Understanding Crypto API Misuse Patterns: A Comparative Study of Python, Java, and C/C++ Results

6 May 2024

Authors:

(1) Anna-Katharina Wickert, Technische Universität Darmstadt, Darmstadt, Germany (wickert@cs.tu-darmstadt.de);

(2) Lars Baumgärtner, Technische Universität Darmstadt, Darmstadt, Germany (baumgaertner@cs.tu-darmstadt.de);

(3) Florian Breitfelder, Technische Universität Darmstadt, Darmstadt, Germany (florian.breitfelder@tu-darmstadt.de);

(4) Mira Mezini, Technische Universität Darmstadt, Darmstadt, Germany (mezini@cs.tu-darmstadt.de).

Abstract and 1 Introduction

2 Background

3 Design and Implementation of Licma and 3.1 Design

3.2 Implementation

4 Methodology and 4.1 Searching and Downloading Python Apps

4.2 Comparison with Previous Studies

5 Evaluation and 5.1 GitHub Python Projects

5.2 MicroPython

6 Comparison with previous studies

7 Threats to Validity

8 Related Work

9 Conclusion, Acknowledgments, and References

4.2 Comparison with Previous Studies

To understand how crypto misuses for §1 to §6 (cf. Table 1) differ between Python and the previous studies of Java, analyzed with CryptoLint [4], and C/C++, analyzed with CryptoREX [13], we compared the reported results. As we concentrated on the same rule set, only a few adjustments were needed to make the results comparable. First, for our meta-analysis we exclude §6, since the 5 analyzed Python modules avoid this misuse by design. Second, we merge the results for §1 of Egele et al. [4], as they split their result into two cases: the explicit use of the block mode ECB on one side, and the implicit use of this block mode due to the API design on the other. Third, due to the design of our analysis, we only consider definite findings; CryptoLint and CryptoREX do not distinguish between potential and definite misuses. Fourth, to enable a fair comparison, we compare only percentages rather than absolute numbers, as we are interested in the general distribution and the influence of API design on crypto misuses. We choose to compare the studies on the percentage of applications that use crypto and have at least one misuse of a respective rule, as introduced by Egele et al. [4]. Unfortunately, Zhang et al. [13] only report details for the successfully unpacked firmware images before filtering for crypto usages.
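The adjustments described above, as an added example that is not part of the paper or of Licma: constructed per-app findings are merged (the two ECB cases into §1), filtered (§6 dropped, only definite findings kept) and turned into the per-rule percentage of crypto-using apps with at least one misuse. The app names, rule labels and findings are made up for illustration.

```python
from collections import defaultdict

RULES = ("§1", "§2", "§3", "§4", "§5", "§6")

# Constructed findings: (app, rule, definite). "§1-explicit" and "§1-implicit"
# mimic the two ECB cases of Egele et al., which the comparison merges into §1.
FINDINGS = [
    ("app-a", "§1-explicit", True),
    ("app-a", "§1-implicit", True),
    ("app-b", "§1-implicit", True),
    ("app-b", "§2", False),   # potential finding only
    ("app-c", "§3", True),
    ("app-c", "§6", True),    # excluded rule
    ("app-d", "§2", True),
]
# Constructed set of apps that use crypto at all (app-e has no finding).
CRYPTO_APPS = {"app-a", "app-b", "app-c", "app-d", "app-e"}

MERGE = {"§1-explicit": "§1", "§1-implicit": "§1"}
EXCLUDED = {"§6"}


def normalise(findings, definite_only=True):
    """Apply the adjustments: merge the §1 cases, drop §6, keep only definite findings.

    Returns a mapping rule -> set of apps with at least one remaining finding.
    """
    apps_per_rule = defaultdict(set)
    for app, rule, definite in findings:
        rule = MERGE.get(rule, rule)
        if rule in EXCLUDED or (definite_only and not definite):
            continue
        apps_per_rule[rule].add(app)
    return apps_per_rule


def misuse_percentages(findings, crypto_apps, definite_only=True):
    """Percentage of crypto-using apps with >= 1 misuse per rule (metric of Egele et al.).

    definite_only=False reproduces tools that do not separate potential from definite misuses.
    """
    apps_per_rule = normalise(findings, definite_only)
    total = len(crypto_apps)
    return {rule: round(100 * len(apps_per_rule[rule] & crypto_apps) / total, 1)
            for rule in RULES if rule not in EXCLUDED}


if __name__ == "__main__":
    print(misuse_percentages(FINDINGS, CRYPTO_APPS))
```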

This paper is available on arxiv under CC BY 4.0 DEED license.