You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
My team is conducting academic research on Java Cryptography API based misuse using your tool. We found that we could not detect some potential cryptographic misuses.
We believe this may be due to underlying implementation or design gaps. Each cryptographic vulnerability was generated as a barebone Java project that only contained a single vulnerability in the main function and used up to two java source files. A jar was made which was then scanned.
Additionally, all cryptographic API calls were from Java Cryptographic Architecture (JCA).
Problem
Replacing a Secure Parameter with an Insecure Parameter:
I understand that the current release snapshot is version 2.7. However, when we started using it - the recommended release was 2.0 in readme.md file. I hope this report will be useful for making your tool (including the current combined version) even better.
Please let me know if you need any additional information (e.g., logs from our side) for fixing these issues.
Thanks again!
The text was updated successfully, but these errors were encountered:
Those transformation are indeed not yet handled by CryptoAnalysis. We have not found such transformation to appear in practice (we did not analyze malware!), and we did not further spend time on it.
Do you have concrete use cases that require such transformation?
I am happy to provide you pointers in the implementation to where one has to model the transformation.
Thanks for getting back. These transformations can happen in several, non-malicious scenarios. For example, a string can be converted to a different case by a novice developer who is trying to follow naming conventions. Or a developer can replace characters that he added for his own convenience before passing it on as parameter.
Here is an example from a github repository that shows such behavior:
Hi,
My team is conducting academic research on Java Cryptography API based misuse using your tool. We found that we could not detect some potential cryptographic misuses.
We believe this may be due to underlying implementation or design gaps. Each cryptographic vulnerability was generated as a barebone Java project that only contained a single vulnerability in the main function and used up to two java source files. A jar was made which was then scanned.
Additionally, all cryptographic API calls were from Java Cryptographic Architecture (JCA).
Problem
Replacing a Secure Parameter with an Insecure Parameter:
Replacing an Insecure Parameter with an Insecure Parameter:
where "AES" by itself is insecure as it defaults to using ECB.
Transforming string case, e.g., from lower to upper case:
Replacing a noisy version of insecure parameters:
Environment
I understand that the current release snapshot is version 2.7. However, when we started using it - the recommended release was 2.0 in readme.md file. I hope this report will be useful for making your tool (including the current combined version) even better.
Please let me know if you need any additional information (e.g., logs from our side) for fixing these issues.
Thanks again!
The text was updated successfully, but these errors were encountered: