FluentCrypto: Cryptography in Easy Mode: Related Work

12 Jun 2024

Authors:

(1) Simon Kafader, University of Bern, Bern, Switzerland (simon.kafader@inf.unibe.ch);

(2) Mohammad Ghafari, University of Auckland, Auckland, New Zealand (m.ghafari@auckland.ac.nz).

We discuss related work from two perspectives. First, we discuss an excerpt of the literature that investigated why developers struggle with using crypto APIs. Second, we discuss previous work that aimed to help developers avoid crypto misuses. Nevertheless, to the best of our knowledge, there is no such research on Node.js cryptography.

A. API design

Nadi et al. conducted a survey with 11 developers who posted crypto-related questions on the Stack Overflow website, and 37 developers who had experience with Java’s cryptography APIs [15]. They found that developers are able to understand crypto concepts but fail to apply them in practice. They concluded that the concepts behind crypto APIs are low-level and that developers welcome task-based solutions for working with crypto APIs.

Green and Smith found that many misuses of cryptographic libraries originate in the developer having trouble understanding the API [16]. They criticized that, while it has become accepted that systems should be user-friendly for the end user, a different attitude prevails among cryptographic libraries, where the end user is expected to be an expert. They then proposed a set of characteristics that should lead to more secure cryptographic APIs, including: the API should be easy to use, even without documentation; incorrect use should lead to visible errors; defaults should be safe and never ambiguous; and code that uses the API should be easy to read and update.

Das et al. selected the most popular cryptographic libraries from C, C++, Java, Python and Go and examined them for properties that cause cryptographic misuse by developers [17]. They examined the libraries based on a set of common potential issues such as initialization vector reuse, library defaults or incomplete features. Their work highlighted the disconnect between the actual user of such a library and the user for whom it is designed.
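The characteristics listed by Green and Smith, and the initialization vector reuse and library-default issues examined by Das et al., can be made concrete with a small task-based wrapper over Node.js's built-in `crypto` module. This is an added example, not code from the paper or from FluentCrypto; the names `seal`, `unseal`, `checkKey` and `rejects` are hypothetical.

```javascript
// Added illustration (not from the paper): a hypothetical task-based wrapper
// over Node.js's built-in crypto module.
const nodeCrypto = require('node:crypto');

const ALGORITHM = 'aes-256-gcm'; // safe default: authenticated encryption
const KEY_BYTES = 32;
const IV_BYTES = 12;             // 96-bit IV, the size recommended for GCM
const TAG_BYTES = 16;

function checkKey(key) {
  // Incorrect use fails loudly instead of silently weakening security.
  if (!Buffer.isBuffer(key) || key.length !== KEY_BYTES) {
    throw new TypeError(`key must be a ${KEY_BYTES}-byte Buffer`);
  }
}

// The caller never supplies an IV, so IV reuse cannot be expressed.
// Output layout: IV || authentication tag || ciphertext.
function seal(key, plaintext) {
  checkKey(key);
  const iv = nodeCrypto.randomBytes(IV_BYTES);
  const cipher = nodeCrypto.createCipheriv(ALGORITHM, key, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

function unseal(key, sealed) {
  checkKey(key);
  if (!Buffer.isBuffer(sealed) || sealed.length < IV_BYTES + TAG_BYTES) {
    throw new TypeError('sealed message is too short');
  }
  const iv = sealed.subarray(0, IV_BYTES);
  const tag = sealed.subarray(IV_BYTES, IV_BYTES + TAG_BYTES);
  const body = sealed.subarray(IV_BYTES + TAG_BYTES);
  const decipher = nodeCrypto.createDecipheriv(ALGORITHM, key, iv,
    { authTagLength: TAG_BYTES });
  decipher.setAuthTag(tag);
  // final() throws if the tag does not verify, so tampering is a visible error.
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// Returns true when fn throws; used to show that misuse is rejected.
function rejects(fn) {
  try { fn(); return false; } catch { return true; }
}
```

Sealing the same plaintext twice under the same key yields different outputs because each call draws a fresh IV, and a wrong-length key or a modified message raises an error rather than returning data.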

B. Developer support

Several tools have been developed to support developers in using cryptography. For example, Krüger et al. developed the CogniCrypt Eclipse plug-in that generates code snippets for cryptography tasks [18]. Nguyen et al. developed FixDroid, which helps developers fix crypto-related issues in the Android Studio IDE [19]. Hazhirpasand et al. developed an interactive web platform named CryptoExplorer that provides developers with real-world examples, specifically 3263 secure and 5897 insecure uses of the Java Cryptography Architecture [14]. Singleton et al. developed CryptoTutor, an educational tool that flags common cryptographic misuses and suggests possible repairs [20]. The authors discussed how such a tool can be integrated into programming courses to improve developer knowledge in the cryptography domain.

Several tools also exist to detect crypto misuses. For instance, Rahaman et al. developed CryptoGuard to identify crypto issues statically [9]. Piccolboni et al. proposed CryLogger, an open-source tool to detect crypto misuses dynamically [21]. Gorski surveyed 25 professional software developers to identify what kind of feedback is helpful to them in avoiding crypto misuses during programming [22]. They found that participants appreciate a clear warning message (including title, content, and code location) that is tailored to the context.

This paper is available on arXiv under the CC BY 4.0 DEED license.