CryptoTutor: Teaching Secure Coding Practices through Misuse Pattern Detection

Larry Singleton, Rui Zhao, Myoungkyu Song, Harvey Siy

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

Insecure program practices seriously threaten software security. Misusing security primitives in application-level code is not unusual. For example, in mobile banking apps, developers might store customers' privacy information in plaintext, leading to sensitive information leakage. To leverage cryptographic primitives, developers need to correctly select the cryptographic algorithm, appropriate parameters, and sometimes its post-process. While recent research discusses pitfalls in cryptography-related implementations, few academic programs integrate these concepts in their educational programs. One big challenge is the lack of automated guidance on how to utilize existing libraries for secure coding. In this paper, we discuss the prevalence of the problem, especially with respect to implementing programs that utilize cryptography, to motivate the need for better tool support for guidance in writing secure code. We present a tool, CryptoTutor, that can automatically flag common cryptographic misuses and suggest possible repairs. We discuss how tools like CryptoTutor can be integrated into programming courses at the college and pre-college levels.

Original languageEnglish (US)
Title of host publicationSIGITE 2020 - Proceedings of the 21st Annual Conference on Information Technology Education
PublisherAssociation for Computing Machinery, Inc
Pages403-408
Number of pages6
ISBN (Electronic)9781450370455
DOIs
StatePublished - Oct 7 2020
Event21st Annual Conference of the Special Interest Group in Information Technology Education, SIGITE 2020 - Virtual, Online, United States
Duration: Oct 7 2020Oct 9 2020

Publication series

NameSIGITE 2020 - Proceedings of the 21st Annual Conference on Information Technology Education

Conference

Conference21st Annual Conference of the Special Interest Group in Information Technology Education, SIGITE 2020
CountryUnited States
CityVirtual, Online
Period10/7/2010/9/20

Keywords

  • cryptographic misuse
  • programming education
  • secure coding

ASJC Scopus subject areas

  • Computational Theory and Mathematics
  • Artificial Intelligence
  • Computer Science Applications
  • Software

Fingerprint Dive into the research topics of 'CryptoTutor: Teaching Secure Coding Practices through Misuse Pattern Detection'. Together they form a unique fingerprint.

Cite this