Removing the Human Element: Securing Deployed Cryptographic Systems through the use of Cryptographic Automation

Principal Investigator: Christina Garman

Cryptography has shown itself to be invaluable in everyday life, especially as more and more devices and interactions are moving to the online world. Whether it is browsing the web, making a purchase, or sending a message to a friend, cryptography is everywhere. Despite the fact that users (often unknowingly) rely on the security of systems that use cryptography, recent years have seen a number of serious vulnerabilities in the cryptographic pieces of systems, some with large consequences. These have been caused by various problems, including poor designs, difficulty of implementation, and use (or misuse) of (in)secure primitives. There is a common denominator in all of these problems: the human element. Many of the errors that are found when analyzing these insecure systems could have been prevented if both designers and software engineers had better tools to help them navigate the complex cryptographic space. Cryptographic automation is a relatively new and promising area that is designed to help solve many of these issues and make developing secure systems far easier and less error-prone, even for a non-expert. This project focuses on removing the human element from the deployment and analysis of cryptographic systems. Through the use of cryptographic automation and the development of tools, the project's aim is to make it easier to design and securely deploy new and complex cryptographic systems while preventing insecurities from occurring in such systems. Additionally, the project contains an education plan designed to help make cryptography more accessible to a broader audience. The creation of the Midwest Women in Computer Security Workshop, as well as the project's goal to not just develop but also disseminate tools, will allow more students of all ages, and more software engineers, to explore cryptography and computer security, instead of being intimidated or afraid of it.

The project has three main thrusts. The core of the project centers around the first thrust of building tools to aid in the deployment of complex cryptography. This will principally focus on automating the end-to-end development of zero-knowledge proof code, from expressing the proof statement to realizing the implementation, with additional applications to anonymous credentials. The second thrust focuses on automating the discovery of cryptographic vulnerabilities in applications that use zkSNARKs, a popular zero-knowledge proof instantiation. This thrust will leverage fuzzing to help both programmers and end users detect inconsistencies and errors in existing, already deployed zkSNARK circuits and applications. The third thrust works to automate the discovery and identification of modern cryptographic algorithms and techniques in both traditional as well as heavily obfuscated binaries, through a novel combination of various dynamic analysis and machine-learning based approaches. If successful, the combination of these three thrusts will, for expert and non-expert developers alike, make it both easier to discover the use of cryptography and potentially vulnerable algorithms in existing systems as well as design and securely deploy new and complex cryptographic systems while preventing these insecurities from happening.

Personnel

Students: Yongming Fan Jacob White