1 research outputs found
CryptoGuard: High Precision Detection of Cryptographic Vulnerabilities in Massive-sized Java Projects
Cryptographic API misuses, such as exposed secrets, predictable random
numbers, and vulnerable certificate verification, seriously threaten software
security. The vision of automatically screening cryptographic API calls in
massive-sized (e.g., millions of LoC) Java programs is not new. However,
hindered by the practical difficulty of reducing false positives without
compromising analysis quality, this goal has not been accomplished.
State-of-the-art crypto API screening solutions are not designed to operate on
a large scale.
Our technical innovation is a set of fast and highly accurate slicing
algorithms. Our algorithms refine program slices by identifying
language-specific irrelevant elements. The refinements reduce false alerts by
76% to 80% in our experiments. Running our tool, CrytoGuard, on 46 high-impact
large-scale Apache projects and 6,181 Android apps generate many security
insights. Our findings helped multiple popular Apache projects to harden their
code, including Spark, Ranger, and Ofbiz. We also have made substantial
progress towards the science of analysis in this space, including: i) manually
analyzing 1,295 Apache alerts and confirming 1,277 true positives (98.61%
precision), ii) creating a benchmark with 38-unit basic cases and 74-unit
advanced cases, iii) performing an in-depth comparison with leading solutions
including CrySL, SpotBugs, and Coverity. We are in the process of integrating
CryptoGuard with the Software Assurance Marketplace (SWAMP)