RIGORITYJ: Deployment-quality Detection of Java Cryptographic Vulnerabilities

by   Sazzadur Rahaman, et al.

Cryptographic API misuses threaten software security. Examples include exposed secrets, predictable random numbers, and vulnerable certificate verification. Our goal in this work is to produce deployment-quality program analysis tools for automatically inspecting various cryptographic API uses in complex Java programs. The main challenge is how to reduce false positives (FP) without compromising analysis quality. Unfortunately, state-of-the-art solutions in this space were not designed to be deployment-grade and did not address this issue. Our main technical innovation is a set of algorithms for systematically removing irrelevant elements (from program slices) to reduce false alerts. We evaluated our tool, RIGORITYJ, on 46 high-impact large-scale Apache projects and 240 Android apps, which generates many security insights. We observed violations for most of our 16 rules. 86 from the libraries. There is a widespread insecure practice of storing plaintext passwords. We manually went through the 2,009 Apache alerts and confirmed 1,961 true positives (2.39 security findings. This helped multiple popular Apache projects to harden their code, including Spark, Ranger, and Ofbiz. We also discuss the pragmatic constraints that hinder secure coding.


page 1

page 2

page 3

page 4


CHIRON: Deployment-quality Detection of Java Cryptographic Vulnerabilities

Cryptographic API misuses threaten software security. Examples include e...

Evaluation of Static Vulnerability Detection Tools with Java Cryptographic API Benchmarks

Several studies showed that misuses of cryptographic APIs are common in ...

To Fix or Not to Fix: A Critical Study of Crypto-misuses in the Wild

Recent studies have revealed that 87 cryptographic APIs have a misuse w...

Example-Based Vulnerability Detection and Repair in Java Code

The Java libraries JCA and JSSE offer cryptographic APIs to facilitate s...

CrySL: Validating Correct Usage of Cryptographic APIs

Various studies have empirically shown that the majority of Java and And...

Dealing with Variability in API Misuse Specification

APIs are the primary mechanism for developers to gain access to external...

Please sign up or login with your details

Forgot password? Click here to reset