Eclipse CogniCrypt is planned as a set of Eclipse plugins, which to developers ultimately are meant to provide the following features:
- Generation of secure crypto-integration code
- Static analysis of existing crypto-integration code (to automatically and instantly highlight insecure integrations)
- Suggest better/more secure integrations via quick fixes
- Alert developers of security breaches of cryptographic algorithms
The project will initially support Java and Android projects only, through an integration with the JDT/ADT projects. In the future we might add support for C/C++ through an integration with CDT.
CogniCrypt's code-generation and static-analysis features are configured through crypto-library specifications, which are written in a domain-specific language called CrySL (Crypto Specification Language). CrySL specifications are written once, and then regularly maintained over time, by cryptography experts. This is supported by additional Eclipse plugins who support an XText-based editor for CrySL.
Initially, the project will provide built-in CrySL specifications for the Java Cryptographic Architecture (JCA), the default crypto API that ships with the Java Development Kit. At a later point in time, we plan to also provide CrySL specifications for other widely used crypto libraries such as BouncyCastle. The way CogniCrypt's tool support is designed, this will then automatically allow CogniCrypt to also support developers using those crypto libraries with targeted code generation and static analysis. CogniCrypt will be designed as an open framework, providing extension points allowing others to plug in CrySL specifications for other libraries as well. In particular, other researchers of CROSSING (see above) have signalled an interest in providing specifications for crypto libraries they themselves are developing as part of the CROSSING project.
Lastly, we might want to extend CogniCrypt with functionality to discover, download and install cryptographic libraries into Java/Android/C/C++ projects, jointly with their respective CrySL specifications, and to update them in cases where CogniCrypt has learned that a paritcular version of their implementation has been broken. This would require the CogniCrypt plugins to communicate with a web service giving information about those cryptographic libraries (and potentially even hosting copies of them).