Paper 2022/029
CRYScanner: Finding cryptographic libraries misuse
Amit Choudhari, Sylvain Guilley, and Khaled Karray
Abstract
Cryptographic libraries have become an integral part of every digital device. Studies have shown that these systems are not only vulnerable due to bugs in cryptographic libraries, but also due to misuse of these libraries. In this paper, we focus on vulnerabilities introduced by the application developer. We performed a survey on the potential misusage of well-known libraries such as PKCS #11. We introduced a generic tool CRYScanner, to identify such misuses during and post-development. It works on the similar philosophy of an intrusion detection system for an internal network. This tool provides verification functions needed to check the safety of the code, such as detecting incorrect call flow and input parameters. We performed a feature-wise comparison with the existing state of the art solutions. CRYScanner includes additional features, preserving the capabilities of both static and dynamic analysis tools. We also show the detection of potential vulnerabilities in the several sample codes found online.
Note: Adding a reference to IV reuse attack on Samsung's TrustZone Keymaster.
Metadata
- Available format(s)
-
PDF
- Category
- Cryptographic protocols
- Publication info
- Published elsewhere. Minor revision. NICS 2021
- DOI
- 10.1109/NICS54270.2021.9701469
- Keywords
- Cryptography librariesmisusedynamic analysisnovel "CRYScanner" toolCWE-1240
- Contact author(s)
- sylvain guilley @ secure-ic com
- History
- 2022-04-30: last of 4 revisions
- 2022-01-10: received
- See all versions
- Short URL
- https://ia.cr/2022/029
- License
-
CC BY
BibTeX
@misc{cryptoeprint:2022/029,
author = {Amit Choudhari and Sylvain Guilley and Khaled Karray},
title = {{CRYScanner}: Finding cryptographic libraries misuse},
howpublished = {Cryptology {ePrint} Archive, Paper 2022/029},
year = {2022},
doi = {10.1109/NICS54270.2021.9701469},
url = {https://eprint.iacr.org/2022/029}
}
