paint-brush
Implementing LICMA: Python and Java Analysis Components for Crypto Misuse Detectionby@cryptosovereignty
110 reads

Implementing LICMA: Python and Java Analysis Components for Crypto Misuse Detection

tldt arrow

Too Long; Didn't Read

LICMA implements crypto analysis for Python and Java, covering key crypto modules and adhering to JCA rules. Python module selection is based on popularity and task-solving capabilities, with an emphasis on API design and usability. LICMA's implementation details are available on GitHub for exploration.
featured image - Implementing LICMA: Python and Java Analysis Components for Crypto Misuse Detection
Crypto Sovereignty Through Technology, Math & Luck HackerNoon profile picture

Authors:

(1) Anna-Katharina Wickert, Technische Universität Darmstadt, Darmstadt, Germany ([email protected]);

(2) Lars Baumgärtner, Technische Universität Darmstadt, Darmstadt, Germany ([email protected]);

(3) Florian Breitfelder, Technische Universität Darmstadt, Darmstadt, Germany ([email protected]);

(4) Mira Mezini, Technische Universität Darmstadt, Darmstadt, Germany ([email protected]).

Abstract and 1 Introduction

2 Background

3 Design and Implementation of Licma and 3.1 Design

3.2 Implementation

4 Methodology and 4.1 Searching and Downloading Python Apps

4.2 Comparison with Previous Studies

5 Evaluation and 5.1 GitHub Python Projects

5.2 MicroPython

6 Comparison with previous studies

7 Threats to Validity

8 Related Work

9 Conclusion, Acknowledgments, and References

3.2 Implementation

For our study, we implemented Python and Java analysis components. For Python, we cover 5 different crypto modules: cryptography, M2Crypto, PyCrypto, PyNaCl, ucryptolib. This selection is based


Figure 1: LICMA analysis framework.


Table 2: An overview of the libraries supported in LICMA and the rules of potential misuses.


upon the inspected Python modules by Acar et al. [1] which is based on the libraries’ popularity, their possibility to solve common crypto tasks, and a mix of usability focus, e.g., API-design with ignoring usability up to usability as a main focus. However, we dropped the deprecated module Keyczar, and added the MicroPython library ucryptolib.


As the six rules are defined with the JCA in mind [4], we could not implement all of these rules for Python. For none of the Python modules, a misuse of §6 is possible due to the design of the APIs as there are no secure random number generators present that can be initialized with a static seed.


Further, LICMA supports only §3 and §4 for PyNaCl and only §1, §2 and §3 for ucryptolib. The derivation is due to a different API design which avoids the respective misuses. We present an overview of the implemented APIs and the covered rules in Table 2.


Our implementation of LICMA is available on GitHub[4].


This paper is available on arxiv under CC BY 4.0 DEED license.


[4] https://github.com/stg-tud/licma