Name
Title | ||
|---|---|---|
Practical Evaluation of Static Analysis Tools for Cryptography: Benchmarking Method and Case Study |
Abstract | ||
|---|---|---|
The incorrect use of cryptography is a common source of critical software vulnerabilities. As developers lack knowledge in applied cryptography and support from experts is scarce, this situation is frequently addressed by adopting static code analysis tools to automatically detect cryptography misuse during coding and reviews, even if the effectiveness of such tools is far from being well understood. This paper proposes a method for benchmarking static code analysis tools for the detection of cryptography misuse, and evaluates the method in a case study, with the goal of selecting the most adequate tools for specific development contexts. Our method classifies cryptography misuse in nine categories recognized by developers (weak cryptography, poor key management, bad randomness, etc.) and provides the workload, metrics and procedure needed for a fair assessment and comparison of tools. We found that all evaluated tools together detected only 35% of cryptography misuses in our tests. Furthermore, none of the evaluated tools detected insecure elliptic curves, weak parameters in key agreement, and most insecure configurations for RSA and ECDSA. This suggests cryptography misuse is underestimated by tool builders. Despite that, we show that it is possible to benefit from an adequate tool selection during the development of cryptographic software. |
Year | DOI | Venue |
|---|---|---|
2017 | 10.1109/ISSRE.2017.27 | 2017 IEEE 28th International Symposium on Software Reliability Engineering (ISSRE) |
Keywords | Field | DocType |
static analysis tools,cryptography,benchmarking,software security | Key management,Elliptic Curve Digital Signature Algorithm,Static program analysis,Cryptography,Computer science,Software,Elliptic curve cryptography,Benchmarking,Reliability engineering,Benchmark (computing) | Conference |
ISSN | ISBN | Citations |
1071-9458 | 978-1-5386-0942-2 | 1 |
PageRank | References | Authors |
0.35 | 28 | 5 |
Name | Order | Citations | PageRank |
|---|---|---|---|
| Alexandre Melo Braga | 1 | 3 | 1.73 |
| Ricardo Dahab | 2 | 988 | 66.38 |
| Nuno Antunes | 3 | 184 | 24.38 |
| Nuno Laranjeiro | 4 | 208 | 26.74 |
| Marco Vieira | 5 | 971 | 112.31 |