RIGORITYJ: Deployment-quality Detection of Java Cryptographic Vulnerabilities
share
Cryptographic API misuses threaten software security. Examples include exposed secrets, predictable random numbers, and vulnerable certificate verification. Our goal in this work is to produce deployment-quality program analysis tools for automatically inspecting various cryptographic API uses in complex Java programs. The main challenge is how to reduce false positives (FP) without compromising analysis quality. Unfortunately, state-of-the-art solutions in this space were not designed to be deployment-grade and did not address this issue. Our main technical innovation is a set of algorithms for systematically removing irrelevant elements (from program slices) to reduce false alerts. We evaluated our tool, RIGORITYJ, on 46 high-impact large-scale Apache projects and 240 Android apps, which generates many security insights. We observed violations for most of our 16 rules. 86 from the libraries. There is a widespread insecure practice of storing plaintext passwords. We manually went through the 2,009 Apache alerts and confirmed 1,961 true positives (2.39 security findings. This helped multiple popular Apache projects to harden their code, including Spark, Ranger, and Ofbiz. We also discuss the pragmatic constraints that hinder secure coding.
READ FULL TEXT