Paper 2022/029

CRYScanner: Finding cryptographic libraries misuse

Amit Choudhari, Sylvain Guilley, and Khaled Karray


Cryptographic libraries have become an integral part of every digital device. Studies have shown that these systems are not only vulnerable due to bugs in cryptographic libraries, but also due to misuse of these libraries. In this paper, we focus on vulnerabilities introduced by the application developer. We performed a survey on the potential misusage of well-known libraries such as PKCS #11. We introduced a generic tool CRYScanner, to identify such misuses during and post-development. It works on the similar philosophy of an intrusion detection system for an internal network. This tool provides verification functions needed to check the safety of the code, such as detecting incorrect call flow and input parameters. We performed a feature-wise comparison with the existing state of the art solutions. CRYScanner includes additional features, preserving the capabilities of both static and dynamic analysis tools. We also show the detection of potential vulnerabilities in the several sample codes found online.

Note: Adding a reference to IV reuse attack on Samsung's TrustZone Keymaster.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Minor revision. NICS 2021
Cryptography librariesmisusedynamic analysisnovel "CRYScanner" toolCWE-1240
Contact author(s)
sylvain guilley @ secure-ic com
2022-04-30: last of 4 revisions
2022-01-10: received
See all versions
Short URL
Creative Commons Attribution


      author = {Amit Choudhari and Sylvain Guilley and Khaled Karray},
      title = {CRYScanner: Finding cryptographic libraries misuse},
      howpublished = {Cryptology ePrint Archive, Paper 2022/029},
      year = {2022},
      doi = {10.1109/NICS54270.2021.9701469},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.