Industrial Experience of Finding Cryptographic Vulnerabilities in Large-scale Codebases

Ya Xiao, Yang Zhao, Nicholas Allen, Danfeng Yao, Cristina Cifuentes

09 July 2020

Enterprise environments need to screen large-scale codebases (millions of lines of code) for vulnerabilities, which places high demands on the precision and scalability of a static analysis tool. At Oracle, Parfait is one such bug checker, providing precise and scalable results, including inter-procedural analyses. CryptoGuard is a precise static analyzer, built on Soot, for detecting cryptographic vulnerabilities in Java code. In this paper, we describe how we integrated CryptoGuard into Parfait by changing the intermediate representation and relying on Parfait's demand-driven IFDS framework, resulting in a precise and scalable tool for cryptographic vulnerability detection. We evaluate our tool on several large real-world applications and on CryptoAPI-Bench, a comprehensive Java cryptographic vulnerability benchmark. Initial results show that the new cryptographic vulnerability detection in Parfait finds real-world cryptographic vulnerabilities in large-scale codebases with few false positives and low runtime.
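As an added illustration, not code from the paper or from CryptoGuard or Parfait, the following Java shows the kind of cryptographic API misuse that Java crypto checkers of this type are built to flag: a method that encrypts with a hard-coded key and a constant (all-zero) IV in CBC mode, beside a hardened version that generates the key with KeyGenerator and uses AES-GCM with a fresh random nonce prepended to the ciphertext. The class and method names are mine; the abstract does not list which misuse classes the integrated tool reports, so treat the two patterns as representative rather than as the tool's rule set.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Illustrative example (names are hypothetical), not from CryptoGuard or Parfait.
public class CryptoMisuseExample {

    // INSECURE: the key is a compile-time constant, the IV is a constant, and
    // CBC provides no integrity. Anyone with the binary recovers the key, and
    // identical plaintexts always produce identical ciphertexts.
    static byte[] encryptInsecure(byte[] plaintext) throws Exception {
        byte[] key = "0123456789abcdef".getBytes(StandardCharsets.UTF_8); // hard-coded key
        byte[] iv = new byte[16];                                         // constant all-zero IV
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        return c.doFinal(plaintext);
    }

    // HARDENED: key comes from a CSPRNG-backed generator, never from source code.
    static SecretKey newKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // HARDENED: AES-GCM (authenticated) with a fresh 96-bit nonce per call;
    // the nonce is prepended so the receiver can recover it.
    static byte[] encryptSecure(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Splits off the nonce and decrypts; doFinal throws AEADBadTagException on tampering.
    static byte[] decryptSecure(SecretKey key, byte[] in) throws Exception {
        byte[] nonce = Arrays.copyOfRange(in, 0, 12);
        byte[] ct = Arrays.copyOfRange(in, 12, in.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "attack at dawn".getBytes(StandardCharsets.UTF_8);

        // The insecure variant is deterministic: two encryptions of the same
        // message are byte-for-byte identical, which leaks message equality.
        System.out.println("insecure ciphertexts equal: "
                + Arrays.equals(encryptInsecure(msg), encryptInsecure(msg)));

        // The hardened variant randomizes each ciphertext and still round-trips.
        SecretKey k = newKey();
        byte[] ct1 = encryptSecure(k, msg);
        byte[] ct2 = encryptSecure(k, msg);
        System.out.println("secure ciphertexts equal: " + Arrays.equals(ct1, ct2));
        System.out.println("secure round-trip ok: " + Arrays.equals(decryptSecure(k, ct1), msg));
    }
}
```

The insecure method is what a backward dataflow from the SecretKeySpec and IvParameterSpec constructor arguments resolves to constants; the hardened method's arguments trace back to KeyGenerator and SecureRandom instead, which is the distinction a precise checker needs to make without raising a false positive. JDKs older than 8u161 require the unlimited crypto policy for the 256-bit key; on current JDKs it runs as-is.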


Venue: https://arxiv.org/