The reviewed record of science sign in
Pith

arxiv: 2107.04940 · v1 · pith:E64K5W25 · submitted 2021-07-11 · cs.CR

You Really Shouldn't Roll Your Own Crypto: An Empirical Study of Vulnerabilities in Cryptographic Libraries

Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel pith:E64K5W25record.jsonopen to challenge →

classification cs.CR
keywords cryptographiclibrariesvulnerabilitiessecuritycausescomplexityfindingsissues
0
0 comments X
read the original abstract

The security of the Internet rests on a small number of open-source cryptographic libraries: a vulnerability in any one of them threatens to compromise a significant percentage of web traffic. Despite this potential for security impact, the characteristics and causes of vulnerabilities in cryptographic software are not well understood. In this work, we conduct the first comprehensive analysis of cryptographic libraries and the vulnerabilities affecting them. We collect data from the National Vulnerability Database, individual project repositories and mailing lists, and other relevant sources for eight widely used cryptographic libraries. Among our most interesting findings is that only 27.2% of vulnerabilities in cryptographic libraries are cryptographic issues while 37.2% of vulnerabilities are memory safety issues, indicating that systems-level bugs are a greater security concern than the actual cryptographic procedures. In our investigation of the causes of these vulnerabilities, we find evidence of a strong correlation between the complexity of these libraries and their (in)security, empirically demonstrating the potential risks of bloated cryptographic codebases. We further compare our findings with non-cryptographic systems, observing that these systems are, indeed, more complex than similar counterparts, and that this excess complexity appears to produce significantly more vulnerabilities in cryptographic libraries than in non-cryptographic software.

This paper has not been read by Pith yet.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 1 Pith paper

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. Protecting Cryptographic Libraries against Side-Channel and Code-Reuse Attacks

    cs.CR 2024-12 unverdicted novelty 3.0

    The paper analyzes security measures in popular cryptographic libraries, pinpoints vulnerabilities to side-channel and memory-corruption attacks, and suggests improvements in their development processes.