Project Group SICS - Secure Integration of Cryptographic Software

Multiple studies have shown that Java Crypto APIs are often misused by application developers. Such misuses are caused by an interplay of inappropriate API Design and developers’ lack of domain knowledge. These Crypto APIs are generally low-level, for example, they do not provide developers who want to include a file encryption in their application with a convenient method such as encryptFile(). Instead, the developers have to implement the encryption themselves by using cryptographic algorithms directly. Developers with only little or no experience in cryptography struggle with that level of abstraction. Often, they do not know which algorithms are secure under which circumstances and make easy mistakes, causing their implementation to be insecure.

Tool support for existing cryptographic APIs may help developers integrating cryptography securely into their application. We aim at lifting the level of abstraction to a more convenient level by generating task-based wrapper code for the APIs. Additionally, the tool may run static analyses on the code to alert the application developers when they are using an insecure algorithm or misuse the API.

To build such a tool, knowledge in variability modelling, code generation and analysis is required. In the first phase of the project group, you will familiarize yourself with said topics and prepare a first design of how to combine these techniques in order to provide effective tool support.

In the second phase, the group will split into several sub groups that work on smaller components of the tool. At the end of the year, all components must be integrated with each other to build a stable prototype.

• Good understanding of the Java language
• Knowledge of good software design and efficient programming
• Experience in Eclipse plugin development is beneficial
• Knowledge of cryptography, static analysis, variability modelling are a plus

To attend the course, you have to register in the PAUL system as a participant.

Stefan Krüger (stefan.krueger@upb.de)

Lisa Nguyen (lisa.nguyen@iem.fraunhofer.de)