CRYLOGGER: Detecting Crypto Misuses Dynamically

Title: CRYLOGGER: Detecting Crypto Misuses Dynamically
Publication Type: Conference Paper
Year of Publication: 2021
Authors: Piccolboni, Luca; Di Guglielmo, Giuseppe; Carloni, Luca P.; Sethumadhavan, Simha
Conference Name: 2021 IEEE Symposium on Security and Privacy (SP)
Date Published: May
Keywords: android, API, APIs, Application program interface, application program interfaces, Application Programming Interface (API), composability, compositionality, cryptography, Encryption, Hash functions, Heuristic algorithms, Internet, Misuses, privacy, pubcrawl, resilience, Resiliency, security, Tools
Abstract: Cryptographic (crypto) algorithms are the essential ingredients of all secure systems: crypto hash functions and encryption algorithms, for example, can guarantee properties such as integrity and confidentiality. Developers, however, can misuse the application programming interfaces (APIs) of such algorithms, for example by using constant keys and weak passwords. This paper presents CRYLOGGER, the first open-source tool to detect crypto misuses dynamically. CRYLOGGER logs the parameters that are passed to the crypto APIs during execution and checks their legitimacy offline against a list of crypto rules. We compared CRYLOGGER with CryptoGuard, one of the most effective static tools for detecting crypto misuses. We show that our tool complements the results of CryptoGuard, making the case for combining static and dynamic approaches. We analyzed 1780 popular Android apps downloaded from the Google Play Store to show that CRYLOGGER can detect crypto misuses in thousands of apps dynamically and automatically. We reverse-engineered 28 Android apps and confirmed the issues flagged by CRYLOGGER. We also disclosed the most critical vulnerabilities to app developers and collected their feedback.
DOI: 10.1109/SP40001.2021.00010
Citation Key: piccolboni_crylogger_2021
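The abstract describes a two-phase approach: record the parameters passed to crypto APIs while the app runs, then check the recorded values offline against a list of crypto rules. The script below is an added illustration of that offline checking phase; it is not CRYLOGGER's own code, and the log line format, the rule ids (R1 to R7), the weak-password list and the iteration and length thresholds are all assumptions made for this example. The sample log is constructed to trigger each rule once.

```python
"""Offline check of a runtime crypto-API log against a list of crypto rules.

Added example illustrating the log-then-check approach described in the
abstract; it is not CRYLOGGER's own code. The log format, rule ids and
thresholds used here are assumptions made for this example.
"""
from collections import Counter

# Constructed sample log, one API call per line: "<API>|name=value;name=value".
SAMPLE_LOG = """\
Cipher.getInstance|transformation=AES/ECB/PKCS5Padding
SecretKeySpec|key=00112233445566778899aabbccddeeff;algorithm=AES
Cipher.init|mode=ENCRYPT;iv=00000000000000000000000000000000
PBEKeySpec|password=password;iterations=100;salt=0102030405060708
MessageDigest.getInstance|algorithm=MD5
Cipher.getInstance|transformation=AES/GCM/NoPadding
SecretKeySpec|key=00112233445566778899aabbccddeeff;algorithm=AES
SecureRandom.setSeed|seed=1234
"""

WEAK_PASSWORDS = {"password", "123456", "qwerty", "admin"}  # constructed toy list
MIN_PBE_ITERATIONS = 1000   # assumed threshold for this example
MIN_PASSWORD_LENGTH = 8     # assumed threshold for this example
BROKEN_HASHES = {"MD5", "SHA-1", "SHA1"}


def parse_log(text):
    """Turn the log text into a list of (line_no, api, params) tuples."""
    entries = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        api, _, params = line.partition("|")
        kv = dict(p.split("=", 1) for p in params.split(";") if "=" in p)
        entries.append((line_no, api.strip(), kv))
    return entries


def check_rules(entries):
    """Return a list of (line_no, rule_id, message) for every rule violation."""
    findings = []
    # Key material that is rebuilt with identical bytes more than once during
    # the run is treated as a constant (likely hard-coded) key.
    key_uses = Counter(kv.get("key") for _, api, kv in entries if api == "SecretKeySpec")
    reported_keys = set()
    for line_no, api, kv in entries:
        if api == "Cipher.getInstance":
            if "/ECB/" in kv.get("transformation", "").upper():
                findings.append((line_no, "R1", "ECB mode leaks plaintext patterns"))
        elif api == "SecretKeySpec":
            key = kv.get("key", "")
            if key_uses[key] > 1 and key not in reported_keys:
                reported_keys.add(key)
                findings.append((line_no, "R2", "same key material reused: constant key"))
        elif api == "Cipher.init":
            iv = kv.get("iv")
            if iv is not None and len(set(iv)) == 1:
                findings.append((line_no, "R3", "constant (all-same-byte) IV"))
        elif api == "PBEKeySpec":
            pw = kv.get("password", "")
            if len(pw) < MIN_PASSWORD_LENGTH or pw.lower() in WEAK_PASSWORDS:
                findings.append((line_no, "R4", "weak password for key derivation"))
            if int(kv.get("iterations", "0")) < MIN_PBE_ITERATIONS:
                findings.append((line_no, "R5", "too few PBKDF iterations"))
        elif api == "MessageDigest.getInstance":
            if kv.get("algorithm", "").upper() in BROKEN_HASHES:
                findings.append((line_no, "R6", "broken hash function"))
        elif api == "SecureRandom.setSeed":
            findings.append((line_no, "R7", "static seed makes SecureRandom predictable"))
    return findings


def scan(text=SAMPLE_LOG):
    """Parse a log and return its rule violations."""
    return check_rules(parse_log(text))


if __name__ == "__main__":
    for line_no, rule, msg in scan():
        print(f"line {line_no}: {rule} {msg}")
```

The point of separating parsing from rule checking is the one the abstract makes: the rules are data-driven and run offline, so the same log can be re-checked whenever the rule list changes, and a dynamic log captures concrete parameter values (the actual key bytes, the actual IV) that a static analysis can only approximate.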