Industrial Experience of Finding Cryptographic Vulnerabilities in Large-scale Codebases

@article{Xiao2022IndustrialEO,
  title={Industrial Experience of Finding Cryptographic Vulnerabilities in Large-scale Codebases},
  author={Ya Xiao and Yang Zhao and Nicholas Allen and Nathan Keynes and Danfeng Daphne Yao and Cristina Garcia Cifuentes},
  journal={Digital Threats: Research and Practice},
  year={2022}
}
Enterprise environment often screens large-scale (millions of lines of code) codebases with static analysis tools to find bugs and vulnerabilities. Parfait is a static code analysis tool used in Oracle to find security vulnerabilities in industrial codebases. Recently, many studies show that there are complicated cryptographic vulnerabilities caused by misusing cryptographic APIs in JavaTM1. In this paper, we describe how we realize a precise and scalable detection of these complicated… 

Figures and Tables from this paper

Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques

TLDR
This paper presents the MASC framework, which enables a systematic and data-driven evaluation of crypto-detectors using mutation testing and discovers 19 unique, undocumented flaws that severely impact the ability of Crypto-detECTors to discover misuses in practice.

Tutorial: Principles and Practices of Secure Cryptographic Coding in Java

TLDR
A 90-minute tutorial to teach participants the principles and practices of Java secure coding, including the SSL/TLS and Spring Security configuration, and introduces a tool that was recently developed to automatically detect API misuse in Java.

Poster: Scientific Comparison on Accuracy and Scalability of Cryptographic API Misuse Detection

TLDR
Two comprehensive benchmarks that enable the in-depth comparison on accuracy and scalability of misuse detection are developed and evaluated, namely, SpotBugs, CryptoGuard, CrySL, and another tool (anonymous) using both benchmarks.

Being the Developers' Friend: Our Experience Developing a High-Precision Tool for Secure Coding

We discuss the needs and challenges of deployable security research by sharing our experience designing CryptoGuard, a high-precision tool for detecting cryptographic application programming

References

SHOWING 1-10 OF 26 REFERENCES

CryptoGuard: High Precision Detection of Cryptographic Vulnerabilities in Massive-sized Java Projects

TLDR
CryptGuard is a set of detection algorithms that refine program slices by identifying language-specific irrelevant elements that reduce false alerts by 76% to 80% in experiments, and makes progress towards the science of analysis in this space.

Program Analysis of Cryptographic Implementations for Security

TLDR
This paper systematically investigates different threat categories on various cryptographic implementations and their usages, and derives various security rules, which are enforceable by program analysistools during code compilation and provides a prototype implementation.

CryptoAPI-Bench: A Comprehensive Benchmark on Java Cryptographic API Misuses

TLDR
A comprehensive benchmark for misuse detection of cryptographic APIs, consisting of 171 unit test cases that cover basic cases, as well as complex cases, including interprocedural, field sensitive, multiple class test cases, and path sensitive data flow of misuse cases.

Scalable Static Analysis to Detect Security Vulnerabilities: Challenges and Solutions

TLDR
Some of the challenges the team encountered in extending Parfait to detect security vulnerabilities in applications code are described including some of the differences seen between the applications code being analysed, the solutions that enable it to analyse a variety of applications, and a summary of the challenge that remain.

Why does cryptographic software fail?: a case study and open problems

TLDR
This study covers 269 cryptographic vulnerabilities reported in the CVE database from January 2011 to May 2014 and shows that just 17% of the bugs are in cryptographic libraries, and the remaining 83% are misuses of cryptographic libraries by individual applications.

Secure Coding Practices in Java: Challenges and Vulnerabilities

TLDR
An empirical study on StackOverflow posts aiming to understand developers' concerns on Java secure coding, their programming obstacles, and insecure coding practices reveals the insufficiency of secure coding assistance and documentation, as well as the huge gap between security theory and coding practices.

A Stitch in Time: Supporting Android Developers in WritingSecure Code

TLDR
Using the FixDroid IDE plug-in, it is shown that professional and hobby app developers can work with and learn from an in-environment tool without it impacting their normal work and that code delivered with such a tool by developers previously inexperienced in security contains significantly less security problems.

You Get Where You're Looking for: The Impact of Information Sources on Code Security

TLDR
Analyzing how the use of information resources impacts code security confirms that API documentation is secure but hard to use, while informal documentation such as Stack Overflow is more accessible but often leads to insecurity.

Detection of Repackaged Android Malware with Code-Heterogeneity Features

TLDR
This work proposes a new Android repackaged malware detection technique based on code heterogeneity analysis that strategically partitions the code structure of an app into multiple dependence-based regions (subsets of the code).

Comparing the Usability of Cryptographic APIs

TLDR
This paper is the first to examine both how and why the design and resulting usability of different cryptographic libraries affects the security of code written with them, with the goal of understanding how to build effective future libraries.