Cryptography in the Wild: An Empirical Analysis of Vulnerabilities in Cryptographic Libraries
Author(s)
Blessing, Jenny; Specter, Michael A.; Weitzner, Daniel J.
Download3634737.3657012.pdf (1.259Mb)
Publisher with Creative Commons License
Publisher with Creative Commons License
Creative Commons Attribution
Terms of use
Metadata
Show full item recordAbstract
The security of the Internet and numerous other applications rests on a small number of open-source cryptographic libraries: A vulnerability in any one of them threatens to compromise a significant percentage of web traffic. Despite this potential for security impact, the characteristics and causes of vulnerabilities in cryptographic software are not well understood. In this work, we conduct the first systematic, longitudinal analysis of cryptographic libraries and the vulnerabilities they produce. We collect data from the National Vulnerability Database, individual project repositories and mailing lists, and other relevant sources for all widely used cryptographic libraries.
In our investigation of the causes of these vulnerabilities, we find evidence of a correlation between the complexity of these libraries and their (in)security, empirically demonstrating the potential risks of bloated cryptographic codebases. Among our most interesting findings is that 48.4% of vulnerabilities in libraries written in C and C++ are either primarily caused or exacerbated by memory safety issues, indicating that systems-level bugs are a major contributor to security issues in these systems. Cryptographic design and implementation issues make up 27.5% of vulnerabilities across all libraries, with side-channel attacks providing a further 19.4%. We find substantial variation among core library components in both complexity levels and vulnerabilities produced: for instance, over one-third of vulnerabilities are located in implementations of the SSL/TLS protocols, providing actionable evidence for codebase quality and security improvements in these libraries.
Date issued
2024-07Department
Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory; Massachusetts Institute of Technology. Department of Electrical Engineering and Computer SciencePublisher
ACM
Citation
Blessing, Jenny, Specter, Michael A. and Weitzner, Daniel J. 2024. "Cryptography in the Wild: An Empirical Analysis of Vulnerabilities in Cryptographic Libraries."
Version: Final published version
ISBN
979-8-4007-0482-6
Collections
The following license files are associated with this item: