Abstract

The use of cryptography is nowadays common in software systems, with cryptographic libraries widely available to software developers. As such, the likely weakest link in sensitive software has moved from cryptographic function implementations to the application code surrounding such functions. Ordinary developers usually lack knowledge in practical cryptography, and support from specialists is rare. Frequently, these difficulties are addressed by running static analysis tools to automatically detect cryptography misuse during coding and reviews. However, the effectiveness of such tools is not yet well understood. This article studies how well programmatic misuse of cryptography is detected by free static code analysis tools. The performance of such tools in detecting misuse is correlated to coding tasks and use cases commonly found in development efforts; also, cryptography misuse is classified in comprehensive categories, easily recognizable by software security practitioners. Our research shows that the coverage of public-key cryptography by static code analysis tools is full of blind spots, because tools prioritize only those misuses related to the most frequent coding tasks and use cases, while neglecting infrequent use cases. We found that, in addition to a relatively low recall in our tests, evaluated tools also have a small overlap regarding the misuses detected by all the evaluated tools, as well as an intersection of false alarms, suggesting lack of discrimination between specific misuses and corresponding good uses of cryptography. In spite of that, well-selected tools can be useful when developing cryptographic software, but support of experts is still required for solving complex cases.
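As an added illustration of the two effects the abstract describes (false alarms from rules that cannot separate a misuse from the corresponding good use, and blind spots for less frequent use cases), the toy scanner below is not from the paper or any evaluated tool. It applies a pattern-only rule and a context-aware rule to constructed sample lines whose call shapes follow Python's `cryptography` package; the sample text, the rule names and the ground truth are all assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample source (text only, never executed). Call shapes follow the
# Python `cryptography` package; lines 1 and 4 are the real misuses.
SAMPLE_SOURCE = """\
ct = pub.encrypt(msg, padding.PKCS1v15())
sig = priv.sign(msg, padding.PKCS1v15(), hashes.SHA256())
ct2 = pub.encrypt(msg, padding.OAEP(padding.MGF1(hashes.SHA256()), hashes.SHA256(), None))
priv = rsa.generate_private_key(public_exponent=65537, key_size=1024)
"""
TRUE_MISUSE_LINES = {1, 4}  # ground truth for the constructed sample

@dataclass(frozen=True)
class Finding:
    line: int
    rule: str

def naive_scan(source: str) -> list[Finding]:
    """Pattern-only rule: flag any PKCS1v15 padding. It cannot tell RSA
    encryption (where PKCS#1 v1.5 is a padding-oracle risk) from an RSA
    signature (where it is accepted), and it has no rule for key size."""
    return [Finding(n, "pkcs1v15-anywhere")
            for n, line in enumerate(source.splitlines(), 1) if "PKCS1v15" in line]

CALL_RE = re.compile(r"\.(encrypt|decrypt|sign|verify)\(")
KEY_SIZE_RE = re.compile(r"key_size\s*=\s*(\d+)")

def context_scan(source: str) -> list[Finding]:
    """Context-aware rules: PKCS#1 v1.5 is reported only on encrypt/decrypt
    calls, and RSA keys shorter than 2048 bits are reported as weak."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        call = CALL_RE.search(line)
        if call and call.group(1) in ("encrypt", "decrypt") and "PKCS1v15" in line:
            findings.append(Finding(n, "rsa-pkcs1v15-encryption"))
        size = KEY_SIZE_RE.search(line)
        if size and int(size.group(1)) < 2048:
            findings.append(Finding(n, "rsa-weak-key-size"))
    return findings

def precision_recall(findings, truth=TRUE_MISUSE_LINES):
    """Score a scan against the ground truth, counting distinct flagged lines."""
    flagged = {f.line for f in findings}
    hits = len(flagged & truth)
    precision = hits / len(flagged) if flagged else 0.0
    recall = hits / len(truth) if truth else 0.0
    return precision, recall
```

On this sample, `precision_recall(naive_scan(SAMPLE_SOURCE))` gives 0.5/0.5 (one false alarm on the signature line, one blind spot on the key size) while the context-aware scan gives 1.0/1.0.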
