[Review] Python Crypto Misuses in the Wild
The paper presents an empirical study of crypto API misuses in Python. The authors implement a tool called LICMA that detects crypto API misuses in Python code and run it over open-source projects.
Several conclusions:
- 52.26 % of the Python projects that use crypto APIs contain at least one potential misuse.
- Only 14.81 % of the projects contain a crypto API misuse in their own code; the rest is introduced through third-party code.
- Python projects appear to be more secure than the C and Java projects examined in earlier studies, and the distribution over concrete misuse types differs considerably.
Background:
There have been tools to detect crypto API misuses in C and Java, but no such tool existed for Python.
There have been user studies of API misuses in Python, but no empirical analysis of real-world code.
Implementation:
- apply Babelfish to create a Universal Abstract Syntax Tree (UAST).
- for each defined rule, filter the UAST with an XPath query to find the relevant API calls, then perform a backward analysis on the call's arguments to decide whether the rule is violated.
- cover 5 different crypto modules: cryptography, M2Crypto, PyCrypto, PyNaCl, ucryptolib.
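To make the detection approach concrete, here is an added example (written for this review, not code from the paper or from LICMA) of the same two-phase idea: first filter the syntax tree for cipher-constructor calls, then resolve the arguments backwards to see whether a key or IV is a hard-coded literal, or the mode is ECB. It swaps Babelfish's UAST and XPath for Python's own `ast` module and a tree walk; the rules, the `CIPHER_MODULES` set and the PyCrypto-style `AES.new(key, mode, iv)` call shape are my assumptions, and `SAMPLE` is a constructed input. The backward analysis is deliberately simple: it ignores scope and resolves a name to its most recent assignment earlier in the file.

```python
from __future__ import annotations

import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Misuse:
    rule: str
    lineno: int
    detail: str


# Assumed set of PyCrypto/PyCryptodome cipher modules whose .new(...) we inspect.
CIPHER_MODULES = {"AES", "DES", "DES3", "Blowfish", "ARC4"}


def _callee_name(call: ast.Call) -> str | None:
    """Return 'AES.new' for a call like `AES.new(...)`, else None."""
    f = call.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def _collect_assignments(tree: ast.AST) -> dict[str, list[tuple[int, ast.expr]]]:
    """Map each simple name to its (lineno, value) assignments in source order.
    Scope is ignored: a simplification of the paper's backward analysis."""
    assigns: dict[str, list[tuple[int, ast.expr]]] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    assigns.setdefault(target.id, []).append((node.lineno, node.value))
    for lst in assigns.values():
        lst.sort(key=lambda t: t[0])
    return assigns


def _resolve_constant(node: ast.expr, assigns, before: int, depth: int = 0):
    """Backward step: is `node` a bytes/str literal, or a name whose most recent
    assignment before line `before` resolves to one? Returns the literal or None."""
    if depth > 8:  # guard against pathological assignment chains
        return None
    if isinstance(node, ast.Constant) and isinstance(node.value, (bytes, str)):
        return node.value
    if isinstance(node, ast.Name):
        prior = [(ln, v) for ln, v in assigns.get(node.id, []) if ln < before]
        if prior:
            ln, value = prior[-1]
            return _resolve_constant(value, assigns, ln, depth + 1)
    return None


def find_misuses(source: str) -> list[Misuse]:
    """Phase 1: filter the tree for cipher constructor calls.
    Phase 2: check each call's key, mode and IV with the backward resolver."""
    tree = ast.parse(source)
    assigns = _collect_assignments(tree)
    found: list[Misuse] = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _callee_name(node)
        if name is None or not name.endswith(".new") or name.split(".")[0] not in CIPHER_MODULES:
            continue
        kwargs = {kw.arg: kw.value for kw in node.keywords}
        args = node.args
        key = args[0] if args else kwargs.get("key")
        mode = args[1] if len(args) > 1 else kwargs.get("mode")
        iv = args[2] if len(args) > 2 else kwargs.get("iv")
        if key is not None and _resolve_constant(key, assigns, node.lineno) is not None:
            found.append(Misuse("constant-key", node.lineno, name))
        if iv is not None and _resolve_constant(iv, assigns, node.lineno) is not None:
            found.append(Misuse("constant-iv", node.lineno, name))
        if isinstance(mode, ast.Attribute) and mode.attr == "MODE_ECB":
            found.append(Misuse("ecb-mode", node.lineno, name))
    return found


# Constructed sample: two misusing functions and one clean one.
SAMPLE = '''\
from Crypto.Cipher import AES
from Crypto.Random import get_random_bytes

KEY = b"sixteen byte key"

def bad(data):
    iv = b"0000000000000000"
    cipher = AES.new(KEY, AES.MODE_CBC, iv)
    return cipher.encrypt(data)

def worse(data):
    return AES.new(b"0123456789abcdef", AES.MODE_ECB).encrypt(data)

def good(data):
    key = get_random_bytes(16)
    iv = get_random_bytes(16)
    return AES.new(key, AES.MODE_CBC, iv).encrypt(data)
'''

if __name__ == "__main__":
    for m in sorted(find_misuses(SAMPLE), key=lambda m: (m.lineno, m.rule)):
        print(f"line {m.lineno}: {m.rule} in {m.detail}")
```

Running it flags `bad` for a constant key (resolved through the module-level `KEY`) and a constant IV, and `worse` for a constant key and ECB mode, while `good` produces no finding because both arguments resolve to a call rather than a literal. The scope-insensitive resolver is the main place a real tool such as LICMA needs to do more work: a name reused in two functions is resolved purely by line order here.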
Future work:
- apply crypto API misuse detection to other programming languages, such as Rust and Go.
- further develop reusable tooling for AST abstraction and backward analysis.