TY - GEN
T1 - Program Analysis of Cryptographic Implementations for Security
AU - Rahaman, Sazzadur
AU - Yao, Danfeng
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/10/20
Y1 - 2017/10/20
N2 - Cryptographic implementation errors in popular open source libraries (e.g., OpenSSL, GnuTLS, BotanTLS, etc.) and the misuses of cryptographic primitives (e.g., as in Juniper Network) have been the major source of vulnerabilities in the wild. These serious problems prompt the need for new compile-time security checking. Such security enforcements demand the study of various cryptographic properties and their mapping into enforceable program analysis rules. We refer to this new security approach as cryptographic program analysis (CPA). In this paper, we show how cryptographic program analysis can be performed effectively andits security applications. Specifically, we systematically investigate different threat categories on various cryptographicimplementations and their usages. Then, we derive varioussecurity rules, which are enforceable by program analysistools during code compilation. We also demonstrate the capabilities of static taint analysis to enforce most of these security rules and provide a prototype implementation. We point out promising future research and development directions in this new area of cryptographic program analysis.
AB - Cryptographic implementation errors in popular open source libraries (e.g., OpenSSL, GnuTLS, BotanTLS, etc.) and the misuses of cryptographic primitives (e.g., as in Juniper Network) have been the major source of vulnerabilities in the wild. These serious problems prompt the need for new compile-time security checking. Such security enforcements demand the study of various cryptographic properties and their mapping into enforceable program analysis rules. We refer to this new security approach as cryptographic program analysis (CPA). In this paper, we show how cryptographic program analysis can be performed effectively andits security applications. Specifically, we systematically investigate different threat categories on various cryptographicimplementations and their usages. Then, we derive varioussecurity rules, which are enforceable by program analysistools during code compilation. We also demonstrate the capabilities of static taint analysis to enforce most of these security rules and provide a prototype implementation. We point out promising future research and development directions in this new area of cryptographic program analysis.
KW - Cryptographic Program Analysis
KW - Cryptography
KW - Program Analysis
KW - Security
UR - http://www.scopus.com/inward/record.url?scp=85035765481&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85035765481&partnerID=8YFLogxK
U2 - 10.1109/SecDev.2017.23
DO - 10.1109/SecDev.2017.23
M3 - Conference contribution
AN - SCOPUS:85035765481
T3 - Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017
SP - 61
EP - 68
BT - Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2017 IEEE Cybersecurity Development Conference, SecDev 2017
Y2 - 24 September 2017 through 26 September 2017
ER -