CogniCrypt: Supporting developers in using cryptography

Krüger, Stefan; Nadi, Sarah; Reif, Michael; Ali, Karim; Mezini, Mira; Bodden, Eric; Göpfert, Florian; Günther, Felix; Weinert, Christian; Demmler, Daniel; Kamath, Ram

doi:10.1109/ase.2017.8115707

Cited by 68 publications

(47 citation statements)

References 19 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…They showed that 88% of the applications have at least one cryptographic API misuse. Krüger et al proposed a tool called CogniCrypt, an Eclipse plugin that enables developers to securely use cryptographic API [12]. CogniCrypt also provides developers with secure code templates.…”

Section: Related Workmentioning

confidence: 99%

The Impact of Developer Experience in Using Java Cryptography

Hazhirpasand

Ghafari

Krüger

et al. 2019

2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)

Self Cite

View full text Add to dashboard Cite

Background: Previous research has shown that crypto APIs are hard for developers to understand and difficult for them to use. They consequently rely on unvalidated boilerplate code from online resources where security vulnerabilities are common.Aims and method: We analyzed 2,324 open-source Java projects that rely on Java Cryptography Architecture (JCA) to understand how crypto APIs are used in practice, and what factors account for the performance of developers in using these APIs.Results: We found that, in general, the experience of developers in using JCA does not correlate with their performance. In particular, none of the factors such as the number or frequency of committed lines of code, the number of JCA APIs developers use, or the number of projects they are involved in correlate with developer performance in this domain.Conclusions: We call for qualitative studies to shed light on the reasons underlying the success of developers who are expert in using cryptography. Also, detailed investigation at API level is necessary to further clarify a developer obstacles in this domain.

show abstract

Section: Related Workmentioning

confidence: 99%

The Impact of Developer Experience in Using Java Cryptography

Hazhirpasand

Ghafari

Krüger

et al. 2019

2019 ACM/IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)

Self Cite

View full text Add to dashboard Cite

show abstract

“…Krüger et al presented a tool called CogniCrypt, an Eclipse plugin that empowers developers to identify cryptographic misuses in Java code [8].…”

Section: B Resultsmentioning

confidence: 99%

“…3) Analyse: We currently employ CogniCrypt, a staticanalysis tool tailored to find a wide range of misuses of JCA APIs [8]. It takes a target program and specification rules (e.g., method-call patterns, parameter constraints and secure compositions of cryptography-related classes) as input, and evaluates the program's correctness with respect to these rules.…”

Section: A Workflowmentioning

confidence: 99%

CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs

Hazhirpasand

Ghafari

Nierstrasz

2020

2020 IEEE 27th International Conference on Software Analysis, Evolution and Reengineering (SANER)

View full text Add to dashboard Cite

Research has shown that cryptographic APIs are hard to use. Consequently, developers resort to using code examples available in online information sources that are often not secure.We have developed a web platform, named CryptoExplorer, stocked with numerous real-world secure and insecure examples that developers can explore to learn how to use cryptographic APIs properly. This platform currently provides 3 263 secure uses, and 5 897 insecure uses of Java Cryptography Architecture mined from 2 324 Java projects on GitHub.A preliminary study shows that CryptoExplorer provides developers with secure crypto API use examples instantly, developers can save time compared to searching on the internet for such examples, and they learn to avoid using certain algorithms in APIs by studying misused API examples.We have a pipeline to regularly mine more projects, and, on request, we offer our dataset to researchers.

show abstract

“…We leverage CogniCrypt SAST [20], a static analyzer of the CogniCrypt [21] framework, for detecting JCA API misuses in Java programs. This analyzer was selected as it has been extended to be compatible with Android apps as well [20], a static analyzer of the [22].…”

Section: B Static Api Usage Checkermentioning

confidence: 99%

Negative Results on Mining Crypto-API Usage Rules in Android Apps

Gao

Kong

et al. 2019

2019 IEEE/ACM 16th International Conference on Mining Software Repositories (MSR)

View full text Add to dashboard Cite

Android app developers recurrently use crypto-APIs to provide data security to app users. Unfortunately, misuse of APIs only creates an illusion of security and even exposes apps to systematic attacks. It is thus necessary to provide developers with a statically-enforceable list of specifications of crypto-API usage rules. On the one hand, such rules cannot be manually written as the process does not scale to all available APIs. On the other hand, a classical mining approach based on common usage patterns is not relevant in Android, given that a large share of usages include mistakes. In this work, building on the assumption that "developers update API usage instances to fix misuses", we propose to mine a large dataset of updates within about 40 000 real-world app lineages to infer API usage rules. Eventually, our investigations yield negative results on our assumption that API usage updates tend to correct misuses. Actually, it appears that updates that fix misuses may be unintentional: the same misuses patterns are quickly re-introduced by subsequent updates.

show abstract

CogniCrypt: Supporting developers in using cryptography

Cited by 68 publications

References 19 publications

The Impact of Developer Experience in Using Java Cryptography

The Impact of Developer Experience in Using Java Cryptography

CryptoExplorer: An Interactive Web Platform Supporting Secure Use of Cryptography APIs

Negative Results on Mining Crypto-API Usage Rules in Android Apps

Contact Info

Product

Resources

About