{"id":"https://openalex.org/W2979528578","doi":"https://doi.org/10.1109/tr.2019.2937214","title":"Understanding How to Use Static Analysis Tools for Detecting Cryptography Misuse in Software","display_name":"Understanding How to Use Static Analysis Tools for Detecting Cryptography Misuse in Software","publication_year":2019,"publication_date":"2019-10-09","ids":{"openalex":"https://openalex.org/W2979528578","doi":"https://doi.org/10.1109/tr.2019.2937214","mag":"2979528578"},"language":"en","primary_location":{"id":"doi:10.1109/tr.2019.2937214","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tr.2019.2937214","pdf_url":null,"source":{"id":"https://openalex.org/S87725633","display_name":"IEEE Transactions on Reliability","issn_l":"0018-9529","issn":["0018-9529","1558-1721"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Reliability","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://hdl.handle.net/20.500.12733/1661900","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5029184440","display_name":"Alexandre Braga","orcid":"https://orcid.org/0000-0001-8969-4683"},"institutions":[{"id":"https://openalex.org/I181391015","display_name":"Universidade Estadual de Campinas (UNICAMP)","ror":"https://ror.org/04wffgt70","country_code":"BR","type":"education","lineage":["https://openalex.org/I181391015"]}],"countries":["BR"],"is_corresponding":false,"raw_author_name":"Alexandre Braga","raw_affiliation_strings":["Institute of Computing, University of Campinas, Campinas, Brazil"],"raw_orcid":"https://orcid.org/0000-0001-8969-4683","affiliations":[{"raw_affiliation_string":"Institute of Computing, University of Campinas, Campinas, Brazil","institution_ids":["https://openalex.org/I181391015"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5077598713","display_name":"Ricardo Dahab","orcid":"https://orcid.org/0000-0002-7002-875X"},"institutions":[{"id":"https://openalex.org/I181391015","display_name":"Universidade Estadual de Campinas (UNICAMP)","ror":"https://ror.org/04wffgt70","country_code":"BR","type":"education","lineage":["https://openalex.org/I181391015"]}],"countries":["BR"],"is_corresponding":false,"raw_author_name":"Ricardo Dahab","raw_affiliation_strings":["Institute of Computing, University of Campinas, Campinas, Brazil"],"raw_orcid":"https://orcid.org/0000-0002-7002-875X","affiliations":[{"raw_affiliation_string":"Institute of Computing, University of Campinas, Campinas, Brazil","institution_ids":["https://openalex.org/I181391015"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5030619096","display_name":"Nuno Antunes","orcid":"https://orcid.org/0000-0002-6044-4012"},"institutions":[{"id":"https://openalex.org/I76903346","display_name":"University of Coimbra","ror":"https://ror.org/04z8k9a98","country_code":"PT","type":"education","lineage":["https://openalex.org/I76903346"]}],"countries":["PT"],"is_corresponding":false,"raw_author_name":"Nuno Antunes","raw_affiliation_strings":["Department of Informatics Engineering, Centre for Informatics and Systems, University of Coimbra, Coimbra, Portugal"],"raw_orcid":"https://orcid.org/0000-0002-6044-4012","affiliations":[{"raw_affiliation_string":"Department of Informatics Engineering, Centre for Informatics and Systems, University of Coimbra, Coimbra, Portugal","institution_ids":["https://openalex.org/I76903346"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5063901162","display_name":"Nuno Laranjeiro","orcid":"https://orcid.org/0000-0003-0011-9901"},"institutions":[{"id":"https://openalex.org/I76903346","display_name":"University of Coimbra","ror":"https://ror.org/04z8k9a98","country_code":"PT","type":"education","lineage":["https://openalex.org/I76903346"]}],"countries":["PT"],"is_corresponding":false,"raw_author_name":"Nuno Laranjeiro","raw_affiliation_strings":["Department of Informatics Engineering, Centre for Informatics and Systems, University of Coimbra, Coimbra, Portugal"],"raw_orcid":"https://orcid.org/0000-0003-0011-9901","affiliations":[{"raw_affiliation_string":"Department of Informatics Engineering, Centre for Informatics and Systems, University of Coimbra, Coimbra, Portugal","institution_ids":["https://openalex.org/I76903346"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5016622594","display_name":"Marco Vieira","orcid":"https://orcid.org/0000-0001-5103-8541"},"institutions":[{"id":"https://openalex.org/I76903346","display_name":"University of Coimbra","ror":"https://ror.org/04z8k9a98","country_code":"PT","type":"education","lineage":["https://openalex.org/I76903346"]}],"countries":["PT"],"is_corresponding":false,"raw_author_name":"Marco Vieira","raw_affiliation_strings":["Department of Informatics Engineering, Centre for Informatics and Systems, University of Coimbra, Coimbra, Portugal"],"raw_orcid":"https://orcid.org/0000-0001-5103-8541","affiliations":[{"raw_affiliation_string":"Department of Informatics Engineering, Centre for Informatics and Systems, University of Coimbra, Coimbra, Portugal","institution_ids":["https://openalex.org/I76903346"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":5,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":2.3365,"has_fulltext":false,"cited_by_count":30,"citation_normalized_percentile":{"value":0.89548968,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":{"min":90,"max":99},"biblio":{"volume":"68","issue":"4","first_page":"1384","last_page":"1403"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.9998999834060669,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.9955999851226807,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9905999898910522,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/cryptography","display_name":"Cryptography","score":0.8238213062286377},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.7430154085159302},{"id":"https://openalex.org/keywords/secure-coding","display_name":"Secure coding","score":0.6290187239646912},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.6122621297836304},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.5233577489852905},{"id":"https://openalex.org/keywords/coding","display_name":"Coding (social sciences)","score":0.4430139362812042},{"id":"https://openalex.org/keywords/implementation","display_name":"Implementation","score":0.4354281425476074},{"id":"https://openalex.org/keywords/cryptographic-primitive","display_name":"Cryptographic primitive","score":0.43306291103363037},{"id":"https://openalex.org/keywords/software-security-assurance","display_name":"Software security assurance","score":0.37724894285202026},{"id":"https://openalex.org/keywords/software-engineering","display_name":"Software engineering","score":0.24174576997756958},{"id":"https://openalex.org/keywords/information-security","display_name":"Information security","score":0.23694446682929993},{"id":"https://openalex.org/keywords/cryptographic-protocol","display_name":"Cryptographic protocol","score":0.20647308230400085},{"id":"https://openalex.org/keywords/programming-language","display_name":"Programming language","score":0.09213706851005554},{"id":"https://openalex.org/keywords/mathematics","display_name":"Mathematics","score":0.08506104350090027}],"concepts":[{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.8238213062286377},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7430154085159302},{"id":"https://openalex.org/C22680326","wikidata":"https://www.wikidata.org/wiki/Q7444867","display_name":"Secure coding","level":5,"score":0.6290187239646912},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6122621297836304},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.5233577489852905},{"id":"https://openalex.org/C179518139","wikidata":"https://www.wikidata.org/wiki/Q5140297","display_name":"Coding (social sciences)","level":2,"score":0.4430139362812042},{"id":"https://openalex.org/C26713055","wikidata":"https://www.wikidata.org/wiki/Q245962","display_name":"Implementation","level":2,"score":0.4354281425476074},{"id":"https://openalex.org/C15927051","wikidata":"https://www.wikidata.org/wiki/Q246593","display_name":"Cryptographic primitive","level":4,"score":0.43306291103363037},{"id":"https://openalex.org/C62913178","wikidata":"https://www.wikidata.org/wiki/Q7554361","display_name":"Software security assurance","level":4,"score":0.37724894285202026},{"id":"https://openalex.org/C115903868","wikidata":"https://www.wikidata.org/wiki/Q80993","display_name":"Software engineering","level":1,"score":0.24174576997756958},{"id":"https://openalex.org/C527648132","wikidata":"https://www.wikidata.org/wiki/Q189900","display_name":"Information security","level":2,"score":0.23694446682929993},{"id":"https://openalex.org/C33884865","wikidata":"https://www.wikidata.org/wiki/Q1254335","display_name":"Cryptographic protocol","level":3,"score":0.20647308230400085},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.09213706851005554},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.08506104350090027},{"id":"https://openalex.org/C105795698","wikidata":"https://www.wikidata.org/wiki/Q12483","display_name":"Statistics","level":1,"score":0.0},{"id":"https://openalex.org/C29983905","wikidata":"https://www.wikidata.org/wiki/Q7445066","display_name":"Security service","level":3,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1109/tr.2019.2937214","is_oa":false,"landing_page_url":"https://doi.org/10.1109/tr.2019.2937214","pdf_url":null,"source":{"id":"https://openalex.org/S87725633","display_name":"IEEE Transactions on Reliability","issn_l":"0018-9529","issn":["0018-9529","1558-1721"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319808","host_organization_name":"Institute of Electrical and Electronics Engineers","host_organization_lineage":["https://openalex.org/P4310319808"],"host_organization_lineage_names":["Institute of Electrical and Electronics Engineers"],"type":"journal"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"IEEE Transactions on Reliability","raw_type":"journal-article"},{"id":"pmh:oai:https://www.repositorio.unicamp.br/:1210064","is_oa":true,"landing_page_url":"https://hdl.handle.net/20.500.12733/1661900","pdf_url":null,"source":{"id":"https://openalex.org/S4306402641","display_name":"LA Referencia (Red Federada de Repositorios Institucionales de Publicaciones Cient\u00edficas)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4383465926","host_organization_name":"LA Referencia","host_organization_lineage":["https://openalex.org/I4383465926"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"reponame:Reposit\u00f3rio da Produ\u00e7\u00e3o Cient\u00edfica e Intelectual da Unicamp","raw_type":"info:eu-repo/semantics/publishedVersion"}],"best_oa_location":{"id":"pmh:oai:https://www.repositorio.unicamp.br/:1210064","is_oa":true,"landing_page_url":"https://hdl.handle.net/20.500.12733/1661900","pdf_url":null,"source":{"id":"https://openalex.org/S4306402641","display_name":"LA Referencia (Red Federada de Repositorios Institucionales de Publicaciones Cient\u00edficas)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I4383465926","host_organization_name":"LA Referencia","host_organization_lineage":["https://openalex.org/I4383465926"],"host_organization_lineage_names":[],"type":"repository"},"license":"other-oa","license_id":"https://openalex.org/licenses/other-oa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"reponame:Reposit\u00f3rio da Produ\u00e7\u00e3o Cient\u00edfica e Intelectual da Unicamp","raw_type":"info:eu-repo/semantics/publishedVersion"},"sustainable_development_goals":[{"score":0.6299999952316284,"display_name":"Peace, Justice and strong institutions","id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":76,"referenced_works":["https://openalex.org/W1106092","https://openalex.org/W103419956","https://openalex.org/W108218230","https://openalex.org/W572872720","https://openalex.org/W589443784","https://openalex.org/W1279320161","https://openalex.org/W1480385994","https://openalex.org/W1481826112","https://openalex.org/W1486481742","https://openalex.org/W1503609498","https://openalex.org/W1517949462","https://openalex.org/W1531064568","https://openalex.org/W1531530153","https://openalex.org/W1558012247","https://openalex.org/W1561062765","https://openalex.org/W1565745194","https://openalex.org/W1761184020","https://openalex.org/W1769319322","https://openalex.org/W1846223776","https://openalex.org/W1880212920","https://openalex.org/W1892798954","https://openalex.org/W1985424295","https://openalex.org/W2008810193","https://openalex.org/W2016321105","https://openalex.org/W2020841721","https://openalex.org/W2025411198","https://openalex.org/W2036872500","https://openalex.org/W2042923641","https://openalex.org/W2049357384","https://openalex.org/W2076239188","https://openalex.org/W2078142664","https://openalex.org/W2084864601","https://openalex.org/W2085032701","https://openalex.org/W2092115639","https://openalex.org/W2093791094","https://openalex.org/W2103370348","https://openalex.org/W2109156518","https://openalex.org/W2109540106","https://openalex.org/W2126762719","https://openalex.org/W2129426180","https://openalex.org/W2145994642","https://openalex.org/W2209872464","https://openalex.org/W2269664735","https://openalex.org/W2279161046","https://openalex.org/W2280486853","https://openalex.org/W2290790037","https://openalex.org/W2324502852","https://openalex.org/W2344058806","https://openalex.org/W2357927175","https://openalex.org/W2401113443","https://openalex.org/W2521898510","https://openalex.org/W2536964484","https://openalex.org/W2590214825","https://openalex.org/W2611293128","https://openalex.org/W2614124547","https://openalex.org/W2698406033","https://openalex.org/W2724374034","https://openalex.org/W2737015327","https://openalex.org/W2753645335","https://openalex.org/W2897146119","https://openalex.org/W2912939975","https://openalex.org/W4205192141","https://openalex.org/W4206021034","https://openalex.org/W4250848060","https://openalex.org/W4290474734","https://openalex.org/W4300630742","https://openalex.org/W4406944226","https://openalex.org/W6600040774","https://openalex.org/W6604274820","https://openalex.org/W6630212538","https://openalex.org/W6637892429","https://openalex.org/W6704699803","https://openalex.org/W6737627401","https://openalex.org/W6806241510","https://openalex.org/W6841466026","https://openalex.org/W6845165520"],"related_works":["https://openalex.org/W2153810551","https://openalex.org/W2560421591","https://openalex.org/W4385236631","https://openalex.org/W4206242080","https://openalex.org/W2990618290","https://openalex.org/W4290474734","https://openalex.org/W2273713505","https://openalex.org/W1608272056","https://openalex.org/W4298148275","https://openalex.org/W2590214825"],"abstract_inverted_index":{"The":[0,101],"use":[1,115,169,174],"of":[2,76,91,103,142,152,210,215,224,228,241],"cryptography":[3,67,92,123,144],"is":[4,52,79,93,109,125,150,243],"nowadays":[5],"common":[6],"in":[7,24,45,106,119,127,179,186],"software":[8,16,26,133],"systems,":[9],"with":[10],"cryptographic":[11,30,237],"libraries":[12],"widely":[13],"available":[14],"to":[15,33,64,111,162,181],"developers.":[17],"As":[18],"such,":[19],"the":[20,34,74,140,163,197,202],"likely":[21],"weakest":[22],"link":[23],"sensitive":[25],"has":[27],"moved":[28],"from":[29,50],"function":[31],"implementations":[32],"application":[35],"code":[36,98,147],"surrounding":[37],"such":[38,77,104],"functions.":[39],"Ordinary":[40],"developers":[41],"usually":[42],"lack":[43,214],"knowledge":[44],"practical":[46],"cryptography,":[47],"and":[48,71,114,168,220],"support":[49,240],"specialists":[51],"rare.":[53],"Frequently,":[54],"these":[55],"difficulties":[56],"are":[57],"addressed":[58],"by":[59,95,132,145,200],"running":[60],"static":[61,97,146],"analysis":[62,99,148],"tools":[63,78,105,149,156,190,231],"automatically":[65],"detect":[66],"misuse":[68,90,108,124],"during":[69],"coding":[70,112,166],"reviews.":[72],"However,":[73],"effectiveness":[75],"not":[80],"yet":[81],"well":[82,88,206],"understood.":[83],"This":[84],"article":[85],"studies":[86],"how":[87],"programmatic":[89],"detected":[94,199],"free":[96],"tools.":[100],"performance":[102],"detecting":[107],"correlated":[110],"tasks":[113,167],"cases":[116],"commonly":[117],"found":[118,177],"development":[120],"efforts;":[121],"also,":[122],"classified":[126],"comprehensive":[128],"categories,":[129],"easily":[130],"recognizable":[131],"security":[134],"practitioners.":[135],"Our":[136],"research":[137],"shows":[138],"that":[139],"coverage":[141],"public-key":[143],"full":[151],"blind":[153],"spots,":[154],"because":[155],"prioritize":[157],"only":[158],"those":[159],"misuses":[160,198,219],"related":[161],"most":[164],"frequent":[165],"cases,":[170],"while":[171],"neglecting":[172],"infrequent":[173],"cases.":[175,249],"We":[176],"that,":[178,229],"addition":[180],"a":[182,193],"relatively":[183],"low":[184],"recall":[185],"our":[187],"tests,":[188],"evaluated":[189,203],"also":[191],"have":[192],"small":[194],"overlap":[195],"regarding":[196],"all":[201],"tools,":[204],"as":[205,207],"an":[208],"intersection":[209],"false":[211],"alarms,":[212],"suggesting":[213],"discrimination":[216],"between":[217],"specific":[218],"corresponding":[221],"good":[222],"uses":[223],"cryptography.":[225],"In":[226],"spite":[227],"well-selected":[230],"can":[232],"be":[233],"useful":[234],"when":[235],"developing":[236],"software,":[238],"but":[239],"experts":[242],"still":[244],"required":[245],"for":[246],"solving":[247],"complex":[248]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":3},{"year":2024,"cited_by_count":4},{"year":2023,"cited_by_count":7},{"year":2022,"cited_by_count":4},{"year":2021,"cited_by_count":6},{"year":2020,"cited_by_count":3},{"year":2019,"cited_by_count":1}],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2025-10-10T00:00:00"}