Research field: Cryptography
Venue: CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
The complexity of cryptographic APIs and developers' expertise gaps often lead to their improper use, seriously threatening information security. Existing cryptographic API misuse detection tools that rely on black/white-list methods require experts to manually establish detection rules. They struggle to dynamically update rules and to scale to the numerous unofficial cryptographic libraries. Furthermore, because these tools are primarily aimed at non-Go languages, they have limited applicability and accuracy in the Go ecosystem, which is extensively used for security-centric applications. To mitigate these challenges, we present Gopher, a novel cryptographic misuse detection framework that excels in encapsulated-API and cross-library detection. In this framework, we have designed CryDict to convert rules into unified and standardized constraints, capable of deriving new usage rules and elucidating implicit knowledge during scanning. Gopher leverages CryDict to create a logical separation between rule formulation and Detector detection, enabling dynamic updating of constraints and enhancing detection capabilities. This significantly improves Gopher's compatibility and scalability. Utilizing Gopher, we have conducted an extensive analysis of the Go ecosystem, examining 19,313 Go projects. In our rigorous testing, Gopher demonstrated a remarkable 98.9% accuracy rate and identified 64.1% of previously undetected misuses. This scrutiny has surfaced numerous hidden security vulnerabilities and highlighted misuse tendencies across diverse project categories.
| Publication year | 2024 |
|---|---|
| Citations | 0 |
| Publication country | Andorra, China |
| Site | ACM |
| Likes | 0 |