Annual Computer Security Applications Conference (ACSAC) 2022


CryptoGo: Automatic Detection of Go Cryptographic API Misuses

Cryptographic algorithms are essential ingredients of all secure systems. In practice, however, the security guarantees they are expected to provide often fall short because of misuses of cryptographic application programming interfaces (APIs). While many research studies target cryptographic API misuse in Java, C/C++ and Python, the corresponding issues in the Go ecosystem remain unexplored. In this work, we design and implement CryptoGo, a static analysis detector that uses taint analysis to automatically identify cryptographic misuse in large-scale Go cryptographic projects. We derive 12 well-targeted cryptographic rules tightly coupled with the Go cryptographic APIs and, for the first time, propose integrating cryptographic algorithm classification into misuse detection, which yields precise detection of Go cryptographic API misuse and practical guidance for selecting appropriate cryptographic algorithms. We build five kinds of specialized taint analyzers that perform backward or forward taint tracking on the APIs and their arguments in the intermediate representation of the Go source code. Running CryptoGo on 120 open-source Go cryptographic projects from GitHub, we found that 84.17% of them contain at least one cryptographic misuse; detection takes only 86.27 milliseconds per thousand lines of code on average. Our findings highlight the poor implementation and weak protection in current Go cryptographic projects.
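As an added illustration of the backward argument tracking the abstract describes (example code written for this page, not CryptoGo's own implementation; a hard-coded AES key is assumed here as an illustrative rule, not one of the paper's 12), the following minimal go/ast scanner follows the key argument of aes.NewCipher back through one assignment to a literal and reports the offending line.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// Constructed sample: one key built from a literal, one supplied by the caller.
const sample = "package p\nimport \"crypto/aes\"\nfunc enc(userKey []byte) {\n\tkey := []byte(\"0123456789abcdef\")\n\taes.NewCipher(key)\n\taes.NewCipher(userKey)\n}\n"

// isConstant is the backward step: a literal, []byte(literal), or a variable assigned one.
func isConstant(e ast.Expr, defs map[string]ast.Expr) bool {
	switch v := e.(type) {
	case *ast.BasicLit:
		return true
	case *ast.Ident:
		d, ok := defs[v.Name]
		return ok && d != e && isConstant(d, defs) // d != e stops a k = k self-assignment loop
	case *ast.CallExpr: // []byte("...") parses as a call whose Fun is an ArrayType
		_, conv := v.Fun.(*ast.ArrayType)
		return conv && len(v.Args) == 1 && isConstant(v.Args[0], defs)
	}
	return false
}

// Scan returns the line of each aes.NewCipher call whose key traces back to a literal (assumes the import name "aes" and single-value assignments that precede use).
func Scan(src string) (lines []int, err error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	defs := map[string]ast.Expr{} // variable name -> right-hand side of its last assignment
	ast.Inspect(f, func(n ast.Node) bool {
		if a, ok := n.(*ast.AssignStmt); ok && len(a.Lhs) == 1 && len(a.Rhs) == 1 {
			if id, ok := a.Lhs[0].(*ast.Ident); ok {
				defs[id.Name] = a.Rhs[0]
			}
		} else if c, ok := n.(*ast.CallExpr); ok && len(c.Args) == 1 && types.ExprString(c.Fun) == "aes.NewCipher" && isConstant(c.Args[0], defs) {
			lines = append(lines, fset.Position(c.Pos()).Line)
		}
		return true
	})
	return lines, nil
}

func main() { fmt.Println(Scan(sample)) } // prints [5] <nil>
```

A real detector works on SSA rather than the syntax tree and must also follow values across calls and aliased imports; this scanner only shows the shape of the backward check.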

Wenqing Li
The Institute of Information Engineering, Chinese Academy of Sciences.

Shijie Jia
The Institute of Information Engineering, Chinese Academy of Sciences.

Limin Liu
The Institute of Information Engineering, Chinese Academy of Sciences.

Fangyu Zheng
The Institute of Information Engineering, Chinese Academy of Sciences.

Yuan Ma
The Institute of Information Engineering, Chinese Academy of Sciences.

Jingqiang Lin
School of Cyber Security, University of Science and Technology of China.

Paper (ACM DL)

Slides
