CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs (ECOOP 2018 - ECOOP Research Papers)

Sun 15 - Sat 21 July 2018 Amsterdam, Netherlands

co-located with ECOOP and ISSTA 2018

Who

Stefan Krüger, Johannes Späth, Karim Ali, Eric Bodden, Mira Mezini

Track

ECOOP 2018 ECOOP Research Papers

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Thu 19 Jul 2018 16:25 - 16:50 at Zurich II - Languages Chair(s): Yu David Liu

Abstract

Various studies have empirically shown that the majority of Java and Android apps misuse cryptographic libraries, causing devastating breaches of data security. Therefore, it is crucial to detect such misuses early in the development process. To detect cryptography misuses, one must first define secure uses, a process mastered primarily by cryptography experts, and not by developers.

In this paper, we present CrySL, a definition language for bridging the cognitive gap between cryptography experts and developers. CrySL enables cryptography experts to specify the secure usage of the cryptographic libraries that they provide. We have implemented a compiler that translates such CrySL specification into a context-sensitive and flow-sensitive demand-driven static analysis. The analysis then helps developers by automatically checking a given Java or Android app for compliance with the CrySL-encoded rules.

We have designed an extensive CrySL rule set for the Java Cryptography Architecture (JCA), and empirically evaluated it by analyzing 10,000 current Android apps. Our results show that misuse of cryptographic APIs is still widespread, with 95% of apps containing at least one misuse. Our easily extensible CrySL rule set covers more violations than previous special-purpose tools with hard-coded rules, with our tooling offering a more precise analysis.

DOI

https://doi.org/10.4230/LIPIcs.ECOOP.2018.10

Stefan Krüger

University of Paderborn

Germany

Johannes Späth

Fraunhofer IEM

Germany

Karim Ali

University of Alberta

Canada

Eric Bodden

Heinz Nixdorf Institut, Paderborn University and Fraunhofer IEM

Mira Mezini

TU Darmstadt

Germany

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

Display full programSpecify a time band

Save

Session Program

Thu 19 Jul
Times are displayed in time zone: Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna change

	16:00 - 17:15: LanguagesECOOP Research Papers at Zurich II Chair(s): Yu David LiuState University of New York, Binghamton

	16:00 - 16:25 Research paper		Typed First-Class Traits ECOOP Research Papers Xuan BiThe University of Hong Kong, Bruno C. d. S. OliveiraUniversity of Hong Kong, China DOI
	16:25 - 16:50 Research paper		CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs ECOOP Research Papers Stefan KrügerUniversity of Paderborn, Johannes SpäthFraunhofer IEM, Karim AliUniversity of Alberta, Eric BoddenHeinz Nixdorf Institut, Paderborn University and Fraunhofer IEM, Mira MeziniTU Darmstadt DOI
	16:50 - 17:15 Research paper		Safe Transferable Regions ECOOP Research Papers Gowtham KakiPurdue University, G. RamalingamMicrosoft Research DOI