Evaluating Cryptographic API Misuse Detectors for Go
Vivi Andersson, Martin Monperrus

TL;DR
This paper conducts the first comprehensive evaluation of cryptographic API misuse detectors in Go, analyzing 4 tools across 328 projects and identifying over 7,400 misuses to inform security practices.
Contribution
It introduces a taxonomy of misuse classes, compares tool effectiveness, and provides insights into misuse prevalence in Go security-critical software.
Findings
Identified 7,473 cryptographic API misuses in open-source Go projects.
Compared 4 misuse detection tools and revealed coverage gaps.
Provided practical recommendations for security engineers.
Abstract
Cryptographic API misuse represents a critical vulnerability class that undermines the security foundations of modern software. Yet, it remains largely unexplored in Go despite its dominance in security-critical infrastructure. This paper presents the first comprehensive study of cryptographic API misuse detection in Go, identifying and analyzing 4 state-of-the-art tools (CodeQL, Gopher, Gosec, and Snyk Code) and establishing a consolidated taxonomy of 14 relevant misuse classes. Through an experimental evaluation of 328 security-critical open-source Go projects, we discovered 7,473 cryptographic API misuses, providing insights into the prevalence and distribution of these vulnerabilities. Our systematic comparison reveals significant variations in misuse coverage, with immediate practical implications for security engineers and long-term implications for research in this domain.
