While software engineers are optimistically adopting crypto-API misuse detectors (or crypto-detectors) in their software development cycles, this momentum must be accompanied by a rigorous understanding of crypto-detectors' effectiveness at finding crypto-API misuses in practice. This demo paper presents the technical details and usage scenarios of our tool, namely Mutation Analysis for evaluating Static Crypto-API misuse detectors (MASC). We developed $12$ generalizable, usage-based mutation operators and three mutation scopes, namely Main Scope, Similarity Scope, and Exhaustive Scope, which can be used to expressively instantiate compilable variants of the crypto-API misuse cases. Using MASC, we evaluated nine major crypto-detectors and discovered $19$ unique, undocumented flaws. We designed MASC to be configurable and user-friendly; a user can configure the parameters to change the nature of the generated mutations. Furthermore, MASC comes with both a command-line interface and a web-based front-end, making it practical for users of different levels of expertise.
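To make the abstract's evaluation idea concrete, the following is an added example, not code from the MASC project. It assumes three illustrative mutation operators (string concatenation, variable indirection, and a helper-method call) that are stand-ins of my own, not MASC's twelve operators, which this page does not list. It applies them to a constructed Java misuse seed (an ECB-mode `Cipher.getInstance` call) and runs two hypothetical pattern-based detectors over the seed and its mutants, reporting which mutants each detector misses. The point it illustrates is the one the abstract makes: a detector that only recognises the textbook form of a misuse will pass a benchmark of seeds and still miss compilable variants.

```python
"""Toy mutation-based evaluation of pattern-based crypto-API misuse detectors.

Added example. The operators, detectors and seed below are illustrative and
are NOT MASC's own; MASC's 12 operators are not described on this page.
"""
import re

# Constructed seed misuse: an ECB-mode cipher request written as a Java statement.
INSECURE_ALGORITHM = "AES/ECB/PKCS5Padding"
SECURE_ALGORITHM = "AES/GCM/NoPadding"   # constructed control case


def seed(alg):
    """The unmutated misuse case: transformation string passed as one literal."""
    return f'Cipher c = Cipher.getInstance("{alg}");'


def op_string_concat(alg):
    """Hypothetical operator: rebuild the literal from concatenated fragments."""
    expr = ' + "/" + '.join(f'"{part}"' for part in alg.split("/"))
    return f"Cipher c = Cipher.getInstance({expr});"


def op_variable_indirection(alg):
    """Hypothetical operator: pass the literal through a local String variable."""
    return f'String mode = "{alg}"; Cipher c = Cipher.getInstance(mode);'


def op_helper_method(alg):
    """Hypothetical operator: obtain the literal from a helper method call."""
    return (f'static String mode() {{ return "{alg}"; }}\n'
            f"Cipher c = Cipher.getInstance(mode());")


OPERATORS = {
    "concat": op_string_concat,
    "variable": op_variable_indirection,
    "helper": op_helper_method,
}

# Hypothetical detector 1: flags ECB only when the argument is a single literal
# written directly inside the getInstance(...) call.
_DIRECT_ECB = re.compile(r'Cipher\.getInstance\(\s*"[^"]*ECB[^"]*"\s*\)')


def naive_detector(java_src):
    return _DIRECT_ECB.search(java_src) is not None


# Hypothetical detector 2: flags ECB if any string literal in the unit names it.
# It survives all three operators, but trades precision for recall: a log
# message mentioning "ECB" would fire as well.
_LITERALS = re.compile(r'"([^"]*)"')


def literal_aware_detector(java_src):
    return any("ECB" in lit for lit in _LITERALS.findall(java_src))


def evaluate(detector, alg):
    """Run the detector on the seed and each mutant; True means 'flagged'."""
    results = {"seed": detector(seed(alg))}
    for name, operator in OPERATORS.items():
        results[name] = detector(operator(alg))
    return results


def missed(detector, alg=INSECURE_ALGORITHM):
    """Names of mutants the detector fails to flag although it flags the seed."""
    results = evaluate(detector, alg)
    return [name for name, flagged in results.items()
            if name != "seed" and results["seed"] and not flagged]


if __name__ == "__main__":
    for det in (naive_detector, literal_aware_detector):
        print(det.__name__, "missed:", missed(det))
        print("  false positives on secure seed:",
              [k for k, v in evaluate(det, SECURE_ALGORITHM).items() if v])
```

The `missed` function is the measurement a mutation-based evaluation is after: a mutant the seed-flagging detector does not flag is a candidate detector flaw to report. The secure control seed checks the other direction, so a detector that is merely over-eager (flagging everything) does not score well by accident.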