The second day of the 25th USENIX Security Symposium, currently taking place in Austin, Texas, is now over, and we can say that it was an interesting one. Attendees, ourselves included, could choose between multiple programs after the daily lightning talks. The software security papers presented on Thursday were quite revealing and extremely useful. One of the most interesting proved to be the talk on APISAN, delivered by authors Insu Yun, Changwoo Min, Xujie Si, Yeongjin Jang, Taesoo Kim, and Mayur Naik from the Georgia Institute of Technology. The tool was created to make working with APIs, detecting bugs and fixing them a lot easier and faster.
According to the team, APIs are constantly misused, and this misuse is the source of the majority of bugs. Although some bugs aren’t exactly a threat to your devices, others can prove extremely harmful, so it is essential, according to the team, to find and patch them as soon as possible. Unfortunately, the current techniques for finding bugs in APIs are not the most efficient, given that developers need to identify them through manual work. This not only slows down the process, it also isn’t 100 percent efficient. Human error is still in the cards, so it is possible for developers to miss some of the bugs in the APIs.
The team made up of Insu Yun, Changwoo Min, Xujie Si, Yeongjin Jang, Taesoo Kim, and Mayur Naik from the Georgia Institute of Technology developed APISAN, which is, as the team itself described it, the perfect way of “Sanitizing API Usages through Semantic Cross-Checking”. Basically, the tool was built to automatically infer correct API usages from source code. This way, the manual work can be excluded from the process, and the rate of success in eliminating bugs can be as high as 100 percent. The tool does its job by extracting likely correct usage patterns in four different aspects, taking semantic constraints into account.
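The cross-checking idea described above, reduced to a single aspect (how callers constrain an API's return value), as an added illustration that is not APISAN's code or the authors' implementation: the usage most call sites agree on is treated as the likely correct pattern, and the sites that deviate from it are reported. The API names, locations, constraints and the `min_sites` and `threshold` parameters are constructed for the example.

```python
from collections import Counter, defaultdict

# Constructed call sites: (API, location, constraint placed on the return value).
# None means the caller never checks the result. All names are hypothetical.
CALL_SITES = [
    ("alloc_buf", "a.c:10", "ret != NULL"), ("alloc_buf", "b.c:22", "ret != NULL"),
    ("alloc_buf", "c.c:31", "ret != NULL"), ("alloc_buf", "d.c:47", "ret != NULL"),
    ("alloc_buf", "e.c:53", "ret != NULL"), ("alloc_buf", "f.c:88", None),
    ("parse_hdr", "net.c:12", "ret == 0"), ("parse_hdr", "net.c:40", "ret > 0"),
    ("parse_hdr", "usb.c:7", "ret == 0"), ("parse_hdr", "fs.c:19", "ret == 0"),
    ("parse_hdr", "tty.c:64", "ret == 0"),
    ("log_msg", "a.c:11", None), ("log_msg", "b.c:23", None),
    ("log_msg", "c.c:32", "ret == 0"), ("log_msg", "d.c:48", "ret == 0"),
    ("log_msg", "e.c:54", None),
]

def infer_patterns(sites, min_sites=4, threshold=0.75):
    """Map each API to (dominant constraint, support) when most callers agree."""
    by_api = defaultdict(Counter)
    for api, _loc, constraint in sites:
        by_api[api][constraint] += 1
    patterns = {}
    for api, counts in by_api.items():
        total = sum(counts.values())
        constraint, hits = counts.most_common(1)[0]
        # No rule is inferred from few call sites, from split usage, or when
        # the majority ignores the return value.
        if total >= min_sites and constraint is not None and hits / total >= threshold:
            patterns[api] = (constraint, hits / total)
    return patterns

def find_deviations(sites, **kwargs):
    """Report call sites that disagree with the inferred pattern, strongest first."""
    patterns = infer_patterns(sites, **kwargs)
    reports = []
    for api, loc, constraint in sites:
        if api in patterns and constraint != patterns[api][0]:
            expected, support = patterns[api]
            reports.append((support, api, loc, constraint, expected))
    return sorted(reports, key=lambda r: (-r[0], r[1], r[2]))

if __name__ == "__main__":
    for support, api, loc, seen, expected in find_deviations(CALL_SITES):
        print(f"{loc}: {api}() expects '{expected}' ({support:.0%} of callers), saw {seen!r}")
```

Ranking by support puts the deviations from the most consistently followed patterns first, which is where a reviewer's time is best spent.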
To prove the efficiency of their tool, the team has already tested it by applying APISAN to 92 million lines of code. Even though the tool was applied to existing code, which was expected to be clean, it discovered 76 bugs that were previously unknown. The great thing about the tool is that it doesn’t only discover the bugs left after the developers’ manual search, it also offers patches for them. With the help of this tool, perfecting APIs will be a lot faster and more efficient.
Even though it is quite hot in Austin, Texas, the talks at the 25th USENIX Security Symposium are even hotter. It’s hard to decide which talks to participate in, given the fact that some of them are held at the same time in different places, but we will try to identify the most interesting ones, and relate all there is to know about them. There is one more day of the Symposium to go, and it’s highly likely that we will discover a great number of new tools and hardware on Friday also. Stay tuned, we will keep you up to date.