WIXLIB

Tutorial: Principles and Practices ofCryptographic Coding in JavaYa Xiao, Miles Frantz, Sharmin Afrose Daphne YaoPh.D. studentsProfessorVirginia TechVirginia Techhttp://yaogroup.cs.vt.edu/IEEE SecDev 2020Sazzadur RahamanAssistant ProfessorUniversity of ArizonaSaTC-1929701

Software is everywhereFord GT has over 10 million lines of codeF-22 Raptor has 2 million lines of codeBoeing 787 Dreamliner has 7 million lines of codeFord pickup truck F-150 has 150 million lines of /2

Security of Critical Infrastructure & Cyber-physical systems (CPS)Industrial control systems ucture-more/3

Nov 2016MUNI stations displayed:"You Hacked, ALL Data Encrypted.Contact gers-free-ride-san-francisco-muni-ransomeware

To pay or not to pay? That’s the questionSurvey of nearly 1,200 IT security practitioners anddecision makers across 17 e-able-to-recover-their-data/5

Developers’ code is getting closer and closer to your body6

We need both -- developer training & using toolsTop 10 secure coding rules1. Validate input. Validate input from all untrusted data sources.2. Heed compiler warnings [and other warnings].3. Architect and design for security policies.4. Keep it simple.5. Default deny.6. Adhere to the principle of least privilege.7. Sanitize data sent to other systems.8. Practice defense in depth.9. Use effective quality assurance techniques.10. Adopt a secure coding ay/seccode/Top 10 Secure Coding Practices7

Microsoft secure development lifecycle (SDL)Developers need TOOLS and more ycle.aspx8

Who wouldn’t want to write secure code?BudgetTimeFalse positivesResources9

CSRF token in Java -- an example of the gap11

What is cross-site request forgery (CSRF) attack?1. Victim has a validsession with bank.com2. Victim visited amalicious form3. Victim tricked intosubmitting form4. Browser automaticallyattaches session-idFrom C. Jackson5. Money transferredto attacker

Developers need help“Addingcsrf().disable() solved the issue!!! I have no idea why it was enabled by default” – a StackOverflow post[Meng ICSE 2018] Available at: https://arxiv.org/pdf/1709.09970.pdf13

Developers definitely need help“Addingcsrf().disable() solved the issue!!! I haveno idea why it was enabled by default”“adding -Dtrust all cert trueto VM arguments”“I want my client toaccept any certificate(because I'm only everpointing to one server)”14N. Meng, S. Nagy, D. Yao, W. Zhuang, and G. Argoty. ICSE 2018

Influencers -- how much influence does StackOverflow have?Insecure PostsTotal ViewsDisabling CSRFProtection*Trust All CertsObsolete HashTotal Views39,863No. ofPosts5491,56791,492622,9229317Min Views Max ,59430,497As of August 2017Insecure StackOverflow posts seem to have a large influence on developers 15N. Meng, S. Nagy, D. Yao, W. Zhuang, and G. Argoty. ICSE 2018* In Java Spring Security for web applications

Social Dynamics on StackoverflowUser: skanga [0]User: MarsAtomic [6,287]“Do NOT EVER trust allcertificates. That is verydangerous.”“once you have sufficientreputation you will beable to comment”“the "accepted answer" iswrong and INDEED it isDANGEROUS. Others whoblindly copy that codeshould know this.”“If you don't haveenough rep to comment, then participate until you have icate-exception-is-raised16

The paparazzi doesn’t help17

CryptoGuard – Java Crypto Code Scanning withDeployment-quality Accuracy and Scalability98.6% PrecisionOut of 1,295 Apache alerts,only 18 are false alarmsCRYPTOGUARD DEPLOYMENT & IMPACTParfait (an internal Oracle product) usesour approach to scan production codeNominated for NSA Science ofSecurity Paper CompetitionMax, min and avg LoC: 2,571K (Hadoop),1.1K (Commons Crypto), and 402K[Rahaman et al. ACM CCS 2019]CryptoGuard and Benchmark on GitHub

Comm. Of ACM article on CryptoGuard: ing-java-crypto/fulltext

Our tutorial today(In)secure crypto codingexamplesSecure TLS codingstrategiesCryptoGuard intro/demoTool eval benchmark20

Take-home message:know there’re tools/strategies/resources to helpdevelopers secure code21

Related referencesPapers: Sazzadur Rahaman, Ya Xiao, Sharmin Afrose, Fahad Shaon, Ke Tian, Miles Frantz, Murat Kantarcioglu, andDanfeng Yao. "Cryptoguard: High precision detection of cryptographic vulnerabilities in massive-sized Javaprojects." In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security,pp. 2455-2472. 2019. Sharmin Afrose, Sazzadur Rahaman, and Danfeng Yao. "CryptoAPI-Bench: A Comprehensive Benchmark onJava Cryptographic API Misuses." In 2019 IEEE Cybersecurity Development (SecDev), pp. 49-61. IEEE, 2019. Ya Xiao, Yang Zhao, Nicholas Allen, Nathan Keynes, and Cristina Cifuentes. "Industrial Experience of FindingCryptographic Vulnerabilities in Large-scale Codebases." arXiv preprint arXiv:2007.06122 (2020).Online Resources: CryptoGuard. https://github.com/CryptoGuardOSS/cryptoguard CryptoAPI-Bench. https://github.com/CryptoGuardOSS/cryptoapi-bench Secure TLS/SSL code examples. https://github.com/AthenaXiao/SecureTLSCodeExample 20 SecDev Tutorial22

Simple Securevs.Insecure ExamplePresenter:Sharmin Afrose23

Code Examples for URL24

Simple Secure vs. Insecure ExampleSecure or insecure?25

Simple Secure vs. Insecure Example Cryptographic API: URL Vulnerability: Insecure websiteInsecureSecure26

Code Examples for Random Numbers27

Simple Secure vs. Insecure ExampleSecure or insecure?28

Simple Secure vs. Insecure Example Cryptographic API: Random, SecureRandom Vulnerability: Predictable number generationInsecureSecure29

Code Examples for Message Digests30

Simple Secure vs. Insecure ExampleSecure or insecure?31

Simple Secure vs. Insecure Example Cryptographic API: MessageDigest( ) Vulnerability: Insecure cryptographic HashInsecureSecure32

Code Examples for Ciphers33

Simple Secure vs. Insecure ExampleSecure or insecure?34

Simple Secure vs. Insecure Example Cryptographic API: Cipher Vulnerability: Insecure cryptographic cipher algorithmInsecureSecure35

Code Examples for Cryptographic Keys36

Simple Secure vs. Insecure ExampleSecure or insecure?37

Simple Secure vs. Insecure Example Cryptographic API: SecretKeySpec Vulnerability: Constant cryptographic keyInsecureSecure38

TLS/SSL AuthenticationCode in JSSEPresenter:Ya Xiao39

Mis-configuration of TLS/SSL can cause man-in-themiddle attacks.References:[1] Martin Georgiev, Subodh Iyengar, Suman Jana, Rishita Anubhai, Dan Boneh, and Vitaly Shmatikov. "The mostdangerous code in the world: validating SSL certificates in non-browser software." In Proceedings of the 2012 ACMconference on Computer and communications security (CCS), pp. 38-49. 2012.[2] Na Meng, Stefan Nagy, Danfeng Yao, Wenjie Zhuang, and Gustavo Arango Argoty. "Secure coding practices in java:Challenges and vulnerabilities." In Proceedings of the 40th International Conference on Software Engineering (ICSE),pp. 372-383. 2018.[3] Sascha Fahl, Marian Harbach, Thomas Muders, Lars Baumgärtner, Bernd Freisleben, and Matthew Smith. "WhyEve and Mallory love Android: An analysis of Android SSL (in) security." In Proceedings of the 2012 ACM conferenceon Computer and communications security (CCS), pp. 50-61. 2012.40

TLS/SSL happens implicitly in a code snippetClientServerHTTPS HTTP TLSHello!HandshakeServer natedClient Certificate(optional) 41

Some Exceptions can be fixed by securelycustomizing TrustManager and ates canHostnameHostnameVerifierbe trustedis tion: Customization needs to be done carefully!42

Several examples of customized TrustManagerCertificatesCertificates canHostnameTrustManagerHostnameVerifierbe trustedis correctException!Exception!Success!43

Customization 1: Secure or insecure?44

Customization 1: insecure!no verification happens!It is insecure for doing nothing in the certificate validationmethods (i.e. checkClientTrusted, checkServerTrusted).45

Customization 2: Secure or insecure?46

Customization 2: insecure!no exception will be threw out!Catching the exception without re-throw it is insecure!47

Customization 3: Secure or insecure?48

Customization 3: insecure!Bypassing certificate validationcheckValidity onlychecks whetherthe certificate isexpiredBypassing the certificate validation under certain condition is insecure!49

Next, we show several SECURE customizedTrustManagers.We only show the important parts of the code.Full examples can be found ple)50

Scenario 1: The client wants to visit the internal server(www.our.example.com) with the self-signed certificate (or certificate signedby a unknown CA (certificate authority)).51

Secure Customization 1: specified trust managerCertificateKeyStoreA keystore is primarily a database for storing application secrets.Keystores can also be used for storing “trust certificates” and CAchains.TrustManagerA certificate can be specified as trusted by putting it in KeyStore.52

Secure Customization 1: specified trust manager53

Scenario 2: The client wants to visit both the internal server(www.our.example.com) and external servers as normal.The client has two KeyStores:1. The system default keyStore in {java.home}/lib/security/cacertsThis keystore is pre-populated with many well-known root CAs.2.A specified one as scenario 1.54

Secure Customization 2: backup trust managerFirst, delegate to the default trustmanager. If it cannot handle it, trythe backup trust manager.55

Scenario 3: Sometimes, the system may manage multiple key stores56

Secure Customization 3: composite trust managerComposite trust manager frommultiple trust sources (KeyStore)Pass the validation if anytrust manager trust it.57

Several examples of customized HostnameVerifiersCertificatesCertificates canHostnameHostnameVerifierbe trustedis correctException!Exception!TrustManagerSuccess!58

Customization 1: Secure or insecure?59

Customization 1: Insecure!Allowing all hostnames is insecure!60

Customization 2: Secure or insecure?61

Customization 2: Secure!Specify the expected hostname or define specific verificationlogic is secure!62

TLS/SSL connection built by n can be built fromSSLSocketFactory Interface63

The implicit authentication does not includeHostname Verification!CertificatesCertificates canbe meis correctException!HostnameVerifieris required to be done manually!64

Several examples about usage of SSLSocketFactory65

Example 1: Secure or insecure?66

Example 1: Insecure!Hostname verification is required to perform manually!Handshaking implicitly happens when data isflushed. However, no hostname verificationhappens!67

Connection with raw SSLSocketFactory Secure!Manually calling the HostnameVerifier.verity() ensures thesecure communication.68

Connection with raw SSLSocketFactory Secure!When the algorithm field is“HTTPS”, the handshakingautomatically performshostname verification.Setting the algorithm filed as “HTTPS” is anotherway to secure the communication.69

CryptoGuard DesignPresenter:Sazzadur Rahaman70

Cryptographic Misuse Detection with CryptoGuard- CryptoGuard is a static analysis tool- Dataflow analysis is implemented on Soot

Precise cryptographic misuse detection is hard .CryptoLintFixDroid (Android)SpotBugs (Java)State-of-the-artCoverityScan (Java/C/C )PracticalCrySL (Java/Android)CryptoGuard (our solution)

Goal and ChallengesFP vs. FN vs. ScalabilityHow do you handleFalse Positives?For scalability and reduced FN,we avoidpath-sensitive analysisCryptoGuard (our solution)

Sources of false positives .Implementations of some methods are not available!

Reduce false positives: Programming idioms and languagerestrictions to the rescue!Observation I: A vast majority of them are caused by phantom methods!bytes virtualinvoke key. String: byte[] getBytes(String) ("UTF-8")State indicatorkey staticinvoke PassEncryptor: String getKey(String) ("pass.key")Resource identifierkey interfaceinvoke map. HashMap: String get(String) ("key id")Resource identifier