SAILS: Static Analysis of Information Leakage with Sample

In this paper, we introduce Sails, a new tool that combines Sample, a generic static analyzer, with a sophisticated abstract domain for leakage analysis. The tool does not require modifying the original language, since it works with mainstream languages such as Java, and it does not require any manual annotation. Sails can combine the information leakage analysis with different heap abstractions, inferring information leakage over programs that manipulate complex data structures. We applied Sails to the analysis of the SecuriBench-micro suite. The experimental results show the effectiveness of our approach.
