Description
DSRC Seminar Series - Prof. Dr. Eric Bodden: How to Statically Detect Insecure Uses of Cryptography - At Scale and with almost Perfect Precision
For decades, static code analysis has been notorious for being ineffective, due to high false positive rates. Yet, recent algorithmic breakthroughs have now given us the capability to build static analysis tools that not only rapidly analyze code bases with millions of lines of code, but also yield perfect precision in most practical cases. In particular, by engineering novel program abstractions and accompanying algorithmic tricks, we were able to show that context-sensitive and field-sensitive static analysis, although undecidable in theory, is actually computable for all practical purposes - and even efficiently so.
Excitingly, this leap in analysis technology now allows us to build automated analysis tools that can pinpoint devastating security vulnerabilities within seconds, even in large code bases, for the first time giving us the opportunity to draw a precise map of vulnerability distributions on a large scale. As an example, I will demonstrate CogniCrypt, a recent security code analysis tool that precisely identifies insecure uses of cryptography. I will report on a study in which we have applied CogniCrypt to all 2.7 million software artifacts on Maven Central, and hundreds of security-critical Android apps, leading to the coordinated disclosure of vulnerabilities, for instance, in Symantec Norton Identity Safe and the VR-Banking app.
| Period | 22 Mar 2022 |
|---|---|
| Event type | Seminar |
| Degree of Recognition | International |