Abstract: Quantum computing poses a significant global threat to modern security mechanisms. As such, security experts and public sectors have issued guidelines to help organizations transition their software to post-quantum cryptography (PQC). However, there is a lack of (semi-)automatic tools to support this transition, particularly for software deployed as binary executables. To address this gap, in this work, we first propose a set of requirements necessary for this type of tool to detect quantum-vulnerable software executables. Following these requirements, we introduce $\mathsf{QED}$: a toolchain for Quantum-vulnerable Executable Detection. $\mathsf{QED}$ uses a three-phase approach to identify quantum-vulnerable dependencies in a given set of executables, from file-level to API-level, and finally, precise identification of a static trace that triggers a quantum-vulnerable API. The key benefit of this design is that it provides efficiency without compromising accuracy: it incorporates fast initial analyses to filter out executables unlikely to be quantum-vulnerable, which in turn allows the more resource-intensive analysis to be performed on a smaller subset of executables. To demonstrate this claim, we evaluate $\mathsf{QED}$ on both a synthetic dataset with four cryptography libraries and a real-world dataset with over 200 software executables. The results show that: 1) $\mathsf{QED}$ discerns quantum-vulnerable from quantum-safe executables with 100% accuracy in the synthetic dataset; 2) $\mathsf{QED}$ is practical and scalable, completing analyses on average in less than 4 seconds per real-world executable; and 3) $\mathsf{QED}$ reduces the manual workload required by analysts to identify quantum-vulnerable executables in the real-world dataset by more than 90%.