CryptoGuard: High precision detection of cryptographic vulnerabilities in massive-sized Java projects

Sazzadur Rahaman, Ya Xiao, Sharmin Afrose, Fahad Shaon, Ke Tian, Miles Frantz, Murat Kantarcioglu, Danfeng (Daphne) Yao

CryptoGuard is an automated, program-analysis-based system that detects cryptographic API misuses in massive Java projects. It efficiently and effectively identifies the intended program slices by excluding language-specific non-essential elements, which significantly reduces the false-positive rate. We helped harden the security of several high-impact Apache projects, including Spark, Ranger, and Ofbiz.


Cryptographic API misuses, such as exposed secrets, predictable random numbers, and vulnerable certificate verification, seriously threaten software security. The vision of automatically screening cryptographic API calls in massive-sized (e.g., millions of LoC) programs is not new. However, hindered by the practical difficulty of reducing false positives without compromising analysis quality, this goal has not been accomplished. CryptoGuard is a set of detection algorithms that refine program slices by identifying language-specific irrelevant elements. The refinements reduce false alerts by 76% to 80% in our experiments. Running our tool, CryptoGuard, on 46 high-impact large-scale Apache projects and 6,181 Android apps generated many security insights. Our findings helped multiple popular Apache projects harden their code, including Spark, Ranger, and Ofbiz. We have also made progress towards the science of analysis in this space, including manually analyzing 1,295 Apache alerts, confirming 1,277 true positives (98.61% precision), and an in-depth comparison with leading solutions including CrySL, SpotBugs, and Coverity.
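The Java sketch below is an added illustration, not code from the paper or from CryptoGuard. It puts two of the misuse classes named above next to hardened forms, and shows why a backward slice from a key argument can reach constants that are not secrets. The class name, file name, and key string are constructed for the example; which elements CryptoGuard actually discards is not stated on this page.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class SliceDemo {
    // Hypothetical key location; a constant, but a resource name, not key material.
    static final Path KEY_FILE = Paths.get(System.getProperty("java.io.tmpdir"), "slice-demo.key");

    // Misuse (exposed secret): the constant itself becomes the key bytes.
    static SecretKeySpec hardcodedKey() {
        byte[] key = "0123456789abcdef".getBytes(StandardCharsets.UTF_8); // constructed value
        return new SecretKeySpec(key, "AES");
    }

    // Not a misuse: a backward slice from the key argument still reaches constants
    // (the file name, "AES"), yet none of them determines the key bytes.
    static SecretKeySpec keyFromFile() throws Exception {
        return new SecretKeySpec(Files.readAllBytes(KEY_FILE), "AES");
    }

    // Misuse (predictable random numbers): java.util.Random with a fixed seed.
    static byte[] predictableNonce() {
        byte[] nonce = new byte[12];
        new Random(42L).nextBytes(nonce);
        return nonce;
    }

    // Hardened form: nonce from the platform CSPRNG.
    static byte[] freshNonce() {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        return nonce;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];
        new SecureRandom().nextBytes(key);
        Files.write(KEY_FILE, key); // demo setup only: provision a random key file
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, keyFromFile(), new GCMParameterSpec(128, freshNonce()));
        System.out.println("ciphertext+tag bytes: " + c.doFinal("demo".getBytes(StandardCharsets.UTF_8)).length);
        Files.delete(KEY_FILE);
    }
}
```

A detector that reports every constant reachable from the `SecretKeySpec` argument would flag both `hardcodedKey()` and `keyFromFile()`; only the first is an exposed secret.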


  title={Cryptoguard: High precision detection of cryptographic vulnerabilities in massive-sized Java projects},
  author={Rahaman, Sazzadur and Xiao, Ya and Afrose, Sharmin and Shaon, Fahad and Tian, Ke and Frantz, Miles and Kantarcioglu, Murat and Yao, Danfeng},
  booktitle={Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security},



Program Analysis, Cryptographic API misuse, Apache Bugs