cryptography

Securing Your Crypto-API Usage Through Tool Support - A Usability Study

Our user study shows that the Eclipse plugin CogniCrypt reduces misuses and speeds development, enhancing security and efficiency for cryptographic API usage. Through a controlled experiment with 24 Java developers, we found that CogniCrypt significantly improves code security and development speed for cryptography-related tasks. Developers appreciate CogniCrypt’s code generation and static analysis, though integrating the generated code remains a challenge.

Last slide of the talk and an overview of the work.

To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild

Empirial study of cryptographic misuses on enterprise-driven applications that identified several potential effective false positives, such as the use of hash algorithms in a non-security context. Further, we introduced a theoretical model of vulnerabilities caused by API misuses.

CamBench - Cryptographic API Misuse Detection Tool Benchmark Suite

So far, benchmarks for cryptographic API misuses only focused on a subset of issues or tools. To drive future development in this domain, we will openly generate a benchmark. We will derive the generation of this novel benchmark from best practices.

Python crypto misuses in the wild

Our study analyzes cryptographic API misuses in over 900 Python and MicroPython projects, revealing that 52% of the projects have at least one misuse. The findings indicate a positive impact of good API design in reducing misuses compared to Java and C.

A Dataset of Parametric Cryptographic Misuses

Cryptographic APIs are often misused. Our dataset of 201 real-world misuses aids research & tool evaluation that aim to mitigate cryptographic API misuses.