CryptoTutor: Teaching Secure Coding Practices through Misuse Pattern Detection

Abstract

Insecure program practices seriously threaten software security. Misusing security primitives in application-level code is not unusual. For example, in mobile banking apps, developers might store customers' privacy information in plaintext, leading to sensitive information leakage. To leverage cryptographic primitives, developers need to correctly select the cryptographic algorithm, appropriate parameters, and sometimes its post-process. While recent research discusses pitfalls in cryptography-related implementations, few academic programs integrate these concepts in their educational programs. One big challenge is the lack of automated guidance on how to utilize existing libraries for secure coding. In this paper, we discuss the prevalence of the problem, especially with respect to implementing programs that utilize cryptography, to motivate the need for better tool support for guidance in writing secure code. We present a tool, CryptoTutor, that can automatically flag common cryptographic misuses and suggest possible repairs. We discuss how tools like CryptoTutor can be integrated into programming courses at the college and pre-college levels.