CryptoTutor

Proceedings of the 21st Annual Conference on Information Technology Education Pub Date : 2020-10-07 DOI:10.1145/3368308.3415419

Larry Singleton, Rui Zhao, Myoungkyu Song, Harvey P. Siy

{"title":"CryptoTutor","authors":"Larry Singleton, Rui Zhao, Myoungkyu Song, Harvey P. Siy","doi":"10.1145/3368308.3415419","DOIUrl":null,"url":null,"abstract":"Insecure program practices seriously threaten software security. Misusing security primitives in application-level code is not unusual. For example, in mobile banking apps, developers might store customers' privacy information in plaintext, leading to sensitive information leakage. To leverage cryptographic primitives, developers need to correctly select the cryptographic algorithm, appropriate parameters, and sometimes its post-process. While recent research discusses pitfalls in cryptography-related implementations, few academic programs integrate these concepts in their educational programs. One big challenge is the lack of automated guidance on how to utilize existing libraries for secure coding. In this paper, we discuss the prevalence of the problem, especially with respect to implementing programs that utilize cryptography, to motivate the need for better tool support for guidance in writing secure code. We present a tool, CryptoTutor, that can automatically flag common cryptographic misuses and suggest possible repairs. We discuss how tools like CryptoTutor can be integrated into programming courses at the college and pre-college levels.","PeriodicalId":374890,"journal":{"name":"Proceedings of the 21st Annual Conference on Information Technology Education","volume":"495 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2020-10-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of the 21st Annual Conference on Information Technology Education","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/3368308.3415419","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 9

Abstract

Insecure program practices seriously threaten software security. Misusing security primitives in application-level code is not unusual. For example, in mobile banking apps, developers might store customers' privacy information in plaintext, leading to sensitive information leakage. To leverage cryptographic primitives, developers need to correctly select the cryptographic algorithm, appropriate parameters, and sometimes its post-process. While recent research discusses pitfalls in cryptography-related implementations, few academic programs integrate these concepts in their educational programs. One big challenge is the lack of automated guidance on how to utilize existing libraries for secure coding. In this paper, we discuss the prevalence of the problem, especially with respect to implementing programs that utilize cryptography, to motivate the need for better tool support for guidance in writing secure code. We present a tool, CryptoTutor, that can automatically flag common cryptographic misuses and suggest possible repairs. We discuss how tools like CryptoTutor can be integrated into programming courses at the college and pre-college levels.

查看原文