TY - GEN
T1 - Deployment-quality and Accessible Solutions for Cryptography Code Development
AU - Rahaman, Sazzadur
AU - Xiao, Ya
AU - Afrose, Sharmin
AU - Tian, Ke
AU - Frantz, Miles
AU - Meng, Na
AU - Miller, Barton P.
AU - Shaon, Fahad
AU - Kantarcioglu, Murat
AU - Yao, Danfeng
N1 - Publisher Copyright:
© 2020 ACM.
PY - 2020/3/16
Y1 - 2020/3/16
N2 - Cryptographic API misuses seriously threatens software security. Automatic screening of cryptographic misuse vulnerabilities has been a popular and important line of research over the years. However, the vision of producing a scalable detection tool that developers can routinely use to screen millions of line of code has not been achieved yet. Our main technical goal is to attain a high precision and high throughput approach based on specialized program analysis. Specifically, we design inter-procedural program slicing on top of a new on-demand flow-, context- and field- sensitive data flow analysis. Our current prototype named CryptoGuard can detect a wide range of Java cryptographic API misuses with a precision of 98.61%, when evaluated on 46 complex Apache Software Foundation projects (including, Spark, Ranger, and Ofbiz). Our evaluation on 6,181 Android apps also generated many security insights. We created a comprehensive benchmark named CryptoApi-Bench with 40-unit basic cases and 131-unit advanced cases for in-depth comparison with leading solutions (e.g., SpotBugs, CrySL, Coverity). To make CryptoGuard widely accessible, we are in the process of integrating CryptoGuard with the Software Assurance Marketplace (SWAMP). SWAMP is a popular no-cost service for continuous software assurance and static code analysis.
AB - Cryptographic API misuses seriously threatens software security. Automatic screening of cryptographic misuse vulnerabilities has been a popular and important line of research over the years. However, the vision of producing a scalable detection tool that developers can routinely use to screen millions of line of code has not been achieved yet. Our main technical goal is to attain a high precision and high throughput approach based on specialized program analysis. Specifically, we design inter-procedural program slicing on top of a new on-demand flow-, context- and field- sensitive data flow analysis. Our current prototype named CryptoGuard can detect a wide range of Java cryptographic API misuses with a precision of 98.61%, when evaluated on 46 complex Apache Software Foundation projects (including, Spark, Ranger, and Ofbiz). Our evaluation on 6,181 Android apps also generated many security insights. We created a comprehensive benchmark named CryptoApi-Bench with 40-unit basic cases and 131-unit advanced cases for in-depth comparison with leading solutions (e.g., SpotBugs, CrySL, Coverity). To make CryptoGuard widely accessible, we are in the process of integrating CryptoGuard with the Software Assurance Marketplace (SWAMP). SWAMP is a popular no-cost service for continuous software assurance and static code analysis.
KW - accuracy
KW - benchmark
KW - cryptographic api misuses
KW - false negaative
KW - false positive
KW - java
KW - static program analysis
UR - https://www.scopus.com/pages/publications/85083368338
UR - https://www.scopus.com/pages/publications/85083368338#tab=citedBy
U2 - 10.1145/3374664.3379536
DO - 10.1145/3374664.3379536
M3 - Conference contribution
AN - SCOPUS:85083368338
T3 - CODASPY 2020 - Proceedings of the 10th ACM Conference on Data and Application Security and Privacy
SP - 174
EP - 176
BT - CODASPY 2020 - Proceedings of the 10th ACM Conference on Data and Application Security and Privacy
PB - Association for Computing Machinery, Inc
T2 - 10th ACM Conference on Data and Application Security and Privacy, CODASPY 2020
Y2 - 16 March 2020 through 18 March 2020
ER -