A Longitudinal and Retrospective Study on How Developers Misuse Cryptography in Online Communities
Resumo
Desenvolvedores de software, participantes de comunidades on-line, costumam se beneficiar de soluções rápidas para problemas tecnológicos e, eventualmente, melhoram suas habilidades na resolução de problemas de mau funcionamento da tecnologia. Neste trabalho, investigamos se desenvolvedores de software criptográfico que participam de comunidades on-line se tornam melhores no uso de criptografia com o tempo. Esse é um aspecto de segurança crucial nos dias de hoje, em que "real-world crypto" se tornou um tópico de interesse sério, não só academicamente, mas no gerenciamento de segurança como um todo: programação criptográfica feita por não-especialistas é uma fonte frequente e muitas vezes invisivel de vulnerabilidades [RWC ]. Realizamos um estudo retrospectivo e longitudinal para rastrear as respostas dos desenvolvedores sobre programação de criptografia em duas comunidades on-line. Descobrimos que o uso indevido da criptografia é não apenas comum em comunidades on-line, mas também é recorrente nas discussões, sugerindo que os desenvolvedores aprendem a usar as APIs criptográficas sem realmente aprender criptografia. Não conseguimos identificar melhora alguma na percepção e aprendizado de vulnerabilidades criptográficas, mesmo em tarefas simples como a de evitar o uso de criptografia obsoleta. Concluimos, assim, que os usuários ativos nas comunidades on-line para APIs criptográficas não tem evoluído no seu aprendizado dos detalhes e armadilhas do uso da criptograpfia, um estado de coisas muito preocupante.Referências
Acar, Y., Backes, M., Fahl, S., Kim, D., Mazurek, M. L., and Stransky, C. (2016a). You Get Where You’re Looking For: The Impact Of Information Sources on Code Security. In Security and Privacy (SP), 2016 IEEE Symposium on, pages 289–305. IEEE.
Acar, Y., Fahl, S., and Mazurek, M. L. (2016b). You Are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users.
Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J. A., Heninger, N., Springall, D., Thomé, E., Valenta, L., and Others (2015). Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 5–17. ACM.
Alashwali, E. S. (2013). Cryptographic vulnerabilities in real-life web servers. In Third International Conference on Communications and Information Technology (ICCIT), pages 6–11. Ieee.
BC. The Legion of the Bouncy Castle.
Bos, J. W., Halderman, J. A., Heninger, N., Moore, J., Naehrig, M., and Wustrow, E. (2014). Elliptic curve cryptography in practice. In Financial Cryptography and Data Security, pages 157–175. Springer.
Bourque, P. and Fairley, R., editors (2014). Guide to the Software Engineering Body of Knowledge (SWEBOK). IEEE Computer Society, version 3. edition.
Braga, A. and Dahab, R. (2015). Introdução à Criptografia para Programadores: Evitando Maus Usos da Criptografia em Sistemas de Software. In Caderno de minicursos do XV Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais — SBSeg 2015, pages 1–50.
Braga, A. and Dahab, R. (2016). Mining Cryptography Misuse in Online Forums. In 2nd International Workshop on Human and Social Aspect of Software Quality.
Chatzikonstantinou, A., Ntantogian, C., Xenakis, C., and Karopoulos, G. (2015). Evaluation of Cryptography Usage in Android Applications. 9th EAI International Conference on Bio-inspired Information and Communications Technologies.
Chess, B. andWest, J. (2007). Secure programming with static analysis.
CYBSI (2014). Avoiding The Top 10 Software Security Design Flaws.
Egele, M., Brumley, D., Fratantonio, Y., and Kruegel, C. (2013). An empirical study of cryptographic misuse in android applications. ACM SIGSAC conference on Computer & comm. security (CCS’13), pages 73–84.
Fahl, S., Harbach, M., and Muders, T. (2012). Why Eve and Mallory love Android: An analysis of Android SSL (in) security. In ACM conference on Computer and communications security, pages 50–61.
Friedman, J., Hastie, T., and Tibshirani, R. (2009). The elements of statistical learning, volume 2. Springer-Verlag. GAD. Google Android Developers.
Georgiev, M., Iyengar, S., and Jana, S. (2012). The most dangerous code in the world: validating SSL certificates in non-browser software. In Proceedings of the 2012 ACM conference on Computer and communications security - CCS ’12, pages 38–49.
Howard, M. and LeBlanc, D. (2003). Writing secure code.
Howard, M., LeBlanc, D., and Viega, J. (2009). 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill Education.
Howard, M. and Lipner, S. (2006). The Security Development Lifecycle. Microsoft Press, Redmond,WA, USA.
Hutcheson, M. L. (2003). Software testing fundamentals: methods and metrics. JohnWiley & Sons.
Lazar, D., Chen, H.,Wang, X., and Zeldovich, N. (2014). Why Does Cryptographic Software Fail?: A Case Study and Open Problems. In 5th Asia-PacificWorkshop on Systems, APSys ’14, pages 7:1-7:7, New York, NY, USA. ACM.
Mart, V. G. and Hern, L. (2013). Implementing ECC with Java Standard Edition 7. International Journal of Computer Science and Artificial Intelligence, 3(4):134–142.
Murthy, M. R. (2015). Introduction to Data Mining and Soft Computing Techniques. Laxmi Publications.
Nadi, S., Krüger, S., Mezini, M., and Bodden, E. (2016). “Jumping Through Hoops”: Why do Java Developers StruggleWith Cryptography APIs? The 38th International Conference on Software Engineering.
OJC. Oracle Java Cryptography.
OpenSSL. OpenSSL Cryptography and SSL/TLS toolkit.
Oracle. Java Cryptography Architecture (JCA) Reference Guide.
OWASP. Cryptographic Storage Cheat Sheet.
Pandian, C. R. (2003). Software metrics: A guide to planning, analysis, and application. CRC Press.
RWC. RealWorld Crypto Symposium.
Safecode (2011). Fundamental Practices for Secure Software Development.
Shostack, A. (2014). Threat modeling: Designing for security. JohnWiley & Sons.
Shuai, S., Guowei, D., Tao, G., Tianchang, Y., and Chenjie, S. (2014). Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications. In IEEE 12th International Conference on Dependable, Autonomic and Secure Computing (DASC), pages 75–80.
Viega, J. and McGraw, G. (2001). Building Secure Software: How to Avoid Security Problems the Right Way. Wang,W. and Godfrey, M.W. (2013). Detecting API Usage Obstacles : A Study of iOS and Android Developer Questions. pages 61–64.
Wang, W., Malik, H., and Godfrey, M. W. (2015). Recommending posts concerning api issues in developer q&a sites. In Proceedings of the 12th Working Conference on Mining Software Repositories, pages 224–234. IEEE Press.
Acar, Y., Fahl, S., and Mazurek, M. L. (2016b). You Are Not Your Developer, Either: A Research Agenda for Usable Security and Privacy Research Beyond End Users.
Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J. A., Heninger, N., Springall, D., Thomé, E., Valenta, L., and Others (2015). Imperfect forward secrecy: How Diffie-Hellman fails in practice. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pages 5–17. ACM.
Alashwali, E. S. (2013). Cryptographic vulnerabilities in real-life web servers. In Third International Conference on Communications and Information Technology (ICCIT), pages 6–11. Ieee.
BC. The Legion of the Bouncy Castle.
Bos, J. W., Halderman, J. A., Heninger, N., Moore, J., Naehrig, M., and Wustrow, E. (2014). Elliptic curve cryptography in practice. In Financial Cryptography and Data Security, pages 157–175. Springer.
Bourque, P. and Fairley, R., editors (2014). Guide to the Software Engineering Body of Knowledge (SWEBOK). IEEE Computer Society, version 3. edition.
Braga, A. and Dahab, R. (2015). Introdução à Criptografia para Programadores: Evitando Maus Usos da Criptografia em Sistemas de Software. In Caderno de minicursos do XV Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais — SBSeg 2015, pages 1–50.
Braga, A. and Dahab, R. (2016). Mining Cryptography Misuse in Online Forums. In 2nd International Workshop on Human and Social Aspect of Software Quality.
Chatzikonstantinou, A., Ntantogian, C., Xenakis, C., and Karopoulos, G. (2015). Evaluation of Cryptography Usage in Android Applications. 9th EAI International Conference on Bio-inspired Information and Communications Technologies.
Chess, B. andWest, J. (2007). Secure programming with static analysis.
CYBSI (2014). Avoiding The Top 10 Software Security Design Flaws.
Egele, M., Brumley, D., Fratantonio, Y., and Kruegel, C. (2013). An empirical study of cryptographic misuse in android applications. ACM SIGSAC conference on Computer & comm. security (CCS’13), pages 73–84.
Fahl, S., Harbach, M., and Muders, T. (2012). Why Eve and Mallory love Android: An analysis of Android SSL (in) security. In ACM conference on Computer and communications security, pages 50–61.
Friedman, J., Hastie, T., and Tibshirani, R. (2009). The elements of statistical learning, volume 2. Springer-Verlag. GAD. Google Android Developers.
Georgiev, M., Iyengar, S., and Jana, S. (2012). The most dangerous code in the world: validating SSL certificates in non-browser software. In Proceedings of the 2012 ACM conference on Computer and communications security - CCS ’12, pages 38–49.
Howard, M. and LeBlanc, D. (2003). Writing secure code.
Howard, M., LeBlanc, D., and Viega, J. (2009). 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. McGraw-Hill Education.
Howard, M. and Lipner, S. (2006). The Security Development Lifecycle. Microsoft Press, Redmond,WA, USA.
Hutcheson, M. L. (2003). Software testing fundamentals: methods and metrics. JohnWiley & Sons.
Lazar, D., Chen, H.,Wang, X., and Zeldovich, N. (2014). Why Does Cryptographic Software Fail?: A Case Study and Open Problems. In 5th Asia-PacificWorkshop on Systems, APSys ’14, pages 7:1-7:7, New York, NY, USA. ACM.
Mart, V. G. and Hern, L. (2013). Implementing ECC with Java Standard Edition 7. International Journal of Computer Science and Artificial Intelligence, 3(4):134–142.
Murthy, M. R. (2015). Introduction to Data Mining and Soft Computing Techniques. Laxmi Publications.
Nadi, S., Krüger, S., Mezini, M., and Bodden, E. (2016). “Jumping Through Hoops”: Why do Java Developers StruggleWith Cryptography APIs? The 38th International Conference on Software Engineering.
OJC. Oracle Java Cryptography.
OpenSSL. OpenSSL Cryptography and SSL/TLS toolkit.
Oracle. Java Cryptography Architecture (JCA) Reference Guide.
OWASP. Cryptographic Storage Cheat Sheet.
Pandian, C. R. (2003). Software metrics: A guide to planning, analysis, and application. CRC Press.
RWC. RealWorld Crypto Symposium.
Safecode (2011). Fundamental Practices for Secure Software Development.
Shostack, A. (2014). Threat modeling: Designing for security. JohnWiley & Sons.
Shuai, S., Guowei, D., Tao, G., Tianchang, Y., and Chenjie, S. (2014). Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications. In IEEE 12th International Conference on Dependable, Autonomic and Secure Computing (DASC), pages 75–80.
Viega, J. and McGraw, G. (2001). Building Secure Software: How to Avoid Security Problems the Right Way. Wang,W. and Godfrey, M.W. (2013). Detecting API Usage Obstacles : A Study of iOS and Android Developer Questions. pages 61–64.
Wang, W., Malik, H., and Godfrey, M. W. (2015). Recommending posts concerning api issues in developer q&a sites. In Proceedings of the 12th Working Conference on Mining Software Repositories, pages 224–234. IEEE Press.
Publicado
06/11/2017
Como Citar
BRAGA, Alexandre; DAHAB, Ricardo.
A Longitudinal and Retrospective Study on How Developers Misuse Cryptography in Online Communities. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 17. , 2017, Brasília.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2017
.
p. 28-41.
DOI: https://doi.org/10.5753/sbseg.2017.19488.