Measuring the strength of information flows in programs

Dynamic information flow analysis (DIFA) was devised to enable the flow of information among variables in an executing program to be monitored and possibly regulated. It is related to techniques like dynamic slicing and dynamic impact analysis. To better understand the basis for DIFA, we conducted an empirical study in which we measured the strength of information flows identified by DIFA, using information theoretic and correlation-based methods. The results indicate that in most cases the occurrence of a chain of dynamic program dependences between two variables does not indicate a measurable information flow between them. We also explored the relationship between the strength of an information flow and the length of the corresponding dependence chain, and we obtained results indicating that no consistent relationship exists between the length of an information flow and its strength. Finally, we investigated whether data dependence and control dependence make equal or unequal contributions to flow strength. The results indicate that flows due to data dependences alone are stronger, on average, than flows due to control dependences alone. We present the details of our study and consider the implications of the results for applications of DIFA and related techniques.
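An added illustration of the abstract's central finding, not code from the paper: the Python sketch below scores flow strength as a plug-in estimate of mutual information between a source and a sink over a uniform input set. The three toy functions, the input range and the estimator are assumptions made for this example, not the study's subject programs or its measurement procedure.

```python
import math
from collections import Counter

def mutual_information(pairs):
    """Plug-in estimate of I(X;Y) in bits from observed (x, y) pairs."""
    n = len(pairs)
    pxy = Counter(pairs)
    px = Counter(x for x, _ in pairs)
    py = Counter(y for _, y in pairs)
    return sum((c / n) * math.log2(c * n / (px[x] * py[y]))
               for (x, y), c in pxy.items())

# In all three functions a dynamic dependence chain links source x to sink y,
# so a dependence-based tracker would report a flow from x to y.

def data_flow(x):
    t = x + 3          # t is data dependent on x
    y = t ^ 0x5        # y is data dependent on t; the mapping is invertible
    return y

def control_flow(x):
    if x >= 8:         # y is control dependent on a predicate that uses x
        y = 1
    else:
        y = 0
    return y

def masked_flow(x):
    t = x * 2          # t is data dependent on x
    y = t & 1          # y is data dependent on t, yet is always 0
    return y

def flow_strengths(inputs):
    """Measured strength in bits of the x -> y flow for each toy function."""
    return {f.__name__: mutual_information([(x, f(x)) for x in inputs])
            for f in (data_flow, control_flow, masked_flow)}

if __name__ == "__main__":
    # Constructed input set: 16 equally likely source values (4 bits of entropy).
    for name, bits in flow_strengths(range(16)).items():
        print(f"{name:13s} {bits:.2f} bits")
```

The data-dependence chain carries all four bits of the source, the control-dependence flow carries one, and the masked chain carries none even though the dependence chain is still present.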
