-
Notifications
You must be signed in to change notification settings - Fork 170
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cryptographic APIs misuses #898
Comments
This tool does look interesting. For me it gives stack overflow errors or out of memory errors. |
Hello @HashEngineering, Depending on the program size it requires a lot of memory to complete the analysis. At Dash-wallet, I needed 30 GB of ram. |
I changed the RAM parameters and was able to run the report. It will take some time to go through the findings. I suppose that the rules in the system are looking for insecure code. One example is this:
Which if we get the source in case OP_SHA1:
if (stack.size() < 1)
throw new ScriptException(ScriptError.SCRIPT_ERR_INVALID_STACK_OPERATION, "Attempted OP_SHA1 on an empty stack");
try {
stack.add(MessageDigest.getInstance("SHA-1").digest(stack.pollLast()));
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e); // Cannot happen.
}
break; The OP_SHA1 is an opcode for the Dash script language. Most likely it is no longer used. I suppose we could work on getting this opcode made obsolete or deprecated. But that is outside the scope of my work which is to implement the Dash standard in Java. Other items are in dependencies and further investigation would be required to determine if an update of such dependencies would eliminate the warning. |
I'm a PhD student interested in finding security vulnerabilities in open source projects.
We found a total of 180 warnings (indicating potential vulnerabilities) when running the CogniCrypt static analyzer (*) on dash-wallet (or its library dependencies). We documented each one of these issues in private gists for the sake of confidentiality (non-disclosure).
Can you please let us know whether we can share these gists with you? We are eager to evaluate the perception of developers (e.g. severity of these warnings) and improve dash-wallet's security, and the quality of the reports of static analysis tools.
(*) https://github.com/CROSSINGTUD/CryptoAnalysis
The text was updated successfully, but these errors were encountered: