TY - GEN
T1 - Cryptoguard
T2 - 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019
AU - Rahaman, Sazzadur
AU - Xiao, Ya
AU - Afrose, Sharmin
AU - Shaon, Fahad
AU - Tian, Ke
AU - Frantz, Miles
AU - Kantarcioglu, Murat
AU - Yao, Danfeng
N1 - Publisher Copyright:
© 2019 Association for Computing Machinery.
PY - 2019/11/6
Y1 - 2019/11/6
N2 - Cryptographic API misuses, such as exposed secrets, predictable random numbers, and vulnerable certificate verification, seriously threaten software security. The vision of automatically screening cryptographic API calls in massive-sized (e.g., millions of LoC) programs is not new. However, hindered by the practical difficulty of reducing false positives without compromising analysis quality, this goal has not been accomplished. CryptoGuard is a set of detection algorithms that refine program slices by identifying language-specific irrelevant elements. The refinements reduce false alerts by 76% to 80% in our experiments. Running our tool, CryptoGuard, on 46 high-impact large-scale Apache projects and 6,181 Android apps generated many security insights. Our findings helped multiple popular Apache projects to harden their code, including Spark, Ranger, and Ofbiz. We also have made progress towards the science of analysis in this space, including manually analyzing 1,295 Apache alerts, confirming 1,277 true positives (98.61% precision), and in-depth comparison with leading solutions including CrySL, SpotBugs, and Coverity.
AB - Cryptographic API misuses, such as exposed secrets, predictable random numbers, and vulnerable certificate verification, seriously threaten software security. The vision of automatically screening cryptographic API calls in massive-sized (e.g., millions of LoC) programs is not new. However, hindered by the practical difficulty of reducing false positives without compromising analysis quality, this goal has not been accomplished. CryptoGuard is a set of detection algorithms that refine program slices by identifying language-specific irrelevant elements. The refinements reduce false alerts by 76% to 80% in our experiments. Running our tool, CryptoGuard, on 46 high-impact large-scale Apache projects and 6,181 Android apps generated many security insights. Our findings helped multiple popular Apache projects to harden their code, including Spark, Ranger, and Ofbiz. We also have made progress towards the science of analysis in this space, including manually analyzing 1,295 Apache alerts, confirming 1,277 true positives (98.61% precision), and in-depth comparison with leading solutions including CrySL, SpotBugs, and Coverity.
KW - Accuracy
KW - Benchmark
KW - Cryptographic API misuses
KW - False negative
KW - False positive
KW - Java
KW - Static program analysis
UR - http://www.scopus.com/inward/record.url?scp=85075801594&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85075801594&partnerID=8YFLogxK
U2 - 10.1145/3319535.3345659
DO - 10.1145/3319535.3345659
M3 - Conference contribution
AN - SCOPUS:85075801594
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 2455
EP - 2472
BT - CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 11 November 2019 through 15 November 2019
ER -