
Python Cryptographic Secure Scripting Concerns: A Study of Three Vulnerabilities

Conference paper
Published in: Advances in Information and Communication (FICC 2023)
Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 652)

Abstract

The maintenance and protection of data have never been more important than in our modern technological landscape. Cryptography remains a key method for lowering risks to the confidentiality and integrity of data. This paper examines secure scripting topics within cryptography, namely insecure hashing methods, insecure block cipher implementation, and pseudo-random number generation, through the scope of open-source Python scripts. Our research examines the analysis results of the open-source projects from two popular static analysis tool reports, namely Prospector and Bandit, to identify vulnerable scripting usages and patterns. Our analysis includes a comparison of the tool findings with data collected during manual review. Our findings show that despite the many capabilities and features of common Python static analysis tools, detection of insecure cryptography use is rare. Prospector detected 0% of the three identified cryptographic vulnerability cases, compared to 66% detection by Bandit. In addition, manual code review remains necessary for security-related issues that static analysis tools cannot detect, as revealed by the false negatives observed in this study.
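To make the three misuse classes in the abstract concrete, the following added example (not code from the paper, nor from Prospector or Bandit) is a minimal AST-based checker in the spirit of such tools: it flags MD5/SHA-1 hashing, AES in ECB mode, and the `random` module used where `secrets` belongs. The sample scripts it scans are constructed here, and the rule names are this example's own.

```python
import ast

# Constructed sample scripts (not taken from the paper's dataset): each pair
# shows one of the three misuse classes next to its safer counterpart.
SAMPLES = {
    "weak_hash":     "import hashlib\nh = hashlib.md5(data).hexdigest()\n",
    "strong_hash":   "import hashlib\nh = hashlib.sha256(data).hexdigest()\n",
    "ecb_cipher":    "from Crypto.Cipher import AES\nc = AES.new(key, AES.MODE_ECB)\n",
    "gcm_cipher":    "from Crypto.Cipher import AES\nc = AES.new(key, mode=AES.MODE_GCM)\n",
    "weak_random":   "import random\ntoken = random.randint(0, 2**32)\n",
    "secure_random": "import secrets\ntoken = secrets.token_hex(16)\n",
}

WEAK_HASHES = {"hashlib.md5", "hashlib.sha1"}
WEAK_RANDOM = {"random", "randint", "randrange", "choice", "getrandbits"}


def dotted_name(node):
    """Flatten an Attribute/Name chain such as hashlib.md5 into 'hashlib.md5'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # e.g. a call result or subscript; not a plain name


def find_crypto_misuse(source):
    """Return (rule, line) findings for the three misuse classes in one script."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        callee = dotted_name(node.func) or ""
        if callee in WEAK_HASHES:
            findings.append(("insecure-hash", node.lineno))
        elif callee.startswith("random.") and callee.split(".")[-1] in WEAK_RANDOM:
            findings.append(("insecure-random", node.lineno))
        # ECB may be passed positionally or as mode=...; check both.
        for value in node.args + [kw.value for kw in node.keywords]:
            if dotted_name(value) == "AES.MODE_ECB":
                findings.append(("insecure-cipher-mode", node.lineno))
    return findings


def scan_all(samples=SAMPLES):
    """Run the checker over every sample; secure variants should report nothing."""
    return {name: find_crypto_misuse(src) for name, src in samples.items()}
```

A name-based check like this is exactly what produces false negatives on aliased imports or `hashlib.new("md5")`, which is why the abstract's point about manual review stands.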



Author information

Corresponding author: Suzanna Schmeelk


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

LaMalva, G., Schmeelk, S., Dinesh, D. (2023). Python Cryptographic Secure Scripting Concerns: A Study of Three Vulnerabilities. In: Arai, K. (eds) Advances in Information and Communication. FICC 2023. Lecture Notes in Networks and Systems, vol 652. Springer, Cham. https://doi.org/10.1007/978-3-031-28073-3_42
