nach oben

Erschienen in:

2018 | OriginalPaper | Buchkapitel

Combining Symbolic and Numerical Domains for Information Leakage Analysis

verfasst von : Agostino Cortesi, Pietro Ferrara, Raju Halder, Matteo Zanioli

Erschienen in: Transactions on Computational Science XXXI

Verlag: Springer Berlin Heidelberg

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

We introduce an abstract domain for information-flow analysis of software. The proposal combines variable dependency analysis with numerical abstractions, yielding to accuracy and efficiency improvements. We apply the full power of the proposal to the case of database query languages as well. Finally, we present an implementation of the analysis, called \(\mathsf {Sails}\), as an instance of a generic static analyzer. Keeping the modular construction of the analysis, the tool allows one to tune the granularity of heap analysis and to choose the numerical domain involved in the reduced product. This way the user can tune the information leakage analysis at different levels of precision and efficiency.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Advanced Monitoring Based Intrusion Detection System for Distributed and Intelligent Energy Theft: DIET Attack in Advanced Metering Infrastructure

Nächstes Kapitel Minimizing Aliasing Effects Using Faster Super Resolution Technique on Text Images

http://www.pm.inf.ethz.ch/research/semper/Sample.

The paper is a revised and extended version of [24, 45, 46].

In the rest of the paper, we will omit the initial and final labels of statements when not required.

For other type of variables, the abstraction function represents identity function.

Notice that, as in [45], we assume that the attacker, in both cases, knows the source code of the program.

Andersen, H.R.: An introduction to binary decision diagrams. Technical report, Course Notes on the WWW (1997)

Armstrong, T., Marriott, K., Schachte, P., Søndergaard, H.: Two classes of boolean functions for dependency analysis. Sci. Comput. Program. 31, 3–45 (1998)MathSciNetCrossRefMATH

Askarov, A., Hedin, D., Sabelfeld, A.: Cryptographically-masked flows. Theor. Comput. Sci. 402, 82–101 (2008)MathSciNetCrossRefMATH

Askarov, A., Sabelfeld, A.: Security-typed languages for implementation of cryptographic protocols: a case study. In: di Vimercati, S.C., Syverson, P., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 197–221. Springer, Heidelberg (2005). https://doi.org/10.1007/11555827_12 CrossRef

Bagnara, R., Hill, P.M., Zaffanella, E.: The parma polyhedra library: toward a complete set of numerical abstractions for the analysis and verification of hardware and software systems. Sci. Comput. Program. 72, 3–21 (2008)MathSciNetCrossRef

Bagnara, R., Hill, P.M., Zaffanella, E.: Applications of polyhedral computations to the analysis and verification of hardware and software systems. Theor. Comput. Sci. 410, 4672–4691 (2009)MathSciNetCrossRefMATH

Banerjee, A., Naumann, D.A.: Secure information flow and pointer confinement in a Java-like language. In: Proceedings of the 15th IEEE Workshop on Computer Security Foundations, CSFW 2002. IEEE Computer Society, Washington, DC (2002)

Barthe, G., Rezk, T.: Non-interference for a JVM-like language. In: Proceedings of the 2005 ACM SIGPLAN International Workshop on Types in Languages Design and Implementation, TLDI 2005, pp. 103–112. ACM, New York (2005)

Bodei, C., Degano, P., Nielson, F., Nielson, H.R.: Static analysis for secrecy and non-interference in networks of processes. In: Malyshkin, V. (ed.) PaCT 2001. LNCS, vol. 2127, pp. 27–41. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44743-1_3 CrossRef

10.

Clause, J., Li, W., Orso, A.: Dytan: a generic dynamic taint analysis framework. In: Proceedings of the 2007 International Symposium on Software Testing and Analysis, ISSTA 2007, pp. 196–206. ACM, New York (2007)

11.

Cortesi, A., Filé, G., Winsborough, W.H.: Prop revisited: propositional formula as abstract domain for groundness analysis. In: LICS, pp. 322–327 (1991)

12.

Costantini, G., Ferrara, P., Cortesi, A.: Static analysis of string values. In: Qin, S., Qiu, Z. (eds.) ICFEM 2011. LNCS, vol. 6991, pp. 505–521. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24559-6_34 CrossRef

13.

Cousot, P., Cousot, R.: Systematic design of program analysis frameworks. In: Proceedings of the 6th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, POPL 1979, pp. 269–282. ACM, New York (1979)

14.

Cousot, P., Halbwachs, N.: Automatic discovery of linear restraints among variables of a program. In: Proceedings of the 5th ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, POPL 1978, pp. 84–96. ACM, New York (1978)

15.

De Groef, W., Devriese, D., Nikiforakis, N., Piessens, F.: FlowFox: a web browser with flexible and precise information flow control. In: Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012). ACM (2012)

16.

Denning, D.E.: A lattice model of secure information flow. Commun. ACM 19, 236–243 (1976)MathSciNetCrossRefMATH

17.

Denning, D.E., Denning, P.J.: Certification of programs for secure information flow. Commun. ACM 20, 504–513 (1977)CrossRefMATH

18.

Ferrara, P.: Static type analysis of pattern matching by abstract interpretation. In: Hatcliff, J., Zucca, E. (eds.) FMOODS/FORTE-2010. LNCS, vol. 6117, pp. 186–200. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13464-7_15 CrossRef

19.

Ferrara, P.: A fast and precise alias analysis for data race detection. In: Proceedings of the Third Workshop on Bytecode Semantics, Verification, Analysis and Transformation (Bytecode 2008), Electronic Notes in Theoretical Computer Science. Elsevier, April 2008

20.

Focardi, R., Centenaro, M.: Information flow security of multi-threaded distributed programs. In: Proceedings of the third ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, PLAS 2008, pp. 113–124. ACM, New York (2008)

21.

Giacobazzi, R., Mastroeni, I.: Abstract non-interference: parameterizing non-interference by abstract interpretation. In: Proceedings of the 31st ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2004, pp. 186–197. ACM, New York (2004)

22.

Halder, R., Cortesi, A.: Abstract interpretation of database query languages. Comput. Lang. Syst. Struct. 38, 123–157 (2012)MATH

23.

Halder, R., Cortesi, A.: Abstract program slicing of database query languages. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing, Coimbra, Portugal, pp. 838–845. ACM Press (2013)

24.

Halder, R., Zanioli, M., Cortesi, A.: Information leakage analysis of database query languages. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, Gyeongju, Korea, pp. 813–820. ACM Press, 24–28 March 2014

25.

Hennessy, M.: The Semantics of Programming Languages: An Elementary Introduction Using Structural Operational Semantics. Wiley, New York (1990)MATH

26.

Jeannet, B.: Convex polyhedra library, March 2002. Documentation of the “New Polka” library. http://www.irisa.fr/prive/Bertrand.Jeannet/newpolka.html

27.

Jeannet, B., Miné, A.: Apron: a library of numerical abstract domains for static analysis. In: Bouajjani, A., Maler, O. (eds.) CAV 2009. LNCS, vol. 5643, pp. 661–667. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02658-4_52 CrossRef

28.

Joshi, R., Rustan, K., Leino, M.: A semantic approach to secure information flow. Sci. Comput. Program. 37, 113–138 (2000)MathSciNetCrossRefMATH

29.

Laud, P.: Semantics and program analysis of computationally secure information flow. In: Sands, D. (ed.) ESOP 2001. LNCS, vol. 2028, pp. 77–91. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45309-1_6 CrossRef

30.

Liu, J.D., George, M.D., Vikram, K., Qi, X., Waye, L., Myers, A.C.: Fabric: a platform for secure distributed computation and storage. In: Proceedings of the ACM SIGOPS 22nd Symposium on Operating Systems Principles, SOSP 2009, pp. 321–334. ACM, New York (2009)

31.

Liu, Y., Milanova, A.: Static information flow analysis with handling of implicit flows and a study on effects of implicit flows vs explicit flows. In: Proceedings of the 2010 14th European Conference on Software Maintenance and Reengineering, CSMR 2010, pp. 146–155. IEEE Computer Society, Washington, DC (2010)

32.

Miné, A.: A new numerical abstract domain based on difference-bound matrices. In: Danvy, O., Filinski, A. (eds.) PADO 2001. LNCS, vol. 2053, pp. 155–172. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44978-7_10 CrossRef

33.

Miné, A.: The octagon abstract domain. In: Proceedings of the Workshop on Analysis, Slicing, and Transformation (AST 2001), pp. 310–319. IEEE CS Press, October 2001

34.

Myers, A.C., Zheng, L., Zdancewic, S., Chong, S., Nystrom, N.: JIF: Java information flow. Software release, July 2001–2004

35.

Pottier, F., Simonet, V.: Information flow inference for ML. ACM Trans. Program. Lang. Syst. 25, 117–158 (2003)CrossRefMATH

36.

Sabelfeld, A., Myers, A.C.: Language-based information-flow security. IEEE J. Sel. Areas Commun. 21(1), 5–19 (2003)CrossRef

37.

Sagiv, M., Reps, T., Wilhelm, R.: Parametric shape analysis via 3-valued logic. ACM Trans. Program. Lang. Syst. 24, 217–298 (2002)CrossRef

38.

Simonet, V.: The flow Caml System: documentation and user’s manual. Technical report 0282, Institut National de Recherche en Informatique et en Automatique (INRIA), July 2003

39.

Smith, G.: Principles of secure information flow analysis. In: Malware Detection, pp. 297–307 (2007)

40.

Smith, G., Volpano, D.: Secure information flow in a multi-threaded imperative language. In: Proceedings of the 25th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 1998, pp. 355–364. ACM, New York (1998)

41.

Stefan, D., Russo, A., Mitchell, J.C., Mazières, D.: Flexible dynamic information flow control in Haskell. SIGPLAN Not. 46(12), 95–106 (2011)CrossRef

42.

Tolstrup, T.K., Nielson, F., Nielson, H.R.: Information flow analysis for VHDL. In: Malyshkin, V. (ed.) PaCT 2005. LNCS, vol. 3606, pp. 79–98. Springer, Heidelberg (2005). https://doi.org/10.1007/11535294_8 CrossRef

43.

Stanford University. Stanford SecuriBench Micro. http://suif.stanford.edu/~livshits/work/securibench-micro/

44.

Volpano, D., Irvine, C., Smith, G.: A sound type system for secure flow analysis. J. Comput. Secur. 4, 167–187 (1996)CrossRef

45.

Zanioli, M., Cortesi, A.: Information leakage analysis by abstract interpretation. In: Černá, I., Gyimóthy, T., Hromkovič, J., Jefferey, K., Králović, R., Vukolić, M., Wolf, S. (eds.) SOFSEM 2011. LNCS, vol. 6543, pp. 545–557. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-18381-2_45 CrossRef

46.

Zanioli, M., Ferrara, P., Cortesi, A.: Sails: static analysis of information leakage with sample. In: Proceedings of the 2012 ACM Symposium on Applied Computing, pp. 1308–1313. ACM Press (2012)

47.

Zanotti, M.: Security typings by abstract interpretation. In: Hermenegildo, M.V., Puebla, G. (eds.) SAS 2002. LNCS, vol. 2477, pp. 360–375. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45789-5_26 CrossRef

Titel: Combining Symbolic and Numerical Domains for Information Leakage Analysis
verfasst von: Agostino Cortesi
Pietro Ferrara
Raju Halder
Matteo Zanioli
Verlag: Springer Berlin Heidelberg
Buch: Transactions on Computational Science XXXI
Print ISBN: 978-3-662-56498-1

Electronic ISBN: 978-3-662-56499-8

Copyright-Jahr: 2018
DOI: https://doi.org/10.1007/978-3-662-56499-8_6

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"