Eclipse CogniCrypt is planned as a set of Eclipse plugins that are ultimately meant to provide developers with the following features:
- Generation of secure crypto-integration code
- Static analysis of existing crypto-integration code (to automatically and instantly highlight insecure integrations)
- Suggestion of better/more secure integrations via quick fixes
- Alerts to developers about security breaches of cryptographic algorithms
The project will initially support Java and Android projects only, through an integration with the JDT/ADT projects. In the future, we might add support for C/C++ through an integration with CDT.
CogniCrypt's code-generation and static-analysis features are configured through crypto-library specifications, which are written in a domain-specific language called CrySL (Crypto Specification Language). CrySL specifications are written once, and then regularly maintained over time, by cryptography experts. This is supported by additional Eclipse plugins that provide an Xtext-based editor for CrySL.
Initially, the project will provide built-in CrySL specifications for the Java Cryptography Architecture (JCA), the default crypto API that ships with the Java Development Kit. At a later point in time, we also plan to provide CrySL specifications for other widely used crypto libraries such as BouncyCastle. Because of the way CogniCrypt's tool support is designed, this will then automatically allow CogniCrypt to support developers using those crypto libraries with targeted code generation and static analysis as well. CogniCrypt will be designed as an open framework, providing extension points that allow others to plug in CrySL specifications for other libraries. In particular, other researchers of CROSSING (see above) have signaled an interest in providing specifications for crypto libraries they themselves are developing as part of the CROSSING project.
Lastly, we might want to extend CogniCrypt with functionality to discover, download and install cryptographic libraries into Java/Android/C/C++ projects, jointly with their respective CrySL specifications, and to update them in cases where CogniCrypt has learned that a particular version of their implementation has been broken. This would require the CogniCrypt plugins to communicate with a web service giving information about those cryptographic libraries (and potentially even hosting copies of them).
We are in the process of moving CogniCrypt's code base to Eclipse. At the moment, the code can be found in the following repositories on GitHub:
CogniCrypt Eclipse Plugin Code: https://github.com/CROSSINGTUD/CogniCrypt
CrySL Rule Parser: https://github.com/CROSSINGTUD/CryptSL
CrySL Rules for the JCA: https://github.com/CROSSINGTUD/Crypto-API-Rules
CogniCrypt's Static Analysis: https://github.com/CROSSINGTUD/CryptoAnalysis
If you have questions regarding this project, feel free to contact:
Stefan Krüger or Johannes Späth