Title
CHIRON: Deployment-quality Detection of Java Cryptographic Vulnerabilities.
Abstract
Cryptographic API misuses threaten software security. Examples include exposed secrets, predictable random numbers, and vulnerable certificate verification. Our goal in this work is to produce deployment-quality program analysis tools for automatically inspecting various cryptographic API uses in complex Java programs. The main challenge is how to reduce false positives (FP) without compromising analysis quality. Unfortunately, state-of-the-art solutions in this space were not designed to be deployment-grade and did not address this issue. Our main technical innovation is a set of algorithms for systematically removing irrelevant elements (from program slices) to reduce false alerts. We evaluated our tool, CHIRON, on 46 high-impact large-scale Apache projects and 240 Android apps, which generated many security insights. We observed violations for most of our 16 rules. 86% of the Android vulnerabilities come from the libraries. There is a widespread insecure practice of storing plaintext passwords. We manually went through the 2,009 Apache alerts and confirmed 1,961 true positives (2.39% FP rate). We contacted Apache with our security findings. This helped multiple popular Apache projects to harden their code, including Spark, Ranger, and Ofbiz. We also discuss the pragmatic constraints that hinder secure coding.
Year: 2018
Venue: arXiv: Cryptography and Security
Field: Android (operating system), Computer security, Computer science, Cryptography, Software security assurance, Password, Program analysis, Secure coding, Java, Plaintext
DocType:
Volume: abs/1806.06881
Citations: 0
Journal:
PageRank: 0.34
References: 26
Authors: 6
Authors (Order. Name, Citations, PageRank):
1. Sazzadur Rahaman, 19, 4.54
2. Ya Xiao, 16, 5.53
3. Ke Tian, 51, 6.38
4. Fahad Shaon, 16, 3.00
5. Murat Kantarcioglu, 2470, 168.03
6. Danfeng Yao, 965, 74.85