What is it about?

This paper is about a tool that automatically flags common cryptographic misuses and suggests possible repairs, and about how it can be integrated into programming courses at the college and pre-college level.


Why is it important?

Insecure programming practices seriously threaten software security, and misusing security primitives in application-level code is not unusual. For example, in mobile banking apps, developers might store customers' private information in plaintext, leading to sensitive information leakage. To use cryptographic primitives correctly, developers must select the right cryptographic algorithm, appropriate parameters, and sometimes the right post-processing of its output.

Perspectives

Cryptographic misuse is a prevalent problem in writing secure code. Our findings from analyzing StackExchange indicate that one-fourth of the posts are about the use of cryptographic libraries. This paper presents CryptoTutor, a Cryptography-Aware Intelligent Tutoring System that automatically detects crypto API misuses in applications. In lab classes, CryptoTutor helps students (1) identify the locations where cryptographic APIs are used insecurely and (2) move toward a secure solution by comparing CryptoTutor's suggested repairs with the insecure code snippets. While the tool is also useful in cryptography-related courses, it provides the most value in computer science courses where cryptography is not a central topic and instructors lack the expertise to flag incorrect usages.
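To make concrete what "flag a misuse and suggest a repair" means for the algorithm, parameter and post-processing mistakes described above, here is a small rule-based checker written for this summary. It is an added example, not CryptoTutor's code or rule set: the rules, the regexes and the Java-style sample snippet are my own constructions, and the checker only illustrates the kind of feedback a student would receive (location, misuse, suggested repair), not how the paper's tool actually performs its analysis.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One flagged misuse: where it is, what rule fired, and a suggested repair."""
    line_no: int
    rule: str
    message: str
    repair: str


# Illustrative rules (hypothetical, not CryptoTutor's): name, pattern over a
# single Java-style source line, explanation, and the repair to suggest.
RULES = [
    ("broken-hash",
     re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"'),
     "MD5/SHA-1 are not collision resistant",
     'use MessageDigest.getInstance("SHA-256") or stronger'),
    ("weak-cipher",
     re.compile(r'Cipher\.getInstance\(\s*"(DES|DESede|RC4|Blowfish)'),
     "legacy cipher with a small key or block size",
     'use Cipher.getInstance("AES/GCM/NoPadding") with a 256-bit key'),
    ("ecb-mode",
     re.compile(r'Cipher\.getInstance\(\s*"AES(/ECB/[^"]*)?"'),
     "AES in ECB mode (Java defaults to ECB when no mode is given)",
     'use "AES/GCM/NoPadding" with a fresh random 12-byte nonce per message'),
    ("hardcoded-key",
     re.compile(r'new SecretKeySpec\(\s*"[^"]*"\.getBytes\('),
     "key embedded as a string literal in source",
     "derive the key with a KDF or load it from a key store"),
    ("static-iv",
     re.compile(r'new IvParameterSpec\(\s*(new byte\[\s*\d+\s*\]|"[^"]*"\.getBytes\()'),
     "constant IV reused across encryptions",
     "generate the IV with SecureRandom for every encryption"),
    ("insecure-random",
     re.compile(r'new (java\.util\.)?Random\('),
     "java.util.Random is predictable",
     "use java.security.SecureRandom for keys, IVs and salts"),
]


def scan(source: str) -> list[Finding]:
    """Run every rule over every non-comment line and collect findings."""
    findings: list[Finding] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith("//"):
            continue  # skip line comments so they cannot trigger a rule
        for name, pattern, message, repair in RULES:
            if pattern.search(line):
                findings.append(Finding(line_no, name, message, repair))
    return findings


def report(source: str) -> str:
    """Render findings the way a tutoring tool might show them to a student."""
    lines = [f"line {f.line_no}: [{f.rule}] {f.message}\n    repair: {f.repair}"
             for f in scan(source)]
    return "\n".join(lines) if lines else "no cryptographic misuse found"


# Constructed sample of student-style Java; every line but the last is a misuse.
SAMPLE_JAVA = """\
SecretKeySpec spec = new SecretKeySpec("0123456789abcdef".getBytes(), "AES");
Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
IvParameterSpec iv = new IvParameterSpec(new byte[16]);
MessageDigest md = MessageDigest.getInstance("MD5");
Random r = new Random();
Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
"""

if __name__ == "__main__":
    print(report(SAMPLE_JAVA))
```

Running the block prints one entry per flagged line of the sample, each paired with its suggested repair, which is the side-by-side "insecure snippet versus repaired form" comparison the Perspectives section describes. Pattern matching on single lines is deliberately crude: it cannot see a key that is hardcoded in one method and passed to `SecretKeySpec` in another, which is why real tools need data-flow analysis across the program.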

Larry Singleton
University of Nebraska System

Read the Original

This page is a summary of: CryptoTutor, October 2020, ACM (Association for Computing Machinery), DOI: 10.1145/3368308.3415419.