ArXiv TLDR

Evaluating Cryptographic API Misuse Detectors for Go

2604.24085

Vivi Andersson, Martin Monperrus

cs.CR cs.SE

TLDR

This paper presents the first comprehensive study of cryptographic API misuse detection in Go, evaluating 4 tools and finding thousands of misuses.

Key contributions

  • Conducted the first comprehensive study of cryptographic API misuse detection in Go.
  • Evaluated 4 state-of-the-art tools and established a taxonomy of 14 misuse classes.
  • Discovered 7,473 crypto API misuses in 328 Go projects, revealing tool coverage variations.

Why it matters

Cryptographic API misuse is a critical vulnerability class, and it matters especially in the security-critical infrastructure written in Go. This study gives a clear picture of how prevalent such misuses are and how well existing tools detect them, offering immediate practical guidance for security engineers and informing future research.

Original Abstract

Cryptographic API misuse represents a critical vulnerability class that undermines the security foundations of modern software. Yet, it remains largely unexplored in Go despite its dominance in security-critical infrastructure. This paper presents the first comprehensive study of cryptographic API misuse detection in Go, identifying and analyzing 4 state-of-the-art tools (CodeQL, Gopher, Gosec, and Snyk Code) and establishing a consolidated taxonomy of 14 relevant misuse classes. Through an experimental evaluation of 328 security-critical open-source Go projects, we discovered 7,473 cryptographic API misuses, providing insights into the prevalence and distribution of these vulnerabilities. Our systematic comparison reveals significant variations in misuse coverage, with immediate practical implications for security engineers and long-term implications for research in this domain.
