LICMA's Analysis of Crypto API Misuses in Python Apps: Findings and Future Directions

6 May 2024

Authors:

(1) Anna-Katharina Wickert, Technische Universität Darmstadt, Darmstadt, Germany (wickert@cs.tu-darmstadt.de);

(2) Lars Baumgärtner, Technische Universität Darmstadt, Darmstadt, Germany (baumgaertner@cs.tu-darmstadt.de);

(3) Florian Breitfelder, Technische Universität Darmstadt, Darmstadt, Germany (florian.breitfelder@tu-darmstadt.de);

(4) Mira Mezini, Technische Universität Darmstadt, Darmstadt, Germany (mezini@cs.tu-darmstadt.de).

Abstract and 1 Introduction

2 Background

3 Design and Implementation of Licma and 3.1 Design

3.2 Implementation

4 Methodology and 4.1 Searching and Downloading Python Apps

4.2 Comparison with Previous Studies

5 Evaluation and 5.1 GitHub Python Projects

5.2 MicroPython

6 Comparison with previous studies

7 Threats to Validity

8 Related Work

9 Conclusion, Acknowledgments, and References

9 CONCLUSION

In this paper, we presented the first empirical study of crypto misuses in Python. To conduct the study, we implemented the first multi-language analysis tool for crypto misuses, with rules to detect common misuses of five different Python libraries as well as the standard Java library. We analyzed 895 popular Python apps from GitHub and 51 MicroPython projects to identify misuses. Our analysis revealed that 52.26 % of the projects using a crypto API misuse the respective library. Furthermore, we observed that only 7 % of the 1,501 misuses are within the application code itself; the rest are in shipped dependencies. The analysis of embedded applications written in MicroPython revealed the importance of hybrid analysis, as the only crypto calls were in C code that was shipped with the projects.
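As an added illustration (not LICMA's code; the three rules and the path heuristic are constructed assumptions, not LICMA's rule set), the following shows how a rule-based detector of the kind described above can flag common Python crypto misuses with the standard `ast` module and separate application code from shipped dependencies by path:

```python
import ast
from typing import List, Tuple

# Constructed sample "app" source using PyCryptodome-style calls (not from the paper).
SAMPLE_SOURCE = '''
from Crypto.Cipher import AES
import hashlib
KEY = b"0123456789abcdef"
def encrypt(data):
    cipher = AES.new(KEY, AES.MODE_ECB)   # constant key + ECB mode
    return cipher.encrypt(data)
def digest(data):
    return hashlib.md5(data).hexdigest()  # weak hash
'''

WEAK_HASHES = {"md5", "sha1"}  # illustrative rule, assumption

def _call_name(node: ast.Call) -> str:
    """Return the dotted callee name, e.g. 'AES.new' or 'hashlib.md5'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def find_misuses(source: str) -> List[Tuple[int, str]]:
    """Return sorted (line, rule) pairs for the illustrative rules."""
    tree = ast.parse(source)
    # Module-level names bound to a literal count as constant key material.
    constants = {t.id for n in tree.body if isinstance(n, ast.Assign)
                 and isinstance(n.value, ast.Constant)
                 for t in n.targets if isinstance(t, ast.Name)}
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name.startswith("hashlib.") and name.split(".")[-1] in WEAK_HASHES:
            hits.append((node.lineno, "weak-hash"))
        if name.endswith(".new") and node.args:  # cipher constructor pattern
            key = node.args[0]
            if isinstance(key, ast.Constant) or (isinstance(key, ast.Name) and key.id in constants):
                hits.append((node.lineno, "constant-key"))
            if any(isinstance(a, ast.Attribute) and a.attr == "MODE_ECB" for a in node.args[1:]):
                hits.append((node.lineno, "ecb-mode"))
    return sorted(hits)

def is_application_code(path: str) -> bool:
    """Heuristic (assumption): vendored or site-packages paths are dependencies."""
    return not any(m in path for m in ("site-packages", "/vendor/", "/third_party/"))
```

Counting only hits where `is_application_code(path)` holds reproduces the application-code vs. dependency split the study reports on.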

To get an impression of the differences between the domains and languages analyzed in previous studies, we compared our results against the misuses reported for Android apps [4] and C firmware images [13]. Our comparison confirms the impression that an opinionated API design actually helps developers avoid misuses.

While we concentrated on the impact of a user-friendly API design for Python, future work can verify whether these results generalize to other languages, such as Rust and Go, by extending LICMA with new languages. Further, it may be interesting to extend the currently implemented rules in LICMA by an in-depth analysis of misuses of Python crypto APIs.

ACKNOWLEDGMENTS

This research work has been co-funded by the Deutsche Forschungsgemeinschaft (DFG) – SFB 1119 CROSSING (236615297) and SFB 1053 MAKI (210487104), by the German Federal Ministry of Education and Research and the Hessen State Ministry for Higher Education, Research and the Arts within their joint support of the National Research Center for Applied Cybersecurity ATHENE, and by the LOEWE initiative (Hesse, Germany) within the emergenCITY center.

REFERENCES

[1] Yasemin Acar, Michael Backes, Sascha Fahl, Simson Garfinkel, Doowon Kim, Michelle L. Mazurek, and Christian Stransky. 2017. Comparing the Usability of Cryptographic APIs. In IEEE Symposium on Security and Privacy (SP). IEEE, 154–171.

[2] Yasemin Acar, Christian Stransky, Dominik Wermke, Michelle L. Mazurek, and Sascha Fahl. 2017. Security Developer Studies with GitHub Users: Exploring a Convenience Sample. In Symposium on Usable Privacy and Security (SOUPS). 81–95.

[3] Alexia Chatzikonstantinou, Christoforos Ntantogian, Georgios Karopoulos, and Christos Xenakis. 2016. Evaluation of Cryptography Usage in Android Applications. In EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS). 83–90.

[4] Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. 2013. An Empirical Study of Cryptographic Misuse in Android Applications. In ACM SIGSAC Conference on Computer & Communications Security (CCS), Ahmad-Reza Sadeghi, Virgil Gligor, and Moti Yung (Eds.). ACM, 73–84.

[5] Pietro Ferrara, Amit Kr Mandal, Agostino Cortesi, and Fausto Spoto. 2019. Cross-programming Language Taint Analysis for the IoT Ecosystem. Electronic Communications of the EASST 77 (2019).

[6] Mohammadreza Hazhirpasand, Mohammad Ghafari, and Oscar Nierstrasz. 2020. Java Cryptography Uses in the Wild. In ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM). ACM, Article 40.

[7] Christopher Kane, Bo Lin, Saksham Chand, and Yanhong A. Liu. 2018. High-level Cryptographic Abstractions. CoRR abs/1810.09065 (2018). arXiv:1810.09065 http://arxiv.org/abs/1810.09065

[8] Stefan Krüger, Johannes Späth, Karim Ali, Eric Bodden, and Mira Mezini. 2018. CrySL: An Extensible Approach to Validating the Correct Usage of Cryptographic APIs. In European Conference on Object-Oriented Programming (ECOOP) (Leibniz International Proceedings in Informatics (LIPIcs)), Vol. 109. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl, Germany, 10:1–10:27.

[9] David Lazar, Haogang Chen, Xi Wang, and Nickolai Zeldovich. 2014. Why Does Cryptographic Software Fail? A Case Study and Open Problems. In Asia-Pacific Workshop on Systems. 1–7.

[10] Zaigham Mushtaq, Ghulam Rasool, and Balawal Shehzad. 2017. Multilingual Source Code Analysis: A Systematic Literature Review. IEEE Access 5 (2017), 11307–11336.

[11] Sarah Nadi, Stefan Krüger, Mira Mezini, and Eric Bodden. 2016. Jumping Through Hoops: Why Do Java Developers Struggle with Cryptography APIs? In International Conference on Software Engineering (ICSE). 935–946.

[12] Sazzadur Rahaman, Ya Xiao, Sharmin Afrose, Fahad Shaon, Ke Tian, Miles Frantz, Murat Kantarcioglu, and Danfeng Yao. 2019. CryptoGuard: High Precision Detection of Cryptographic Vulnerabilities in Massive-sized Java Projects. In ACM SIGSAC Conference on Computer and Communications Security (CCS). 2455–2472.

[13] Li Zhang, Jiongyi Chen, Wenrui Diao, Shanqing Guo, Jian Weng, and Kehuan Zhang. 2019. CryptoREX: Large-scale Analysis of Cryptographic Misuse in IoT Devices. In International Symposium on Research in Attacks, Intrusions and Defenses (RAID). USENIX Association, 151–164.

This paper is available on arXiv under the CC BY 4.0 DEED license.