Abstract
Various studies have empirically shown that the majority of Java and Android applications misuse cryptographic libraries, causing devastating breaches of data security. It is crucial to detect such misuses early in the development process. To detect cryptography misuses, one must <italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">define</i> secure uses first, a process mastered primarily by cryptography experts but not by developers. In this paper, we present <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">CrySL</small> , a specification language for bridging the cognitive gap between cryptography experts and developers. <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">CrySL</small> enables cryptography experts to specify the secure usage of the cryptographic libraries they provide. We have implemented a compiler that translates such <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">CrySL</small> specification into a context-sensitive and flow-sensitive demand-driven static analysis. The analysis then helps developers by automatically checking a given Java or Android app for compliance with the <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">CrySL</small> -encoded rules. We have designed an extensive <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">CrySL</small> rule set for the Java Cryptography Architecture (JCA), and empirically evaluated it by analyzing 10,000 current Android apps and all 204,788 current Java software artefacts on Maven Central. Our results show that misuse of cryptographic APIs is still widespread, with 95 percent of apps and 63 percent of Maven artefacts containing at least one misuse. Our easily extensible <sc xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">CrySL</small> rule set covers more violations than previous special-purpose tools that contain hard-coded rules, while still offering a more precise analysis.
Highlights
Digital devices are increasingly storing sensitive data, which is often protected using cryptography
CogniCryptsast is highly efficient: for more than 75% of the apps, the analysis finishes in under 3 minutes per app, where most of the time is spent in Android-specific call graph construction
We present CrySL, a description language for correct usages of cryptographic APIs
Summary
Digital devices are increasingly storing sensitive data, which is often protected using cryptography. Lazar et al [22] examined 269 published cryptography-related vulnerabilities. They found that 223 are caused by developers misusing a security library while only 46 result from faulty library implementations. In 2017, VeraCode listed insecure uses of cryptography as the second-most prevalent applicationsecurity issue right after information leakage [11]. Such pervasive insecure use of Crypto APIs leads to devastating vulnerabilities such as data breaches in a large number of applications. Rasthofer et al [31] showed that virtually all smartphone apps that rely on cloud services use hard-coded keys. A simple decompilation gives adversaries access to those keys and to all data that these apps store in the cloud
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
