TY - GEN
T1 - Poster
T2 - 26th ACM SIGSAC Conference on Computer and Communications Security, CCS 2019
AU - Rahaman, Sazzadur
AU - Xiao, Ya
AU - Afrose, Sharmin
AU - Tian, Ke
AU - Frantz, Miles
AU - Meng, Na
AU - Miller, Barton P.
AU - Shaon, Fahad
AU - Kantarcioglu, Murat
AU - Yao, Danfeng
N1 - Publisher Copyright:
© 2019 Association for Computing Machinery.
PY - 2019/11/6
Y1 - 2019/11/6
N2 - Cryptographic API misuses seriously threaten software security. Automatic screening of cryptographic misuse vulnerabilities has been a popular and important line of research over the years. However, the vision of producing a scalable detection tool that developers can routinely use to screen millions of line of code has not been achieved yet. Our main technical goal is to attain a high precision and high throughput approach based on specialized program analysis. Specifically, we design inter-procedural program slicing on top of a new on-demand flow-, context- and field- sensitive data flow analysis. Our current prototype named CryptoGuard can detect a wide range of Java cryptographic API misuses with a precision of 98.61%, when evaluated on 46 complex Apache Software Foundation projects (including, Spark, Ranger, and Ofbiz). Our evaluation on 6,181 Android apps also generated many security insights. We created a comprehensive benchmark named CryptoApi-Bench with 40-unit basic cases and 131-unit advanced cases for in-depth comparison with leading solutions (e.g., SpotBugs, CrySL, Coverity). To make CryptoGuard widely accessible, we are in the process of integrating CryptoGuard with the Software Assurance Marketplace (SWAMP). SWAMP is a popular no-cost service for continuous software assurance and static code analysis.
AB - Cryptographic API misuses seriously threaten software security. Automatic screening of cryptographic misuse vulnerabilities has been a popular and important line of research over the years. However, the vision of producing a scalable detection tool that developers can routinely use to screen millions of line of code has not been achieved yet. Our main technical goal is to attain a high precision and high throughput approach based on specialized program analysis. Specifically, we design inter-procedural program slicing on top of a new on-demand flow-, context- and field- sensitive data flow analysis. Our current prototype named CryptoGuard can detect a wide range of Java cryptographic API misuses with a precision of 98.61%, when evaluated on 46 complex Apache Software Foundation projects (including, Spark, Ranger, and Ofbiz). Our evaluation on 6,181 Android apps also generated many security insights. We created a comprehensive benchmark named CryptoApi-Bench with 40-unit basic cases and 131-unit advanced cases for in-depth comparison with leading solutions (e.g., SpotBugs, CrySL, Coverity). To make CryptoGuard widely accessible, we are in the process of integrating CryptoGuard with the Software Assurance Marketplace (SWAMP). SWAMP is a popular no-cost service for continuous software assurance and static code analysis.
KW - Accuracy
KW - Benchmark
KW - Cryptographic API Misuses
KW - False Negative
KW - False Positive
KW - Java
KW - Static Program Analysis
UR - https://www.scopus.com/pages/publications/85075940630
UR - https://www.scopus.com/inward/citedby.url?scp=85075940630&partnerID=8YFLogxK
U2 - 10.1145/3319535.3363252
DO - 10.1145/3319535.3363252
M3 - Conference contribution
AN - SCOPUS:85075940630
T3 - Proceedings of the ACM Conference on Computer and Communications Security
SP - 2545
EP - 2547
BT - CCS 2019 - Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery
Y2 - 11 November 2019 through 15 November 2019
ER -