A Toolchain for Assisting Migration of Software Executables Towards Post-Quantum Cryptography

Norrathep Rattanavipanon,Jakapan Suaboot,Warodom Werapun
2024-09-14
Abstract:Quantum computing poses a significant global threat to today's security mechanisms. As a result, security experts and public sectors have issued guidelines to help organizations migrate their software to post-quantum cryptography (PQC). Despite these efforts, there is a lack of (semi-)automatic tools to support this transition especially when software is used and deployed as binary executables. To address this gap, in this work, we first propose a set of requirements necessary for a tool to detect quantum-vulnerable software executables. Following these requirements, we introduce QED: a toolchain for Quantum-vulnerable Executable Detection. QED uses a three-phase approach to identify quantum-vulnerable dependencies in a given set of executables, from file-level to API-level, and finally, precise identification of a static trace that triggers a quantum-vulnerable API. We evaluate QED on both a synthetic dataset with four cryptography libraries and a real-world dataset with over 200 software executables. The results demonstrate that: (1) QED discerns quantum-vulnerable from quantum-safe executables with 100% accuracy in the synthetic dataset; (2) QED is practical and scalable, completing analyses on average in less than 4 seconds per real-world executable; and (3) QED reduces the manual workload required by analysts to identify quantum-vulnerable executables in the real-world dataset by more than 90%. We hope that QED can become a crucial tool to facilitate the transition to PQC, particularly for small and medium-sized businesses with limited resources.
Cryptography and Security
What problem does this paper attempt to address?
The main problem that this paper attempts to solve is: **How to assist the migration of software executables to post - quantum cryptography (PQC), especially identifying those software executables that are vulnerable to quantum attacks**. ### Problem Background With the development of quantum computing technology, quantum computers pose a serious threat to currently widely - used security mechanisms (such as public - key encryption systems). For example, RSA and elliptic - curve encryption algorithms may be cracked in the face of quantum computers. Therefore, security experts and the public sector have issued guidelines to help organizations migrate their software to post - quantum cryptography (PQC). However, there is currently a lack of tools that can support this migration automatically or semi - automatically, especially when the software is used and deployed in the form of binary executables. ### Paper Objectives To solve this problem, the authors proposed a toolchain named **QED (Quantum - vulnerable Executable Detection)**. The main objective of QED is to help analysts identify quantum - vulnerable (QV) executables located in specific computers/servers. Specifically, QED uses a three - stage method to identify quantum - vulnerable dependencies in a given set of executables: 1. **File - level dependency analysis**: Identify executables that depend on quantum - vulnerable encryption libraries. 2. **API - level dependency analysis**: Further narrow down the scope and only keep executables that call quantum - vulnerable APIs. 3. **Static trace analysis**: Through static call - graph analysis, accurately identify the function - call paths from the entry of the executable to the quantum - vulnerable API. ### Main Contributions 1. **Requirement definition**: Clearly defined the requirements that a tool for assisting the PQC migration task needs to meet, especially for identifying quantum - vulnerable software executables. 2. **Tool implementation**: Developed and open - sourced the QED toolchain for detecting quantum - vulnerable executables. 3. **Empirical verification**: Verified the accuracy and efficiency of QED through synthetic data sets and real - world data sets. The results show that QED achieved a 100% true - positive rate in the synthetic data set and reduced the analyst's manual workload by more than 90%. ### Application Scenarios QED is especially suitable for small and medium - sized enterprises with limited resources, helping them transition to post - quantum cryptography more easily and thus improve security. ### Summary This paper fills the gap in existing tools in terms of automatically identifying quantum - vulnerable executables by proposing the QED toolchain, providing strong support for organizations to migrate to post - quantum cryptography.