CogniCrypt - Secure Integration of Cryptographic Software
A large number of recent studies have shown that most software applications that use cryptographic procedures misuse them in an unsafe manner. The VeraCode Report State of the Software Security 2017 lists the unsafe use of cryptography as the second most common cause of software vulnerabilities, right after data leakage.
Eclipse CogniCrypt was developed within the collaborative research center CROSSING of Technische Universität Darmstadt. It allows developers to quickly identify and fix security-critical misuses of crytographic libraries.
The plugin Eclipse CogniCrypt ships in two main components: A wizard for code generation that supports a developer in generating secure code for common cryptorgaphic tasks and a static code analysis that continuosly checks the (generated and non-generated) code of the developer directly within Eclipse.
The Code Generation Feature of CogniCrypt is designed as a wizard that guides developers to select the correct cryptographic algorithms for their cryptographic task at hand. The wizard asks high level questions regarding the task and the data formats the developer needs to encrypt. The user documentation discusses the wizard in more detail.
Static Code Analysis
The static code analysis feature of CogniCrypt continously checks the developer’s code for correct implementations. Upon saving the code in the editor, a static analysis is triggered in the background and reports warning when a cryptographic API is used incorrectly.
The video below shows a minimal example demonstrating the static code analysis within Eclipse.
In the Example, the developer creates a
Cipherobject and supplies the
String "AES"as argument to configure using the encryption algorithm
AES. They save their code and are warned instantaniously by CogniCrypt. By default, the algorithm
AESencrypts with the insecure block mode
ECBand does not use any padding. The developer changes the
Cipherobject to be cofigures in a secure way (using the
String "AES/CBC/PKCS5Padding"which tells to use a secure block mode
"CBC"and a correct padding mode). CogniCrrypt’s error message disappears. For a more in-depth explanation, please check out the user documentation.