ECOOP 2018
Sun 15 - Sat 21 July 2018 Amsterdam, Netherlands
co-located with ECOOP and ISSTA 2018
Thu 19 Jul 2018 16:25 - 16:50 at Zurich II - Languages Chair(s): Yu David Liu

Various studies have empirically shown that the majority of Java and Android apps misuse cryptographic libraries, causing devastating breaches of data security. Therefore, it is crucial to detect such misuses early in the development process. To detect cryptography misuses, one must first define secure uses, a process mastered primarily by cryptography experts, and not by developers.

In this paper, we present CrySL, a definition language for bridging the cognitive gap between cryptography experts and developers. CrySL enables cryptography experts to specify the secure usage of the cryptographic libraries that they provide. We have implemented a compiler that translates such CrySL specification into a context-sensitive and flow-sensitive demand-driven static analysis. The analysis then helps developers by automatically checking a given Java or Android app for compliance with the CrySL-encoded rules.

We have designed an extensive CrySL rule set for the Java Cryptography Architecture (JCA), and empirically evaluated it by analyzing 10,000 current Android apps. Our results show that misuse of cryptographic APIs is still widespread, with 95% of apps containing at least one misuse. Our easily extensible CrySL rule set covers more violations than previous special-purpose tools with hard-coded rules, with our tooling offering a more precise analysis.

Thu 19 Jul

Displayed time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

16:00 - 17:15
LanguagesECOOP Research Papers at Zurich II
Chair(s): Yu David Liu State University of New York, Binghamton
16:00
25m
Research paper
Typed First-Class Traits
ECOOP Research Papers
Xuan Bi The University of Hong Kong, Bruno C. d. S. Oliveira University of Hong Kong, China
DOI
16:25
25m
Research paper
CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs
ECOOP Research Papers
Stefan Krüger University of Paderborn, Johannes Späth Fraunhofer IEM, Karim Ali University of Alberta, Eric Bodden Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM, Mira Mezini TU Darmstadt
DOI
16:50
25m
Research paper
Safe Transferable Regions
ECOOP Research Papers
Gowtham Kaki Purdue University, G. Ramalingam Microsoft Research
DOI