MicroPython Analysis: Exploring Crypto API Usage and Custom Implementations

by @cryptosovereignty

Too Long; Didn't Read

LICMA's analysis of MicroPython reveals no crypto misuses but highlights the prevalence of custom AES implementations written in Python and C. This reflects common practices in embedded code, emphasizing the need for hybrid analysis approaches to understand crypto patterns in performance-critical environments.

Authors:

(1) Anna-Katharina Wickert, Technische Universität Darmstadt, Darmstadt, Germany;

(2) Lars Baumgärtner, Technische Universität Darmstadt, Darmstadt, Germany;

(3) Florian Breitfelder, Technische Universität Darmstadt, Darmstadt, Germany;

(4) Mira Mezini, Technische Universität Darmstadt, Darmstadt, Germany.

Abstract and 1 Introduction

2 Background

3 Design and Implementation of Licma and 3.1 Design

3.2 Implementation

4 Methodology and 4.1 Searching and Downloading Python Apps

4.2 Comparison with Previous Studies

5 Evaluation and 5.1 GitHub Python Projects

5.2 MicroPython

6 Comparison with previous studies

7 Threats to Validity

8 Related Work

9 Conclusion, Acknowledgments, and References

5.2 MicroPython

When we applied LICMA to the 5 source files in the MicroPython data set that contain crypto API usages, we identified no misuse. For this reason, we inspected the MicroPython repositories for usages of other crypto functions not covered by LICMA and identified 5 additional files. We notice that the crypto module ucryptolib, which is provided by MicroPython, is only used by tests in 2 projects. For the remaining 3 findings, the crypto functions are written in C rather than Python. Thus, these files were removed by the filter steps described in Section 4.1.2.


Our small analysis of MicroPython projects shows that for further exploration of MicroPython applications, we need to consider custom implementations of AES in Python and C. This seems to be a common pattern for embedded code where performance is important and low-level code is often shipped as custom C blobs. Thus, we can observe the importance of hybrid analysis approaches [5, 10].
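A triage pass of the kind this finding calls for, as an added example (not LICMA's code and not from the paper): it separates files that import MicroPython's crypto module from files that embed their own AES, recognised here by the first bytes of the AES S-box in Python or C source. The S-box heuristic, the `cryptolib` module name, the path-based test check and the sample files are assumptions constructed for illustration.

```python
import ast
import re

CRYPTO_MODULES = {"ucryptolib", "cryptolib"}  # cryptolib: newer module name (assumption)
# First eight bytes of the AES S-box (FIPS 197). A table that starts this way
# suggests a hand-written AES, in Python or in C.
SBOX_PREFIX = [0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5]
INT_LITERAL = re.compile(r"\b(0[xX][0-9a-fA-F]+|\d+)\b")

def crypto_imports(py_source):
    """Return the crypto modules a Python source imports (empty set if none)."""
    try:
        tree = ast.parse(py_source)
    except SyntaxError:
        return set()
    found = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            found |= {alias.name for alias in node.names} & CRYPTO_MODULES
        elif isinstance(node, ast.ImportFrom) and node.module in CRYPTO_MODULES:
            found.add(node.module)
    return found

def has_aes_sbox(source):
    """True if consecutive integer literals in the source spell the S-box prefix."""
    values = [int(tok, 16) if tok[:2].lower() == "0x" else int(tok)
              for tok in INT_LITERAL.findall(source)]
    n = len(SBOX_PREFIX)
    return any(values[i:i + n] == SBOX_PREFIX for i in range(len(values) - n + 1))

def classify(path, source):
    """Label one file: API use (test or not), custom AES, or nothing found."""
    if path.endswith(".py") and crypto_imports(source):
        return "api-use-in-test" if "test" in path.lower() else "api-use"
    return "custom-aes" if has_aes_sbox(source) else "none"

# Constructed sample files, not taken from the paper's data set.
SAMPLES = {
    "tests/test_aes.py": "from ucryptolib import aes\nc = aes(b'k' * 16, 1)\n",
    "lib/aes.py": "SBOX = [0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30]\n",
    "src/aes.c": "static const uint8_t sbox[256] = {0x63, 0x7c, 0x77, 0x7b,\n"
                 "    0xf2, 0x6b, 0x6f, 0xc5, 0x30};\n",
    "main.py": "import machine\nled = machine.Pin(2)\n",
}

def scan(samples):
    return {path: classify(path, src) for path, src in samples.items()}

if __name__ == "__main__":
    for path, label in scan(SAMPLES).items():
        print(f"{label:16} {path}")
```

Files labelled `custom-aes` are the ones an API-call-based checker cannot see, since the cipher is implemented in the file itself rather than reached through a library call.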


Figure 4: Comparison of our evaluation results with the results of CryptoLint [4] and CryptoREX [13].


This paper is available on arXiv under the CC BY 4.0 DEED license.