{"title":"主题演讲#1:Cryscanner:查找加密库误用","authors":"S. Guilley","doi":"10.1109/NICS54270.2021.9701578","DOIUrl":null,"url":null,"abstract":"Cryptographic libraries have become an integral part of every digital device. Studies have shown that these systems are not only vulnerable due to bugs in cryptographic libraries, but also due to misuse of these libraries. In this paper, we focus on vulnerabilities introduced by the application developer. We performed a survey on the potential misuse of well-known libraries such as PKCS #11. We introduce a generic tool CRYScanner, which is designed to identify such misuses during and post development. It works on the similar philosophy of an intrusion detection system for an internal network. The tool provides verification functions needed to check the safety of code, such as detecting incorrect call flow and input parameters. We performed a feature-wise comparison with the existing state of the art solutions. Our tool aimed to add more features, keeping all the capabilities of both static and dynamic analysis. We also show the detection of potential vulnerabilities in the several sample codes found online.","PeriodicalId":296963,"journal":{"name":"2021 8th NAFOSTED Conference on Information and Computer Science (NICS)","volume":"2016 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-12-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Keynote Talk #1 : Cryscanner: Finding Cryptographic Libraries Misuse\",\"authors\":\"S. Guilley\",\"doi\":\"10.1109/NICS54270.2021.9701578\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Cryptographic libraries have become an integral part of every digital device. Studies have shown that these systems are not only vulnerable due to bugs in cryptographic libraries, but also due to misuse of these libraries. In this paper, we focus on vulnerabilities introduced by the application developer. We performed a survey on the potential misuse of well-known libraries such as PKCS #11. We introduce a generic tool CRYScanner, which is designed to identify such misuses during and post development. It works on the similar philosophy of an intrusion detection system for an internal network. The tool provides verification functions needed to check the safety of code, such as detecting incorrect call flow and input parameters. We performed a feature-wise comparison with the existing state of the art solutions. Our tool aimed to add more features, keeping all the capabilities of both static and dynamic analysis. We also show the detection of potential vulnerabilities in the several sample codes found online.\",\"PeriodicalId\":296963,\"journal\":{\"name\":\"2021 8th NAFOSTED Conference on Information and Computer Science (NICS)\",\"volume\":\"2016 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2021-12-21\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2021 8th NAFOSTED Conference on Information and Computer Science (NICS)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/NICS54270.2021.9701578\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2021 8th NAFOSTED Conference on Information and Computer Science (NICS)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/NICS54270.2021.9701578","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Cryptographic libraries have become an integral part of every digital device. Studies have shown that these systems are not only vulnerable due to bugs in cryptographic libraries, but also due to misuse of these libraries. In this paper, we focus on vulnerabilities introduced by the application developer. We performed a survey on the potential misuse of well-known libraries such as PKCS #11. We introduce a generic tool CRYScanner, which is designed to identify such misuses during and post development. It works on the similar philosophy of an intrusion detection system for an internal network. The tool provides verification functions needed to check the safety of code, such as detecting incorrect call flow and input parameters. We performed a feature-wise comparison with the existing state of the art solutions. Our tool aimed to add more features, keeping all the capabilities of both static and dynamic analysis. We also show the detection of potential vulnerabilities in the several sample codes found online.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
