research in Security Standardisation. Springer, 2016, pp. 112–140.

[8] Y. Yarom, D. Genkin, and N. Heninger, “Cachebleed: a timing attack on OpenSSL constant-time RSA,” Journal of Cryptographic Engineering, vol. 7, no. 2, pp. 99–112, 2017.

[9] J. Somorovsky, “Systematic fuzzing and testing of TLS libraries,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 1492–1504.

[10] V. Braun and V. Clarke, “Using thematic analysis in psychology,” Qualitative research in psychology, vol. 3, no. 2, pp. 77–101, 2006.

[11] S. Lewis, “Qualitative inquiry and research design: Choosing among five approaches,” Health promotion practice, vol. 16, no. 4, pp. 473–475, 2015.

[12] J. Cohen, “A coefficient of agreement for nominal scales,” Educational and psychological measurement, vol. 20, no. 1, pp. 37–46, 1960.

[13] S. Kafader and M. Ghafari, “Fluentcrypto: Cryptography in easy mode,” in 37th International Conference on Software Maintenance and Evolution (ICSME), 2021.

[14] C. Parnin, C. Treude, L. Grammel, and M.-A. Storey, “Crowd documentation: Exploring the coverage and the dynamics of API discussions on Stack Overflow,” Georgia Institute of Technology, Tech. Rep., vol. 11, 2012.

[15] D. Hou and L. Li, “Obstacles in using frameworks and APIs: An exploratory study of programmers’ newsgroup discussions,” in 2011 IEEE 19th International Conference on Program Comprehension. IEEE, 2011, pp. 91–100.

[16] M. Hazhirpasand, M. Ghafari, and O. Nierstrasz, “Java cryptography uses in the wild,” in Proceedings of the 14th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), 2020, pp. 1–6.

[17] M. Hazhirpasand, O. Nierstrasz, and M. Ghafari, “Worrisome patterns in developers: A survey in cryptography,” in Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering Workshops, 2021.

This paper is available on arxiv under CC BY 4.0 DEED license.