Truffle Hog, a Tool That Can Dig Out Hard-Coded Keys from Source Code


A security researcher has released a tool that automatically identifies access keys that have been hard-coded into software source code.

Truffle Hog was written by Dylan Ayrey, a US-based researcher, and is implemented entirely in Python. It finds hard-coded access keys by scanning for strings of at least 20 characters and measuring how random they look. That measure of randomness is Shannon entropy, named after the American mathematician Claude E. Shannon: a string whose characters are spread evenly across its alphabet has high entropy, which is exactly what a cryptographic key or access token looks like, whereas ordinary words, paths and identifiers have much lower entropy.

Hard-coding access keys into software projects is a well-known security risk, because an attacker who can read the source can recover the keys with very little effort. Despite repeated warnings, the practice remains common.

In recent years, researchers have found as many as 10,000 access keys for Amazon Web Services and Elastic cloud services that developers had left in publicly accessible scripts on GitHub. This prompted Amazon to start scanning GitHub for such keys itself and revoking the ones it finds.

Almost 1,000 Slack tokens committed by developers into GitHub projects were found to grant access to chat channels, directories, private messages and sensitive data shared inside Slack teams.

Truffle Hog digs through a project's entire git history, not just the current tree, so a key that was committed and later deleted is still found. For every base64 or hexadecimal string of at least 20 characters it calculates the Shannon entropy and reports the strings whose entropy exceeds a threshold. The tool depends on the GitPython library to walk the repository. Tools like this can also help attackers find leaked keys, but they mainly help developers catch secrets before they reach a public repository.
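The two paragraphs above describe the core of the technique: pull out every long base64 or hex run from the text a commit added, compute its Shannon entropy, and flag the ones that look random. The following is an added example that re-implements that check in Python; it is not Truffle Hog's own code. It scans the `+` lines of a unified diff rather than walking a real repository with GitPython, the diff text is constructed for the example, the entropy thresholds (4.5 bits for base64, 3.0 bits for hex) are values chosen here, and the AWS values are Amazon's documented placeholder credentials, not live keys.

```python
import math
import re
from typing import List, NamedTuple

# Only runs of at least 20 base64 or hex characters are considered at all;
# shorter strings are ignored outright, as the text above describes.
BASE64_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_RE = re.compile(r"[0-9a-fA-F]{20,}")

# Entropy thresholds in bits per character. Chosen for this example: a
# 64-symbol alphabet can reach 6 bits, a 16-symbol alphabet only 4.
BASE64_THRESHOLD = 4.5
HEX_THRESHOLD = 3.0


def shannon_entropy(data: str) -> float:
    """Shannon entropy of a string in bits per character: H = -sum p(c) * log2 p(c).

    Only characters that actually occur contribute; the probability of each is
    its frequency within the string.
    """
    if not data:
        return 0.0
    length = len(data)
    return -sum(
        (count / length) * math.log2(count / length)
        for count in (data.count(c) for c in set(data))
    )


class Finding(NamedTuple):
    line_no: int   # 1-based line within the diff text
    kind: str      # "base64" or "hex"
    value: str     # the candidate string that was flagged
    entropy: float # bits per character


def scan_added_lines(diff_text: str) -> List[Finding]:
    """Scan the '+' lines of a unified diff (what a commit added) for high-entropy strings.

    This mirrors scanning history commit by commit: each commit's additions are
    checked, so a secret that was later removed from the tree is still caught.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(diff_text.splitlines(), start=1):
        # '+++ b/file' is the file header, not an added line.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for kind, pattern, threshold in (
            ("base64", BASE64_RE, BASE64_THRESHOLD),
            ("hex", HEX_RE, HEX_THRESHOLD),
        ):
            for match in pattern.finditer(line):
                candidate = match.group(0)
                entropy = shannon_entropy(candidate)
                if entropy > threshold:
                    findings.append(Finding(line_no, kind, candidate, entropy))
    return findings


# Constructed sample diff (hypothetical settings.py). The AWS values are the
# placeholder credentials from Amazon's documentation; the pinned commit is the
# SHA-1 of the empty string, included to show the classic hex false positive.
SAMPLE_DIFF = """\
diff --git a/settings.py b/settings.py
--- a/settings.py
+++ b/settings.py
@@ -1,3 +1,6 @@
 DEBUG = False
+AWS_REGION = "us-east-1"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+PLACEHOLDER = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
+PINNED_COMMIT = "da39a3ee5e6b4b0d3255bfef95601890afd80709"
"""


if __name__ == "__main__":
    for f in scan_added_lines(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind} string with {f.entropy:.2f} bits/char: {f.value}")
```

Run against the sample, the scan flags the 40-character secret access key (about 4.66 bits per character, above the base64 threshold) and the 40-character commit hash (about 3.74 bits per character, above the hex threshold). The second is the well-known false positive of this approach: a git SHA is random-looking hex and scores like a key, so hex findings need manual review. The miss is just as instructive: the access key ID `AKIAIOSFODNN7EXAMPLE` scores only about 3.68 bits per character and is not reported, because its fixed `AKIA` prefix and uppercase alphabet keep the entropy low. Pure entropy scanning therefore benefits from pattern rules for known key formats alongside it, and from tuning the thresholds to the repository being scanned.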