Annotation-Based Static Analysis for Personal Data Protection

This paper elaborates the use of static source code analysis in the context of data protection. The topic matters for software engineering because it helps software developers improve the protection of personal data during software development. To this end, the paper proposes a design for annotating classes and functions that process personal data. The design serves two primary purposes: on one hand, it provides a means for software developers to document their intent; on the other hand, it furnishes tools for the automatic detection of potential violations. This dual rationale facilitates compliance with the General Data Protection Regulation (GDPR) and other emerging data protection and privacy regulations. In addition to a brief review of the state of the art of static analysis in the data protection context and the design of the proposed analysis method, a concrete tool is presented to demonstrate a practical implementation for the Java programming language.
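To make the annotation design concrete, here is an added illustration that is not the paper's tool or its annotation vocabulary: the annotation names `@PersonalData`, `@ProcessesPersonalData` and the sample classes are assumptions, and the checker inspects compiled classes via reflection rather than source code, which a production tool would do with an annotation processor or AST visitor.

```java
import java.lang.annotation.*;
import java.lang.reflect.*;
import java.util.*;

// Hypothetical annotation (not the paper's): marks a type as carrying personal data.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.TYPE)
@interface PersonalData {}

// Hypothetical annotation: the developer documents that a method processes
// personal data and states the purpose, as GDPR purpose limitation expects.
@Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
@interface ProcessesPersonalData { String purpose(); }

@PersonalData
class Customer { String email; }   // constructed sample type

class Mailer {                      // constructed sample code under analysis
    @ProcessesPersonalData(purpose = "newsletter")
    void send(Customer c) {}        // documented: not flagged
    void log(Customer c) {}         // undocumented handling of personal data: flagged
    void ping(String host) {}       // touches no personal data: not flagged
}

public class PersonalDataChecker {
    // Flags every method that takes or returns a @PersonalData type without
    // declaring @ProcessesPersonalData, i.e. undocumented intent.
    static List<String> check(Class<?> cls) {
        List<String> findings = new ArrayList<>();
        for (Method m : cls.getDeclaredMethods()) {
            boolean touchesPersonalData =
                Arrays.stream(m.getParameterTypes())
                      .anyMatch(t -> t.isAnnotationPresent(PersonalData.class))
                || m.getReturnType().isAnnotationPresent(PersonalData.class);
            if (touchesPersonalData && !m.isAnnotationPresent(ProcessesPersonalData.class)) {
                findings.add(cls.getSimpleName() + "." + m.getName()
                    + " handles @PersonalData but is not annotated @ProcessesPersonalData");
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Expected single finding: Mailer.log
        check(Mailer.class).forEach(System.out::println);
    }
}
```

The same rule can be extended to fields and to transitive calls, which is where a real static analysis (rather than reflection over signatures) becomes necessary.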
