We are happy to announce the publication of Stefan Krüger’s Ph.D. Thesis! The thesis gives a comprehensive introduction into CogniCrypt and the research we have been conducting over the past few years in the context of the tool. In the thesis, Krüger motivates the work on CogniCrypt and discusses the approach, comprising of CrySL, CogniCryptSAST, and CogniCryptGEN, in detail. That is not all, however. In the final chapters of the thesis, Krüger also outlines several ideas for further CrySL-based tool support that should help developers use cryptographic APIs and that are already in the works.

If you have followed all research related to CogniCrypt so far, we highly recommend chapter four for an up-to-date discussion of related work, chapter six for an empirical evaluation of CogniCrypt, and chapter nine for the above-mentioned design sketches for alternate forms of tool support on top of CrySL.

If you are interested now, please check out the thesis at the university library of Paderborn University where it was published.

Researchers from the Collaborative Research Center CROSSING and partners are working on crypto assistant for software developers

CogniCrypt supports developers during the integration of cryptographic components into software and checks automatically if they are integrated and configured correctly. After five years of work, CogniCrypt has matured to Version 1.0. For this release, we have extended and thoroughly tested CogniCrypt’s main features: the code generator and the static code analysis. CogniCrypt now supports the code generation for five widely found cryptographic use cases, Data Encryption, Secure Communication, Secure Password Storage, Long-Term Archiving, and Multi-party computation.

We have further expanded CogniCrypt’s analysis support to now five cryptographic APIs: JCA, JSSE, BouncyCastle, BouncyCastle as a JCA provider, and Google Tink.

On top of that, as per requests by CogniCrypt’s users, we have taken several measures to improve both the tool’s usability and configurability over the past few months. Most notably, we have implemented an extra view in Eclipse that presents the results of the latest run of the tool’s code analysis in a structured and clean manner. Also CogniCrypt may now, depending on its configuration, automatically detect which cryptographic library is used in the project under analysis. Finally, in terms of usability, false-positive findings may now be manually suppressed within the IDE, manually marked as secure, and reported to us the maintainers of CogniCrypt such as to avoid their reporting in the future. To improve CogniCrypt’s configurability, we have implemented a preferences menu, through which users may tweak a range of different features to their liking. Users may disable that the code analysis runs automatically when a project is built, enable the display of secure objects in the code, determine the level of severity for the different error types the tool supports, or add support for more cryptographic APIs.

For more details on both CogniCrypt’s core functionality as well as our most recent extensions, please check out our comprehensive documentation.

Thanks to Theofilos Petsios from Amazon Web Services for providing a definition file for syntax highlighting for CrySL in VIM. You can download the definitions here.

We currently have several openings for full-time research staff and software developers who will help us bring CogniCrypt to the next level. The openings are located both at Paderborn and Darmstadt. Please contact Eric Bodden for further information.

CogniCrypt is being presented in a full-day workshop and a conference talk at this year’s Heise devSec!