Dazed and Confused: What’s Wrong with Crypto Libraries? — Acknowledgments and References

15 Jun 2024


(1) Mohammadreza Hazhirpasand, University of Bern, Bern, Switzerland;

(2) Oscar Nierstrasz, University of Bern, Bern, Switzerland;

(3) Mohammad Ghafari, University of Auckland, Auckland, New Zealand.


We gratefully acknowledge the financial support of the Swiss National Science Foundation for the project “Agile Software Assistance” (SNSF project No. 200020-181973, Feb. 1, 2019 - April 30, 2022). We also thank CHOOSE, the Swiss Group for Original and Outside-the-box Software Engineering of the Swiss Informatics Society, for its financial contribution to the presentation of this paper.


[1] M. Hazhirpasand, M. Ghafari, S. Krüger, E. Bodden, and O. Nierstrasz, “The impact of developer experience in using Java cryptography,” in 2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM). IEEE, 2019, pp. 1–6.

[2] S. Rahaman, Y. Xiao, S. Afrose, F. Shaon, K. Tian, M. Frantz, M. Kantarcioglu, and D. Yao, “Cryptoguard: High precision detection of cryptographic vulnerabilities in massive-sized Java projects,” in Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, 2019, pp. 2455–2472.

[3] M. Green and M. Smith, “Developers are not the enemy!: The need for usable security APIs,” IEEE Security & Privacy, vol. 14, no. 5, pp. 40–46, 2016.

[4] M. Hazhirpasand, O. Nierstrasz, M. Shabani, and M. Ghafari, “Hurdles for developers in cryptography,” in 37th International Conference on Software Maintenance and Evolution (ICSME), 2021.

[5] D. Lazar, H. Chen, X. Wang, and N. Zeldovich, “Why does cryptographic software fail? A case study and open problems,” in Proceedings of 5th Asia-Pacific Workshop on Systems, 2014, pp. 1–7.

[6] N. Patnaik, J. Hallett, and A. Rashid, “Usability smells: An analysis of developers’ struggle with crypto libraries,” in Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), 2019, pp. 245–257.

[7] K. Cairns, H. Halpin, and G. Steel, “Security analysis of the W3C web cryptography API,” in International Conference on Research in Security Standardisation. Springer, 2016, pp. 112–140.

[8] Y. Yarom, D. Genkin, and N. Heninger, “Cachebleed: a timing attack on OpenSSL constant-time RSA,” Journal of Cryptographic Engineering, vol. 7, no. 2, pp. 99–112, 2017.

[9] J. Somorovsky, “Systematic fuzzing and testing of TLS libraries,” in Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016, pp. 1492–1504.

[10] V. Braun and V. Clarke, “Using thematic analysis in psychology,” Qualitative research in psychology, vol. 3, no. 2, pp. 77–101, 2006.

[11] S. Lewis, “Qualitative inquiry and research design: Choosing among five approaches,” Health promotion practice, vol. 16, no. 4, pp. 473–475, 2015.

[12] J. Cohen, “A coefficient of agreement for nominal scales,” Educational and psychological measurement, vol. 20, no. 1, pp. 37–46, 1960.

[13] S. Kafader and M. Ghafari, “Fluentcrypto: Cryptography in easy mode,” in 37th International Conference on Software Maintenance and Evolution (ICSME), 2021.

[14] C. Parnin, C. Treude, L. Grammel, and M.-A. Storey, “Crowd documentation: Exploring the coverage and the dynamics of API discussions on stack overflow,” Georgia Institute of Technology, Tech. Rep, vol. 11, 2012.

[15] D. Hou and L. Li, “Obstacles in using frameworks and APIs: An exploratory study of programmers’ newsgroup discussions,” in 2011 IEEE 19th International Conference on Program Comprehension. IEEE, 2011, pp. 91–100.

[16] M. Hazhirpasand, M. Ghafari, and O. Nierstrasz, “Java cryptography uses in the wild,” in Proceedings of the 14th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM), 2020, pp. 1–6.

[17] M. Hazhirpasand, O. Nierstrasz, and M. Ghafari, “Worrisome patterns in developers: A survey in cryptography,” in Proceedings of the 36th IEEE/ACM International Conference on Automated Software Engineering Workshops, 2021.

This paper is available on arXiv under the CC BY 4.0 DEED license.