Automated Detection of Information Flow Vulnerabilities in UML State Charts and C Code

Information flow vulnerabilities in UML statecharts and C code are detrimental because they can cause data leakages or unexpected program behavior. Detecting such vulnerabilities with static code analysis techniques is challenging because code is usually not available during the software design phase, and prior knowledge about what should be annotated and tracked is needed. In this paper we propose textual annotations that introduce information flow constraints into UML state charts and code; the annotations are afterwards automatically loaded by information flow checkers that verify whether the imposed constraints hold. We evaluated our approach on 6 open source test cases available in the National Institute of Standards and Technology (NIST) Juliet test suite for C/C++. Our results show that our approach is effective and can be further applied to other types of UML models and programming languages in order to detect different types of vulnerabilities.
