You are looking at a specific version 20220110:230125 of this paper. See the latest version.

Paper 2022/029

CRYScanner: Finding cryptographic libraries misuse

Amit Choudhari and Sylvain Guilley and Khaled Karray

Abstract

Cryptographic libraries have become an integral part of every digital device. Studies have shown that these systems are not only vulnerable due to bugs in cryptographic libraries, but also due to misuse of these libraries. In this paper, we focus on vulnerabilities introduced by the application developer. We performed a survey on the potential misusage of well-known libraries such as PKCS #11. We introduced a generic tool CRYScanner, to identify such misuses during and post-development. It works on the similar philosophy of an intrusion detection system for an internal network. This tool provides verification functions needed to check the safety of the code, such as detecting incorrect call flow and input parameters. We performed a feature-wise comparison with the existing state of the art solutions. CRYScanner includes additional features, preserving the capabilities of both static and dynamic analysis tools. We also show the detection of potential vulnerabilities in the several sample codes found online.

Note: Adding the reference to CWE-1240.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Published elsewhere. Minor revision. NICS 2021
Keywords
Cryptography librariesmisusedynamic analysisnovel "CRYScanner" toolCWE-1240
Contact author(s)
sylvain guilley @ secure-ic com
History
2022-04-30: last of 4 revisions
2022-01-10: received
See all versions
Short URL
https://ia.cr/2022/029
License
Creative Commons Attribution
CC BY
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.