Detecting Predictable IVs / Constant IVs

[LordAmit]

Hi,

My team is conducting academic research on Java Cryptography API based misuse using your tool. We found that we could not detect some potential cryptographic misuses.

We believe this may be due to underlying implementation or design gaps. Each cryptographic vulnerability was generated as a barebone Java project that only contained a single vulnerability in the main function and used up to two java source files. A jar was made which was then scanned using CryptoGuard.

Additionally, all cryptographic API calls were from Java Cryptographic Architecture (JCA).

Environment

Component	Version
Java Runtime	OpenJDK version 1.8.0_232 64 bit
CG Commit Used	42197b0

Problem

Predictable / Constant IVs should be detected.

Code

String val="";

for(int i = 65; i < 75; i++){
            val += (char) i;
}
IvParameterSpec ivSpec = new IvParameterSpec(val.getBytes());

String val="";
SimpleDateFormat formatter= new SimpleDateFormat("yyyy-MM-dd 'at' HH:mm:ss z");
Date date = new Date(System.currentTimeMillis());
val = formatter.format(date);
IvParameterSpec ivSpec = new IvParameterSpec(val.getBytes());

Please let me know if you need any additional information (e.g., logs from our side) in fixing these issues.

Thanks! :)

[sazzad114]

Hi @LordAmit, thanks for your interest on our tool. Your test cases seem very interesting!

We have a benchmark (here is the link: https://github.com/CryptoGuardOSS/cryptoapi-bench), where we are gathering interesting test cases to test static analysis tools that are capable of detecting cryptographic misuse vulnerabilities. It would be great if you could add these examples (by opening pull requests) as test cases in that repository. That would not only help us organizing our efforts to improve CryptoGuard but also help future tool developers.

Thank you!

[LordAmit]

Thanks for letting me know! Glad to contribute. 😄