A Toolchain for Assisting Migration of Software Executables Towards Post-Quantum Cryptography

TL;DR

This paper introduces QED, a toolchain designed to automatically detect quantum-vulnerable software executables, facilitating the transition to post-quantum cryptography with high accuracy and efficiency.

Contribution

The paper presents QED, the first semi-automatic toolchain for identifying quantum-vulnerable executables, addressing a critical gap in post-quantum cryptography migration support.

Findings

QED achieves 100% accuracy on synthetic datasets.

QED analyzes executables in less than 4 seconds on average.

QED reduces manual analysis workload by over 90%.

Abstract

Quantum computing poses a significant global threat to today's security mechanisms. As a result, security experts and public sectors have issued guidelines to help organizations migrate their software to post-quantum cryptography (PQC). Despite these efforts, there is a lack of (semi-)automatic tools to support this transition especially when software is used and deployed as binary executables. To address this gap, in this work, we first propose a set of requirements necessary for a tool to detect quantum-vulnerable software executables. Following these requirements, we introduce QED: a toolchain for Quantum-vulnerable Executable Detection. QED uses a three-phase approach to identify quantum-vulnerable dependencies in a given set of executables, from file-level to API-level, and finally, precise identification of a static trace that triggers a quantum-vulnerable API. We evaluate QED on both a synthetic dataset with four cryptography libraries and a real-world dataset with over 200 software executables. The results demonstrate that: (1) QED discerns quantum-vulnerable from quantum-safe executables with 100% accuracy in the synthetic dataset; (2) QED is practical and scalable, completing analyses on average in less than 4 seconds per real-world executable; and (3) QED reduces the manual workload required by analysts to identify quantum-vulnerable executables in the real-world dataset by more than 90%. We hope that QED can become a crucial tool to facilitate the transition to PQC, particularly for small and medium-sized businesses with limited resources.