TY - GEN
T1 - Gopher
T2 - 31st ACM SIGSAC Conference on Computer and Communications Security, CCS 2024
AU - Zhang, Yuexi
AU - Li, Bingyu
AU - Lin, Jingqiang
AU - Li, Linghui
AU - Bai, Jiaju
AU - Jia, Shijie
AU - Wu, Qianhong
N1 - Publisher Copyright:
© 2024 Copyright held by the owner/author(s).
PY - 2024/12/9
Y1 - 2024/12/9
N2 - The complexity of cryptographic APIs and developers’ expertise gaps often leads to their improper use, seriously threatening information security. Existing cryptographic API misuse detection tools that rely on black/white-list methods require experts to manually establish detection rules. They struggle to dynamically update rules and scale to cover numerous unofficial cryptographic libraries. Furthermore, as these tools are primarily aimed at non-Go languages, they have limited applicability and accuracy in the Go ecosystem, which is extensively used for security-centric applications. To mitigate these challenges, we present Gopher, a novel cryptographic misuse detection framework, that excels in encapsulated API and cross-library detection. In this framework, we have designed CryDict to convert rules into unified and standardized constraints, capable of deriving new usage rules and elucidating implicit knowledge during scanning. Gopher leverages CryDict to create a logical separation between rule formulation and Detector detection, enabling dynamic updating of constraints and enhancing detection capabilities. This significantly improves the Gopher’s compatibility and scalability. Utilizing Gopher, we have conducted an extensive analysis of the Go ecosystem, examining 19,313 Go projects. In our rigorous testing, Gopher demonstrated a remarkable 98.9% accuracy rate and identified 64.1% of previously undetected misuses. This scrutiny has surfaced numerous hidden security vulnerabilities, and highlighted misuse tendencies across diverse project categories.
AB - The complexity of cryptographic APIs and developers’ expertise gaps often leads to their improper use, seriously threatening information security. Existing cryptographic API misuse detection tools that rely on black/white-list methods require experts to manually establish detection rules. They struggle to dynamically update rules and scale to cover numerous unofficial cryptographic libraries. Furthermore, as these tools are primarily aimed at non-Go languages, they have limited applicability and accuracy in the Go ecosystem, which is extensively used for security-centric applications. To mitigate these challenges, we present Gopher, a novel cryptographic misuse detection framework, that excels in encapsulated API and cross-library detection. In this framework, we have designed CryDict to convert rules into unified and standardized constraints, capable of deriving new usage rules and elucidating implicit knowledge during scanning. Gopher leverages CryDict to create a logical separation between rule formulation and Detector detection, enabling dynamic updating of constraints and enhancing detection capabilities. This significantly improves the Gopher’s compatibility and scalability. Utilizing Gopher, we have conducted an extensive analysis of the Go ecosystem, examining 19,313 Go projects. In our rigorous testing, Gopher demonstrated a remarkable 98.9% accuracy rate and identified 64.1% of previously undetected misuses. This scrutiny has surfaced numerous hidden security vulnerabilities, and highlighted misuse tendencies across diverse project categories.
KW - Cryptographic API Misuses
KW - Golang Ecosystem Measurement
KW - Static Analysis
UR - https://www.scopus.com/pages/publications/85215518780
U2 - 10.1145/3658644.3690276
DO - 10.1145/3658644.3690276
M3 - 会议稿件
AN - SCOPUS:85215518780
T3 - CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security
SP - 2978
EP - 2992
BT - CCS 2024 - Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security
PB - Association for Computing Machinery, Inc
Y2 - 14 October 2024 through 18 October 2024
ER -