Principles and Practices of Secure Cryptographic Coding in Java

Ya Xiao, Miles Frantz, Sharmin Afrose, Prof. Danfeng (Daphne) Yao

Department of Computer Science Virginia Tech, USA

Various software libraries and frameworks provide a variety of APIs to support secure coding. However, misusing these APIs can cost developers tremendous time and effort, introduce security vulnerabilities to software, and cause serious consequences like data leakage or Denial of Service (DoS) on servers. Our tutorial aims to educate people on the best practice of secure coding, the pitfalls that should be avoided, and the detection tools and fixing suggestions of insecure code.

To increase the security awareness of developers and improve the quality of their software products, we propose a tutorial to teach participants the principles and practices of Java secure coding, including the SSL/TLS and Spring Security configuration. In this tutorial, we will introduce the principles of using security APIs, analyze typical API misuse cases to explain the causes and effects. We will also introduce a tool named CRYPTOGUARD that we developed to automaticallydetect API misuse in Java.

There are five parts in our tutorial. To reveal the secure coding practice, we will first introduce the findings in our recent study on StackOverflow posts relevant to Java security. Second, we will discuss the recommended principles of API usage by security experts. Third, to correlate the principles with existing practice, we will discuss some API misuse examples for the SSL/TLS certificate verification, Spring Security authentication, etc. Fourth, we will ask participants to examine extra code examples and discuss the security property. Finally, We will give an overview of the available tools and resources, demonstrate a tool CRYPTOGUARD that we developed to automatically detect API misuse in Java. We will also help participants install and use CRYPTOGUARD plugins on their own machines and ask them for trials.

By actively involving participants in code discussion and tool trial, we aim to raise the security awareness among developers, improve their secure coding capabilities, and equip them with the tools they need for secure coding.


Speakers

Prof. Danfeng (Daphne) Yao
is a Professor of Computer Science at Virginia Tech. She is an Elizabeth and James E. Turner Jr. ’56 Faculty Fellow and CACI Faculty Fellow. Her research interests include building cyber defenses, as well as machine learning for digital health, with a shared focus on accuracy and deployment. She creates new models, algorithms, techniques, and deployment-quality tools for securing large-scale software and systems. Her tool CryptoGuard helps large software companies and Apache projects harden their cryptographic code. She systematized program anomaly detection in the book Anomaly Detection as a Service. Her patents on anomaly detection are extremely influential in the industry, having been cited by over 200 other patents from major cybersecurity firms and technology companies, including FireEye, Symantec, Qualcomm, Cisco, IBM, SAP, Boeing, and Palo Alto Networks. Her IEEE TIFS papers on enterprise data loss prevention were viewed 30,000 times.
Dr. Yao received the prestigious ACM CODASPY Lasting Research Award in 2021. Previously, she received the NSF CAREER Award and ARO Young Investigator Award. Dr. Yao is the ACM SIGSAC Treasurer/Secretary and is a member of the ACM SIGSAC executive committee since 2017. She spearheads multiple inclusive excellence initiatives, including the NSFsponsored Individualized Cybersecurity Research Mentoring (iMentor) Workshop and the Women in Cybersecurity Research (CyberW) Workshop. Daphne received her Ph.D. degree from Brown University (Computer Science), M.S. degrees from Princeton University (Chemistry) and Indiana University (Computer Science), Bloomington, B.S. degree from Peking University in China (Chemistry).

Check her homepage at https://people.cs.vt.edu/danfeng/.


Ya Xiao
is a Ph.D. candidate of computer science department at Virginia Tech. She is working under the supervision of Professor Danfeng (Daphne) Yao. Her research interests focus on giving advanced solutions for software security problems, including neural network based code embedding and code completion, program analysis, cryptographic vulnerability detection, and neural cryptanalysis. She has been awarded the Bit Shares Fellowship and the Dennis G. Kafura Fellowship at Virginia Tech. She received M.S. degree and B.S. degree from Beijing University of Posts and Telecommunications (BUPT).

Check her homepage at https://people.cs.vt.edu/yax99/.


Miles Frantz
is a 3rd year Ph.D. student at Virginia Tech with Dr. Yao. He is currently working on developer-friendly static code analysis tools to detect cryptographic misuse. Before this, He has had several internships at Worldpay from FIS. There He created and enhanced several Java-based APIs.

Check his homepage at https://franceme.github.io/.


Sharmin Afrose
is a Ph.D. student in the department of computer science at Virginia Tech. She is working under the supervision of Professor Danfeng (Daphne) Yao. Her research is broadly on improving the computational accuracy of classification-based applications, e.g., machine-learning-based prognosis, treatment, and vulnerability detection for cybersecurity. She received a BS in Computer Science and Engineering from the Bangladesh University of Engineering and Technology (BUET).

Check her homepage at https://sites.google.com/view/sharminafrose/home.