[Review] Evaluation of Static Vulnerability Detection Tools with Java Cryptographic API Benchmarks

Link here

The paper assesses how well current static vulnerability detection tools handle Java cryptographic API misuse.

Main contributions:

  • provides two benchmarks: CryptoAPI-Bench and ApacheCryptoAPI-Bench.
    • CryptoAPI-Bench consists of 181 test cases covering 16 types of cryptographic and SSL/TLS API misuse vulnerabilities, split into a basic level and an advanced level.
    • ApacheCryptoAPI-Bench documents the API misuse vulnerabilities found in 10 real-world Apache projects. This benchmark is used to check the scalability of a detection tool (its ability to analyze large code bases with low computational overhead).
  • evaluates four static analysis tools on the two proposed benchmarks: two specialized tools (CryptoGuard, CrySL) and two general-purpose tools (SpotBugs, Coverity).

[Review] Automatic Detection of Java Cryptographic API Misuses: Are We There Yet?

Link here

A large-scale study of Java cryptographic API misuse.

Two main contributions are made:

  1. evaluate the effectiveness of existing cryptographic API misuse detection tools.
  2. conduct a study with developers to measure the real-world performance of the detectors.

Introduction:

The APIs studied are the JCA (Java Cryptography Architecture) and the JSSE (Java Secure Socket Extension).

Java cryptographic API misuses are common and can cause serious security problems.

The API-misuse patterns frequently involve 13 Java types.

[Review] A Large-Scale Empirical Analysis of the Vulnerabilities Introduced by Third-Party Components in IoT Firmware

Link here

This paper doesn't propose anything new, but it builds a system called FirmSec that detects the TPCs (third-party components) in firmware at version level and then identifies the corresponding vulnerabilities. FirmSec takes IoT firmware images as input and outputs the vulnerabilities of the TPCs contained in each image.

Their work also creates a database of 34,136 firmware images, the FirmSecDataset.

Implementation:

  • Build the firmware database by gathering firmware images from both public and private sources.

  • Build the TPC database by gathering TPCs and their known vulnerabilities.

  • Take a firmware image as input, extract its features, and determine the TPCs (at version level) it contains.

  • Generate the vulnerability report for the firmware.
