Industrial Experience of Finding Cryptographic Vulnerabilities in Large-scale Codebases

Industrial Experience of Finding Cryptographic Vulnerabilities in Large-scale Codebases

Ya Xiao, Yang Zhao, Nicholas Allen, Danfeng Yao, Cristina Cifuentes

28 February 2022

Enterprise environment often screens large-scale (millions of lines of code) codebases with static analysis tools to find bugs and vulnerabilities. Parfait is a static code analysis tool used in Oracle to find security vulnerabilities in industrial codebases. Recently, many studies show that there are complicated cryptographic vulnerabilities caused by misusing cryptographic APIs in JavaTM1 . In this paper, we describe how we realize a precise and scalable detection of these complicated cryptographic vulnerabilities based on Parfait framework. The key challenge in the detection of cryptographic vulnerabilities is the high false alarm rate caused by pseudo-influences. Pseudo-influences happen if security-irrelevant constants are used in constructing security-critical values. Static analysis is usually unable to distinguish them from hard-coded constants that expose sensitive information. We tackle this problem by specializing the backward dataflow analysis used in Parfait with refinement insights, an idea from the tool CryptoGuard [20]. We evaluate our analyzer on a comprehensive Java cryptographic vulnerability benchmark and eleven large real-world applications. The results show that the Parfait-based cryptographic vulnerability detector can find real-world cryptographic vulnerabilities in large-scale codebases with high true-positive rates and low runtime cost.


Venue : The Journal of ACM Digital Threats: Research and Practice (DTRAP) https://dl.acm.org/journal/dtrap

File Name : Parfait_crypto_detection_v5.pdf