ARBITRAR: User-Guided API Misuse Detection
Top 10% of 2021 papers
Abstract
Software APIs exhibit rich diversity and complexity which not only renders them a common source of programming errors but also hinders program analysis tools for checking them. Such tools either expect a precise API specification, which requires program analysis expertise, or presume that correct API usages follow simple idioms that can be automatically mined from code, which suffers from poor accuracy. We propose a new approach that allows regular programmers to find API misuses. Our approach interacts with the user to classify valid and invalid usages of each target API method. It minimizes user burden by employing an active learning algorithm that ranks API usages by their likelihood of being invalid. We implemented our approach in a tool called ARBITRAR for C/C++ programs, and applied it to check the uses of 18 API methods in 21 large real-world programs, including OpenSSL and Linux Kernel. Within just 3 rounds of user interaction on average per API method, ARBITRAR found 40 new bugs, with patches accepted for 18 of them. Moreover, ARBITRAR finds all known bugs reported by a state-of-the-art tool APISAN in a benchmark suite comprising 92 bugs with a false positive rate of only 51.5% compared to APISAN’s 87.9%.
Related Papers
- 42 variability bugs in the Linux kernel (2014), 156 citations
- Experience Report: Fault Triggers in Linux Operating System: from Evolution Perspective (2017), 14 citations
- Empirical Notes on the Interaction Between Continuous Kernel Fuzzing and Development (2019), 6 citations
- One Simple API Can Cause Hundreds of Bugs: An Analysis of Refcounting Bugs in All Modern Linux Kernels (2023), 3 citations
- A Source-Level Discovery Methodology for Vulnerabilities of Linux Kernel Variables (2005)