CogniCrypt: Supporting developers in using cryptography

Previous research suggests that developers often struggle to use low-level cryptographic APIs correctly and, as a result, produce insecure code. When asked, developers say they want, among other things, better tool support for using such APIs. In this paper, we present CogniCrypt, a tool that supports developers in using cryptographic APIs. CogniCrypt assists the developer in two ways. First, for a number of common cryptographic tasks, CogniCrypt generates code that implements the respective task securely. Currently, CogniCrypt supports tasks such as data encryption, communication over secure channels, and long-term archiving. Second, CogniCrypt continuously runs static analyses in the background to ensure that the generated code is integrated securely into the developer's workspace. This video demo showcases the main features of CogniCrypt: youtube.com/watch?v=JUq5mRHfAWY.
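To make the contrast in the abstract concrete, the following is an added example written for this page; it is not code from the CogniCrypt paper, nor output generated by the tool. It uses only the standard Java Cryptography Architecture (JCA) and shows, for the "data encryption" task, the kind of low-level misuse a developer can easily write with `javax.crypto` beside a hardened form. The class name, the hard-coded key, and the sample plaintext are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Illustrative example (not CogniCrypt's generated code): a typical JCA
// misuse next to a hardened AES-GCM implementation of the same task.
public class DataEncryptionExample {

    // --- Misuse: what a crypto-API static analysis should flag ---
    // "AES" alone resolves to AES/ECB/PKCS5Padding on the default provider.
    // ECB leaks plaintext structure (equal blocks give equal ciphertext blocks),
    // and a key literal in source is not a secret at all.
    static byte[] insecureEncrypt(byte[] plaintext) throws Exception {
        byte[] hardCodedKey = "0123456789abcdef".getBytes(StandardCharsets.UTF_8); // constructed, 16 bytes
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(hardCodedKey, "AES"));
        return cipher.doFinal(plaintext);
    }

    // --- Hardened form: explicit AEAD mode, generated key, fresh random nonce ---
    static final int GCM_TAG_BITS = 128;
    static final int GCM_NONCE_BYTES = 12;

    static SecretKey generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom()); // AES-256; older JDKs need the unlimited-strength policy
        return kg.generateKey();
    }

    // Output layout: nonce || ciphertext || tag (JCA appends the GCM tag to the ciphertext).
    static byte[] encrypt(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        new SecureRandom().nextBytes(nonce); // a nonce must never repeat under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] decrypt(SecretKey key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, GCM_NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_NONCE_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        return cipher.doFinal(ct); // throws AEADBadTagException if nonce, ciphertext or tag were altered
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: two identical 16-byte blocks make the ECB leak visible.
        byte[] twoEqualBlocks = new byte[32];
        Arrays.fill(twoEqualBlocks, (byte) 'A');

        byte[] ecb = insecureEncrypt(twoEqualBlocks);
        boolean ecbLeaks = Arrays.equals(Arrays.copyOfRange(ecb, 0, 16), Arrays.copyOfRange(ecb, 16, 32));
        System.out.println("ECB: identical plaintext blocks give identical ciphertext blocks? " + ecbLeaks);

        SecretKey key = generateKey();
        byte[] c1 = encrypt(key, twoEqualBlocks);
        byte[] c2 = encrypt(key, twoEqualBlocks);
        System.out.println("GCM: encrypting the same message twice yields different output? " + !Arrays.equals(c1, c2));
        System.out.println("GCM: round trip ok? " + Arrays.equals(decrypt(key, c1), twoEqualBlocks));

        // Tamper with one ciphertext byte; authenticated decryption must reject it.
        byte[] tampered = c1.clone();
        tampered[GCM_NONCE_BYTES] ^= 0x01;
        try {
            decrypt(key, tampered);
            System.out.println("GCM: tampering NOT detected (unexpected)");
        } catch (AEADBadTagException e) {
            System.out.println("GCM: tampering detected, decryption rejected");
        }
    }
}
```

The first function is exactly the sort of code the abstract's "low-level API" problem produces: every call is legal for the compiler, yet the mode, padding and key handling are all chosen by default or by habit rather than by design. The second form fixes the algorithm string explicitly, derives the key from a generator rather than a literal, and carries the nonce with the ciphertext so that decryption is authenticated. A typestate-style analysis of the kind the abstract describes would check the sequence `getInstance` -> `init` -> `doFinal` together with the parameters passed at each step, which is why the misuse is visible statically even though it compiles and runs.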