CogniCrypt - Secure Integration of Cryptographic Software
A large number of recent studies have shown that most software applications that use cryptographic procedures misuse them. The Veracode report State of Software Security v11 (2020) lists the insecure use of cryptography as the third most common cause of software vulnerabilities, right after information leakage and CRLF injection.
Eclipse CogniCrypt was developed within the collaborative research center CROSSING of Technische Universität Darmstadt. It allows developers to quickly identify and fix security-critical misuses of cryptographic libraries.
The plugin Eclipse CogniCrypt ships with two main components: a wizard for code generation that supports a developer in generating secure code for common cryptographic tasks, and a static code analysis that continuously checks the developer's (generated and non-generated) code directly within Eclipse.
We currently have several openings for full-time research staff and software developers who will help us bring CogniCrypt to the next level. The openings are located both at Paderborn and Darmstadt. Please contact Eric Bodden for further information.
The code-generation feature CogniCryptGEN is designed as a wizard that guides developers to select the correct cryptographic algorithms for the cryptographic use case at hand. The wizard asks high-level questions related to the use case in order to tailor the solution to the user's needs. The user documentation discusses the wizard in more detail.
Static Code Analysis
The static code analysis CogniCryptSAST continuously checks the developer's code for correct usage of cryptographic APIs. Upon saving the code in the editor, a static analysis is triggered in the background and reports a warning whenever a cryptographic API is used incorrectly.
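To make concrete what "using a cryptographic API incorrectly" looks like in practice, and what kind of code the wizard in the previous section aims to produce instead, here is an added example that is not part of the CogniCrypt project. It uses only the standard Java JCA classes and places an insecure `Cipher` usage (a bare `"AES"` transformation, which resolves to ECB mode on most providers, plus a hard-coded key) beside a correct one (explicit AES/GCM, a freshly generated key, and a random IV). The class and method names and the sample message are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Constructed example class; not CogniCrypt code.
public class CryptoUsageExample {

    // Misuse: "AES" alone resolves to AES/ECB/PKCS5Padding on most providers,
    // and the key is a hard-coded constant. A crypto-misuse checker of the
    // kind described above would report both the ECB mode and the constant key.
    static byte[] encryptInsecure(byte[] plaintext) throws GeneralSecurityException {
        byte[] hardcodedKey = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        SecretKey key = new SecretKeySpec(hardcodedKey, "AES");
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, key);
        return cipher.doFinal(plaintext);
    }

    // Correct usage: a key generated by the provider's KeyGenerator rather than
    // a literal in the source.
    static SecretKey generateKey() throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    // Correct usage: explicit authenticated mode (GCM) with a fresh random
    // 12-byte IV that is prepended to the ciphertext so the receiver can use it.
    static byte[] encryptSecure(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    // Counterpart to encryptSecure: split off the IV, then decrypt and verify the tag.
    static byte[] decryptSecure(SecretKey key, byte[] ivAndCiphertext) throws GeneralSecurityException {
        byte[] iv = Arrays.copyOfRange(ivAndCiphertext, 0, 12);
        byte[] ct = Arrays.copyOfRange(ivAndCiphertext, 12, ivAndCiphertext.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        return cipher.doFinal(ct);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed sample input.
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8);
        SecretKey key = generateKey();
        byte[] sealed = encryptSecure(key, msg);
        byte[] opened = decryptSecure(key, sealed);
        System.out.println("round trip ok: " + Arrays.equals(msg, opened));
        // ECB with a fixed key maps equal plaintexts to equal ciphertexts,
        // which is one observable symptom of the misuse; GCM with a fresh IV does not.
        System.out.println("ECB deterministic: "
            + Arrays.equals(encryptInsecure(msg), encryptInsecure(msg)));
        System.out.println("GCM deterministic: "
            + Arrays.equals(encryptSecure(key, msg), encryptSecure(key, msg)));
    }
}
```

Compile and run with `javac CryptoUsageExample.java && java CryptoUsageExample`; the expected console lines are `round trip ok: true`, `ECB deterministic: true` and `GCM deterministic: false`. The point of keeping both variants side by side is that the difference is invisible at the type level: both compile, both "encrypt", and only an analysis that knows the library's usage rules (which transformation strings are safe, where key material may come from, that an IV must be fresh) can tell them apart, which is exactly the gap a save-time analysis in the IDE is meant to close.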
The video below shows a minimal example demonstrating the static code analysis within Eclipse.