While software engineers are optimistically adopting crypto-API misuse detectors (or crypto-detectors) in their software development cycles, this momentum must be accompanied by a rigorous understanding of crypto-detectors' effectiveness at finding crypto-API misuses in practice. This demo paper presents the technical details and usage scenarios of our tool, namely Mutation Analysis for evaluating Static Crypto-API misuse detectors (MASC). We developed $12$ generalizable, usage-based mutation operators and three mutation scopes, namely Main Scope, Similarity Scope, and Exhaustive Scope, which can be used to expressively instantiate compilable variants of the crypto-API misuse cases. Using MASC, we evaluated nine major crypto-detectors and discovered $19$ unique, undocumented flaws. We designed MASC to be configurable and user-friendly: a user can configure the parameters to change the nature of the generated mutations. Furthermore, MASC comes with both a command-line interface and a web-based front end, making it practical for users with different levels of expertise.
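To make the mutation-analysis idea concrete, the following is an added Python example, not MASC's own code or its actual operators: a constructed seed Java crypto-API misuse is rewritten by a few hypothetical usage-based operators into variants that still select the same weak algorithm at runtime, and a deliberately shallow detector is checked against each mutant to see which ones survive.

```python
import re

# Constructed seed misuse: a Java snippet that requests a deprecated cipher.
# Not taken from MASC's corpus; the misuse and the operators below are illustrative.
SEED = 'Cipher c = Cipher.getInstance("DES");'

# Each operator rewrites the misuse so the weak algorithm is still selected at
# runtime but the source text looks different. They are stand-ins for the
# paper's usage-based operators, not MASC's own implementation.
def op_split_literal(src: str) -> str:
    # "DES" -> "D" + "ES": the same string once the JVM concatenates it
    return src.replace('"DES"', '"D" + "ES"')

def op_indirect_variable(src: str) -> str:
    # Move the algorithm name into a local variable
    return 'String alg = "DES";\n' + src.replace('"DES"', 'alg')

def op_lower_case(src: str) -> str:
    # JCA algorithm names are matched case-insensitively, so "des" still yields DES
    return src.replace('"DES"', '"des"')

def op_helper_method(src: str) -> str:
    # Fetch the algorithm name through a helper method
    helper = 'static String alg() { return "DES"; }\n'
    return helper + src.replace('"DES"', 'alg()')

OPERATORS = {
    "split_literal": op_split_literal,
    "indirect_variable": op_indirect_variable,
    "lower_case": op_lower_case,
    "helper_method": op_helper_method,
}

def naive_detector(src: str) -> bool:
    """A deliberately shallow detector that flags only the literal call pattern."""
    return re.search(r'getInstance\(\s*"DES"\s*\)', src) is not None

def evaluate(detector, seed: str, operators) -> dict:
    """Apply each operator to the seed and record whether the detector still flags it."""
    return {name: detector(op(seed)) for name, op in operators.items()}

def surviving_mutants(results: dict) -> list:
    """Mutants the detector missed; each one points at a gap in its analysis."""
    return sorted(name for name, flagged in results.items() if not flagged)

if __name__ == "__main__":
    res = evaluate(naive_detector, SEED, OPERATORS)
    print("seed flagged:", naive_detector(SEED))
    for name in surviving_mutants(res):
        print("survived:", name)
```

A detector that resolves string constants and simple data flow would catch the first, second and fourth mutants; the case-insensitive one requires knowing how the JCA matches algorithm names.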