Fraunhofer-Gesellschaft

Publica

Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

CogniCryptgen: Generating code for the secure usage of crypto APIs

 
: Krüger, S.; Ali, K.; Bodden, E.

:

Mars, J. ; Association for Computing Machinery -ACM-; Association for Computing Machinery -ACM-, Special Interest Group on Programming Languages -SIGPLAN-; IEEE Computer Society:
CGO 2020, 18th ACM/IEEE International Symposium on Code Generation and Optimization. Proceedings : February 22-26, 2020, San Diego, CA, USA
New York: ACM, 2020
ISBN: 978-1-4503-7047-9
pp.185-198
International Symposium on Code Generation and Optimization (CGO) <18, 2020, San Diego/Calif.>
English
Conference Paper
Fraunhofer IEM ()

Abstract
Many software applications are insecure because they misuse cryptographic APIs. Prior attempts to address misuses focused on detecting them after the fact. However, avoiding such misuses in the first place would significantly reduce development cost. In this paper,we present CogniCryptgen, a code generator that proactively assists developers in using Java crypto APIs correctly. CogniCryptgen accepts as input a code template and API-usage rules defined in the specification language CrySL. The code templates in CogniCryptgen are minimal, only comprising simple glue code. All security-sensitive code is generated fully automatically from the CrySL rules that the templates merely refer to. That way, generated code is provably correct and secure with respect to the CrySL definitions. CogniCryptgen supports the implementation of the most common cryptographic use cases, ranging from password-based encryption to digital signatures. We have empirically evaluated CogniCryptgen from the perspectives of both crypto-API developers and application developers. Our results show that CogniCryptgen is fast enough to be used during development. Compared to a state-of-the-art template-based solution, implementing use cases with CogniCryptgen requires only a fourth of development effort, without any additional language skills. Real-world developers see CogniCryptgen as significantly simpler to use than the same template-based solution.

: http://publica.fraunhofer.de/documents/N-596022.html