MicroPython Analysis: Exploring Crypto API Usage and Custom Implementations

6 May 2024

Authors:

(1) Anna-Katharina Wickert, Technische Universität Darmstadt, Darmstadt, Germany (wickert@cs.tu-darmstadt.de);

(2) Lars Baumgärtner, Technische Universität Darmstadt, Darmstadt, Germany (baumgaertner@cs.tu-darmstadt.de);

(3) Florian Breitfelder, Technische Universität Darmstadt, Darmstadt, Germany (florian.breitfelder@tu-darmstadt.de);

(4) Mira Mezini, Technische Universität Darmstadt, Darmstadt, Germany (mezini@cs.tu-darmstadt.de).

5.2 MicroPython

When we applied LICMA to the 5 source files in the MicroPython data set that contain crypto API usages, we identified no misuse. For this reason, we inspected the MicroPython repositories for usages of other crypto functions not covered by LICMA and identified 5 additional files. We notice that the crypto module ucryptolib, which is provided by MicroPython, is only used by tests in 2 projects. For the remaining 3 findings, the crypto functions are written in C rather than Python. Thus, these files were removed by our filter steps described in Section 4.1.2.

Our small analysis of MicroPython projects shows that for further exploration of MicroPython applications, we need to consider custom implementations of AES in Python and C. This seems to be a common pattern for embedded code where performance is important and low-level code is often shipped as custom C blobs. Thus, we can observe the importance of hybrid analysis approaches [5, 10].
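The following added example, which is not code from the paper or from LICMA, shows how a Python `ast` pass could locate `ucryptolib.aes` calls of the kind inspected manually above and report the cipher mode and whether the key is a literal. The function name `find_aes_calls`, the two reported properties and the sample source are assumptions made for this example; AES implemented in C stays out of its reach, which is the gap hybrid analysis addresses.

```python
import ast

# Mode numbers documented for MicroPython's (u)cryptolib.aes(key, mode[, IV]).
MODES = {1: "ECB", 2: "CBC", 6: "CTR"}
MODULES = {"ucryptolib", "cryptolib"}

def find_aes_calls(source):
    """Return sorted (line, mode, constant_key) for each (u)cryptolib.aes call."""
    tree = ast.parse(source)
    mod_alias, func_alias = set(), set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.name in MODULES:
                    mod_alias.add(a.asname or a.name)
        elif isinstance(node, ast.ImportFrom) and node.module in MODULES:
            for a in node.names:
                if a.name == "aes":
                    func_alias.add(a.asname or a.name)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        direct = isinstance(f, ast.Name) and f.id in func_alias
        dotted = (isinstance(f, ast.Attribute) and f.attr == "aes"
                  and isinstance(f.value, ast.Name) and f.value.id in mod_alias)
        if not (direct or dotted) or len(node.args) < 2:
            continue
        key, mode = node.args[0], node.args[1]
        # The mode is either a literal number or a MODE_* name/attribute.
        if isinstance(mode, ast.Constant):
            mode_name = MODES.get(mode.value, "unknown")
        else:
            name = getattr(mode, "attr", getattr(mode, "id", ""))
            mode_name = name[5:] if name.startswith("MODE_") else "unknown"
        const_key = isinstance(key, ast.Constant) and isinstance(key.value, (bytes, str))
        findings.append((node.lineno, mode_name, const_key))
    return sorted(findings)

# Constructed sample, not taken from any project in the data set.
SAMPLE = '''
import ucryptolib
from cryptolib import aes as mk
c1 = ucryptolib.aes(b"0123456789abcdef", 1)
c2 = mk(key, 2, iv)
c3 = ucryptolib.aes(load_key(), ucryptolib.MODE_CTR, nonce)
'''
```

Calling `find_aes_calls(SAMPLE)` reports line 4 as ECB with a literal key, and lines 5 and 6 as CBC and CTR with keys that are not literals.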

Figure 4: Comparison of our evaluation results with the results of CryptoLint [4] and CryptoREX [13].

This paper is available on arXiv under the CC BY 4.0 DEED license.