CryptoGuard: High Precision Detection of Cryptographic Vulnerabilities in Massive-sized Java Projects
Sazzadur Rahaman, Ya Xiao, Sharmin Afrose, Fahad Shaon, Ke Tian, Miles Frantz, Danfeng (Daphne) Yao, Murat Kantarcioglu

TL;DR
CryptoGuard is a highly accurate and scalable tool that detects cryptographic API misuses in large Java projects, significantly reducing false positives and improving software security insights.
Contribution
The paper introduces fast, language-specific slicing algorithms that greatly enhance the precision and scalability of cryptographic vulnerability detection in massive Java codebases.
Findings
Reduced false alerts by 76% to 80% in experiments
Achieved 98.61% precision in manual analysis of alerts
Enabled security improvements in major Apache projects
Abstract
Cryptographic API misuses, such as exposed secrets, predictable random numbers, and vulnerable certificate verification, seriously threaten software security. The vision of automatically screening cryptographic API calls in massive-sized (e.g., millions of LoC) Java programs is not new. However, hindered by the practical difficulty of reducing false positives without compromising analysis quality, this goal has not been accomplished. State-of-the-art crypto API screening solutions are not designed to operate on a large scale. Our technical innovation is a set of fast and highly accurate slicing algorithms. Our algorithms refine program slices by identifying language-specific irrelevant elements. The refinements reduce false alerts by 76% to 80% in our experiments. Running our tool, CryptoGuard, on 46 high-impact large-scale Apache projects and 6,181 Android apps generates many security…
Taxonomy
Topics
Advanced Malware Detection Techniques · Software Testing and Debugging Techniques · Software Engineering Research
