While software engineers are optimistically adopting crypto-API misuse detectors (or crypto-detectors) in their software development cycles, this momentum must be accompanied by a rigorous understanding of crypto-detectors’ \textit{effectiveness at finding crypto-API misuses in practice}. This demo paper presents the technical details and usage scenarios of our tool, namely \textbf{M}utation \textbf{A}nalysis for evaluating \textbf{S}tatic \textbf{C}rypto-API misuse detectors (MASC). We developed $12$ generalizable, usage-based mutation operators and three mutation scopes, namely \textit{Main Scope}, \textit{Similarity Scope}, and \textit{Exhaustive Scope}, which can be used to expressively instantiate compilable variants of the crypto-API misuse cases. Using MASC, we evaluated nine major crypto-detectors and discovered $19$ unique, undocumented flaws. We designed MASC to be \textit{configurable} and \textit{user-friendly}; a user can configure the parameters to change the nature of generated mutations. Furthermore, MASC comes with both Command Line Interface and Web-based front-end, making it practical for users of different levels of expertise.

Code: https://github.com/Secure-Platforms-Lab-W-M/MASC

Screencast: https://www.youtube.com/watch?v=XF_qmMaXFXw