| Cryptographic techniques are quite significant to the security and privacy of widely deployed IoT devices.However,if cryptographic APIs are not invoked correctly,it may bring fatal security risks.Cryptographic misuse is a common security problem,such as using constant cryptographic keys,using ECB mode in symmetric ciphers,and using insufficiently sized keys in asymmetric ciphers.The problem of cryptographic misuse is very common on multiple platforms.For example,according to previous research,88%of Android applications using cryptography API have at least one cryptographic misuse.85%of Apache projects have at least one cryptographic misuse.To detect cryptographic misuse bugs,previous works have made many efforts.However,these existing tools still have some limitations on analyzing multi-architecture IoT firmware images.First,most existing tools are platform-specific or language-specific,which means they are not suitable for cross-architecture analysis.Second,previous work on the analysis of IoT firmware suffers from the accuracy and efficiency issues,and only supports few cryptographic misuses.In this work,we propose CryptoMagnifier,a static analysis tool to detect cryptographic misuse bugs in IoT firmware images.It achieves the cross-architecture analysis in the whole detection process.Also,CryptoMagnifier deployed more well-designed detection strategies to reduce the cases of false positives and false negatives,including accurate parameter tracing,flexible customized rule checking,dynamic rule generation,and comprehensive strategies for cross-file analysis.CryptoMagnifier supports the analysis of 16 types of cryptographic misuse,and models 336 APIs from 7 common standard cryptographic libraries.To demonstrate the effectiveness of CryptoMagnifier,we performed a large-scale experiment on 5,324 firmware images from 35 vendors.Our evaluation shows that 94%of the firmware images exist at least one cryptographic misuse issue.We summarize the common cryptographic mistakes of IoT developers.We performed the first similarity analysis to identify the cryptographic misuses bugs with high impacts.We identified 124 misuses affecting multiple firmware and 33 misuses affecting multiple vendors.We reported some of the errors we found to the corresponding vendors and got the vendors'confirmation.To facilitate the future research of IoT security,we build the first IoT-specific cryptographic misuse testing benchmark for public usage.It contains 74 unit-test cases,covering a variety of cryptographic misuse scenarios.It contains 12 types of cryptographic misuses.It provides both source code and multi-architecture binary code for detection. |
PDF Full Text Request