A Toolchain for Assisting Migration of Software Executables Towards Post-Quantum Cryptography
Quantum computing poses a significant global threat to modern security mechanisms. As such, security experts and public sectors have issued guidelines to help organizations transition their software to post-quantum cryptography (PQC). However, there is a lack of (semi-)automatic tools to support thi...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
IEEE
2025-01-01
|
| Series: | IEEE Access |
| Subjects: | |
| Online Access: | https://ieeexplore.ieee.org/document/10819261/ |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1841550772665319424 |
|---|---|
| author | Norrathep Rattanavipanon Jakapan Suaboot Warodom Werapun |
| author_facet | Norrathep Rattanavipanon Jakapan Suaboot Warodom Werapun |
| author_sort | Norrathep Rattanavipanon |
| collection | DOAJ |
| description | Quantum computing poses a significant global threat to modern security mechanisms. As such, security experts and public sectors have issued guidelines to help organizations transition their software to post-quantum cryptography (PQC). However, there is a lack of (semi-)automatic tools to support this transition, particularly for software deployed as binary executables. To address this gap, in this work, we first propose a set of requirements necessary for this type of tool to detect quantum-vulnerable software executables. Following these requirements, we introduce <inline-formula> <tex-math notation="LaTeX">$\mathsf {QED}$ </tex-math></inline-formula>: a toolchain for Quantum-vulnerable Executable Detection. <inline-formula> <tex-math notation="LaTeX">$\mathsf {QED}$ </tex-math></inline-formula> uses a three-phase approach to identify quantum-vulnerable dependencies in a given set of executables, from file-level to API-level, and finally, precise identification of a static trace that triggers a quantum-vulnerable API. The key benefit of this design is that it provides efficiency without compromising accuracy, as it incorporates fast initial analyses to filter out executables unlikely to be quantum-vulnerable that in turn allows the more resource-intensive analysis to be performed on a smaller subset of executables. To demonstrate this claim, we evaluate <inline-formula> <tex-math notation="LaTeX">$\mathsf {QED}$ </tex-math></inline-formula> on both a synthetic dataset with four cryptography libraries and a real-world dataset with over 200 software executables. The results show that: 1) <inline-formula> <tex-math notation="LaTeX">$\mathsf {QED}$ </tex-math></inline-formula> discerns quantum-vulnerable from quantum-safe executables with 100% accuracy in the synthetic dataset; 2) <inline-formula> <tex-math notation="LaTeX">$\mathsf {QED}$ </tex-math></inline-formula> is practical and scalable, completing analyses on average in less than 4 seconds per real-world executable; and 3) <inline-formula> <tex-math notation="LaTeX">$\mathsf {QED}$ </tex-math></inline-formula> reduces the manual workload required by analysts to identify quantum-vulnerable executables in the real-world dataset by more than 90%. |
| format | Article |
| id | doaj-art-6fc954845233441989906dc8c389e53f |
| institution | Kabale University |
| issn | 2169-3536 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | doaj-art-6fc954845233441989906dc8c389e53f2025-01-10T00:01:08ZengIEEEIEEE Access2169-35362025-01-01134368438010.1109/ACCESS.2024.352430910819261A Toolchain for Assisting Migration of Software Executables Towards Post-Quantum CryptographyNorrathep Rattanavipanon0https://orcid.org/0000-0003-1192-5079Jakapan Suaboot1https://orcid.org/0000-0002-9519-0833Warodom Werapun2https://orcid.org/0000-0003-1915-036XCollege of Computing, Prince of Songkla University, Phuket Campus, Phuket, ThailandCollege of Computing, Prince of Songkla University, Phuket Campus, Phuket, ThailandCollege of Computing, Prince of Songkla University, Phuket Campus, Phuket, ThailandQuantum computing poses a significant global threat to modern security mechanisms. As such, security experts and public sectors have issued guidelines to help organizations transition their software to post-quantum cryptography (PQC). However, there is a lack of (semi-)automatic tools to support this transition, particularly for software deployed as binary executables. To address this gap, in this work, we first propose a set of requirements necessary for this type of tool to detect quantum-vulnerable software executables. Following these requirements, we introduce <inline-formula> <tex-math notation="LaTeX">$\mathsf {QED}$ </tex-math></inline-formula>: a toolchain for Quantum-vulnerable Executable Detection. <inline-formula> <tex-math notation="LaTeX">$\mathsf {QED}$ </tex-math></inline-formula> uses a three-phase approach to identify quantum-vulnerable dependencies in a given set of executables, from file-level to API-level, and finally, precise identification of a static trace that triggers a quantum-vulnerable API. The key benefit of this design is that it provides efficiency without compromising accuracy, as it incorporates fast initial analyses to filter out executables unlikely to be quantum-vulnerable that in turn allows the more resource-intensive analysis to be performed on a smaller subset of executables. To demonstrate this claim, we evaluate <inline-formula> <tex-math notation="LaTeX">$\mathsf {QED}$ </tex-math></inline-formula> on both a synthetic dataset with four cryptography libraries and a real-world dataset with over 200 software executables. The results show that: 1) <inline-formula> <tex-math notation="LaTeX">$\mathsf {QED}$ </tex-math></inline-formula> discerns quantum-vulnerable from quantum-safe executables with 100% accuracy in the synthetic dataset; 2) <inline-formula> <tex-math notation="LaTeX">$\mathsf {QED}$ </tex-math></inline-formula> is practical and scalable, completing analyses on average in less than 4 seconds per real-world executable; and 3) <inline-formula> <tex-math notation="LaTeX">$\mathsf {QED}$ </tex-math></inline-formula> reduces the manual workload required by analysts to identify quantum-vulnerable executables in the real-world dataset by more than 90%.https://ieeexplore.ieee.org/document/10819261/Binary analysispost-quantum cryptographypost-quantum migrationsoftware security |
| spellingShingle | Norrathep Rattanavipanon Jakapan Suaboot Warodom Werapun A Toolchain for Assisting Migration of Software Executables Towards Post-Quantum Cryptography IEEE Access Binary analysis post-quantum cryptography post-quantum migration software security |
| title | A Toolchain for Assisting Migration of Software Executables Towards Post-Quantum Cryptography |
| title_full | A Toolchain for Assisting Migration of Software Executables Towards Post-Quantum Cryptography |
| title_fullStr | A Toolchain for Assisting Migration of Software Executables Towards Post-Quantum Cryptography |
| title_full_unstemmed | A Toolchain for Assisting Migration of Software Executables Towards Post-Quantum Cryptography |
| title_short | A Toolchain for Assisting Migration of Software Executables Towards Post-Quantum Cryptography |
| title_sort | toolchain for assisting migration of software executables towards post quantum cryptography |
| topic | Binary analysis post-quantum cryptography post-quantum migration software security |
| url | https://ieeexplore.ieee.org/document/10819261/ |
| work_keys_str_mv | AT norratheprattanavipanon atoolchainforassistingmigrationofsoftwareexecutablestowardspostquantumcryptography AT jakapansuaboot atoolchainforassistingmigrationofsoftwareexecutablestowardspostquantumcryptography AT warodomwerapun atoolchainforassistingmigrationofsoftwareexecutablestowardspostquantumcryptography AT norratheprattanavipanon toolchainforassistingmigrationofsoftwareexecutablestowardspostquantumcryptography AT jakapansuaboot toolchainforassistingmigrationofsoftwareexecutablestowardspostquantumcryptography AT warodomwerapun toolchainforassistingmigrationofsoftwareexecutablestowardspostquantumcryptography |