![[Review] Evaluation of Static Vulnerability Detection Tools with Java Cryptographic API Benchmarks](/blog/images/31/cover.png)
[Review] Evaluation of Static Vulnerability Detection Tools with Java Cryptographic API Benchmarks
The paper assesses the performance of the current static vulnerability detection tools in the era of Java cryptographic API misuse.
Main contributions:
- provide two benchmarks: CryptoAPI-Bench, ApacheCryptoAPI-Bench.
- CryptoAPI-Bench consists of 181 test cases covering 16 types of Cryptographic and SSL/TLS API misuse vulnerabilities, with basic level and advanced level.
- ApacheCryptoAPI-Bench documents the API misuse vulnerabilities from 10 real-world Apache projects. This benchmark is for checking the scalability(the ability to induce low computational overhead to analyze large code-bases) of the detection tool.
- evaluate four static analysis tools based on the two proposed benchmarks: specialized tools(CryptoGuard, CrySL), general purpose tools(SpotBugs, Coverity).
![[Review] Automatic Detection of Java Cryptographic API Misuses: Are We There Yet?](/blog/images/29/cover.png)
![[Review] GPTScan: Detecting Logic Vulnerabilities in Smart Contracts by Combining GPT with Program Analysis](/blog/images/40/cover.png)
![[Review] MoonShine: Optimizing OS Fuzzer Seed Selection with Trace Distillation](/blog/images/39/cover.png)
![[Review] One Simple API Can Cause Hundreds of Bugs: An Analysis of Refcounting Bugs in All Modern Linux Kernels](/blog/images/38/cover.png)
![[Review] HEALER: Relation Learning Guided Kernel Fuzzing](/blog/images/37/cover.png)
![[Review] Towards Precise Reporting of Cryptographic Misuses](/blog/images/36/cover.png)