Program Analysis of Cryptographic Implementations for Security

Sazzadur Rahaman, Danfeng Yao

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

10 Scopus citations


Cryptographic implementation errors in popular open source libraries (e.g., OpenSSL, GnuTLS, BotanTLS, etc.) and the misuses of cryptographic primitives (e.g., as in Juniper Network) have been the major source of vulnerabilities in the wild. These serious problems prompt the need for new compile-time security checking. Such security enforcements demand the study of various cryptographic properties and their mapping into enforceable program analysis rules. We refer to this new security approach as cryptographic program analysis (CPA). In this paper, we show how cryptographic program analysis can be performed effectively and its security applications. Specifically, we systematically investigate different threat categories on various cryptographic implementations and their usages. Then, we derive various security rules, which are enforceable by program analysis tools during code compilation. We also demonstrate the capabilities of static taint analysis to enforce most of these security rules and provide a prototype implementation. We point out promising future research and development directions in this new area of cryptographic program analysis.

Original language: English (US)
Title of host publication: Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017
Publisher: Institute of Electrical and Electronics Engineers Inc.
Number of pages: 8
ISBN (Electronic): 9781538634677
State: Published - Oct 20 2017
Externally published: Yes
Event: 2017 IEEE Cybersecurity Development Conference, SecDev 2017 - Cambridge, United States
Duration: Sep 24 2017 to Sep 26 2017

Publication series

Name: Proceedings - 2017 IEEE Cybersecurity Development Conference, SecDev 2017


Conference: 2017 IEEE Cybersecurity Development Conference, SecDev 2017
Country/Territory: United States


  • Cryptographic Program Analysis
  • Cryptography
  • Program Analysis
  • Security

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality

