ABSTRACT
Cryptographic API misuses, such as exposed secrets, predictable random numbers, and vulnerable certificate verification, seriously threaten software security. The vision of automatically screening cryptographic API calls in massive-sized (e.g., millions of LoC) programs is not new. However, hindered by the practical difficulty of reducing false positives without compromising analysis quality, this goal has not been accomplished. CryptoGuard is a set of detection algorithms that refine program slices by identifying language-specific irrelevant elements. The refinements reduce false alerts by 76% to 80% in our experiments. Running CryptoGuard on 46 high-impact large-scale Apache projects and 6,181 Android apps generated many security insights. Our findings helped multiple popular Apache projects harden their code, including Spark, Ranger, and Ofbiz. We have also made progress towards the science of analysis in this space, including manually analyzing 1,295 Apache alerts, confirming 1,277 true positives (98.61% precision), and an in-depth comparison with leading solutions including CrySL, SpotBugs, and Coverity.
Index Terms
- CryptoGuard: High Precision Detection of Cryptographic Vulnerabilities in Massive-sized Java Projects