Proof-of-Concept Code Snippets

This section provides several proof-of-concept code snippets which support our claim in the evaluation.

Example 1
Example 2
Example 3
Example 4
Example 5
Example 6
Example 7

Listing 1: Insufficient Iteration Count Misuse in Apache Project A (Anonymity for Ethics).


// Example 1 Code
private SecretKeySpec getSecretKeySpec(String password)
{
    byte[] pwdHash = secureHash(password);
    // Note: utilizing 'secureHash' to derive the secret key from the password.
    // The iteration count for derivation is merely 1, which violates RFC 8018 and OWASP recommendations.
    byte[] key = Arrays.copyOf(pwdHash, 16);
    return new SecretKeySpec(key, "AES");
}
protected byte[] secureHash(String value)
{
    try
    {
        MessageDigest md = MessageDigest.getInstance(HASH_ALGORITHM);
        return md.digest(value.getBytes(UTF_8));
    }
    ...
}

Listing 2: Transformation String Formation in Apache Druid which Uses Vulnerable Configuration.


// Example 2 Code
this.name = name == null ? "AES" : name;
this.mode = mode == null ? "CBC" : mode;
this.pad = pad == null ? "PKCS5Padding" : pad;
this.string = StringUtils.format("%s/%s/%s", this.name, this.mode, this.pad);

Listing 3: Insecure Parameters Passed through Method Chaining Case in MASC Benchmark.


// Example 3 Code
class T {
    String algo="AES/CBC/PKCS5Padding";
    T mthd1(){ algo = "AES"; return this;}
    T mthd2(){ algo="DES"; return this;}
}
Cipher.getInstance(new T().mthd1().mthd2().algo);

Listing 4: Insecure Parameters Replacement Case in MASC Benchmark.


// Example 4 Code
class T {
    MessageDigest.getInstance("SHA-256".replace("SHA-256", "MD5"));
}

Listing 5: Implicit Usage of Insecure Parameters Case in MASC Benchmark.


// Example 5 Code
class T {
    String algo = "DES";
    KeyGenerator keygen = KeyGenerator.getInstance(algo);
    // An implicit parameter by invoking keygen.getAlgorithm().
    Cipher c = Cipher.getInstance(keygen.getAlgorithm());
}

Listing 6: Context-specific Dummy Condition Statement, MASC.


// Example 6 Code
class T {
    void checkServerTrusted(X509Certificate[] certs , String s)
    throws CertificateException
    {
        if (!(null != s || s.equalsIgnoreCase("RSA") || certs.length >= 314))
        {
            throw new CertificateException("Error");
        }
    }
}

Listing 7: Context-specific Secure SHA-1 Usage.


// Example 7 Code
public static MessageDigest startHash()
    throws ManifoldCFException
  {
    try
    {
      return MessageDigest.getInstance("SHA-1");
    }
    catch (Exception e)
    {
      throw new ManifoldCFException("Couldn't encrypt: "+e.getMessage(),e,ManifoldCFException.GENERAL_ERROR);
    }
  }
  //GPT-4: While SHA-1 is generally considered weak for cryptographic hash functions due to vulnerabilities to collision attacks, within the context of this system, the SHA-1 algorithm is only used as a hashing utility for non-cryptographic purposes (e.g., generating unique identifiers or checksums), and not for password storing or digital signatures. Therefore, its usage here doesn't pose the same security risk and would not be considered a misuse.