Since sensitive data (e.g., user credentials, biometric data, personal data, and digital contents) are typically used in an application, it is essential to store and manage such data in a secure manner. Therefore, misuse of cryptography is becoming one of the most common issues in secure software development. However, it is not straightforward to analyze how well sensitive data is protected in a device.
In this paper, we propose a novel approach that tracks the entire flow of all sensitive data, including input data and cryptographically transformed data, by only executing the binary under dynamic taint analysis.
We have developed a prototype system called CRAY (Crypto-RAY) and demonstrated that CRAY can analyze all cryptography usage at runtime and detect four types of cryptographic misuse (e.g., weak algorithm and weak option, hardcoded key and IV, insufficient iteration in PBKDF, and leak without encryption). We also propose a method called tag-merge trace to solve the multi-tag limitation of existing taint analysis. The performance experiment shows that CRAY can use a large number of taint tags to track a large amount of input data (e.g., binary image, file, socket, and stdin) without any significant runtime overhead, while the state-of-the-art taint tracking tool can only use a small number of taint tags due to memory consumption and performance slowdown.