CrySL: An extensible approach to validating the correct usage of cryptographic APIs

Stefan Krüger, Johannes Späth, Karim Ali, Eric Bodden, Mira Mezini

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Various studies have empirically shown that the majority of Java and Android apps misuse cryptographic libraries, causing devastating breaches of data security. It is crucial to detect such misuses early in the development process. To detect cryptography misuses, one must first define secure uses, a process mastered primarily by cryptography experts, and not by developers. In this paper, we present CrySL, a definition language for bridging the cognitive gap between cryptography experts and developers. CrySL enables cryptography experts to specify the secure usage of the cryptographic libraries that they provide. We have implemented a compiler that translates such CrySL specification into a context-sensitive and flow-sensitive demand-driven static analysis. The analysis then helps developers by automatically checking a given Java or Android app for compliance with the CrySL-encoded rules. We have designed an extensive CrySL rule set for the Java Cryptography Architecture (JCA), and empirically evaluated it by analyzing 10,000 current Android apps. Our results show that misuse of cryptographic APIs is still widespread, with 95% of apps containing at least one misuse. Our easily extensible CrySL rule set covers more violations than previous special-purpose tools with hard-coded rules, with our tooling offering a more precise analysis.

Original languageEnglish (US)
Title of host publication32nd European Conference on Object-Oriented Programming, ECOOP 2018
EditorsTodd Millstein
PublisherSchloss Dagstuhl- Leibniz-Zentrum fur Informatik GmbH, Dagstuhl Publishing
ISBN (Electronic)9783959770798
DOIs
StatePublished - Jul 1 2018
Event32nd European Conference on Object-Oriented Programming, ECOOP 2018 - Amsterdam, Netherlands
Duration: Jul 16 2018Jul 21 2018

Publication series

NameLeibniz International Proceedings in Informatics, LIPIcs
Volume109
ISSN (Print)1868-8969

Conference

Conference32nd European Conference on Object-Oriented Programming, ECOOP 2018
Country/TerritoryNetherlands
CityAmsterdam
Period7/16/187/21/18

Keywords

  • Cryptography
  • Domain-specific language
  • Static analysis

ASJC Scopus subject areas

  • Software

Fingerprint

Dive into the research topics of 'CrySL: An extensible approach to validating the correct usage of cryptographic APIs'. Together they form a unique fingerprint.

Cite this