Abstract
Cryptographic vulnerabilities can have a particularly far-reaching impact due to the ubiquity of cryptographic software. In this paper, we describe 30 cryptographic vulnerabilities, classify them according to a taxonomy published in previous work, and compile useful information about this class of vulnerabilities. After discovering that many cryptographic vulnerabilities are caused by the use of functions that are known to be insecure, we investigate the efficacy of a straightforward lexical checker to warn programmers of the most typical errors.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
How to ensure javascript code quality. deepscan. https://deepscan.io/
Welcome to bandit - bandit documentation. https://bandit.readthedocs.io/en/latest/
Blessing, J., Specter, M.A., Weitzner, D.J.: You really shouldn’t roll your own crypto: An empirical study of vulnerabilities in cryptographic libraries. arXiv preprint arXiv:2107.04940 (2021)
Blochberger, M., Petersen, T., Federrath, H.: Mitigating cryptographic mistakes by design. Mensch und Computer 2019-Workshopband (2019)
Checkoway, S., Maskiewicz, J., Garman, C., Fried, J., Cohney, S., Green, M., Heninger, N., Weinmann, R.P., Rescorla, E., Shacham, H.: A systematic analysis of the juniper dual ec incident. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS 2016, pp. 468-479. Association for Computing Machinery, New York(2016). https://doi.org/10.1145/2976749.2978395, https://doi.org/10.1145/2976749.2978395
Durumeric, Z., et al.: The matter of heartbleed. In: Proceedings of the 2014 Conference on Internet Measurement Conference, pp. 475–488 (2014)
Fischer, F., et al.: Stack overflow considered harmful? the impact of copy &paste on android application security. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 121–136 (2017). https://doi.org/10.1109/SP.2017.31
Honnef, D.: staticcheck-action: Staticcheck’s official github. https://github.com/dominikh/staticcheck-action
Jacobs, J., Romanosky, S., Adjerid, I., Baker, W.: Improving vulnerability remediation through better exploit prediction. J. Cybersec. 6(1) (2020). https://doi.org/10.1093/cybsec/tyaa015
) Khoury, R., Vignau, B., Hallé, S., Hamou-Lhadj, A., Razgallah, A.: An analysis of the use of CVEs by IoT malware. In: 13th International Symposium -Foundations and Practice of Security, FPS 2020, Montreal, Canada, 1-3 Dec, pp. 47–62 (2020). https://doi.org/10.1007/978-3-030-70881-8_4
Krüger, S., Späth, J., Ali, K., Bodden, E., Mezini, M.: Crysl: an extensible approach to validating the correct usage of cryptographic APIs. IEEE Trans. Software Eng. 47(11), 2382–2400 (2021). https://doi.org/10.1109/TSE.2019.2948910
Nccgroup: Nccgroup/vcg: Visualcodegrepper - code security scanning tool. https://github.com/nccgroup/VCG
Piccolboni, L., Guglielmo, G.D., Carloni, L.P., Sethumadhavan, S.: Crylogger: detecting crypto misuses dynamically. In: 2021 IEEE Symposium on Security and Privacy (SP), pp. 1972–1989 (2021). https://doi.org/10.1109/SP40001.2021.00010
Rahaman, S., et al.: Cryptoguard: high precision detection of cryptographic vulnerabilities in massive-sized java projects. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS 2019, pp. 2455-2472. Association for Computing Machinery, New York (2019). https://doi.org/10.1145/3319535.3345659, https://doi.org/10.1145/3319535.3345659
Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proc. IEEE 63(9), 1278–1308 (1975)
Torres, A., et al.: Runtime verification of crypto apis: an empirical study. IEEE Trans. Softw. Eng. 1–16 (2023). https://doi.org/10.1109/TSE.2023.3301660
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Khoury, R., Bolduc, J., Lafrenière-Nickopoulos, J., Odedele, AG. (2024). Analysis of Cryptographic CVEs: Lessons Learned and Perspectives. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14551. Springer, Cham. https://doi.org/10.1007/978-3-031-57537-2_13
Download citation
DOI: https://doi.org/10.1007/978-3-031-57537-2_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57536-5
Online ISBN: 978-3-031-57537-2
eBook Packages: Computer ScienceComputer Science (R0)