This repository contains work for using SWAN to find cryptographic API misuses. This work is experimental.
I have extended SWAN to feature a hand-crafted analysis for detecting misuses in the popular open-source SwiftCrypto API. You can find the analysis code here. My analysis follows the classic crypto rules/guidelines as laid out in the following work:
- Modelling Analysis and Auto-detection of Cryptographic Misuse in Android Applications [link]
- A Comparative Study of Misapplied Crypto in Android and iOS Applications [link]
- An empirical study of cryptographic misuse in android applications [link]
My analysis currently supports the following rules:
- Do Not Use ECB Mode for Encryption

  ```swift
  let blockMode = ECB()
  _ = try AES(key: key, blockMode: blockMode, padding: padding)
  ```

- No Non-random IVs for Encryption

  ```swift
  let iv = "constant string"
  _ = try AES(key: key, iv: iv)
  ```

- Do Not Use Constant Encryption Keys

  ```swift
  let key = "constant key".bytes
  _ = try AES(key: key, blockMode: blockMode, padding: padding)
  ```

- Do Not Use Constant Salts for PBE

  ```swift
  let salt = "constant salt".bytes
  _ = try HKDF(password: pwd, salt: salt, info: i, keyLength: 128, variant: .sha2(.sha256))
  ```

- Do Not Use < 1000 Iterations for PBE

  ```swift
  let iterations = 500
  _ = try PKCS5.PBKDF1(password: pwd, salt: salt, iterations: iterations, keyLength: 128)
  ```

- Do Not Use Constant Password for PBE

  Note that this rule is actually called rule 7 because I do not support rule 6 from Egele et al.

  ```swift
  let password = "constant password".bytes
  _ = try HKDF(password: password, salt: salt, info: i, keyLength: 128, variant: .sha2(.sha256))
  ```
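
For contrast with the misuse snippets above, here is a compliant counterpart written with CryptoSwift. It is an added example, not code from this repository or from SWAN. The names `randomBytes`, `SealedMessage`, `seal` and `open`, the iteration count, and the choice of AES-GCM with PBKDF2 are assumptions made for illustration.

```swift
import CryptoSwift

// Assumed work factor; rule 5 only requires at least 1000 iterations.
let pbkdfIterations = 100_000

// Hypothetical helper: fresh bytes from the system random number generator.
func randomBytes(_ count: Int) -> [UInt8] {
    var rng = SystemRandomNumberGenerator()
    return (0..<count).map { _ in UInt8.random(in: UInt8.min...UInt8.max, using: &rng) }
}

// Salt and IV are not secret; they are stored next to the ciphertext.
struct SealedMessage {
    let salt: [UInt8]
    let iv: [UInt8]
    let ciphertext: [UInt8]   // GCM .combined mode appends the tag
}

// Rules 3 and 7: the key is derived at run time from a caller-supplied
// password, so neither a key nor a password literal appears in the source.
func deriveKey(password: [UInt8], salt: [UInt8]) throws -> [UInt8] {
    return try PKCS5.PBKDF2(password: password,
                            salt: salt,
                            iterations: pbkdfIterations,   // rule 5
                            keyLength: 32,                 // bytes, AES-256
                            variant: .sha2(.sha256)).calculate()
}

func seal(_ plaintext: [UInt8], password: [UInt8]) throws -> SealedMessage {
    let salt = randomBytes(16)                   // rule 4: new salt per message
    let iv = randomBytes(12)                     // rule 2: new IV per message
    let key = try deriveKey(password: password, salt: salt)
    let gcm = GCM(iv: iv, mode: .combined)       // rule 1: not ECB
    let aes = try AES(key: key, blockMode: gcm, padding: .noPadding)
    return SealedMessage(salt: salt, iv: iv, ciphertext: try aes.encrypt(plaintext))
}

// Decryption throws if the ciphertext or its tag was modified.
func open(_ message: SealedMessage, password: [UInt8]) throws -> [UInt8] {
    let key = try deriveKey(password: password, salt: message.salt)
    let gcm = GCM(iv: message.iv, mode: .combined)
    let aes = try AES(key: key, blockMode: gcm, padding: .noPadding)
    return try aes.decrypt(message.ciphertext)
}
```
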
Clone SWAN.

```
git clone https://github.com/themaplelab/swan.git
```

Follow the instructions located in the README of SWAN to build SWAN. The `lib/` directory will contain the executables you need to run SWAN. I recommend putting the `lib/` directory onto your `$PATH`.
`CryptoSwiftTests/` contains an Xcode project with code that exhibits API misuses for use with the crypto analysis. You can run the analysis on the project using the following series of commands.

```
cd CryptoSwiftTests/
```

Build the project.

```
swan-xcodebuild -- -project CryptoSwiftTests.xcodeproj -scheme CryptoSwiftTests
```

Now you should see a `swan-dir/` containing the SIL files to analyze. Due to an issue with parsing, you need to copy the `CryptoSwift.CryptoSwift.sil` file located in `sil/` into the `swan-dir/`.

```
cp ../sil/CryptoSwift.CryptoSwift.sil swan-dir/
```

Run the SWAN crypto analysis.

```
java -jar driver.jar --crypto swan-dir/
```
You will see some output in the terminal. The following table summarizes the analysis results you should see.
Violation type | # of violations |
---|---|
Rule 1: ECB | 3 |
Rule 2: IV | 18 |
Rule 3: KEY | 21 |
Rule 4: SALT | 7 |
Rule 5: ITERATION | 3 |
Rule 7: PASSWORD | 7 |
The analysis results will be available in `swan-dir/crypto-results.json`. Now, we use the annotation checker to make sure the analysis found the correct violations. You should see no output (and exit 0) if the violations are correct.

```
java -jar annotation.jar swan-dir/
```