Crypto: Roll Your Own Crypto?: Study of Vulns in Crypto Libs

[grarpamp]

https://arxiv.org/abs/2107.04940

You Really Shouldn't Roll Your Own Crypto: An Empirical Study of
Vulnerabilities in Cryptographic Libraries

The security of the Internet rests on a small number of open-source
cryptographic libraries: a vulnerability in any one of them threatens
to compromise a significant percentage of web traffic. Despite this
potential for security impact, the characteristics and causes of
vulnerabilities in cryptographic software are not well understood. In
this work, we conduct the first comprehensive analysis of
cryptographic libraries and the vulnerabilities affecting them. We
collect data from the National Vulnerability Database, individual
project repositories and mailing lists, and other relevant sources for
eight widely used cryptographic libraries.
Among our most interesting findings is that only 27.2% of
vulnerabilities in cryptographic libraries are cryptographic issues
while 37.2% of vulnerabilities are memory safety issues, indicating
that systems-level bugs are a greater security concern than the actual
cryptographic procedures. In our investigation of the causes of these
vulnerabilities, we find evidence of a strong correlation between the
complexity of these libraries and their (in)security, empirically
demonstrating the potential risks of bloated cryptographic codebases.
We further compare our findings with non-cryptographic systems,
observing that these systems are, indeed, more complex than similar
counterparts, and that this excess complexity appears to produce
significantly more vulnerabilities in cryptographic libraries than in
non-cryptographic software.