Deployment-quality and Accessible Solutions for Cryptography Code Development

Sazzadur Rahaman, Ya Xiao, Sharmin Afrose, Ke Tian, Miles Frantz, Na Meng, Barton P. Miller, Fahad Shaon, Murat Kantarcioglu, Danfeng Yao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Cryptographic API misuse seriously threatens software security. Automatic screening for cryptographic misuse vulnerabilities has been a popular and important line of research over the years. However, the vision of a scalable detection tool that developers can routinely use to screen millions of lines of code has not yet been achieved. Our main technical goal is a high-precision, high-throughput approach based on specialized program analysis. Specifically, we design inter-procedural program slicing on top of a new on-demand flow-, context- and field-sensitive data flow analysis. Our current prototype, named CryptoGuard, detects a wide range of Java cryptographic API misuses with a precision of 98.61% when evaluated on 46 complex Apache Software Foundation projects (including Spark, Ranger, and Ofbiz). Our evaluation on 6,181 Android apps also yielded many security insights. We created a comprehensive benchmark named CryptoApi-Bench, with 40 basic unit cases and 131 advanced unit cases, for in-depth comparison with leading solutions (e.g., SpotBugs, CrySL, Coverity). To make CryptoGuard widely accessible, we are integrating it with the Software Assurance Marketplace (SWAMP), a popular no-cost service for continuous software assurance and static code analysis.
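The following Java example is added here to illustrate why the abstract insists on inter-procedural, field-sensitive analysis; it is not code from the paper, from CryptoApi-Bench, or from CryptoGuard. The class and method names (LegacyVault, Vault, wrap, seal, open) are invented for the illustration, and the misuse categories it shows (constant key material, ECB mode) are common rule classes in this kind of tooling rather than a statement of CryptoGuard's specific rules. In the vulnerable class the secret never appears next to the crypto call: it is a string literal in the constructor, stored into a field by one method, loaded by another, and passed through a static helper before reaching SecretKeySpec. A checker that only inspects the immediate arguments of the crypto call sees a non-constant byte[] and reports nothing; following the value back to the literal requires connecting the field store to the field load and mapping actual arguments to formal parameters across the call. The corrected class replaces the literal with CSPRNG-generated key material and uses AES-GCM with a fresh nonce per message.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical illustration; not from the paper or from CryptoGuard.
public class CryptoMisuseExample {

    // --- Vulnerable version: kept deliberately insecure ---------------------
    static class LegacyVault {
        private byte[] keyMaterial;

        LegacyVault() {
            // Misuse 1: hard-coded key material (the constant source).
            setKey("0123456789abcdef0123456789abcdef");
        }

        void setKey(String s) {
            // Field-sensitivity is needed to connect this store ...
            this.keyMaterial = s.getBytes(StandardCharsets.UTF_8);
        }

        byte[] seal(byte[] plaintext) throws Exception {
            // ... to this load, and inter-procedural slicing to follow the
            // value through wrap() into the SecretKeySpec constructor.
            return wrap(this.keyMaterial, plaintext);
        }

        private static byte[] wrap(byte[] key, byte[] data) throws Exception {
            // Misuse 2: ECB mode leaks plaintext block structure.
            Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            return c.doFinal(data);
        }
    }

    // --- Corrected version --------------------------------------------------
    static class Vault {
        private static final int NONCE_BYTES = 12;   // 96-bit GCM nonce
        private static final int TAG_BITS = 128;
        private final SecretKey key;

        Vault() throws Exception {
            // Key material comes from the platform CSPRNG, never a literal.
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            this.key = kg.generateKey();
        }

        byte[] seal(byte[] plaintext) throws Exception {
            // Fresh nonce per message; GCM provides confidentiality and
            // integrity. The nonce is prepended so open() can recover it.
            byte[] nonce = new byte[NONCE_BYTES];
            new SecureRandom().nextBytes(nonce);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
            byte[] ct = c.doFinal(plaintext);
            byte[] out = new byte[NONCE_BYTES + ct.length];
            System.arraycopy(nonce, 0, out, 0, NONCE_BYTES);
            System.arraycopy(ct, 0, out, NONCE_BYTES, ct.length);
            return out;
        }

        byte[] open(byte[] sealed) throws Exception {
            byte[] nonce = Arrays.copyOfRange(sealed, 0, NONCE_BYTES);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
            // doFinal verifies the tag; a tampered ciphertext throws AEADBadTagException.
            return c.doFinal(sealed, NONCE_BYTES, sealed.length - NONCE_BYTES);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "attack at dawn".getBytes(StandardCharsets.UTF_8);
        Vault v = new Vault();
        if (!Arrays.equals(msg, v.open(v.seal(msg)))) {
            throw new AssertionError("round trip failed");
        }
        // LegacyVault is never invoked here; it exists only as analysis input.
    }
}
```

When feeding a class like LegacyVault to a static checker, the instructive comparison is whether the tool reports the SecretKeySpec construction inside wrap(): an intra-procedural or flow-insensitive tool that matches only on literal arguments will not, which is the gap the abstract's slicing design targets.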

Original language: English (US)
Title of host publication: CODASPY 2020 - Proceedings of the 10th ACM Conference on Data and Application Security and Privacy
Publisher: Association for Computing Machinery, Inc
Pages: 174-176
Number of pages: 3
ISBN (Electronic): 9781450371070
DOIs
State: Published - Mar 16 2020
Externally published: Yes
Event: 10th ACM Conference on Data and Application Security and Privacy, CODASPY 2020 - New Orleans, United States
Duration: Mar 16 2020 → Mar 18 2020

Publication series

Name: CODASPY 2020 - Proceedings of the 10th ACM Conference on Data and Application Security and Privacy

Conference

Conference: 10th ACM Conference on Data and Application Security and Privacy, CODASPY 2020
Country/Territory: United States
City: New Orleans
Period: 3/16/20 → 3/18/20

Keywords

  • accuracy
  • benchmark
  • cryptographic api misuses
  • false negative
  • false positive
  • java
  • static program analysis

ASJC Scopus subject areas

  • Software
  • Computer Science Applications
