
US-12627506-B2 - Creating language independent crypto assets


Abstract

Mechanisms are provided for generating a cryptographic asset bill of materials of a source code. The mechanisms generate a flow graph of the source code and execute a parsing and analyzing of the source code based on a cryptographic asset knowledge base to identify an initial set of cryptographic artifacts referenced in the source code. The mechanisms execute, for each cryptographic asset in the initial set of cryptographic artifacts, a flow graph analysis to identify one or more dependent cryptographic artifacts to form sets of related cryptographic artifacts. In addition, the mechanisms generate, for each set of related cryptographic artifacts, a cryptographic asset, compile the generated cryptographic assets into a cryptographic bill of materials, and generate and output a report of the cryptographic bill of materials.

Inventors

  • Anatoly Koyfman
  • Micha Gideon Moffie
  • Eyal Bin
  • Omer Yehuda Boehm

Assignees

  • INTERNATIONAL BUSINESS MACHINES CORPORATION

Dates

Publication Date
2026-05-12
Application Date
2024-07-29

Claims (18)

  1. A method, in a data processing system, for generating a cryptographic asset bill of materials of a source code, the method comprising: generating at least one flow graph of the source code; executing a parsing and analyzing of the source code based on a cryptographic asset knowledge base to identify an initial set of cryptographic artifacts referenced in the source code; executing, for each cryptographic asset in the initial set of cryptographic artifacts, at least one flow graph analysis, based on the at least one flow graph, to identify one or more dependent cryptographic artifacts and form sets of related cryptographic artifacts; generating, for each set of related cryptographic artifacts, a cryptographic asset; compiling the generated cryptographic assets into a cryptographic bill of materials; generating and outputting a report of the cryptographic bill of materials; and wherein the cryptographic asset knowledge base comprises a plurality of programming language independent cryptographic function models.
  2. The method of claim 1, wherein the programming language independent cryptographic function models comprise models for at least one of a cryptographic library, cryptographic application programming interface call, or cryptographic domain relevant keywords.
  3. The method of claim 1, wherein the parsing and analyzing of the source code comprises: scanning the at least one flow graph based on cryptographic artifact search terms provided in the cryptographic asset knowledge base to identify portions of the at least one flow graph matching one or more of the cryptographic artifact search terms; and adding the identified portions as cryptographic artifacts in the initial set of cryptographic artifacts.
  4. The method of claim 1, wherein executing the parsing and analyzing of the source code comprises identifying a final cryptographic operation in the source code and performing a backward parsing and analysis operation from the final cryptographic operation to other operations that contribute to parameters of the final cryptographic operation.
  5. The method of claim 1, wherein the at least one flow graph comprises a control flow graph and a data flow graph, and wherein executing the at least one flow graph analysis comprises executing a control flow analysis combined with data dependency analysis, based on the control flow graph and data flow graph, to identify the one or more dependent cryptographic artifacts.
  6. The method of claim 5, wherein executing the at least one flow graph analysis comprises: performing a backward traversal of the control flow graph from a final cryptographic operation to identify instances of cryptographical artifacts connected through data dependencies to the final cryptographic operation; and for identified instances of cryptographical artifacts comprising program variables, determining a set of constant values that the program variables can be assigned with using a data flow analysis; and for identified instances of cryptographical artifacts comprising function calls, tracing back the function argument definitions by performing a reaching definitions data flow analysis.
  7. The method of claim 1, wherein generating, for each set of related cryptographic artifacts, a cryptographic asset comprises: filtering the set of related cryptographic artifacts to identify a subset of one or more cryptographic artifacts that have cryptographic semantics; and generating the cryptographic asset based on the subset of cryptographic artifacts, in the set of related cryptographic artifacts, that are not filtered out by the filtering operation.
  8. The method of claim 1, further comprising: executing at least one of a computer executed rules engine or trained machine learning computer model, configured to identify cryptographic vulnerabilities or weaknesses in cryptographic assets, on the cryptographic bill of materials to identify one or more vulnerabilities or weaknesses in the cryptographic bill of materials; and automatically executing a cryptographic agility operation based on the one or more identified vulnerabilities or weaknesses in the cryptographic bill of materials.
  9. The method of claim 1, wherein the cryptographic asset knowledge base comprises data structures that map language dependent details of cryptographic assets to language agnostic properties in a cryptographic domain.
  10. A computer program product comprising a computer readable storage medium having a computer readable program stored therein, wherein the computer readable program, when executed in a data processing system, causes the data processing system to: generate at least one flow graph of the source code; execute a parsing and analyzing of the source code based on a cryptographic asset knowledge base to identify an initial set of cryptographic artifacts referenced in the source code; execute, for each cryptographic asset in the initial set of cryptographic artifacts, at least one flow graph analysis, based on the at least one flow graph, to identify one or more dependent cryptographic artifacts and form sets of related cryptographic artifacts; generate, for each set of related cryptographic artifacts, a cryptographic asset; compile the generated cryptographic assets into a cryptographic bill of materials; generate and output a report of the cryptographic bill of materials; and wherein the cryptographic asset knowledge base comprises a plurality of programming language independent cryptographic function models.
  11. The computer program product of claim 10, wherein the programming language independent cryptographic function models comprise models for at least one of a cryptographic library, cryptographic application programming interface call, or cryptographic domain relevant keywords.
  12. The computer program product of claim 10, wherein the parsing and analyzing of the source code comprises: scanning the at least one flow graph based on cryptographic artifact search terms provided in the cryptographic asset knowledge base to identify portions of the at least one flow graph matching one or more of the cryptographic artifact search terms; and adding the identified portions as cryptographic artifacts in the initial set of cryptographic artifacts.
  13. The computer program product of claim 10, wherein executing the parsing and analyzing of the source code comprises identifying a final cryptographic operation in the source code and performing a backward parsing and analysis operation from the final cryptographic operation to other operations that contribute to parameters of the final cryptographic operation.
  14. The computer program product of claim 10, wherein the at least one flow graph comprises a control flow graph and a data flow graph, and wherein executing the at least one flow graph analysis comprises executing a control flow analysis combined with data dependency analysis, based on the control flow graph and data flow graph, to identify the one or more dependent cryptographic artifacts.
  15. The computer program product of claim 14, wherein executing the at least one flow graph analysis comprises: performing a backward traversal of the control flow graph from a final cryptographic operation to identify instances of cryptographical artifacts connected through data dependencies to the final cryptographic operation; and for identified instances of cryptographical artifacts comprising program variables, determining a set of constant values that the program variables can be assigned with using a data flow analysis; and for identified instances of cryptographical artifacts comprising function calls, tracing back the function argument definitions by performing a reaching definitions data flow analysis.
  16. The computer program product of claim 10, wherein generating, for each set of related cryptographic artifacts, a cryptographic asset comprises: filtering the set of related cryptographic artifacts to identify a subset of one or more cryptographic artifacts that have cryptographic semantics; and generating the cryptographic asset based on the subset of cryptographic artifacts, in the set of related cryptographic artifacts, that are not filtered out by the filtering operation.
  17. The computer program product of claim 10, wherein the computer readable program further causes the data processing system to: execute at least one of a computer executed rules engine or trained machine learning computer model, configured to identify cryptographic vulnerabilities or weaknesses in cryptographic assets, on the cryptographic bill of materials to identify one or more vulnerabilities or weaknesses in the cryptographic bill of materials; and automatically execute a cryptographic agility operation based on the one or more identified vulnerabilities or weaknesses in the cryptographic bill of materials.
  18. An apparatus comprising: at least one processor; and at least one memory coupled to the at least one processor, wherein the at least one memory comprises instructions which, when executed by the at least one processor, cause the at least one processor to: generate at least one flow graph of the source code; execute a parsing and analyzing of the source code based on a cryptographic asset knowledge base to identify an initial set of cryptographic artifacts referenced in the source code; execute, for each cryptographic asset in the initial set of cryptographic artifacts, at least one flow graph analysis, based on the at least one flow graph, to identify one or more dependent cryptographic artifacts and form sets of related cryptographic artifacts; generate, for each set of related cryptographic artifacts, a cryptographic asset; compile the generated cryptographic assets into a cryptographic bill of materials; generate and output a report of the cryptographic bill of materials; and wherein the cryptographic asset knowledge base comprises a plurality of programming language independent cryptographic function models.
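The procedure the claims describe (match calls against a language-independent knowledge base, walk backwards from each final cryptographic operation through the assignments that feed its parameters, collect the set of constant values a variable may hold, filter out artifacts without cryptographic semantics, compile the rest into a bill of materials and run a rules engine over it) is shown below as an added, self-contained Python example. It is not code from the patent or from IBM; the knowledge-base entries, property names and rule thresholds are constructed for illustration, the sample source is parsed but never executed, and the analysis is deliberately flow-insensitive within a single function (the "set of constant values" of claim 6 is approximated by every assignment to the variable in that function).

```python
"""Toy CBOM builder (constructed example): parse Python source with `ast`, match
calls against a language-agnostic crypto knowledge base, resolve each final
crypto call's arguments backwards through the assignments that feed them, then
run a rules pass over the resulting inventory. Source is parsed, never run."""
import ast

# Hypothetical knowledge base: call name -> language-agnostic "props" plus a map of
# argument position/keyword -> recorded property (None = nested artifact to merge).
KNOWLEDGE_BASE = {
    "hashlib.new": {"props": {"primitive": {"hash"}}, "params": {0: "algorithm"}},
    "rsa.generate_private_key": {"props": {"primitive": {"pke"}, "algorithm": {"rsa"}},
                                 "params": {"key_size": "key_size"}},
    "Cipher": {"props": {"primitive": {"block-cipher"}}, "params": {0: None, 1: None}},
    "algorithms.AES": {"props": {"algorithm": {"aes"}}, "params": {0: "key"}},
    "modes.ECB": {"props": {"mode": {"ecb"}}},
}


def dotted_name(node):
    # "hashlib.new" for hashlib.new(...), "Cipher" for Cipher(...), None otherwise
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


class Resolver:
    """Backward data-flow resolution within one function body (flow-insensitive)."""

    def __init__(self, func):
        self.defs = {}  # variable name -> every value assigned to it in the function
        for node in ast.walk(func):
            if isinstance(node, ast.Assign):
                for target in node.targets:
                    if isinstance(target, ast.Name):
                        self.defs.setdefault(target.id, []).append(node.value)

    def reaching_values(self, node, seen=()):
        """Constants or calls that may produce `node`; [] when not statically known."""
        if isinstance(node, (ast.Constant, ast.Call)):
            return [node]
        if isinstance(node, ast.Name) and node.id not in seen:
            return [v for d in self.defs.get(node.id, [])
                    for v in self.reaching_values(d, seen + (node.id,))]
        return []  # parameter, arithmetic, attribute or cycle: unresolved

    def extract(self, call):
        """Language-agnostic asset for a KB-matching call, nested artifacts merged in."""
        model = KNOWLEDGE_BASE.get(dotted_name(call.func))
        if model is None:
            return None
        asset = {k: set(v) for k, v in model.get("props", {}).items()}
        for key, prop in model.get("params", {}).items():
            if isinstance(key, int):
                node = call.args[key] if key < len(call.args) else None
            else:
                node = next((kw.value for kw in call.keywords if kw.arg == key), None)
            if node is None:
                continue
            values = set()
            for src in self.reaching_values(node):
                if isinstance(src, ast.Call):  # dependent artifact, e.g. modes.ECB()
                    for k, v in (self.extract(src) or {}).items():
                        asset.setdefault(k, set()).update(v)
                else:
                    values.add(src.value.lower() if isinstance(src.value, str) else src.value)
            if prop == "key":  # keep the key length, never the key material
                asset["key_size"] = {len(v) * 8 for v in values if isinstance(v, (bytes, str))}
            elif prop:
                asset[prop] = values
        return asset


def build_cbom(source):
    """Final crypto operations (assets with a primitive) in `source`, in line order."""
    cbom = []
    for func in [n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)]:
        resolver = Resolver(func)
        for node in ast.walk(func):
            if isinstance(node, ast.Call):
                asset = resolver.extract(node)
                if asset and "primitive" in asset:  # components like modes.ECB are filtered
                    asset["line"], asset["function"] = node.lineno, func.name
                    cbom.append(asset)
    return sorted(cbom, key=lambda a: a["line"])


def audit(cbom):
    """Rules pass over the CBOM: (line, finding) pairs; thresholds are illustrative."""
    findings = []
    for a in cbom:
        alg, line = a.get("algorithm", set()), a["line"]
        if alg & {"md5", "sha1"}:
            findings.append((line, "weak hash algorithm"))
        if "ecb" in a.get("mode", set()):
            findings.append((line, "ECB mode"))
        if "rsa" in alg and any(k < 2048 for k in a.get("key_size", set())):
            findings.append((line, "RSA key shorter than 2048 bits"))
        if not alg or a.get("key_size") == set():  # could not be resolved statically
            findings.append((line, "unresolved parameter: manual review"))
    return findings


# Constructed input (imports omitted; it is only parsed, never executed).
SAMPLE = '''
def fingerprint(data, legacy):
    algo = "sha256"
    if legacy:
        algo = "md5"
    return hashlib.new(algo, data).hexdigest()
def make_key():
    bits = 1024
    return rsa.generate_private_key(public_exponent=65537, key_size=bits)
def encrypt(key, plaintext):
    mode = modes.ECB()
    return Cipher(algorithms.AES(key), mode).encryptor().update(plaintext)
'''
```

Running `audit(build_cbom(SAMPLE))` yields one weak-hash finding for `fingerprint` (the variable `algo` resolves to both `sha256` and `md5`, so the asset records both), one short-key finding for `make_key` (`bits` resolves to 1024), and for `encrypt` both an ECB finding and an "unresolved" finding, because the AES key is a function parameter that no reaching definition inside the function explains; a real tool would continue the backward analysis across call sites, which this toy does not.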

Description

BACKGROUND

The present application relates generally to an improved data processing apparatus and method and more specifically to an improved computing tool and improved computing tool operations/functionality for creating language independent crypto assets from source code.

Cryptographic agility refers to the ability of a system or organization to adapt and evolve its cryptographic methods and protocols in response to changing security needs and threats. This means that the system or organization is able to upgrade, replace or modify its cryptographic algorithms, key lengths, and protocols in a timely and efficient manner. The need for cryptographic agility arises because cryptographic algorithms and protocols typically become outdated and vulnerable to attacks over time, while new cryptographic techniques and standards are developed to address these vulnerabilities. Organizations supporting cryptographic agility can respond to such changes quickly and effectively and maintain the security and confidentiality of their data and communications.

SUMMARY

This Summary is provided to introduce a selection of concepts in a simplified form that are further described herein in the Detailed Description. This Summary is not intended to identify key factors or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter.

In one illustrative embodiment, a method, in a data processing system, is provided for generating a cryptographic asset bill of materials of a source code. The method comprises generating at least one flow graph of the source code and executing a parsing and analyzing of the source code based on a cryptographic asset knowledge base to identify an initial set of cryptographic artifacts referenced in the source code. The method further comprises executing, for each cryptographic asset in the initial set of cryptographic artifacts, at least one flow graph analysis, based on the at least one flow graph, to identify one or more dependent cryptographic artifacts and form sets of related cryptographic artifacts. Moreover, the method comprises generating, for each set of related cryptographic artifacts, a cryptographic asset and compiling the generated cryptographic assets into a cryptographic bill of materials. The method further comprises generating and outputting a report of the cryptographic bill of materials.

In other illustrative embodiments, a computer program product comprising a computer useable or readable medium having a computer readable program is provided. The computer readable program, when executed on a computing device, causes the computing device to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment.

In yet another illustrative embodiment, a system/apparatus is provided. The system/apparatus may comprise one or more processors and a memory coupled to the one or more processors. The memory may comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform various ones of, and combinations of, the operations outlined above with regard to the method illustrative embodiment.

These and other features and advantages of the present invention will be described in, or will become apparent to those of ordinary skill in the art in view of, the following detailed description of the example embodiments of the present invention.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention, as well as a preferred mode of use and further objectives and advantages thereof, will best be understood by reference to the following detailed description of illustrative embodiments when read in conjunction with the accompanying drawings, wherein:

FIG. 1 is an example diagram of a distributed data processing system environment in which aspects of the illustrative embodiments may be implemented and at least some of the computer code involved in performing the inventive methods may be executed;

FIG. 2 is an example block diagram illustrating the primary operational components of a language independent cryptographic asset identification (CAID) tool in accordance with one illustrative embodiment;

FIGS. 3A-3B provide example diagrams illustrating a portion of source code and the resulting cryptographic assets generated by the language independent CAID tool in accordance with one illustrative embodiment; and

FIG. 4 presents a flowchart outlining an example operation of a language independent cryptographic asset identification tool in accordance with one or more illustrative embodiments.

DETAILED DESCRIPTION

The illustrative embodiments provide an improved computing tool and improved computing tool operations/functionality for creating language independent crypto assets from source code. The improved computing tool and improved computing tool operations/functionality may operate to generate a cryptographic inventory of such crypto assets, and