Title | CRYLOGGER: Detecting Crypto Misuses Dynamically |
Publication Type | Conference Paper |
Year of Publication | 2021 |
Authors | Piccolboni, Luca, Guglielmo, Giuseppe Di, Carloni, Luca P., Sethumadhavan, Simha |
Conference Name | 2021 IEEE Symposium on Security and Privacy (SP) |
Date Published | may |
Keywords | android, API, APIs, Application program interface, application program interfaces, Application Programming Interface (API), composability, compositionality, cryptography, Encryption, Hash functions, Heuristic algorithms, Internet, Misuses, privacy, pubcrawl, resilience, Resiliency, security, Tools |
Abstract | Cryptographic (crypto) algorithms are the essential ingredients of all secure systems: crypto hash functions and encryption algorithms, for example, can guarantee properties such as integrity and confidentiality. Developers, however, can misuse the application programming interfaces (API) of such algorithms by using constant keys and weak passwords. This paper presents CRYLOGGER, the first open-source tool to detect crypto misuses dynamically. CRYLOGGER logs the parameters that are passed to the crypto APIs during the execution and checks their legitimacy offline by using a list of crypto rules. We compared CRYLOGGER with CryptoGuard, one of the most effective static tools to detect crypto misuses. We show that our tool complements the results of CryptoGuard, making the case for combining static and dynamic approaches. We analyzed 1780 popular Android apps downloaded from the Google Play Store to show that CRYLOGGER can detect crypto misuses on thousands of apps dynamically and automatically. We reverse-engineered 28 Android apps and confirmed the issues flagged by CRYLOGGER. We also disclosed the most critical vulnerabilities to app developers and collected their feedback. |
DOI | 10.1109/SP40001.2021.00010 |
Citation Key | piccolboni_crylogger_2021 |