{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T04:14:59Z","timestamp":1750220099665,"version":"3.41.0"},"reference-count":24,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2023,3,7]],"date-time":"2023-03-07T00:00:00Z","timestamp":1678147200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"National Science Foundation","award":["CNS-1929701"],"award-info":[{"award-number":["CNS-1929701"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2023,3,31]]},"abstract":"<jats:p>\n            Enterprise environments often screen large-scale (millions of lines of code) codebases with static analysis tools to find bugs and vulnerabilities. Parfait is a static code analysis tool used in Oracle to find security vulnerabilities in industrial codebases. Recently, many studies have shown that there are complicated cryptographic vulnerabilities caused by misusing cryptographic APIs in Java\n            <jats:sup>TM<\/jats:sup>\n            <jats:xref ref-type=\"fn\">\n              <jats:sup>1<\/jats:sup>\n            <\/jats:xref>.\n            In this paper, we describe how we realize a precise and scalable detection of these complicated cryptographic vulnerabilities based on the Parfait framework. The key challenge in the detection of cryptographic vulnerabilities is the high false alarm rate caused by pseudo-influences. Pseudo-influences happen if security-irrelevant constants are used in constructing security-critical values. Static analysis is usually unable to distinguish them from hard-coded constants that expose sensitive information. 
We tackle this problem by specializing the backward dataflow analysis used in Parfait with refinement insights, an idea from the tool CryptoGuard\u00a0[\n            <jats:xref ref-type=\"bibr\">20<\/jats:xref>\n            ]. We evaluate our analyzer on a comprehensive Java cryptographic vulnerability benchmark and eleven large real-world applications. The results show that the Parfait-based cryptographic vulnerability detector can find real-world cryptographic vulnerabilities in large-scale codebases with high true-positive rates and low runtime cost.\n          <\/jats:p>","DOI":"10.1145\/3507682","type":"journal-article","created":{"date-parts":[[2022,3,23]],"date-time":"2022-03-23T14:38:43Z","timestamp":1648046323000},"page":"1-18","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["Industrial Experience of Finding Cryptographic Vulnerabilities in Large-scale Codebases"],"prefix":"10.1145","volume":"4","author":[{"given":"Ya","family":"Xiao","sequence":"first","affiliation":[{"name":"Virginia Tech, Blacksburg, VA, USA"}]},{"given":"Yang","family":"Zhao","sequence":"additional","affiliation":[{"name":"Oracle Labs, Brisbane, QLD, Australia"}]},{"given":"Nicholas","family":"Allen","sequence":"additional","affiliation":[{"name":"Oracle Labs, Brisbane, QLD, Australia"}]},{"given":"Nathan","family":"Keynes","sequence":"additional","affiliation":[{"name":"Oracle Labs, Brisbane, QLD, Australia"}]},{"given":"Danfeng (Daphne)","family":"Yao","sequence":"additional","affiliation":[{"name":"Virginia Tech, Blacksburg, VA, USA"}]},{"given":"Cristina","family":"Cifuentes","sequence":"additional","affiliation":[{"name":"Oracle Labs, Brisbane, QLD, Australia"}]}],"member":"320","published-online":{"date-parts":[[2023,3,7]]},"reference":[{"unstructured":"2017. Class Random. https:\/\/docs.oracle.com\/javase\/8\/docs\/api\/java\/util\/Random.html. (2017). 
[Online; accessed 29-Jan-2018].","key":"e_1_3_3_2_2"},{"unstructured":"2017. Class SecureRandom. https:\/\/docs.oracle.com\/javase\/8\/docs\/api\/java\/security\/SecureRandom.html. (2017). [Online; accessed 29-Jan-2018].","key":"e_1_3_3_3_2"},{"unstructured":"2019. NVD: CVE-2019-3795 Detail. https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2019-3795. (2019). [online; Last modified: 05\/20\/2019].","key":"e_1_3_3_4_2"},{"unstructured":"2020. CWE Top 25 Most Dangerous Software Errors. https:\/\/cwe.mitre.org\/top25\/archive\/2020\/2020_cwe_top25.html.","key":"e_1_3_3_5_2"},{"unstructured":"2021. OWASP Top Ten. https:\/\/owasp.org\/www-project-top-ten\/.","key":"e_1_3_3_6_2"},{"doi-asserted-by":"publisher","key":"e_1_3_3_7_2","DOI":"10.1109\/SP.2017.52"},{"key":"e_1_3_3_8_2","doi-asserted-by":"crossref","first-page":"289","DOI":"10.1109\/SP.2016.25","volume-title":"2016 IEEE Symposium on Security and Privacy (SP)","author":"Acar Yasemin","year":"2016","unstructured":"Yasemin Acar, Michael Backes, Sascha Fahl, Doowon Kim, Michelle L. Mazurek, and Christian Stransky. 2016. You get where you\u2019re looking for: The impact of information sources on code security. In 2016 IEEE Symposium on Security and Privacy (SP). IEEE, 289\u2013305."},{"key":"e_1_3_3_9_2","doi-asserted-by":"crossref","first-page":"49","DOI":"10.1109\/SecDev.2019.00017","volume-title":"2019 IEEE Cybersecurity Development (SecDev)","author":"Afrose Sharmin","year":"2019","unstructured":"Sharmin Afrose, Sazzadur Rahaman, and Danfeng Yao. 2019. CryptoAPI-Bench: A comprehensive benchmark on Java cryptographic API misuses. In 2019 IEEE Cybersecurity Development (SecDev). 
IEEE, 49\u201361."},{"doi-asserted-by":"publisher","key":"e_1_3_3_10_2","DOI":"10.1145\/2259051.2259052"},{"doi-asserted-by":"publisher","key":"e_1_3_3_11_2","DOI":"10.1145\/3052973.3053004"},{"key":"e_1_3_3_12_2","doi-asserted-by":"crossref","first-page":"4","DOI":"10.1145\/1394504.1394505","volume-title":"Proceedings of the 2008 Workshop on Static Analysis","author":"Cifuentes Cristina","year":"2008","unstructured":"Cristina Cifuentes and Bernhard Scholz. 2008. Parfait: Designing a scalable bug checker. In Proceedings of the 2008 Workshop on Static Analysis. 4\u201311."},{"doi-asserted-by":"publisher","key":"e_1_3_3_13_2","DOI":"10.1145\/2508859.2516693"},{"doi-asserted-by":"publisher","key":"e_1_3_3_14_2","DOI":"10.1145\/2382196.2382205"},{"doi-asserted-by":"publisher","key":"e_1_3_3_15_2","DOI":"10.1145\/2382196.2382204"},{"key":"e_1_3_3_16_2","first-page":"1","volume-title":"Proceedings of 5th Asia-Pacific Workshop on Systems","author":"Lazar David","year":"2014","unstructured":"David Lazar, Haogang Chen, Xi Wang, and Nickolai Zeldovich. 2014. Why does cryptographic software fail? A case study and open problems. In Proceedings of 5th Asia-Pacific Workshop on Systems. 1\u20137."},{"key":"e_1_3_3_17_2","doi-asserted-by":"crossref","first-page":"372","DOI":"10.1145\/3180155.3180201","volume-title":"Proceedings of the 40th International Conference on Software Engineering","author":"Meng Na","year":"2018","unstructured":"Na Meng, Stefan Nagy, Danfeng Yao, Wenjie Zhuang, and Gustavo Arango Argoty. 2018. Secure coding practices in Java: Challenges and vulnerabilities. In Proceedings of the 40th International Conference on Software Engineering. 
372\u2013383."},{"doi-asserted-by":"publisher","key":"e_1_3_3_18_2","DOI":"10.1145\/2884781.2884790"},{"doi-asserted-by":"publisher","key":"e_1_3_3_19_2","DOI":"10.1145\/3133956.3133977"},{"key":"e_1_3_3_20_2","volume-title":"Fifteenth Symposium on Usable Privacy and Security (SOUPS\u201919)","author":"Patnaik Nikhil","year":"2019","unstructured":"Nikhil Patnaik, Joseph Hallett, and Awais Rashid. 2019. Usability smells: An analysis of developers\u2019 struggle with crypto libraries. In Fifteenth Symposium on Usable Privacy and Security (SOUPS\u201919)."},{"key":"e_1_3_3_21_2","doi-asserted-by":"crossref","first-page":"2455","DOI":"10.1145\/3319535.3345659","volume-title":"Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security","author":"Rahaman Sazzadur","year":"2019","unstructured":"Sazzadur Rahaman, Ya Xiao, Sharmin Afrose, Fahad Shaon, Ke Tian, Miles Frantz, Murat Kantarcioglu, and Danfeng Yao. 2019. CryptoGuard: High precision detection of cryptographic vulnerabilities in massive-sized Java projects. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. 2455\u20132472."},{"doi-asserted-by":"publisher","key":"e_1_3_3_22_2","DOI":"10.1145\/199448.199462"},{"doi-asserted-by":"publisher","key":"e_1_3_3_23_2","DOI":"10.1109\/TDSC.2017.2745575"},{"key":"e_1_3_3_24_2","doi-asserted-by":"crossref","first-page":"214","DOI":"10.1145\/1925805.1925818","volume-title":"CASCON First Decade High Impact Papers","author":"Vall\u00e9e-Rai Raja","year":"2010","unstructured":"Raja Vall\u00e9e-Rai, Phong Co, Etienne Gagnon, Laurie Hendren, Patrick Lam, and Vijay Sundaresan. 2010. Soot: A Java bytecode optimization framework. In CASCON First Decade High Impact Papers. 214\u2013224."},{"key":"e_1_3_3_25_2","first-page":"1296","volume-title":"2019 IEEE Symposium on Security and Privacy (SP)","author":"Zuo Chaoshun","year":"2019","unstructured":"Chaoshun Zuo, Zhiqiang Lin, and Yinqian Zhang. 2019. 
Why does your data leak? Uncovering the data leakage in cloud from mobile apps. In 2019 IEEE Symposium on Security and Privacy (SP). IEEE, 1296\u20131310."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3507682","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3507682","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T18:10:15Z","timestamp":1750183815000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3507682"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,3,7]]},"references-count":24,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2023,3,31]]}},"alternative-id":["10.1145\/3507682"],"URL":"https:\/\/doi.org\/10.1145\/3507682","relation":{},"ISSN":["2692-1626","2576-5337"],"issn-type":[{"type":"print","value":"2692-1626"},{"type":"electronic","value":"2576-5337"}],"subject":[],"published":{"date-parts":[[2023,3,7]]},"assertion":[{"value":"2021-05-12","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2021-12-17","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-03-07","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}