Brief Introduction to CRYLOGGER, the new open-source tool developed by Columbia Engineering computer scientists that detects unsafe security practices in Android apps

The researchers ran 1,780 popular Android apps downloaded from the official Google Play Store—the largest case study on cryptographic misuses not based on code analysis—and discovered that almost all the apps contained code or used libraries that did not strictly adhere to security standards. Many of them used broken algorithms and others adopted unsafe cryptographic practices to protect users’ data.

A violation does not necessarily mean that an attack is possible. The rule violations should be treated as warnings to be investigated further. Some violations can be false alarms because it is very hard to discriminate precisely in all situations. The researchers contacted more than 300 developers for confirmation, but only 10 provided useful feedback.

“Many developers do not consider attacks such as privilege escalation and side-channel attacks to be possible on phones, and so they store data locally without sufficient safeguards,” notes Sethumadhavan.

The team also manually analyzed the code of 28 Android apps and found that some of the violations reported by CRYLOGGER could potentially be exploited. They see two significant applications of CRYLOGGER. Developers can use it to find cryptographic misuses in their apps as well as in the third-party libraries they use. App stores, such as the Google Play Store, can use CRYLOGGER to screen submitted apps to ensure they meet security standards and are safe for end users to download. Google already uses similar screening technologies to get rid of unsafe or scam apps, and these could be extended to consider cryptographic misuses.

The researchers are working on improving the accuracy of CRYLOGGER by defining techniques that will further reduce the number of false alarms. They are also using CRYLOGGER to perform inter-app analysis so that it can analyze how apps exchange data and determine if sensitive data are kept secure. In addition, they are putting rule checking for cryptographic misuses into hardware, rather than software, to force applications to use safe practices in critical contexts.

“While we keep working to improve the accuracy of CRYLOGGER, our approach can be used by app stores to promote better security practices,” Carloni adds. “And we believe that CRYLOGGER’s technique of analyzing thousands of Android applications by running them and collecting information that can be later analyzed offline could also be used in other security domains.”

Brief preview of May 2021 presentation, explaining how CRYLOGGER detects crypto misuses dynamically.

Columbia Engineering

Columbia Engineering, based in New York City, is one of the top engineering schools in the U.S. and one of the oldest in the nation. Also known as The Fu Foundation School of Engineering and Applied Science, the School expands knowledge and advances technology through the pioneering research of its more than 220 faculty, while educating undergraduate and graduate students in a collaborative environment to become leaders informed by a firm foundation in engineering. The School’s faculty are at the center of the University’s cross-disciplinary research, contributing to the Data Science Institute, Earth Institute, Zuckerman Mind Brain Behavior Institute, Precision Medicine Initiative, and the Columbia Nano Initiative. Guided by its strategic vision, “Columbia Engineering for Humanity,” the School aims to translate ideas into innovations that foster a sustainable, healthy, secure, connected, and creative humanity.

 

ABOUT THE STUDY

The study is titled “CRYLOGGER: Detecting Crypto Misuses Dynamically.”

Authors are: Luca Piccolboni, Giuseppe Di Guglielmo, Luca P. Carloni, and Simha Sethumadhavan, Department of Computer Science, Columbia Engineering.

This work was supported in part by the National Science Foundation (1527821 and 1764000), a gift from Bloomberg, DARPA HR0011-18-C-0017 (System Security Integrated Through Hardware and firmware), and N00014-17-1-2010.

The authors declare no financial or other conflicts of interest.

This contact-rich data provides a clear demonstration of how touch can enhance manipulation and how combining touch with vision can bring robots closer to human-level dexterity. The system was tested on tasks like grasping fragile items, such as eggs and grapes, and performing in-hand manipulation, like reorienting a hex key between fingers or adjusting the grip on a spatula. The tactile and visual fusion significantly outperformed systems relying solely on visual inputs, which was especially useful when handling fragile items or doing tasks with limited visibility.

Thin, flexible tactile sensors transform robots from clunky tools into ones capable of precise, fluid manipulation 

The researchers developed a dense, flexible tactile sensor array integrated into a soft robotic gripper. The data from the sensors, combined with visual data, generate a 3D-point cloud, like a visual representation or a scene, that enables the robot to both “see” and “feel” its surroundings. The tactile feedback allows the robot to adjust its grip strength in real time, which is especially crucial when visual information is limited or occluded. 

Equipped with “fingers” capable of feeling the world around them, these robots can now handle fragile objects with care. Thin, flexible tactile sensors cover their hands, enabling them to perceive the slightest pressure and adjust their movements accordingly. This innovation has transformed the robots from clunky tools into ones capable of precise, fluid manipulation once thought impossible for machines.

“This breakthrough also enables robots to handle occluded objects more reliably and effectively,” said Binghao Huang, the project lead and a Columbia Engineering PhD student who works with Li. Occlusion occurs when an object is hidden from view, which is problematic for robots that rely on visual information to manipulate objects. “As the demand for humanoid robots to assist with household chores grows, our bimanual system equipped with tactile sensors presents a promising solution for achieving such tasks.”

What’s next?

With this leap forward in robotics, the line between human and machine skills begins to blur, opening the door to a future where robots can not only see the world but feel it, too.

The next step for the researchers is to further improve the system's scalability and to scale up data collection. They are also developing a tactile simulation and integrating it into the robot learning process. This will allow for larger-scale data collection and better generalization of the policy, enabling the system to perform well in new situations for which it was not explicitly trained.


About the Study

Conference: Conference on Robot Learning (CoRL) in Munich, Germany, November 6-9, 2024.

Title: 3D ViTac: Learning Fine-Grained Manipulation with Visuo-Tactile Sensing

Authors: Binghao Huang (1), Yixuan Wang (1), Xinyi Yang (2), Yiyue Luo (3), Yunzhu Li (1)

  1. Columbia University
  2. University of Illinois Urbana-Champaign
  3. University of Washington

Funding: This work is partly funded by the Toyota Research Institute (TRI). This research solely reflects the opinions and conclusions of its authors and not TRI or any other Toyota entity.
