About CRITICALMATE research

Errors in the use of cryptographic program libraries are a major risk for the IT security of practically all software systems. Ideally, such usage errors are found by static analysis already during development and displayed in the development environment, so that they can be corrected promptly and cheaply. Currently, such integration into development environments is difficult because (1) the analyses themselves still take too long and thus delay developers, and (2) the large number of programming languages, development environments and analysis tools leads to combinatorial integration costs: every analysis tool has to be integrated separately into every development environment.

The CRITICALMATE project addresses these problems by bundling the expertise of RIGS IT, the provider of the static security analysis tool Xanitizer, and the University of Stuttgart, which has expertise in the use of static analysis and in particular in the usability of cryptographic program libraries. Together, they will develop methods for partial, local and incremental analyses that complete within a few seconds, and design and implement protocols for the exchange between development environment and analysis tool, as well as between rule providers, that minimize the integration effort. The resulting product will be marketed by RIGS IT and will give software vendors an easy way to identify and resolve security issues early.

RIGS IT


The company RIGS IT develops and markets the security analysis tool Xanitizer. Xanitizer currently detects more than 90 security-relevant problem types, such as those described in the Open Web Application Security Project (OWASP) Top 10, including misuse of crypto APIs. Xanitizer performs a static code analysis that builds a complete data flow graph of the software system under investigation. Because building and evaluating a detailed data flow graph of the complete system requires a lot of computing time, the current state of the art does not allow the security analysis to run inside an Integrated Development Environment (IDE) and give the developer direct feedback. Making this possible is one of the main goals of CRITICALMATE.
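To make the difference between whole-program and local analysis concrete, here is an added example (written for this page; it is not Xanitizer's code and does not reflect how Xanitizer or the CRITICALMATE protocols are implemented). It checks each function of a Python module on its own for three common crypto-API misuses, following only assignments inside that function, and caches results per function so that an edit re-analyzes only the function that changed. The sample module, the hypothetical rules and the PyCryptodome-style AES.new(key, mode[, iv]) call shape are assumptions for the example.

```python
import ast
import hashlib

# Constructed sample input (written for this example, not taken from the page):
# three functions using a PyCryptodome-style AES API, two of them incorrectly.
SAMPLE = """
import os
import random
from Crypto.Cipher import AES

def encrypt_bad(data):
    key = b"0123456789abcdef"
    iv = bytes(random.randint(0, 255) for _ in range(16))
    return AES.new(key, AES.MODE_CBC, iv).encrypt(data)

def encrypt_ecb(data, key):
    return AES.new(key, AES.MODE_ECB).encrypt(data)

def encrypt_good(data, key):
    iv = os.urandom(16)
    return AES.new(key, AES.MODE_CBC, iv).encrypt(data)
"""


def _resolve(expr, env, depth=0):
    """Follow local assignments backwards: a Name becomes the expression last
    assigned to it inside the same function (no control-flow sensitivity)."""
    while isinstance(expr, ast.Name) and expr.id in env and depth < 10:
        expr = env[expr.id]
        depth += 1
    return expr


def _uses_insecure_rng(expr):
    """True if any sub-expression calls random.<something> (not a CSPRNG)."""
    return any(
        isinstance(n, ast.Call)
        and isinstance(n.func, ast.Attribute)
        and isinstance(n.func.value, ast.Name)
        and n.func.value.id == "random"
        for n in ast.walk(expr)
    )


def analyze_function(fn):
    """Intra-procedural check of one function. Returns (line offset from the
    'def' line, message) pairs so results stay valid when the function moves."""
    env = {}  # local name -> last assigned expression
    for node in ast.walk(fn):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            env[node.targets[0].id] = node.value
    findings = []
    for node in ast.walk(fn):
        # Only calls of the form <cipher>.new(key, mode[, iv]) are of interest.
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and node.func.attr == "new"):
            continue
        off, args = node.lineno - fn.lineno, node.args
        if args:
            key = _resolve(args[0], env)
            if isinstance(key, ast.Constant) and isinstance(key.value, (bytes, str)):
                findings.append((off, "hard-coded key"))
            if _uses_insecure_rng(key):
                findings.append((off, "key from non-cryptographic RNG"))
        if len(args) > 1 and isinstance(args[1], ast.Attribute) and args[1].attr == "MODE_ECB":
            findings.append((off, "ECB mode"))
        if len(args) > 2 and _uses_insecure_rng(_resolve(args[2], env)):
            findings.append((off, "IV from non-cryptographic RNG"))
    return findings


def analyze_module(source, cache):
    """Analyze each function separately; re-run only those whose text changed.
    cache maps sha256(function source) -> findings. Returns ({name: [(line, msg)]},
    number of functions actually re-analyzed)."""
    tree = ast.parse(source)
    report, fresh = {}, 0
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        digest = hashlib.sha256(ast.get_source_segment(source, fn).encode()).hexdigest()
        if digest not in cache:
            cache[digest] = analyze_function(fn)
            fresh += 1
        report[fn.name] = [(fn.lineno + off, msg) for off, msg in cache[digest]]
    return report, fresh


if __name__ == "__main__":
    cache = {}
    report, fresh = analyze_module(SAMPLE, cache)
    for name, found in report.items():
        for line, msg in found:
            print(f"{name}: line {line}: {msg}")
    # Edit one function and re-run: only that function is analyzed again.
    _, fresh = analyze_module(SAMPLE.replace("urandom(16)", "urandom(12)"), cache)
    print(f"re-analyzed after edit: {fresh} function(s)")
```

The price of this speed is precision: because the analysis never leaves the function, a key that is a literal in a caller and arrives as a parameter (as in encrypt_ecb above) is not recognized as hard-coded, and a value laundered through a helper call is not followed. That is exactly the gap a partial analysis has to close with summaries of the surrounding code or with an occasional whole-program run.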

University of Stuttgart


The University of Stuttgart is a research-oriented university within the TU9 network. It is distinguished above all by its strong engineering science and interdisciplinary research. It is also embedded in one of the most innovative industrial regions in Europe.

The Chair of Software Engineering at the Institute of Software Technology works on Requirements Engineering, Software Quality, Safety and Security Engineering and agile/continuous Software Development. Extensive preliminary work relevant to this project is also available. It begins with general work on investigating software quality with the help of static analyses. Various quality models have been developed for this purpose, and their use for evaluating quality, e.g. with the help of Bayesian networks, has been described; in that work, information security was already treated as an important quality attribute. Furthermore, there is work on developing new static analyses (e.g. in the field of clone detection), in particular with a focus on the empirical investigation of the efficiency of static analysis and its embedding in the development process. In addition, the usability of cryptographic libraries is currently being explicitly investigated.