Towards Precise Reporting of Cryptographic Misuses

Yikang Chen

Network and Distributed System Security (NDSS) Symposium 2024 · Day 1 · Applied Cryptography

Modern software relies heavily on cryptographic Application Programming Interfaces (APIs) to secure data and communications. However, developers frequently misuse these complex APIs, leading to critical vulnerabilities. To address this, a significant body of research has focused on developing static analysis tools that detect cryptographic API misuses. While these tools aim to improve security, they often generate an overwhelming number of alarms, many of which are false positives or ineffectual warnings that do not represent true vulnerabilities or actionable issues. This high rate of inaccurate alerts significantly hinders developer adoption and trust in these security tools.
