CogniCrypt uses advanced static code analysis techniques to detect security vulnerabilities early in the software development life cycle. Developed and continually enhanced at the Fraunhofer IEM, CogniCrypt benefits from years of research. By identifying potential misuse of cryptographic libraries, CogniCrypt significantly improves software quality. In a collaborative effort lasting five months, Fraunhofer IEM and achelos further advanced CogniCrypt within the ‘It’s OWL-Transfer project’. This collaboration resulted in valuable insights being integrated into the open-source project. Additionally, more rules were incorporated to cover a broader range of cryptographic libraries, enhancing the tool’s effectiveness.
![Logo CogniCrypt](/fileadmin/_processed_/8/8/csm_Logo-CogniCrypt_488x320px_4bb0c9d93c.webp)
| Item | Details |
|---|---|
| CogniCrypt | CogniCrypt raises both the security and the quality of software development by checking that cryptographic application programming interfaces (APIs) are used correctly. Beyond supporting manual code reviews, it validates API usage automatically and so strengthens the integrity of software projects. |
| Project duration | 1 January 2019 to 31 May 2019 |
| Project partners | Fraunhofer IEM, achelos GmbH (both located in Paderborn) |
| Project contribution by achelos | Continuous knowledge transfer in the transfer project: achelos' security experts integrated the tool into the continuous integration process of their software development and rigorously tested its functionality. Drawing on their extensive expertise in cryptography, achelos worked with Fraunhofer IEM to refine the tool iteratively throughout the transfer project. As a result, CogniCrypt gained a suite of new rules that identify incorrect usage of further libraries, such as Bouncy Castle, so that security vulnerabilities are caught at an early stage. These rules follow the recommendations of BSI Technical Guideline TR-02102-1. |
| Funding | it's OWL transfer voucher |
| Project website | |
The Eclipse plug-in CogniCrypt serves as a robust tool for identifying cryptography misuse directly within the development environment. (Photo: Copyright: Fraunhofer IEM)

The genesis of the CogniCrypt transfer project
Security vulnerabilities in software often stem not from the cryptographic algorithms themselves but from their incorrect use: every algorithm must be chosen and configured correctly (key length, block mode, padding), and developers who are unsure which option is right frequently pick a default or a legacy setting that undermines the protection the library was meant to provide.
Spotlight on static code analysis
CogniCrypt's static code analysis checks, throughout development, that cryptographic application programming interfaces (APIs) are called correctly: with the right parameters, in the right order and with the right configuration. The analysis runs automatically in the background whenever a file is saved and immediately reports any misuse of a cryptographic API to the developer.
The primary goal of the project was to integrate the CogniCrypt tool into achelos' software development life cycle. Fraunhofer IEM provided clear guidelines on the proper use of cryptographic software libraries to prevent implementation errors. Throughout the collaboration, CogniCrypt was significantly enhanced, including new rules that identify errors in the use of further libraries such as Bouncy Castle, so that potential security risks are caught early. Drawing on their extensive expertise in cryptography and its practical application, the achelos team guided the evolution of CogniCrypt through continuous feedback loops.
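As an added illustration that is not part of this page and not CogniCrypt's own code or rule set, the following Java snippet contrasts the kind of misuse the sections above describe with a corrected form. `encryptInsecure` uses the JCA the way a static checker such as CogniCrypt is designed to flag: a hard-coded key, and `Cipher.getInstance("AES")` with no mode or padding named, which on the default OpenJDK provider silently means ECB with PKCS5 padding, so identical plaintext blocks produce identical ciphertext blocks and nothing protects integrity. `encryptSecure` names the algorithm, mode and padding explicitly (AES-256 in GCM, consistent with the AES key sizes and the GCM mode recommended in TR-02102-1), generates the key and a fresh 96-bit nonce from `SecureRandom`, and binds associated data. Class and method names and the sample plaintext are my own constructions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Example code (not CogniCrypt's): a JCA misuse pattern beside its corrected form. */
public class CryptoUsageExample {

    // --- Misuse: what a crypto-API rule set is meant to catch ---
    static byte[] encryptInsecure(byte[] plaintext) throws Exception {
        // Constant key: recoverable from the binary, identical in every deployment.
        byte[] hardCodedKey = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        SecretKeySpec key = new SecretKeySpec(hardCodedKey, "AES");
        // "AES" alone resolves to "AES/ECB/PKCS5Padding" on the SunJCE provider.
        Cipher cipher = Cipher.getInstance("AES");
        cipher.init(Cipher.ENCRYPT_MODE, key); // no IV, no authentication tag
        return cipher.doFinal(plaintext);
    }

    // --- Corrected form: explicit algorithm/mode/padding, random key and nonce, AEAD ---
    static final int GCM_TAG_BITS = 128;
    static final int GCM_NONCE_BYTES = 12;

    static SecretKey generateKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256, new SecureRandom()); // explicit key size, CSPRNG-seeded
        return kg.generateKey();
    }

    /** Returns nonce || ciphertext || tag. A nonce must never be reused under the same key. */
    static byte[] encryptSecure(SecretKey key, byte[] plaintext, byte[] aad) throws Exception {
        byte[] nonce = new byte[GCM_NONCE_BYTES];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        cipher.updateAAD(aad); // header bound to the tag but not encrypted
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] decryptSecure(SecretKey key, byte[] blob, byte[] aad) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, GCM_NONCE_BYTES);
        byte[] ct = Arrays.copyOfRange(blob, GCM_NONCE_BYTES, blob.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        cipher.updateAAD(aad);
        return cipher.doFinal(ct); // throws AEADBadTagException on any tampering
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: two identical 16-byte blocks, to expose ECB's pattern leak.
        byte[] repeated = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA".getBytes(StandardCharsets.US_ASCII);

        byte[] ecb = encryptInsecure(repeated);
        boolean ecbLeaks = Arrays.equals(Arrays.copyOfRange(ecb, 0, 16), Arrays.copyOfRange(ecb, 16, 32));
        System.out.println("ECB: identical plaintext blocks -> identical ciphertext blocks: " + ecbLeaks);

        SecretKey key = generateKey();
        byte[] aad = "header-v1".getBytes(StandardCharsets.US_ASCII);
        byte[] blob = encryptSecure(key, repeated, aad);
        // Ciphertext starts after the 12-byte nonce; compare the first two 16-byte blocks.
        boolean gcmLeaks = Arrays.equals(Arrays.copyOfRange(blob, 12, 28), Arrays.copyOfRange(blob, 28, 44));
        System.out.println("GCM: identical plaintext blocks -> identical ciphertext blocks: " + gcmLeaks);
        System.out.println("GCM round trip intact: " + Arrays.equals(repeated, decryptSecure(key, blob, aad)));

        blob[blob.length - 1] ^= 0x01; // flip one bit of the authentication tag
        try {
            decryptSecure(key, blob, aad);
            System.out.println("tampering NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected by GCM tag check");
        }
    }
}
```

Compile and run with `javac CryptoUsageExample.java && java CryptoUsageExample`; it needs no libraries beyond the JDK, though AES-256 requires a JDK with unrestricted cryptographic policy (the default since 8u161). The insecure method is deliberately kept runnable so the ECB block-repetition is visible in the output; in a real code base it is exactly the call a saved-file analysis should flag before the code ever reaches review.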
The CogniCrypt tool originated in the CROSSING Collaborative Research Centre at the Technical University of Darmstadt, in partnership with the Heinz Nixdorf Institute at Paderborn University. It gives organisations that develop security-critical software a means to detect and fix critical misuses of cryptographic libraries efficiently. In addition, it automatically generates secure cryptographic integration code for a number of common usage scenarios. Through the collaboration with Fraunhofer IEM, CogniCrypt has reached market maturity and integrates seamlessly into the Eclipse development environment.
Fraunhofer IEM
Fraunhofer IEM in Paderborn offers intelligent mechatronics
The Fraunhofer Institute for Mechatronic Systems Design IEM in Paderborn is renowned for its expertise in intelligent mechatronics in the context of Industry 4.0. Interdisciplinary teams of researchers from mechanical engineering, software engineering and electrical engineering work together to develop innovative methods and tools for intelligent products, production systems and services.
it’s OWL
The it’s OWL – Intelligent Technical Systems OstWestfalenLippe technology network brings together over 200 companies, research institutes and organisations to develop solutions for intelligent products and production processes. From 2018 to 2022, projects totalling €100 million were realised with the backing of the state of North Rhine-Westphalia. Key focus areas include artificial intelligence, digital platforms, digital twin and Industry 4.0. Recognised for excellence in the Federal Government’s Leading-Edge Cluster Competition, it’s OWL stands out as one of the most comprehensive Industry 4.0 initiatives targeting small and medium-sized businesses.
