K. Mindermann, P. Keck, and S. Wagner. Proceedings of the International Conference Software on Quality, Reliability, and Security, IEEE, (2018)
Abstract
Context: Poor usability of cryptographic APIs is a severe source of vulnerabilities. Aim: We wanted to find out what kind of cryptographic libraries are present in Rust and how usable they are. Method: We explored Rust's cryptographic libraries through a systematic search, conducted an exploratory study on the major libraries and a controlled experiment on two of these libraries with 28 student participants. Results: Only half of the major libraries explicitly focus on usability and misuse resistance, which is reflected in their current APIs. We found that participants were more successful using rust-crypto, which we considered less usable than ring before the experiment. Conclusion: We discuss API design insights and make recommendations for the design of crypto libraries in Rust regarding the detail and structure of the documentation, higher-level APIs as wrappers for the existing low-level libraries, and selected, good-quality example code to improve the emerging cryptographic libraries of Rust.
%0 Conference Paper
%1 mindermann2018usable
%A Mindermann, Kai
%A Keck, Philipp
%A Wagner, Stefan
%B Proceedings of the International Conference Software on Quality, Reliability, and Security
%D 2018
%I IEEE
%K iste-se myown security
%T How Usable are Rust Cryptography APIs?
%U https://arxiv.org/abs/1806.04929
@inproceedings{mindermann2018usable,
added-at = {2018-07-12T17:42:16.000+0200},
author = {Mindermann, Kai and Keck, Philipp and Wagner, Stefan},
biburl = {https://puma.ub.uni-stuttgart.de/bibtex/2496b93bdc59af72d48dd6663a70d6505/wagnerst},
booktitle = {Proceedings of the International Conference Software on Quality, Reliability, and Security},
description = {post-print, author version},
interhash = {297999fd0396c59b44b42c2d2ff0bf24},
intrahash = {496b93bdc59af72d48dd6663a70d6505},
keywords = {iste-se myown security},
publisher = {IEEE},
timestamp = {2021-02-19T09:05:37.000+0100},
title = {How Usable are Rust Cryptography APIs?},
url = {https://arxiv.org/abs/1806.04929},
venue = {Lisbon},
year = 2018
}