Industrial Strength Static Detection for Cryptographic API Misuses

Cited by: 0
Authors
Xiao, Ya [1 ]
Zhao, Yang [2 ]
Allen, Nicholas [2 ]
Keynes, Nathan [2 ]
Yao, Danfeng [1 ]
Cifuentes, Cristina [2 ]
Affiliations
[1] Virginia Tech, Comp Sci Dept, Blacksburg, VA 24061 USA
[2] Oracle Labs, Brisbane, Qld, Australia
Funding
US National Science Foundation;
Keywords
cryptographic vulnerability detection; static analyzer; industrial environment;
DOI
10.1109/SecDev53368.2022.00022
CLC classification
TP [Automation technology, computer technology];
Discipline code
0812 ;
Abstract
We describe our experience of building an industrial-strength cryptographic vulnerability detector, which aims to detect cryptographic API misuses in Java(TM). Based on the detection algorithms of the academic tool CryptoGuard, we integrated the detection into the Oracle internal code scanning platform Parfait. The goal of the Parfait-based cryptographic vulnerability detection is to provide precise and scalable cryptographic code screening for large-scale industrial projects. We discuss the needs and challenges of static cryptographic vulnerability screening in the industrial environment.
Pages: 61 / 62
Page count: 2
Related papers
50 entries in total
  • [1] CryptoGo: Automatic Detection of Go Cryptographic API Misuses
    Li, Wenqing
    Jia, Shijie
    Liu, Limin
    Zheng, Fangyu
    Ma, Yuan
    Lin, Jingqiang
    [J]. ACM International Conference Proceeding Series, 2022, : 318 - 331
  • [2] CryptoGo: Automatic Detection of Go Cryptographic API Misuses
    Li, Wenqing
    Jia, Shijie
    Liu, Limin
    Zheng, Fangyu
    Ma, Yuan
    Lin, Jingqiang
    [J]. PROCEEDINGS OF THE 38TH ANNUAL COMPUTER SECURITY APPLICATIONS CONFERENCE, ACSAC 2022, 2022, : 318 - 331
  • [3] Automatic Detection of Java Cryptographic API Misuses: Are We There Yet?
    Zhang, Ying
    Kabir, Md Mahir Asef
    Xiao, Ya
    Yao, Danfeng
    Meng, Na
    [J]. IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, 2023, 49 (01) : 288 - 303
  • [4] A Comprehensive Benchmark on Java Cryptographic API Misuses
    Afrose, Sharmin
    Rahaman, Sazzadur
    Yao, Danfeng
    [J]. PROCEEDINGS OF THE TENTH ACM CONFERENCE ON DATA AND APPLICATION SECURITY AND PRIVACY, CODASPY 2020, 2020, : 177 - 178
  • [5] Methods and Benchmark for Detecting Cryptographic API Misuses in Python
    Frantz, Miles
    Xiao, Ya
    Pias, Tanmoy Sarkar
    Meng, Na
    Yao, Danfeng
    [J]. IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, 2024, 50 (05) : 1118 - 1129
  • [6] Evaluation of Static Vulnerability Detection Tools With Java Cryptographic API Benchmarks
    Afrose, Sharmin
    Xiao, Ya
    Rahaman, Sazzadur
    Miller, Barton P.
    Yao, Danfeng
    [J]. IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, 2023, 49 (02) : 485 - 497
  • [7] CRYPTOAPI-BENCH: A Comprehensive Benchmark on Java Cryptographic API Misuses
    Afrose, Sharmin
    Rahaman, Sazzadur
    Yao, Danfeng
    [J]. 2019 IEEE SECURE DEVELOPMENT (SECDEV 2019), 2019, : 49 - 61
  • [8] MAD-API: Detection, Correction and Explanation of API Misuses in Distributed Android Applications
    Luo, Tianyue
    Wu, Jingzheng
    Yang, Mutian
    Zhao, Sizhe
    Wu, Yanjun
    Wang, Yongji
    [J]. ARTIFICIAL INTELLIGENCE AND MOBILE SERVICES - AIMS 2018, 2018, 10970 : 123 - 140
  • [9] Detect, Fix, and Verify TensorFlow API Misuses
    Baker, Wilson
    O'Connor, Michael
    Shahamiri, Seyed Reza
    Terragni, Valerio
    [J]. 2022 IEEE INTERNATIONAL CONFERENCE ON SOFTWARE ANALYSIS, EVOLUTION AND REENGINEERING (SANER 2022), 2022, : 925 - 929
  • [10] Mining API Constraints from Library and Client to Detect API Misuses
    Zeng, Hushuang
    Chen, Jingxin
    Shen, Beijun
    Zhong, Hao
    [J]. 2021 28TH ASIA-PACIFIC SOFTWARE ENGINEERING CONFERENCE (APSEC 2021), 2021, : 161 - 170