Proceedings of the 15th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM) 2021
DOI: 10.1145/3475716.3484195
Python Crypto Misuses in the Wild

Abstract: Background: Previous studies have shown that up to 99.59 % of the Java apps using crypto APIs misuse the API at least once. However, these studies have been conducted on Java and C, while empirical studies for other languages are missing. For example, a controlled user study with crypto tasks in Python has shown that 68.5 % of the professional developers write a secure solution for a crypto task. Aims: To understand if this observation holds for real-world code, we conducted a study of crypto misuses in Python…

Cited by 15 publications (8 citation statements); references 12 publications.

Citation statements:
“…Although static analysis is not expected to be perfect, our results suggest that false alarms in detecting cryptographic misuse can occur not only due to classic challenges, but also because of ① overly conservative misuse rules, ② imprecise modeling, and ③ implementation bugs in detectors themselves. The false alarm patterns due to ① likely also apply to other papers (e.g., [4], [6], [7], [9]) and industrial tools not considered by this work, as they share similar misuse rules.…”
Section: Introduction
“…On the problem of cryptographic API misuse, a recent work used mutators to investigate the problem of false negatives [8]. Concerning false positives, the most relevant works include the manual investigation [26] done on the alarms from CogniCrypt SAST, as well as a small-scale user study presented in [27], where developers reportedly rejected some of the pull requests, citing acceptable usage in a non-security-critical context. Compared to these prior works, this paper presents an in-depth technical investigation that covers more detectors, reveals more false alarm patterns, and provides more concrete improvement directions.…”
Section: Related Work
“…Concretely, through crypto, everyone can securely use online banking, purchase a book from the local book shop from their computer, and share sensitive information with their co-workers while working remotely without the fear that the software leaks their data. Unfortunately, previous research results show that developers struggle with the secure usage of crypto APIs and often add vulnerabilities to their code [21,28,33,50]. Most of these vulnerabilities are caused by developers who use a crypto API in a way that is considered insecure by experts, e.g., choosing an outdated crypto hash algorithm like SHA-1 [28].…”
Section: Introduction