Skip to main content
SpringerLink
Log in

Analysis of Cryptographic CVEs: Lessons Learned and Perspectives

  • Conference paper
  • First Online:
Foundations and Practice of Security (FPS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14551))

Included in the following conference series:

  • 65 Accesses

Abstract

Cryptographic vulnerabilities can have a particularly far-reaching impact due to the ubiquity of cryptographic software. In this paper, we describe 30 cryptographic vulnerabilities, classify them according to a taxonomy published in previous work, and compile useful information about this class of vulnerabilities. After discovering that many cryptographic vulnerabilities are caused by the use of functions that are known to be insecure, we investigate the efficacy of a straightforward lexical checker to warn programmers of the most typical errors.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 59.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 79.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    https://github.com/RaphaelKhoury/CryptographicVulnerabilities.

  2. 2.

    Low=.35, med=.61. high=.71.

  3. 3.

    https://www.cisa.gov/known-exploited-vulnerabilities-catalog.

  4. 4.

    https://www.exploit-db.com/.

  5. 5.

    https://viz.greynoise.io/.

  6. 6.

    https://github.com/RaphaelKhoury/VCG-config-files.

References

  1. How to ensure javascript code quality. deepscan. https://deepscan.io/

  2. Welcome to bandit - bandit documentation. https://bandit.readthedocs.io/en/latest/

  3. Blessing, J., Specter, M.A., Weitzner, D.J.: You really shouldn’t roll your own crypto: An empirical study of vulnerabilities in cryptographic libraries. arXiv preprint arXiv:2107.04940 (2021)

  4. Blochberger, M., Petersen, T., Federrath, H.: Mitigating cryptographic mistakes by design. Mensch und Computer 2019-Workshopband (2019)

    Google Scholar 

  5. Checkoway, S., Maskiewicz, J., Garman, C., Fried, J., Cohney, S., Green, M., Heninger, N., Weinmann, R.P., Rescorla, E., Shacham, H.: A systematic analysis of the juniper dual ec incident. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 468-479. Association for Computing Machinery, New York(2016). https://doi.org/10.1145/2976749.2978395, https://doi.org/10.1145/2976749.2978395

  6. Durumeric, Z., et al.: The matter of heartbleed. In: Proceedings of the 2014 Conference on Internet Measurement Conference, pp. 475–488 (2014)

    Google Scholar 

  7. Fischer, F., et al.: Stack overflow considered harmful? the impact of copy &paste on android application security. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 121–136 (2017). https://doi.org/10.1109/SP.2017.31

  8. Honnef, D.: staticcheck-action: Staticcheck’s official github. https://github.com/dominikh/staticcheck-action

  9. Jacobs, J., Romanosky, S., Adjerid, I., Baker, W.: Improving vulnerability remediation through better exploit prediction. J. Cybersec. 6(1) (2020). https://doi.org/10.1093/cybsec/tyaa015

  10. ) Khoury, R., Vignau, B., Hallé, S., Hamou-Lhadj, A., Razgallah, A.: An analysis of the use of CVEs by IoT malware. In: 13th International Symposium -Foundations and Practice of Security, FPS 2020, Montreal, Canada, 1-3 Dec, pp. 47–62 (2020). https://doi.org/10.1007/978-3-030-70881-8_4

  11. Krüger, S., Späth, J., Ali, K., Bodden, E., Mezini, M.: Crysl: an extensible approach to validating the correct usage of cryptographic APIs. IEEE Trans. Software Eng. 47(11), 2382–2400 (2021). https://doi.org/10.1109/TSE.2019.2948910

    Article  Google Scholar 

  12. Nccgroup: Nccgroup/vcg: Visualcodegrepper - code security scanning tool. https://github.com/nccgroup/VCG

  13. Piccolboni, L., Guglielmo, G.D., Carloni, L.P., Sethumadhavan, S.: Crylogger: detecting crypto misuses dynamically. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 1972–1989 (2021). https://doi.org/10.1109/SP40001.2021.00010

  14. Rahaman, S., et al.: Cryptoguard: high precision detection of cryptographic vulnerabilities in massive-sized java projects. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, pp. 2455-2472. Association for Computing Machinery, New York (2019). https://doi.org/10.1145/3319535.3345659, https://doi.org/10.1145/3319535.3345659

  15. Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proc. IEEE 63(9), 1278–1308 (1975)

    Article  Google Scholar 

  16. Torres, A., et al.: Runtime verification of crypto apis: an empirical study. IEEE Trans. Softw. Eng. 1–16 (2023). https://doi.org/10.1109/TSE.2023.3301660

Download references

Author information

Authors and Affiliations

  1. Université du Québec en Outaouais, Gatineau, QC, Canada

    Raphaël Khoury, Jérémy Bolduc, Jason Lafrenière-Nickopoulos & Abdel-Gany Odedele

Authors
  1. Raphaël Khoury
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jérémy Bolduc
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Jason Lafrenière-Nickopoulos
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Abdel-Gany Odedele
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Raphaël Khoury .

Editor information

Editors and Affiliations

  1. University of Bordeaux, Bordeaux, France

    Mohamed Mosbah

  2. Toulouse III - Paul Sabatier University, Toulouse, France

    Florence Sèdes

  3. Université Laval, Québec, QC, Canada

    Nadia Tawbi

  4. University of Bordeaux, Bordeaux, France

    Toufik Ahmed

  5. Polytechnique Montréal, Montreal, QC, Canada

    Nora Boulahia-Cuppens

  6. Telecom SudParis, Palaiseau, France

    Joaquin Garcia-Alfaro

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Khoury, R., Bolduc, J., Lafrenière-Nickopoulos, J., Odedele, AG. (2024). Analysis of Cryptographic CVEs: Lessons Learned and Perspectives. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14551. Springer, Cham. https://doi.org/10.1007/978-3-031-57537-2_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-57537-2_13

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-57536-5

  • Online ISBN: 978-3-031-57537-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation