"Off-The-Shelf Crypto-Detectors Give a False Sense of Data Security"

A team of computer scientists at the College of William & Mary has outlined a leading reason behind insecure data and provided suggestions on how to fix the problem. Data security depends on the use of appropriate, well-executed cryptography. Cryptography establishes properties such as information confidentiality and integrity, which are founded on rigid mathematical principles. To achieve those properties in applications, software engineers or programmers often rely on Application Programming Interfaces (APIs). Amit Seal Ami, a Ph.D. candidate in William & Mary's Department of Computer Science and the lead student author of the paper "Why Crypto-detectors Fail: A Systematic Evaluation of Cryptographic Misuse Detection Techniques," explained that developers' reliance on off-the-shelf, one-size-fits-all APIs often results in a departure from sound cryptographic principles, exposing confidential data. He also pointed out that crypto-API misuse detectors, the analysis tools that help find misuse in software, have flaws. If we are unaware of these flaws, we have a false sense of security. According to Ami, current crypto-API detectors contain a significantly large number of flaws. Therefore, the team is trying to help people make better detectors that can spot misuse in practice.

The team set out to investigate flaws in crypto-API detectors, which are responsible for policing and correcting security flaws caused by crypto-API misuse. Funded in part by grants from the National Science Foundation (NSF), they developed the MASC framework to assess how well various crypto-API detectors perform in practice. The collaborators use MASC to tweak known and established vulnerabilities, producing mutations. They then analyze those mutations with the detectors under consideration and test whether the detectors can detect the mutated or altered misuse cases. When a detector cannot, the researchers know something is wrong.
This article continues to discuss the team's evaluation of cryptographic misuse detection techniques. 
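The mutate-then-scan loop described above, as an added toy illustration in Python; it is not code from MASC or the paper. The Java snippets, the mutations, both detectors and the deny-list are constructed here as assumptions and do not reproduce MASC's operators or any real tool.

```python
import re

# Constructed Java snippets (not from the paper): one known misuse, DES, plus
# hand-made mutations that request the same cipher at run time.
MUTANTS = {
    "base":         'Cipher c = Cipher.getInstance("DES");',
    "lowercase":    'Cipher c = Cipher.getInstance("des");',
    "via_variable": 'String alg = "DES"; Cipher c = Cipher.getInstance(alg);',
    "concat":       'Cipher c = Cipher.getInstance("D" + "ES");',
}
# Control case that no detector should flag.
CONTROL = 'Cipher c = Cipher.getInstance("AES/GCM/NoPadding");'

WEAK = {"DES", "RC4"}  # assumed deny-list for this toy


def naive_detector(src):
    """Flags only an exact weak literal passed directly to getInstance."""
    return bool(re.search(r'getInstance\("(DES|RC4)"\)', src))


def resolving_detector(src):
    """Folds literal concatenation, resolves simple String constants, and
    compares the algorithm name case-insensitively."""
    # Fold "A" + "B" into "AB" until nothing changes.
    prev = None
    while prev != src:
        prev, src = src, re.sub(r'"([^"]*)"\s*\+\s*"([^"]*)"', r'"\1\2"', src)
    # Map simple `String name = "literal";` declarations to their values.
    consts = dict(re.findall(r'String\s+(\w+)\s*=\s*"([^"]*)"\s*;', src))
    for arg in re.findall(r'getInstance\(\s*([^)]*?)\s*\)', src):
        value = arg[1:-1] if arg.startswith('"') else consts.get(arg, "")
        # The algorithm is the part before any "/mode/padding" suffix.
        if value.split("/")[0].upper() in WEAK:
            return True
    return False


def missed_mutants(detector):
    """Mutation-testing step: names of misuse mutants the detector misses."""
    return sorted(name for name, src in MUTANTS.items() if not detector(src))
```

Every mutant a detector misses is a false negative in that detector; the control case guards against "fixing" misses by flagging everything.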

W&M News reports "Off-The-Shelf Crypto-Detectors Give a False Sense of Data Security"
