Understanding Crypto API Misuse Patterns: A Comparative Study of Python, Java, and C/C++ Results by @cryptosovereignty



Too Long; Didn't Read

A meta-analysis compares crypto misuse patterns in Python, Java, and C/C++ based on studies like CryptoLint and CryptoREX, focusing on API impact and programming language trends. Results reveal insights into security vulnerabilities across different languages.

Authors:

(1) Anna-Katharina Wickert, Technische Universität Darmstadt, Darmstadt, Germany ([email protected]);

(2) Lars Baumgärtner, Technische Universität Darmstadt, Darmstadt, Germany ([email protected]);

(3) Florian Breitfelder, Technische Universität Darmstadt, Darmstadt, Germany ([email protected]);

(4) Mira Mezini, Technische Universität Darmstadt, Darmstadt, Germany ([email protected]).

Abstract and 1 Introduction

2 Background

3 Design and Implementation of Licma and 3.1 Design

3.2 Implementation

4 Methodology and 4.1 Searching and Downloading Python Apps

4.2 Comparison with Previous Studies

5 Evaluation and 5.1 GitHub Python Projects

5.2 MicroPython

6 Comparison with previous studies

7 Threats to Validity

8 Related Work

9 Conclusion, Acknowledgments, and References

4.2 Comparison with Previous Studies

To understand how crypto misuses of rules §1 to §6 (cf. Table 1) in Python differ from those reported by previous studies of Java, with the analysis CryptoLint [4], and of C/C++, with the analysis CryptoREX [13], we compared the reported results. As we concentrate on the same rule set, only a few adjustments are needed to compare the results. First, for our meta-analysis we exclude §6, since the 5 analyzed Python modules avoid this misuse by design. Second, we merge the results for §1 of Egele et al. [4], as they split their result into two cases: the explicit use of the block mode ECB on one side, and the implicit use of this block mode due to the API design on the other. Third, due to the design of our analysis, we consider only definite findings; CryptoLint and CryptoREX do not distinguish between potential misuses and definite ones. Fourth, to enable a fair comparison, we compare only percentages rather than absolute numbers, as we are interested in the general distribution and in the influence of API design on crypto misuses. We choose to compare the studies on the percentage of applications that use crypto and have at least one misuse of the respective rule, the metric introduced by Egele et al. [4]. Unfortunately, Zhang et al. [13] only report details for the successfully unpacked firmware images before filtering for crypto usages.
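The four adjustments above amount to a small normalisation pipeline over per-application findings before the per-rule percentages can be compared. The following is an added example (not the paper's code, nor CryptoLint's or CryptoREX's) that implements that pipeline: it merges CryptoLint's explicit/implicit ECB sub-cases into §1, drops §6, keeps only definite findings, and reports the percentage of crypto-using apps with at least one misuse per rule. The `Finding` record, the `§1-explicit`/`§1-implicit` labels and all app identifiers and findings are constructed for illustration; none of the numbers come from the studies.

```python
"""Normalise per-app crypto-misuse findings from several studies so that the
per-rule "percentage of crypto-using apps with at least one misuse" (the metric
of Egele et al.) can be compared across them.

Added example. The data at the bottom is constructed and does not reproduce
any result of CryptoLint, CryptoREX or LICMA.
"""
from collections import defaultdict
from dataclasses import dataclass

# Rule numbering as in Egele et al.: §1 ECB mode, §2 non-random IV, §3 constant key,
# §4 constant PBE salt, §5 fewer than 1000 PBE iterations, §6 static PRNG seed.
RULES = ("§1", "§2", "§3", "§4", "§5", "§6")


@dataclass(frozen=True)
class Finding:
    app: str        # application / project / firmware image identifier
    rule: str       # "§1".."§6"; CryptoLint-style input may use "§1-explicit"/"§1-implicit"
    definite: bool  # LICMA separates definite from potential; older tools report one kind only


def normalise_rule(rule: str) -> str:
    """Adjustment two: fold explicit and implicit ECB usage into a single §1."""
    return "§1" if rule.startswith("§1") else rule


def misuse_percentages(apps_using_crypto, findings, *, definite_only=True, exclude=("§6",)):
    """Percentage of crypto-using apps having at least one misuse, per rule.

    apps_using_crypto: ids of the apps that use crypto at all. This is the
        denominator; a study that only reports totals before filtering for
        crypto usage (as noted for CryptoREX) cannot be fed in here directly.
    definite_only: adjustment three, drop potential findings.
    exclude: adjustment one, rules left out of the comparison (§6 by default).
    """
    apps = set(apps_using_crypto)
    if not apps:
        raise ValueError("no crypto-using apps: percentage is undefined")
    hits = defaultdict(set)  # rule -> set of apps, so repeated findings count once
    for f in findings:
        if f.app not in apps:
            continue  # finding in an app outside the denominator would corrupt the ratio
        if definite_only and not f.definite:
            continue
        rule = normalise_rule(f.rule)
        if rule in exclude:
            continue
        hits[rule].add(f.app)
    return {r: 100.0 * len(hits[r]) / len(apps) for r in RULES if r not in exclude}


def compare(studies):
    """studies: {name: (apps_using_crypto, findings)} -> {rule: {name: percentage}}."""
    per_study = {name: misuse_percentages(apps, fs) for name, (apps, fs) in studies.items()}
    rules = [r for r in RULES if all(r in res for res in per_study.values())]
    return {r: {name: res[r] for name, res in per_study.items()} for r in rules}


# --- constructed sample data (not real study results) -------------------------
JAVA_APPS = ("j1", "j2", "j3", "j4")
JAVA_FINDINGS = (
    Finding("j1", "§1-explicit", True),   # Cipher.getInstance("AES/ECB/...")
    Finding("j2", "§1-implicit", True),   # Cipher.getInstance("AES") defaulting to ECB
    Finding("j2", "§3", True),
    Finding("j3", "§6", True),            # excluded from the comparison
    Finding("j4", "§2", True),
    Finding("j9", "§3", True),            # app not counted as crypto-using: ignored
)
PY_APPS = ("p1", "p2", "p3", "p4", "p5")
PY_FINDINGS = (
    Finding("p1", "§1", True),
    Finding("p2", "§1", False),           # potential finding: dropped by default
    Finding("p3", "§3", True),
    Finding("p3", "§3", True),            # second finding in the same app counts once
    Finding("p4", "§5", True),
)


def run_comparison():
    return compare({"java": (JAVA_APPS, JAVA_FINDINGS), "python": (PY_APPS, PY_FINDINGS)})


if __name__ == "__main__":
    for rule, row in run_comparison().items():
        print(rule, {k: f"{v:.1f}%" for k, v in row.items()})
```

With the sample data, §1 comes out at 50.0% for the constructed Java study (both the explicit and the implicit ECB apps count) and 20.0% for the constructed Python study; rerunning the Python side with `definite_only=False` raises it to 40.0%, which is exactly the discrepancy adjustment three avoids. `compare` only emits rules present in every study, so the excluded §6 never appears.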


This paper is available on arxiv under CC BY 4.0 DEED license.