Authors:
(1) Anna-Katharina Wickert, Technische Universität Darmstadt, Darmstadt, Germany ([email protected]);
(2) Lars Baumgärtner, Technische Universität Darmstadt, Darmstadt, Germany ([email protected]);
(3) Florian Breitfelder, Technische Universität Darmstadt, Darmstadt, Germany ([email protected]);
(4) Mira Mezini, Technische Universität Darmstadt, Darmstadt, Germany ([email protected]).
For our study, we implemented Python and Java analysis components. For Python, we cover 5 different crypto modules: cryptography, M2Crypto, PyCrypto, PyNaCl, and ucryptolib. This selection is based on the Python modules inspected by Acar et al. [1], who chose them according to the libraries' popularity, their ability to solve common crypto tasks, and a range of usability focus, from API designs that ignore usability to ones with usability as a main goal. However, we dropped the deprecated module Keyczar and added the MicroPython library ucryptolib.
As the six rules are defined with the JCA in mind [4], we could not implement all of them for Python. A misuse of §6 is not possible for any of the Python modules due to the design of their APIs: none of them provides a secure random number generator that can be initialized with a static seed.
Further, LICMA supports only §3 and §4 for PyNaCl, and only §1, §2, and §3 for ucryptolib. This deviation is due to a different API design that avoids the respective misuses. We present an overview of the implemented APIs and the covered rules in Table 2.
Our implementation of LICMA is available on GitHub[4].
This paper is available on arxiv under CC BY 4.0 DEED license.