Cryptology ePrint Archive: Report 2022/029

CRYScanner: Finding cryptographic libraries misuse

Amit Choudhari and Sylvain Guilley and Khaled Karray

Abstract: Cryptographic libraries have become an integral part of every digital device. Studies have shown that these systems are not only vulnerable due to bugs in cryptographic libraries, but also due to misuse of these libraries. In this paper, we focus on vulnerabilities introduced by the application developer. We performed a survey on the potential misusage of well-known libraries such as PKCS #11. We introduced a generic tool CRYScanner, to identify such misuses during and post-development. It works on the similar philosophy of an intrusion detection system for an internal network. This tool provides verification functions needed to check the safety of the code, such as detecting incorrect call flow and input parameters.

We performed a feature-wise comparison with the existing state of the art solutions. CRYScanner includes additional features, preserving the capabilities of both static and dynamic analysis tools. We also show the detection of potential vulnerabilities in the several sample codes found online.

Category / Keywords: cryptographic protocols / Cryptography libraries, misuse, dynamic analysis, novel "CRYScanner" tool, CWE-1240

Original Publication (with minor differences): NICS 2021

Date: received 9 Jan 2022, last revised 10 Jan 2022

Contact author: sylvain guilley at secure-ic com

Available format(s): PDF | BibTeX Citation

Note: Adding the reference to CWE-1240.

Version: 20220110:230125 (All versions of this report)

Short URL: ia.cr/2022/029


[ Cryptology ePrint archive ]