TY - GEN
T1 - CryptoTutor
T2 - 21st Annual Conference of the Special Interest Group in Information Technology Education, SIGITE 2020
AU - Singleton, Larry
AU - Zhao, Rui
AU - Song, Myoungkyu
AU - Siy, Harvey
N1 - Publisher Copyright:
© 2020 ACM.
PY - 2020/10/7
Y1 - 2020/10/7
N2 - Insecure program practices seriously threaten software security. Misusing security primitives in application-level code is not unusual. For example, in mobile banking apps, developers might store customers' privacy information in plaintext, leading to sensitive information leakage. To leverage cryptographic primitives, developers need to correctly select the cryptographic algorithm, appropriate parameters, and sometimes its post-process. While recent research discusses pitfalls in cryptography-related implementations, few academic programs integrate these concepts in their educational programs. One big challenge is the lack of automated guidance on how to utilize existing libraries for secure coding. In this paper, we discuss the prevalence of the problem, especially with respect to implementing programs that utilize cryptography, to motivate the need for better tool support for guidance in writing secure code. We present a tool, CryptoTutor, that can automatically flag common cryptographic misuses and suggest possible repairs. We discuss how tools like CryptoTutor can be integrated into programming courses at the college and pre-college levels.
AB - Insecure program practices seriously threaten software security. Misusing security primitives in application-level code is not unusual. For example, in mobile banking apps, developers might store customers' privacy information in plaintext, leading to sensitive information leakage. To leverage cryptographic primitives, developers need to correctly select the cryptographic algorithm, appropriate parameters, and sometimes its post-process. While recent research discusses pitfalls in cryptography-related implementations, few academic programs integrate these concepts in their educational programs. One big challenge is the lack of automated guidance on how to utilize existing libraries for secure coding. In this paper, we discuss the prevalence of the problem, especially with respect to implementing programs that utilize cryptography, to motivate the need for better tool support for guidance in writing secure code. We present a tool, CryptoTutor, that can automatically flag common cryptographic misuses and suggest possible repairs. We discuss how tools like CryptoTutor can be integrated into programming courses at the college and pre-college levels.
KW - cryptographic misuse
KW - programming education
KW - secure coding
UR - http://www.scopus.com/inward/record.url?scp=85094910740&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85094910740&partnerID=8YFLogxK
U2 - 10.1145/3368308.3415419
DO - 10.1145/3368308.3415419
M3 - Conference contribution
AN - SCOPUS:85094910740
T3 - SIGITE 2020 - Proceedings of the 21st Annual Conference on Information Technology Education
SP - 403
EP - 408
BT - SIGITE 2020 - Proceedings of the 21st Annual Conference on Information Technology Education
PB - Association for Computing Machinery, Inc
Y2 - 7 October 2020 through 9 October 2020
ER -