-
Enhancing CryptoGuard's Deployability for Continuous Software Security Scanning
Authors:
Miles Frantz
Abstract:
The increasing development speed via Agile may introduce overlooked security steps in the process, with an example being the Iowa Caucus application. Verifying the protection of confidential information such as social security numbers requires security at all levels, providing protection through any connected applications. CryptoGuard is a static code analyzer for Java. This program verifies that developers do not leave vulnerabilities in their applications. The program aids the developer by identifying cryptographic misuses such as hard-coded keys, weak program hashes, and using insecure protocols. In my Master's thesis work, I made several important contributions to improving the deployability, accessibility, and usability of CryptoGuard. I extended CryptoGuard to scan source and compiled code, created live documentation, and supported a dual cloud and local tool-suite. I also created build tool plugins and a program aid for CryptoGuard. In addition, I also analyzed several Java-related surveys encompassing more than 50,000 developers and reported interesting current practices of real-world software developers.
Submitted 13 December, 2021;
originally announced January 2022.
-
CryptoGuard: High Precision Detection of Cryptographic Vulnerabilities in Massive-sized Java Projects
Authors:
Sazzadur Rahaman,
Ya Xiao,
Sharmin Afrose,
Fahad Shaon,
Ke Tian,
Miles Frantz,
Danfeng Yao,
Murat Kantarcioglu
Abstract:
Cryptographic API misuses, such as exposed secrets, predictable random numbers, and vulnerable certificate verification, seriously threaten software security. The vision of automatically screening cryptographic API calls in massive-sized (e.g., millions of LoC) Java programs is not new. However, hindered by the practical difficulty of reducing false positives without compromising analysis quality, this goal has not been accomplished. State-of-the-art crypto API screening solutions are not designed to operate on a large scale.
Our technical innovation is a set of fast and highly accurate slicing algorithms. Our algorithms refine program slices by identifying language-specific irrelevant elements. The refinements reduce false alerts by 76% to 80% in our experiments. Running our tool, CryptoGuard, on 46 high-impact large-scale Apache projects and 6,181 Android apps generates many security insights. Our findings helped multiple popular Apache projects to harden their code, including Spark, Ranger, and Ofbiz. We also have made substantial progress towards the science of analysis in this space, including: i) manually analyzing 1,295 Apache alerts and confirming 1,277 true positives (98.61% precision), ii) creating a benchmark with 38-unit basic cases and 74-unit advanced cases, iii) performing an in-depth comparison with leading solutions including CrySL, SpotBugs, and Coverity. We are in the process of integrating CryptoGuard with the Software Assurance Marketplace (SWAMP).
Submitted 27 March, 2019; v1 submitted 18 June, 2018;
originally announced June 2018.
-
SPEED: the Segmented Pupil Experiment for Exoplanet Detection
Authors:
Martinez Patrice,
Preis Olivier,
Gouvret Carole,
Dejongue Julien,
Daban Jean-Baptiste,
Spang Alain,
Martinache Frantz,
Beaulieu Mathilde,
Janin-Potiron Pierre,
Abe Lyu,
Fantei-Caujolle Yan,
Mattei Damien,
Ottogali Sebastien
Abstract:
Searching for nearby exoplanets with direct imaging is one of the major scientific drivers for both space and ground-based programs. While the second generation of dedicated high-contrast instruments on 8-m class telescopes is about to greatly expand the sample of directly imaged planets, exploring the planetary parameter space to hitherto-unseen regions ideally down to Terrestrial planets is a major technological challenge for the forthcoming decades. This requires increasing spatial resolution and significantly improving high contrast imaging capabilities at close angular separations. Segmented telescopes offer a practical path toward dramatically enlarging telescope diameter from the ground (ELTs), or achieving optimal diameter in space. However, translating current technological advances in the domain of high-contrast imaging for monolithic apertures to the case of segmented apertures is far from trivial. SPEED (the segmented pupil experiment for exoplanet detection) is a new instrumental facility in development at the Lagrange laboratory for enabling strategies and technologies for high-contrast instrumentation with segmented telescopes. SPEED combines wavefront control including precision segment phasing architectures, wavefront shaping using two sequential high order deformable mirrors for both phase and amplitude control, and advanced coronagraphy struggled to very close angular separations (PIAACMC). SPEED represents significant investments and technology developments towards the ELT area and future spatial missions, and will offer an ideal cocoon to pave the road of technological progress in both phasing and high-contrast domains with complex/irregular apertures. In this paper, we describe the overall design and philosophy of the SPEED bench.
Submitted 25 July, 2014;
originally announced July 2014.
-
Party Game for a 500th Anniversary
Authors:
Fumiko Futamura,
Marc Frantz,
Annalisa Crannell
Abstract:
On the 500th anniversary of Albrecht Dürer's copperplate engraving Melencolia I, we invite readers to join in a time-honored "party game" that has attracted art historians and scientists for many years: guessing the nature and meaning of the composition's enigmatic stone polyhedron. Our main purpose is to demonstrate the usefulness of the cross ratio in the analysis of works in perspective. We show how the cross ratio works as a projectively invariant "shape parameter" of the polyhedron, and how it can be used in analyzing various theories of this figure.
Submitted 26 May, 2014;
originally announced May 2014.