Data Flow Analysis of Embedded Program Expressions

Data flow analysis techniques can be used to help assess threats to data confidentiality and integrity in security-critical program code. However, a fundamental weakness of static analysis techniques is that they overestimate the ways in which data may propagate at run time. Discounting large numbers of these false-positive data flow paths wastes an information security evaluator's time and effort. Here we show how to automatically eliminate some false-positive data flow paths by precisely modelling how classified data is blocked by certain expressions in embedded C code. We present a library of detailed data flow models of individual expression elements and an algorithm for introducing these components into conventional data flow graphs. The resulting models can be used to accurately trace byte-level or even bit-level data flow through expressions that are normally treated as atomic. This allows us to identify expressions that safely downgrade their classified inputs and thereby eliminate false-positive data flow paths from the security evaluation process. To validate the approach we have implemented and tested it in an existing data flow analysis toolkit.
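The following is an added illustration of the idea in the abstract, not code from the paper or from its data flow toolkit. It models a few C integer operators at bit granularity on a constructed expression tree (no real C parser): every bit of a classified variable carries its own label, constants carry none, and each operator has a rule for which input bits can reach which output bit. The assumptions are a 32-bit unsigned word, logical right shifts, and a deliberately conservative carry model for addition. The contrast with `coarse_taint`, which treats each expression as atomic, is where the false-positive paths disappear.

```python
"""Bit-level data flow through C integer expressions (added example)."""
from typing import FrozenSet, List, Optional, Tuple, Union

WIDTH = 32                      # assumed: 32-bit unsigned arithmetic
MASK = (1 << WIDTH) - 1

# One bit of an analysis result: its value if statically known (else None)
# and the set of (variable, bit-index) labels that may influence it.
Bit = Tuple[Optional[int], FrozenSet]
Word = List[Bit]                # index 0 is the least significant bit

# Constructed expression forms (hypothetical AST, not real C syntax):
#   int                 constant, no classified bits
#   str                 classified variable; bit i is labelled (name, i)
#   ('&'|'|'|'^'|'+', a, b)
#   ('<<'|'>>', a, k)   k is a constant shift count, logical shift
#   ('~', a)
Expr = Union[int, str, tuple]

ZERO: Bit = (0, frozenset())


def _const(v: int) -> Word:
    return [((v >> i) & 1, frozenset()) for i in range(WIDTH)]


def _var(name: str) -> Word:
    return [(None, frozenset({(name, i)})) for i in range(WIDTH)]


def _and(a: Bit, b: Bit) -> Bit:
    (va, ta), (vb, tb) = a, b
    if va == 0 or vb == 0:      # a known 0 blocks whatever is on the other side
        return ZERO
    if va == 1:
        return b
    if vb == 1:
        return a
    return (None, ta | tb)


def _or(a: Bit, b: Bit) -> Bit:
    (va, ta), (vb, tb) = a, b
    if va == 1 or vb == 1:      # a known 1 blocks the other side
        return (1, frozenset())
    if va == 0:
        return b
    if vb == 0:
        return a
    return (None, ta | tb)


def _xor(a: Bit, b: Bit) -> Bit:
    (va, ta), (vb, tb) = a, b
    if va is not None and vb is not None:
        return (va ^ vb, frozenset())
    return (None, ta | tb)      # XOR never blocks an unknown input bit


def analyse(e: Expr) -> Word:
    """Return the per-bit value/label state of expression e."""
    if isinstance(e, int):
        return _const(e & MASK)
    if isinstance(e, str):
        return _var(e)
    op = e[0]
    if op == '~':
        return [(None if v is None else 1 - v, t) for v, t in analyse(e[1])]
    if op in ('<<', '>>'):
        src, k = analyse(e[1]), e[2]
        if op == '<<':
            return [src[i - k] if i >= k else ZERO for i in range(WIDTH)]
        return [src[i + k] if i + k < WIDTH else ZERO for i in range(WIDTH)]
    a, b = analyse(e[1]), analyse(e[2])
    if op == '&':
        return [_and(x, y) for x, y in zip(a, b)]
    if op == '|':
        return [_or(x, y) for x, y in zip(a, b)]
    if op == '^':
        return [_xor(x, y) for x, y in zip(a, b)]
    if op == '+':
        # Conservative carry model: output bit i may depend on every
        # input bit 0..i of both operands, and its value is never known.
        out, carry = [], frozenset()
        for x, y in zip(a, b):
            labels = x[1] | y[1] | carry
            out.append((None, labels))
            carry = labels
        return out
    raise ValueError(f"unsupported operator {op!r}")


def reaching_labels(e: Expr) -> set:
    """All (variable, bit) labels that can influence any output bit."""
    return set().union(*(t for _, t in analyse(e)))


def coarse_taint(e: Expr) -> set:
    """Conventional whole-variable taint: every variable mentioned flows out."""
    if isinstance(e, int):
        return set()
    if isinstance(e, str):
        return {e}
    return set().union(*(coarse_taint(x) for x in e[1:]))


def is_safe_downgrade(e: Expr) -> bool:
    """True when coarse analysis reports a flow but no classified bit reaches the output."""
    return bool(coarse_taint(e)) and not reaching_labels(e)


if __name__ == "__main__":
    for expr in [('&', ('>>', 'key', 24), 0xFF),   # top byte of key leaks
                 ('&', ('<<', 'key', 8), 0xFF),    # key shifted out of the mask
                 ('|', 'key', 0xFFFFFFFF),         # constant swamps the input
                 ('&', ('^', 'key', 'iv'), 0x0F)]: # low nibble of both
        print(expr, coarse_taint(expr), sorted(reaching_labels(expr)),
              "safe downgrade" if is_safe_downgrade(expr) else "")
```

`(key << 8) & 0xFF` is the typical case the abstract describes: a whole-variable analysis reports that `key` flows out, while the bit-level model shows the mask only ever covers bits that the shift filled with zeros, so the path can be discarded. Addition is the one operator here that deliberately over-approximates; a sound model of carries is what keeps the remaining paths trustworthy.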
