Ensuring Correct Cryptographic Algorithm and Provider Usage at Compile Time

Cited by: 0
Authors
Xing, Weitian [1]
Cheng, Yuanhui [1]
Dietl, Werner [1]
Affiliation
[1] Univ Waterloo, Waterloo, ON, Canada
Source
PROCEEDINGS OF THE 23RD ACM INTERNATIONAL WORKSHOP ON FORMAL TECHNIQUES FOR JAVA-LIKE PROGRAMS (FTFJP '21) | 2021
Funding
Natural Sciences and Engineering Research Council of Canada;
Keywords
Java; cryptography; pluggable type system; static analysis;
DOI
10.1145/3464971.3468418
Chinese Library Classification
TP31 [Computer Software];
Discipline classification code
081202 ; 0835 ;
Abstract
Using cryptographic APIs to encrypt and decrypt data, calculate digital signatures, or compute hashes is error-prone. Weak or unsupported cryptographic algorithms can cause information leakage and runtime exceptions, such as a NoSuchAlgorithmException in Java. Using the wrong cryptographic service provider can also lead to unsupported cryptographic algorithms. Moreover, for Android developers who want to store their key material in the Android Keystore, misused cryptographic algorithms and providers make the key material unsafe. We present the Crypto Checker, a pluggable type system that detects the use of forbidden algorithms and providers at compile time. For typechecked code, the Crypto Checker guarantees that only trusted algorithms and providers are used, and thereby ensures that the cryptographic APIs never cause runtime exceptions or use weak algorithms or providers. The Crypto Checker is easy to use: it allows developers to determine which algorithms and providers are permitted by writing specifications using type qualifiers. We implemented the Crypto Checker for Java and evaluated it with 32 open-source Java applications (over 2 million LOC). We found 2 issues that cause runtime exceptions and 62 violations of security recommendations and best practices. We also used the Crypto Checker to analyze 65 examples from a public benchmark of hard security issues and discuss the differences between our approach and a different static analysis in detail.
Pages: 43-50
Page count: 8