
What's in a Package? Getting Visibility Into Dependencies Using Security-Sensitive API Calls

Imranur Rahman, Ranidya Paramitha, Henrik Plate, Dominik Wermke, Laurie Williams

TL;DR

The paper addresses the need for visibility into dependencies beyond package metadata by using security-sensitive APIs (APIs that reach sensitive resources such as the filesystem or the network) as a concrete risk signal and applying call-graph analysis to the Java/Maven ecosystem. It presents a three-pronged method to construct a list of 219 security-sensitive APIs linked to CWEs, builds intra- and inter-package call graphs, and compares usage across 1,210 packages, complemented by a survey of 110 developers. Key findings: security-sensitive API calls are common, their number increases substantially once transitive dependencies are included, usage patterns differ across functionally similar package groups, and more than half of the surveyed developers would use this information when choosing dependencies. The authors advocate integrating security-sensitive API data into dependency management tools and CI/CD pipelines to improve supply-chain security, and point to broader ecosystem coverage and longitudinal analyses as future work.

Abstract

Knowing what sensitive resources a dependency could potentially access would help developers assess the risk of a dependency before selection. One way to get an understanding of the potential sensitive resource usage by a dependency is using security-sensitive APIs, i.e., the APIs that provide access to security-sensitive resources in a system, e.g., the filesystem or network resources. However, the lack of tools or research providing visibility into potential sensitive resource usage of dependencies makes it hard for developers to use this as a factor in their dependency selection process. The goal of this study is to aid developers in assessing the security risks of their dependencies by identifying security-sensitive APIs in packages through call graph analysis. In this study, we present a novel methodology to construct a security-sensitive API list for an ecosystem to better understand and assess packages before selecting them as a dependency. We implement the methodology in Java. We then compare the prevalence of security-sensitive APIs in functionally similar package groups to understand how different functionally similar packages could be in terms of security-sensitive APIs. We also conducted a developer survey (with 110 respondents) to understand developers' perceptions towards using security-sensitive API information in the dependency selection process. More than half of the developers would use security-sensitive API information in the dependency selection process if available. Finally, we advocate for incorporating security-sensitive API information into dependency management tools for easier access to the developers in the dependency selection process.
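To make the intra- versus inter-package distinction concrete, the following is an added example (not the authors' tool or data) of the reachability step behind such an analysis: starting from every function of a package, walk the call graph and collect the security-sensitive APIs that can be reached, once with edges into other packages cut (intra-package) and once with dependencies followed (inter-package). The call edges, the three packages and the six-entry API list with its categories are constructed stand-ins for illustration; the paper's 219-API list and CWE mapping are not reproduced here.

```python
"""Reachability of security-sensitive APIs, intra-package vs. inter-package (added example)."""
from collections import Counter, deque

# Constructed stand-in for a security-sensitive API list; keys are fully qualified
# JDK methods, values are the sensitive-resource category (assumption, not the paper's list).
SENSITIVE_APIS = {
    "java.lang.Runtime.exec": "process",
    "java.lang.ProcessBuilder.start": "process",
    "java.io.FileOutputStream.<init>": "filesystem",
    "java.io.File.delete": "filesystem",
    "java.net.Socket.<init>": "network",
    "java.net.URL.openConnection": "network",
}

# Constructed packages: "app-lib" depends on "exec-util", which depends on "log-util".
# JDK methods are not in this map, so package_of() returns None for them.
PACKAGE_OF = {
    "app.Util.save": "app-lib",
    "app.Util.run": "app-lib",
    "app.Util.fmt": "app-lib",
    "exec.Exec.run": "exec-util",
    "exec.Http.get": "exec-util",
    "log.Log.write": "log-util",
}

# Constructed call edges (caller -> callees), as a static call-graph builder would emit them.
CALL_EDGES = {
    "app.Util.save": {"java.io.FileOutputStream.<init>", "app.Util.fmt"},
    "app.Util.run": {"exec.Exec.run", "app.Util.fmt"},
    "app.Util.fmt": set(),
    "exec.Exec.run": {"java.lang.Runtime.exec", "log.Log.write"},
    "exec.Http.get": {"java.net.URL.openConnection"},
    "log.Log.write": {"java.io.FileOutputStream.<init>"},
}


def package_of(node, package_map=PACKAGE_OF):
    """Owning package of a call-graph node, or None for JDK / external APIs."""
    return package_map.get(node)


def reachable_sensitive_apis(package, include_dependencies,
                             edges=CALL_EDGES, sensitive=SENSITIVE_APIS,
                             package_map=PACKAGE_OF):
    """BFS from every function of `package`; return {sensitive_api: category} reached.

    With include_dependencies=False, edges that leave the package are not followed
    (intra-package call graph). With True, callees in dependency packages are
    traversed too (inter-package call graph), so APIs they reach are attributed
    to the package under analysis.
    """
    roots = [fn for fn, pkg in package_map.items() if pkg == package]
    seen = set(roots)
    queue = deque(roots)
    hits = {}
    while queue:
        fn = queue.popleft()
        for callee in edges.get(fn, ()):
            if callee in sensitive:
                hits[callee] = sensitive[callee]      # leaf: record and stop
                continue
            if not include_dependencies and package_of(callee, package_map) != package:
                continue                               # cut edge into another package
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return hits


def category_counts(hits):
    """Number of distinct sensitive APIs reached per resource category."""
    return Counter(hits.values())


def dependency_increase(package):
    """(intra-package count, inter-package count) of distinct sensitive APIs reached."""
    intra = reachable_sensitive_apis(package, include_dependencies=False)
    inter = reachable_sensitive_apis(package, include_dependencies=True)
    return len(intra), len(inter)


if __name__ == "__main__":
    for pkg in ("app-lib", "exec-util", "log-util"):
        intra, inter = dependency_increase(pkg)
        cats = dict(category_counts(reachable_sensitive_apis(pkg, True)))
        print(f"{pkg}: {intra} sensitive API(s) alone, {inter} with dependencies; {cats}")
```

Two things the walk makes visible that a flat "which APIs does the dependency contain" view does not: `app-lib` gains `Runtime.exec` only through its transitive path into `exec-util`, while `exec-util`'s network API (`URL.openConnection`) is never attributed to `app-lib` because no edge from `app-lib` reaches it. Distinct APIs are counted once even when reached along several paths, which is why `FileOutputStream.<init>` does not inflate `app-lib`'s count when it shows up again via `log-util`.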

Paper Structure (18 sections, 1 equation, 6 figures, 3 tables)

Figures (6)

  • Figure 1: API List Construction Process
  • Figure 2: Security-sensitive API category usage in vulnerable functions from 4,183 package versions of 45 core packages.
  • Figure 3: Sensitive API usage in 1,210 open-source packages.
  • Figure 4: Sensitive API category usage in 30,772 open-source package versions.
  • Figure 5: Security-sensitive API call increase in 3,641 open-source package versions without vs. with dependencies.
  • ...and 1 more figure

Theorems & Definitions (2)

  • Definition 1: Security-Sensitive API
  • Definition 2: Intra-Package and Inter-Package Call Graph