[Review] Python Crypto Misuses in the Wild

Link here

The paper conducts a study of crypto API misuses in Python. A tool called LICMA is implemented to detect crypto API misuses in Python code.

Several conclusions:

  1. 52.26 % of the Python projects using crypto APIs contain at least one potential misuse.
  2. Only 14.81 % of the projects directly contain a misuse of a crypto API. The rest are introduced through third-party code.
  3. Most Python applications are more secure than C or Java applications, and the distribution of the concrete types of misuses differs a lot.

Background:

There have been some tools to detect crypto API misuses in C and Java, but there is no such tool for Python.

There are some user studies of API misuses in Python, but no empirical analysis.

Implementation:

  1. Apply Babelfish to create a Universal Abstract Syntax Tree (UAST).
  2. Filter the UAST with XPath according to the defined rules, then perform a backward analysis from the matched call sites.

  • Covers 5 different crypto modules: cryptography, M2Crypto, PyCrypto, PyNaCl, ucryptolib.
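To make the "filter, then analyse backwards" pipeline concrete, here is an added example (not LICMA's code and not from the paper) that uses Python's built-in `ast` module in place of the Babelfish UAST and XPath. It checks two illustrative rules on calls to the `cryptography` Cipher API, a key that resolves backwards to a literal constant and use of ECB mode; the rules and the sample input are constructed for this illustration.

```python
import ast

# Constructed sample input (not from the paper): two uses of the
# `cryptography` Cipher API. The first hard-codes the key and picks ECB;
# the second reads the key from the environment and uses CBC with a random IV.
SAMPLE = '''
import os
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
key = b"0123456789abcdef"
bad = Cipher(algorithms.AES(key), modes.ECB())
good_key = os.environ["AES_KEY"]
good = Cipher(algorithms.AES(good_key), modes.CBC(os.urandom(16)))
'''


def _collect_assignments(tree):
    """Map each plain variable name to the last expression assigned to it.
    Straight-line code only: no flow sensitivity, a deliberate simplification."""
    assigns = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    assigns[target.id] = node.value
    return assigns


def _resolve(expr, assigns):
    """Backward-analysis step: follow a variable reference through its
    assignments until something other than a plain name is reached."""
    seen = set()
    while isinstance(expr, ast.Name) and expr.id not in seen:
        seen.add(expr.id)
        expr = assigns.get(expr.id, expr)
    return expr


def find_misuses(source):
    """Return sorted (line, rule) pairs for Cipher(...) calls that pass a
    constant key to the algorithm or select ECB mode."""
    tree = ast.parse(source)
    assigns = _collect_assignments(tree)
    findings = []
    for node in ast.walk(tree):
        # Filtering step (XPath in LICMA): keep only two-argument calls named Cipher.
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "Cipher" and len(node.args) >= 2):
            continue
        algo, mode = node.args[0], node.args[1]
        # Rule 1 (illustrative): the key given to algorithms.X(...) is a literal constant.
        if isinstance(algo, ast.Call) and algo.args:
            if isinstance(_resolve(algo.args[0], assigns), ast.Constant):
                findings.append((node.lineno, "constant key"))
        # Rule 2 (illustrative): the mode object is built from modes.ECB.
        if (isinstance(mode, ast.Call) and isinstance(mode.func, ast.Attribute)
                and mode.func.attr == "ECB"):
            findings.append((node.lineno, "ECB mode"))
    return sorted(findings)


if __name__ == "__main__":
    for line, rule in find_misuses(SAMPLE):
        print(f"line {line}: {rule}")
```

Only the `bad` call on line 5 of the sample is reported; `good` is cleared because its key resolves to a subscript expression rather than a constant and its mode is CBC.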

Future work:

  • Apply crypto API misuse detection to other programming languages, such as Rust and Go.
  • Further develop useful tools for AST abstraction and backward analysis.


https://gax-c.github.io/blog/2023/12/22/32_paper_review_22/

Author: Gax

Posted on: 2023-12-22

Updated on: 2023-12-22
