| 引用本文: |
-
姚祎璨,李丰,肖扬,袁子牧,霍玮.区块链基础设施的密码学API组合误用检测[J].信息安全学报,已采用 [点击复制]
- yaoyican,lifeng,xiaoyang,yuanzimu,huowei.Cryptographic API Combination Misuse Detection in Blockchain Infrastructure[J].Journal of Cyber Security,Accept [点击复制]
|
|
| 摘要: |
| 区块链基础设施的安全性是区块链系统安全性的基础,而在区块链基础设施中,密码学安全性至关重要。由于区块链基础设施结构复杂,使得其中密码学API使用场景多样,在开发过程中会不可避免地出现密码学API误用,导致严重的安全后果。其中,由于多个密码学API组合使用不当而产生的误用尚未得到关注。传统的密码学API检测工具主要分为两类:一类基于预定义的规则,通过静态分析的方法进行漏洞检测;另一类通过机器学习的方法从代码变更中推导正确的规则。前者由于缺乏针对密码学API组合使用的检测规则而导致漏报,后者由于难以从代码变更中推导出尚未错误使用的密码学API组合方式而导致漏报。为了解决上述问题,本文提出了一种密码学API组合使用模式的自动化提取技术。该技术首先基于数据流和控制依赖关系分析,提取密码学API序列及关键参数,然后通过序列模式挖掘算法得到频繁序列,作为正确的使用模式,最后结合参数检测规则对密码学API的组合误用进行检测。本文实现了静态检测工具ComboGuard并进行密码学API组合误用检测。对由20个真实程序组成的基准数据集进行实验,本工具能从25个已知密码学API组合误用中检测出18个,误报率为31%,并额外检测出2个未公开的误用。而传统工具CryptoGo无法检测出这25个误用。在对120个区块链基础设施项目进行有效性实验时,本工具可检测出22个密码学API组合误用,包括4个公开的误用和18个未公开的误用。 |
| 关键词: 密码学API误用 误用检测机制 区块链基础设施 静态分析 Go编程语言 |
| DOI: |
| 投稿时间:2024-03-18修订日期:2024-06-26 |
| 基金项目:漏洞自动检测技术研究基金(E11016116) |
|
| Cryptographic API Combination Misuse Detection in Blockchain Infrastructure |
|
yaoyican, lifeng, xiaoyang, yuanzimu, huowei
|
| (Institute of Information Engineering, Chinese Academy of Sciences) |
| Abstract: |
| The security of blockchain infrastructures is the foundation of the security of blockchain systems, and in blockchain infra-structures, cryptographic security is crucial. Due to the complex infrastructure of blockchain, cryptographic APIs are uti-lized in a variety of scenarios, leading to inevitable misuse during development and resulting in severe security conse-quences. Particularly, misuse arising from improper combinations of multiple cryptographic APIs has yet to receive atten-tion. Traditional cryptographic API detection tools fall into two categories: those based on predefined rules identifying vulnerabilities via static analysis, and those inferring correct rules from code changes through machine learning. The for-mer overlooks due to a lack of rules addressing combination use of cryptographic APIs, while the latter fails to derive combinations that have not yet been misused.To address these issues, this paper presents an automated extraction tech-nique for combination usage patterns of cryptographic APIs. It first extracts cryptographic API sequences and key param-eters based on data flow and control dependency analysis. Frequently occurring sequences are then identified as correct usage patterns through sequence pattern mining algorithms. Finally, the detection of combination misuse of cryptographic APIs is conducted in conjunction with parameter detection rules.We implemented a static detection tool, ComboGuard, to detect combination misuse of cryptographic APIs. In tests with a benchmark dataset composed of 20 real programs, our tool detected 18 out of 25 known combination misuses, with a false alarm rate of 31%, and identified an additional two unreported misuses. The traditional tool, CryptoGo, failed to detect these 25 misuses. In effectiveness tests on 120 block-chain infrastructure projects, our tool detected 22 combination misuses of cryptographic APIs, including four publicly re-ported and 18 unreported misuses. |
| Key words: cryptographic API misuse detection mechanism blockchain infrastructure static analysis Go programming language |
