References & Citations
Computer Science > Cryptography and Security
Title: Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques
(Submitted on 15 Jul 2021 (v1), last revised 24 Jul 2022 (this version, v5))
Abstract: The correct use of cryptography is central to ensuring data security in modern software systems. Hence, several academic and commercial static analysis tools have been developed for detecting and mitigating crypto-API misuse. While developers are optimistically adopting these crypto-API misuse detectors (or crypto-detectors) in their software development cycles, this momentum must be accompanied by a rigorous understanding of their effectiveness at finding crypto-API misuse in practice. This paper presents the MASC framework, which enables a systematic and data-driven evaluation of crypto-detectors using mutation testing. We ground MASC in a comprehensive view of the problem space by developing a data-driven taxonomy of existing crypto-API misuse, containing $105$ misuse cases organized among nine semantic clusters. We develop $12$ generalizable usage-based mutation operators and three mutation scopes that can expressively instantiate thousands of compilable variants of the misuse cases for thoroughly evaluating crypto-detectors. Using MASC, we evaluate nine major crypto-detectors and discover $19$ unique, undocumented flaws that severely impact the ability of crypto-detectors to discover misuses in practice. We conclude with a discussion on the diverse perspectives that influence the design of crypto-detectors and future directions towards building security-focused crypto-detectors by design.
Submission history
From: Amit Seal Ami [view email][v1] Thu, 15 Jul 2021 01:16:27 GMT (3234kb,D)
[v2] Fri, 16 Jul 2021 20:23:24 GMT (3232kb,D)
[v3] Wed, 11 Aug 2021 15:46:04 GMT (1685kb,D)
[v4] Fri, 13 Aug 2021 01:23:53 GMT (1685kb,D)
[v5] Sun, 24 Jul 2022 16:53:41 GMT (1686kb,D)
Link back to: arXiv, form interface, contact.