This week Google released a new tool called Project Wycheproof, a set of automated tests that developers can run against their code to identify weaknesses or problems in the sections that deal with cryptography operations.
Project Wycheproof is currently available on GitHub and includes over 80 built-in unit tests that developers can run right out of the box.
Coded in Java, Project Wycheproof tests cover some of the most important and most used crypto algorithms today, such as:
Because crypto libraries are nothing more than code implementing a certain data encryption algorithm, errors often find their way into them, in most cases due to human error.
Catching errors in code is often handled via unit tests, an automated procedure for finding problematic code sections. Project Wycheproof is nothing more than a collection of unit tests specifically tailored for finding crypto bugs that lead to certain attack vectors.
The test suites cover a series of common attack vectors on cryptographic algorithm implementations, such as invalid curve attacks, biased nonces in digital signature schemes, Bleichenbacher’s attacks, and more.
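To make the idea concrete, here is an added example (not code from Project Wycheproof, and in Python rather than the project's Java) of a vector-driven unit test for the public-key validation that defends against invalid curve attacks. The vectors, function names and the weak validator are constructed for illustration; the curve is NIST P-256.

```python
# Added example: constructed test vectors, not taken from Project Wycheproof.
# NIST P-256 domain parameters (y^2 = x^3 + ax + b over GF(p)).
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def range_only_check(x, y):
    """Weak validator (hypothetical): accepts any pair of reduced field elements."""
    return 0 <= x < P and 0 <= y < P


def full_check(x, y):
    """Hardened validator: reduced coordinates that satisfy the curve equation."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


# Constructed vectors: (comment, x, y, should_be_accepted)
VECTORS = [
    ("generator", GX, GY, True),
    ("negated generator", GX, P - GY, True),
    ("y off by one, point not on curve", GX, GY + 1, False),
    ("origin, not on curve because b != 0", 0, 0, False),
    ("x not reduced mod p", GX + P, GY, False),
]


def run_vectors(validator):
    """Return the comments of every vector the validator gets wrong."""
    return [c for c, x, y, ok in VECTORS if validator(x, y) != ok]


if __name__ == "__main__":
    for name, fn in [("range_only_check", range_only_check),
                     ("full_check", full_check)]:
        failures = run_vectors(fn)
        print(name, "PASS" if not failures else "FAIL: " + "; ".join(failures))
```

The weak validator passes the valid vectors but is flagged on both off-curve points, which is the kind of regression a test suite of known-bad inputs is meant to catch.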
Project Wycheproof is meant for non-crypto experts
“Understanding how to implement cryptography securely requires digesting decades’ worth of academic literature,” Google said. “With Project Wycheproof developers and users now can check their libraries against a large number of known attacks without having to sift through hundreds of academic papers or become cryptographers themselves.”
Google says that its engineers have used Project Wycheproof to discover up to 40 security bugs in projects such as OpenSSL, Bouncy Castle, JDK’s crypto libraries, and others.
Because the project has been open-sourced on GitHub, Google hopes researchers will contribute new tests to expand its testing spectrum.
“The main motivation for the project is to have an achievable goal,” Google said. “That’s why we’ve named it after the Mount Wycheproof, the smallest mountain in the world. The smaller the mountain the easier it is to climb it!”