While software engineers are optimistically adopting crypto-API misuse
detectors (or crypto-detectors) in their software development cycles, this
momentum must be accompanied by a rigorous understanding of crypto-detectors'
effectiveness at finding crypto-API misuses in practice. This demo paper
presents the technical details and usage scenarios of our tool, namely Mutation
Analysis for evaluating Static Crypto-API misuse detectors (MASC). We developed
12 generalizable, usage-based mutation operators and three mutation scopes,
namely Main Scope, Similarity Scope, and Exhaustive Scope, which can be used to
expressively instantiate compilable variants of the crypto-API misuse cases.
Using MASC, we evaluated nine major crypto-detectors and discovered 19
unique, undocumented flaws. We designed MASC to be configurable and
user-friendly: a user can configure its parameters to change the nature of the
generated mutations. Furthermore, MASC comes with both a command-line interface
and a web-based front-end, making it practical for users of different levels of
expertise.

Comment: To be published in Proceedings of the 31st ACM Joint European
Software Engineering Conference and Symposium on the Foundations of Software
Engineerin