How Usable are Rust Cryptography APIs?
This work addresses security vulnerabilities caused by poor API usability for Rust developers, though it is incremental, as it builds on existing usability research in other languages.
The researchers investigated the usability of Rust cryptography APIs through systematic library analysis and experiments with 28 participants, finding that only half of major libraries focus on usability and participants performed better with a library initially considered less usable.
Context: Poor usability of cryptographic APIs is a severe source of vulnerabilities. Aim: We wanted to find out what kind of cryptographic libraries are present in Rust and how usable they are. Method: We explored Rust's cryptographic libraries through a systematic search, conducted an exploratory study on the major libraries and a controlled experiment on two of these libraries with 28 student participants. Results: Only half of the major libraries explicitly focus on usability and misuse resistance, which is reflected in their current APIs. We found that participants were more successful using rust-crypto, which we considered less usable than ring before the experiment. Conclusion: We discuss API design insights and make recommendations for the design of crypto libraries in Rust regarding the detail and structure of the documentation, higher-level APIs as wrappers for the existing low-level libraries, and selected, good-quality example code to improve the emerging cryptographic libraries of Rust.