LICMA is a multi-language analysis tool to identify incorrect initialization of crypto functions. The current rule set is based on the six rules defined by Egele et al. 1. We provide an overview of the rules and Python examples below.
It is possible to create own rules for individual analyses or support additional languages.
We included all further requirements such as babelfish into the docker container.
- Clone this repository (git clone https://github.com/stg-tud/licma.git).
- Set the environment variable DATA in the file .env. This variable defines the directory were the data is located that should by analysed. By starting the docker container this diretory is linked to /usr/data of the docker container licma.
- Start a terminal and change to the directory were the file docker-compose.yml is located.
- Start the docker containers by entering:
$ docker-compose up
Now the docker containers licma and bblfsh are started. You can see them witch $ docker ps -a
.
- Verify that the docker containers licma and bblfsh are running.
- Start a terminal and change to the directory were the file docker-compose.yml is located.
- Execute the licma.py script with the following command:
$ docker-compose exec licma python3 run_licma.py -i /usr/data/path of file or directory that should be analysed --lc
- [--lo] output log file (defalut: '../log')
- [--ll] log level: CRITICAL = 50 ERROR = 40 WARNING = 30 INFO = 20 DEBUG = 10 NOTSET = 0 (default=10)
- [--lc] print logging on cli
- [--la] source file type ('java' or 'py' default='java')
- [--lib] select cryptographic library ONLY FOR PYTHON ('pycrypto' or 'm2crypto' or 'pynacl' or 'ucryptolib' or 'cryptography' or '', default='')
- [--num] select a specific rule (type=int, default=None: that means, all rules are considered for the analysis)
- [-i] input directory or file]
- [-o] output directory (default='../output')
ID | Rule | Python: Violation Example |
---|---|---|
§1 | Do not use electronic code book (ECB) mode for encryption. | aes = AES.new(key, AES.MODE_ECB) |
§2 | Do not use a non-random initiliazation vector (IV) for ciphertext block chaining (CBC) encryption. | aes = AES.new(key, AES.MODE_CBC, b'\0' * 16) |
§3 | Do not use constant encryption keys. | aes = AES.new(b'\0' * 32, AES.MODE_CBC, iv) |
§4 | Do not use constant salts for password-based encryption (PBE). | kdf = PBKDF2HMAC(hashes.SHA256(), 32, b'\0' * 32, 10000) |
§5 | Do not use fewer than 1,000 iterations for PBE. | kdf = PBKDF2HMAC(hashes.SHA256(), 32, salt, 1) |
§6 | Do not use static seeds to initialize secure random generator. | Due to API design only possible in Java 1 and C/C++ 2 |
We evaluated the Java component of LICMA upon the benchmark CryptoAPIBench and the Python component in a in-the-wild study. You can find more details in our results GitHub project or respectively on figshare.
LICMA was used in the publication Python Crypto Misuses in the Wild. This are the evaluation and scripts for out paper: Python Crypto Misuses in the Wild by Anna-Katharina Wickert, Lars Baumgärtner, Florian Breitfelder, and Mira Mezini. Technische Universität Darmstadt, D-64289 Darmstadt, Germany.
Footnotes
-
Manuel Egele, David Brumley, Yanick Fratantonio, and Christopher Kruegel. An empirical study of cryptographic misuse in android applications. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security - CCS '13, New York, USA, 2013. ACM Press. ↩ ↩2
-
Zhang, Li, Jiongyi Chen, Wenrui Diao, Shanqing Guo, Jian Weng, and Kehuan Zhang. ‘CryptoREX: Large-Scale Analysis of Cryptographic Misuse in IoT Devices’. In 22nd International Symposium on Research in Attacks, Intrusions and Defenses (RAID 2019), Chaoyang District, Beijing: USENIX Association, 2019. ↩