How usable are rust cryptography APIS?

Kai Mindermann; Philipp Keck; Stefan Wagner

doi:10.1109/QRS.2018.00028

How usable are rust cryptography APIS?

Kai Mindermann, Philipp Keck, Stefan Wagner

Universität Stuttgart

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

23 Scopus citations

Abstract

Context: Poor usability of cryptographic APIs is a severe source of vulnerabilities. Aim: We wanted to find out what kind of cryptographic libraries are present in Rust and how usable they are. Method: We explored Rust's cryptographic libraries through a systematic search, conducted an exploratory study on the major libraries and a controlled experiment on two of these libraries with 28 student participants. Results: Only half of the major libraries explicitly focus on usability and misuse resistance, which is reflected in their current APIs. We found that participants were more successful using rustcrypto which we considered less usable than ring before the experiment. Conclusion: We discuss API design insights and make recommendations for the design of crypto libraries in Rust regarding the detail and structure of the documentation, higher-level APIs as wrappers for the existing low-level libraries, and selected, good-quality example code to improve the emerging cryptographic libraries of Rust.

Original language	English
Title of host publication	Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security, QRS 2018
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	143-154
Number of pages	12
ISBN (Print)	9781538677575
DOIs	https://doi.org/10.1109/QRS.2018.00028
State	Published - 2 Aug 2018
Externally published	Yes
Event	18th IEEE International Conference on Software Quality, Reliability, and Security, QRS 2018 - Lisbon, Portugal Duration: 16 Jul 2018 → 20 Jul 2018

Publication series

Name	Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security, QRS 2018

Conference

Conference	18th IEEE International Conference on Software Quality, Reliability, and Security, QRS 2018
Country/Territory	Portugal
City	Lisbon
Period	16/07/18 → 20/07/18

Access to Document

10.1109/QRS.2018.00028

Cite this

Mindermann, K., Keck, P., & Wagner, S. (2018). How usable are rust cryptography APIS? In Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security, QRS 2018 (pp. 143-154). Article 8424966 (Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security, QRS 2018). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/QRS.2018.00028

Mindermann, Kai ; Keck, Philipp ; Wagner, Stefan. / How usable are rust cryptography APIS?. Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security, QRS 2018. Institute of Electrical and Electronics Engineers Inc., 2018. pp. 143-154 (Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security, QRS 2018).

@inproceedings{323dfeb244db4508bb35651d9a0ac39a,

title = "How usable are rust cryptography APIS?",

abstract = "Context: Poor usability of cryptographic APIs is a severe source of vulnerabilities. Aim: We wanted to find out what kind of cryptographic libraries are present in Rust and how usable they are. Method: We explored Rust's cryptographic libraries through a systematic search, conducted an exploratory study on the major libraries and a controlled experiment on two of these libraries with 28 student participants. Results: Only half of the major libraries explicitly focus on usability and misuse resistance, which is reflected in their current APIs. We found that participants were more successful using rustcrypto which we considered less usable than ring before the experiment. Conclusion: We discuss API design insights and make recommendations for the design of crypto libraries in Rust regarding the detail and structure of the documentation, higher-level APIs as wrappers for the existing low-level libraries, and selected, good-quality example code to improve the emerging cryptographic libraries of Rust.",

author = "Kai Mindermann and Philipp Keck and Stefan Wagner",

note = "Publisher Copyright: {\textcopyright} 2018 IEEE.; 18th IEEE International Conference on Software Quality, Reliability, and Security, QRS 2018 ; Conference date: 16-07-2018 Through 20-07-2018",

year = "2018",

month = aug,

day = "2",

doi = "10.1109/QRS.2018.00028",

language = "English",

isbn = "9781538677575",

series = "Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security, QRS 2018",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "143--154",

booktitle = "Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security, QRS 2018",

}

Mindermann, K, Keck, P & Wagner, S 2018, How usable are rust cryptography APIS? in Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security, QRS 2018., 8424966, Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security, QRS 2018, Institute of Electrical and Electronics Engineers Inc., pp. 143-154, 18th IEEE International Conference on Software Quality, Reliability, and Security, QRS 2018, Lisbon, Portugal, 16/07/18. https://doi.org/10.1109/QRS.2018.00028

How usable are rust cryptography APIS? / Mindermann, Kai; Keck, Philipp; Wagner, Stefan.
Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security, QRS 2018. Institute of Electrical and Electronics Engineers Inc., 2018. p. 143-154 8424966 (Proceedings - 2018 IEEE 18th International Conference on Software Quality, Reliability, and Security, QRS 2018).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review