High-Level Cryptographic Abstractions

Kane, Christopher J.; Lin, Bo; Chand, Saksham; Stoller, Scott D.; Liu, Yanhong A.

doi:10.1145/3338504.3357343

Cited by 2 publications

(1 citation statement)

References 47 publications

(23 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, without crypto, we would not be able to securely use online banking or do online shopping. Unfortunately, previous research results show that crypto is often used in an insecure way [3,4,7,9,11]. One such problem is the choice of an insecure parameter, like an insecure block mode, for crypto primitives like encryption.…”

Section: Introductionmentioning

confidence: 99%

Python Crypto Misuses in the Wild

Wickert

Baumgärtner

Breitfelder

et al. 2021

Proceedings of the 15th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)

View full text Add to dashboard Cite

Background: Previous studies have shown that up to 99.59 % of the Java apps using crypto APIs misuse the API at least once. However, these studies have been conducted on Java and C, while empirical studies for other languages are missing. For example, a controlled user study with crypto tasks in Python has shown that 68.5 % of the professional developers write a secure solution for a crypto task. Aims: To understand if this observation holds for real-world code, we conducted a study of crypto misuses in Python. Method: We developed a static analysis tool that covers common misuses of 5 different Python crypto APIs. With this analysis, we analyzed 895 popular Python projects from GitHub and 51 MicroPython projects for embedded devices. Further, we compared our results with the findings of previous studies . Results: Our analysis reveals that 52.26 % of the Python projects have at least one misuse. Further, some Python crypto libraries' API design helps developers from misusing crypto functions, which were much more common in studies conducted with Java and C code. Conclusion: We conclude that we can see a positive impact of the good API design on crypto misuses for Python applications. Further, our analysis of MicroPython projects reveals the importance of hybrid analyses. CCS CONCEPTS• Software and its engineering → Software libraries and repositories.

show abstract

Section: Introductionmentioning

confidence: 99%