Enregistré dans:
Détails bibliographiques
Auteurs principaux: Moffie, Micha, Boehm, Omer, Koyfman, Anatoly, Bin, Eyal, Sztokman, Efrayim, Bhattacharjee, Sukanta, Saha, Meghnath, McGugan, James
Format: Preprint
Publié: 2025
Sujets:
Accès en ligne:https://arxiv.org/abs/2503.19531
Tags: Ajouter un tag
Pas de tags, Soyez le premier à ajouter un tag!
_version_ 1866912293097308160
author Moffie, Micha
Boehm, Omer
Koyfman, Anatoly
Bin, Eyal
Sztokman, Efrayim
Bhattacharjee, Sukanta
Saha, Meghnath
McGugan, James
author_facet Moffie, Micha
Boehm, Omer
Koyfman, Anatoly
Bin, Eyal
Sztokman, Efrayim
Bhattacharjee, Sukanta
Saha, Meghnath
McGugan, James
contents The advent of quantum computing poses a significant challenge as it has the potential to break certain cryptographic algorithms, necessitating a proactive approach to identify and modernize cryptographic code. Identifying these cryptographic elements in existing code is only the first step. It is crucial not only to identify quantum vulnerable algorithms but also to detect vulnerabilities and incorrect crypto usages, to prioritize, report, monitor as well as remediate and modernize code bases. A U.S. government memorandum require agencies to begin their transition to PQC (Post Quantum Cryptograpy) by conducting a prioritized inventory of cryptographic systems including software and hardware systems. In this paper we describe our code scanning tool - Cryptoscope - which leverages cryptographic domain knowledge as well as compiler techniques to statically parse and analyze source code. By analyzing control and data flow the tool is able to build an extendable and querriable inventory of cryptography. Cryptoscope goes beyond identifying disconnected cryptographic APIs and instead provides the user with an inventory of cryptographic assets - containing comprehensive views of the cryptographic operations implemented. We show that for more than 92% of our test cases, these views include the cryptographic operation itself, APIs, as well as the related material such as keys, nonces, random sources etc. Lastly, building on top of this inventory, our tool is able to detect and report all the cryptographic related weaknesses and vulnerabilities (11 out of 15) in CamBench - achieving state-of-the-art performance.
format Preprint
id arxiv_https___arxiv_org_abs_2503_19531
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Cryptoscope: Analyzing cryptographic usages in modern software
Moffie, Micha
Boehm, Omer
Koyfman, Anatoly
Bin, Eyal
Sztokman, Efrayim
Bhattacharjee, Sukanta
Saha, Meghnath
McGugan, James
Cryptography and Security
The advent of quantum computing poses a significant challenge as it has the potential to break certain cryptographic algorithms, necessitating a proactive approach to identify and modernize cryptographic code. Identifying these cryptographic elements in existing code is only the first step. It is crucial not only to identify quantum vulnerable algorithms but also to detect vulnerabilities and incorrect crypto usages, to prioritize, report, monitor as well as remediate and modernize code bases. A U.S. government memorandum require agencies to begin their transition to PQC (Post Quantum Cryptograpy) by conducting a prioritized inventory of cryptographic systems including software and hardware systems. In this paper we describe our code scanning tool - Cryptoscope - which leverages cryptographic domain knowledge as well as compiler techniques to statically parse and analyze source code. By analyzing control and data flow the tool is able to build an extendable and querriable inventory of cryptography. Cryptoscope goes beyond identifying disconnected cryptographic APIs and instead provides the user with an inventory of cryptographic assets - containing comprehensive views of the cryptographic operations implemented. We show that for more than 92% of our test cases, these views include the cryptographic operation itself, APIs, as well as the related material such as keys, nonces, random sources etc. Lastly, building on top of this inventory, our tool is able to detect and report all the cryptographic related weaknesses and vulnerabilities (11 out of 15) in CamBench - achieving state-of-the-art performance.
title Cryptoscope: Analyzing cryptographic usages in modern software
topic Cryptography and Security
url https://arxiv.org/abs/2503.19531