Google Tests Crypto Software Vulnerabilities With Project Wycheproof

A group of Google security researchers has come up with a way to test cryptographic software libraries for bugs. This security test is called Project Wycheproof, and is named after the smallest mountain in the world, Mount Wycheproof.

The mountain, located in Australia, is just 237 meters above sea level. Google named the project after it because it is small in scope, and because the "smaller the mountain, the easier it is to climb it." In its latest blog post, Google has acknowledged that Project Wycheproof is not yet complete and is currently a work in progress.

What Does Project Wycheproof Do?

Project Wycheproof is being developed and maintained by a handful of Google researchers, but it is not an official Google product. The goal of the project is to eradicate known flaws from cryptography software libraries, some of which are used in commercial products and enterprise applications.

Almost all software holds private information about its users, which is why some level of encryption is always needed. However, no matter how complex and detailed the cryptography used, there will always be bugs that need patching. These bugs leave the software vulnerable to attack.

Project Wycheproof has been created for this specific reason. By performing the tests in Project Wycheproof on their own software libraries, software engineers will be able to identify the bugs and fix them early on.

Cryptographic Issues Resolved Through Unit Testing

According to Google engineers Daniel Bleichenbacher and Thai Duong, these bugs "can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long."

The two have also added that the weaknesses in cryptographic algorithms can be fixed through unit testing, which has been demonstrated in the project. "We recognize that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means."

Project Wycheproof has already been used in over 80 test cases and has uncovered over 40 security bugs. The first battery of tests was written in the Java programming language, because Java provides a common enough cryptographic interface and because Android uses the same Java APIs. Google has also announced that it intends to expand to other programming languages in the future.

Project Wycheproof Is Released To The Public

The developers have released the project on an open-source platform, meaning that the public will be able to use and contribute to it. Because the tests are public, developers, vendors, and users can download the project from GitHub to perform their own tests and check the existing security of their own cryptography software libraries.

In order to use the testing program, one will need to install Google's Bazel tool as well as the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
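
To make the unit-testing approach concrete, the following is an added example (not code from Project Wycheproof or from the original article) of a negative test against the Java JCE interface: it flips every bit of an AES-GCM ciphertext and checks that the provider rejects each modified copy. The class name GcmTamperTest, the helper countAcceptedForgeries and the sample message are assumptions made for illustration.

```java
import java.util.Arrays;
import java.security.SecureRandom;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example (hypothetical names): negative unit test for a JCE AES-GCM provider.
public class GcmTamperTest {
    // Returns how many single-bit modifications of ct the provider wrongly accepted.
    static int countAcceptedForgeries(byte[] key, byte[] iv, byte[] aad, byte[] ct) throws Exception {
        int accepted = 0;
        for (int bit = 0; bit < ct.length * 8; bit++) {
            byte[] forged = Arrays.copyOf(ct, ct.length);
            forged[bit / 8] ^= (byte) (1 << (bit % 8)); // flip exactly one bit
            Cipher dec = Cipher.getInstance("AES/GCM/NoPadding");
            dec.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
            dec.updateAAD(aad);
            try {
                dec.doFinal(forged);
                accepted++; // bug: plaintext released for a modified message
            } catch (AEADBadTagException expected) {
                // correct behaviour: authentication failed, nothing returned
            }
        }
        return accepted;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: random 128-bit key, random 96-bit IV, fixed message.
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[16];
        byte[] iv = new byte[12];
        rng.nextBytes(key);
        rng.nextBytes(iv);
        byte[] aad = "header".getBytes("UTF-8");
        byte[] msg = "constructed test message".getBytes("UTF-8");

        Cipher enc = Cipher.getInstance("AES/GCM/NoPadding");
        enc.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        enc.updateAAD(aad);
        byte[] ct = enc.doFinal(msg); // ciphertext followed by the 16-byte tag

        int accepted = countAcceptedForgeries(key, iv, aad, ct);
        if (accepted != 0) throw new AssertionError(accepted + " modified ciphertexts accepted");
        // Integer.MAX_VALUE means the unlimited-strength policy named above is in effect.
        System.out.println("max AES key bits: " + Cipher.getMaxAllowedKeyLength("AES"));
        System.out.println("all " + (ct.length * 8) + " single-bit modifications rejected");
    }
}
```

The test uses a 128-bit key so that it runs even without the unlimited-strength policy files; the printed key-length limit shows whether they are installed.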

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.