ABSTRACT
Mistakes in cryptographic software implementations often undermine the strong security guarantees offered by cryptography. This paper presents a systematic study of cryptographic vulnerabilities in practice, an examination of state-of-the-art techniques to prevent such vulnerabilities, and a discussion of open problems and possible future research directions. Our study covers 269 cryptographic vulnerabilities reported in the CVE database from January 2011 to May 2014. The results show that just 17% of the bugs are in cryptographic libraries (which often have devastating consequences), and the remaining 83% are misuses of cryptographic libraries by individual applications. We observe that preventing bugs in different parts of a system requires different techniques, and that no effective techniques exist to deal with certain classes of mistakes, such as weak key generation.