What We Can Learn From an Examination of the Misapplication of Cryptography
In this post, I present my thoughts and learnings from a research paper focused on cryptography use cases demonstrating misapplication. The authors undertook a study building on some previous work by other authors, going further to study the prevalence of false positives in cryptographic SAST and the overall distribution of severities of findings in the wild.
Three Key Findings From the Cryptography Use Cases Research
The first thing I found interesting about this paper is the taxonomy of cryptographic errors they got from a previous paper. The section of the paper describing the taxonomy is excellent educational material, I feel. I won’t reproduce the list in detail here because that’s exactly what the paper does. It might be worth thinking about the threat model implied by each type of failure, however; placing “the key material was stored in a String type within this method” on the same footing as “the key material was stored in the same file as the ciphertext” is unwise. Both represent substantial threats of adversarial decryption, but one of them is significantly more likely than the other.
Another interesting point the paper raises is the existence of CogniCrypt cryptographic SAST; my knowledge of products within the security space always lags a bit, so I’d never heard of this product before. Based on their description of it, I think I’m likely to investigate using it on future projects.
The last thing to catch my eye in this paper is the data. I’m less interested in their measurement of the false positive rate – that is a problem for SAST developers to solve – though their concept of an effective false positive is intriguing. It is not uncommon to find that developers have used cryptographic functions insecurely while operating on non-sensitive data, and doing so comprises a significant portion of the false positives I find in the wild.
The data on severities is more interesting. The authors suggest that nearly half of all cryptographic misuses result in high-severity findings. While I can’t speak authoritatively on alignment between their rubric and mine, it is not uncommon for me to find badly-encrypted data being stored by an application. One of the device-owner vectors still active in modern Android OS is Android Backup, a utility that extracts the contents of the shared preferences folder (and other folders) from the device.
This functionality only requires developer mode, not root, so it can be enabled on a factory-default device without wiping storage – this functionality means findings on this subject regularly feature the stolen-device scenario as a threat model.
Overall, I picked these two papers to review because I’ve seen material like this in customer applications plenty of times, and it was interesting to see the subject matter expanded upon, particularly with an eye towards the broader mobile ecosystem.