Detecting and debugging insecure information flows

@inproceedings{citeulike:2253110, abstract = {A new approach to dynamic information flow analysis is presented that can be used to detect and debug insecure flows in programs. It can be applied offline to validate and debug a program against an information flow policy, or, when fast response is not critical, it can be applied online to prevent illegal flows in deployed programs. Since dynamic analysis alone is inherently unable to detect implicit information flows, our approach incorporates a static preprocessing phase that permits detection of most implicit flows at runtime, in addition to explicit ones. To support interactive debugging of insecure flows, it also incorporates a new forward computing algorithm for dynamic slicing, which is more precise than previous forward computing algorithms and is not restricted to programs with structured control flow. A prototype tool implementing the proposed approach has been developed for Java byte code programs. Case studies in which this tool was applied to several subject programs are described.}, author = {Masri, W. and Podgurski, A. and Leon, D. }, booktitle = {Software Reliability Engineering, 2004. ISSRE 2004. 15th International Symposium on}, citeulike-article-id = {2253110}, doi = {10.1109/ISSRE.2004.17}, journal = {Software Reliability Engineering, 2004. ISSRE 2004. 15th International Symposium on}, keywords = {information\_flow, obt, sw\_engineering, testing}, pages = {198--209}, posted-at = {2008-01-18 19:42:02}, priority = {0}, title = {Detecting and debugging insecure information flows}, url = {http://dx.doi.org/10.1109/ISSRE.2004.17}, year = {2004} }

TY - CONF ID - citeulike:2253110 L3 - citeulike-article-id:2253110 TI - Detecting and debugging insecure information flows T2 - Software Reliability Engineering, 2004. ISSRE 2004. 15th International Symposium on JF - Software Reliability Engineering, 2004. ISSRE 2004. 15th International Symposium on SP - 198 EP - 209 N2 - A new approach to dynamic information flow analysis is presented that can be used to detect and debug insecure flows in programs. It can be applied offline to validate and debug a program against an information flow policy, or, when fast response is not critical, it can be applied online to prevent illegal flows in deployed programs. Since dynamic analysis alone is inherently unable to detect implicit information flows, our approach incorporates a static preprocessing phase that permits detection of most implicit flows at runtime, in addition to explicit ones. To support interactive debugging of insecure flows, it also incorporates a new forward computing algorithm for dynamic slicing, which is more precise than previous forward computing algorithms and is not restricted to programs with structured control flow. A prototype tool implementing the proposed approach has been developed for Java byte code programs. Case studies in which this tool was applied to several subject programs are described. KW - information_flow KW - obt KW - sw_engineering KW - testing AU - Masri, W AU - Podgurski, A AU - Leon, D PY - 2004/// UR - http://dx.doi.org/10.1109/ISSRE.2004.17 ER -