ChatGPT's Potential in Cryptography Misuse Detection: A Comparative Analysis with Static Analysis Tools

TL;DR

This paper evaluates ChatGPT's ability to detect cryptography API misuses and finds it can outperform traditional static analysis tools with proper prompt engineering, offering a promising new approach for developers.

Contribution

It demonstrates that ChatGPT, with prompt engineering, can effectively detect cryptography misuses, surpassing existing static analysis tools in performance.

Findings

ChatGPT effectively detects cryptography misuses.

Prompt engineering enhances ChatGPT's detection performance.

ChatGPT can outperform static analysis tools in this task.

Abstract

The correct adoption of cryptography APIs is challenging for mainstream developers, often resulting in widespread API misuse. Meanwhile, cryptography misuse detectors have demonstrated inconsistent performance and remain largely inaccessible to most developers. We investigated the extent to which ChatGPT can detect cryptography misuses and compared its performance with that of the state-of-the-art static analysis tools. Our investigation, mainly based on the CryptoAPI-Bench benchmark, demonstrated that ChatGPT is effective in identifying cryptography API misuses, and with the use of prompt engineering, it can even outperform leading static cryptography misuse detectors.