Slicing for Security of Code

Conference paper, in: Trusted Computing - Challenges and Applications (Trust 2008)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4968)

Abstract

Bugs in programs implementing security features can be catastrophic: for example, they may be exploited by malign users to gain access to sensitive data. These exploits break the confidentiality of information. All security analyses assume that software implementing security features correctly implements the security policy, i.e. is free of security bugs. This assumption is almost always wrong, and IT security administrators consider that any software that receives no security patches on a regular basis should be replaced as soon as possible. As programs implementing security features are usually large, manual auditing is very error-prone and testing techniques are very expensive. This article proposes to reduce the code that has to be audited by applying a program reduction technique called slicing. Slicing transforms source code into equivalent code according to a set of criteria. We show that existing slicing criteria do not preserve the confidentiality of information. We introduce a new automatic and correct source-to-source method that properly preserves the confidentiality of information, i.e. confidentiality is guaranteed to be exactly the same in the original program and in the sliced program.

Editor information

Peter Lipp, Ahmad-Reza Sadeghi, Klaus-Michael Koch

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Monate, B., Signoles, J. (2008). Slicing for Security of Code. In: Lipp, P., Sadeghi, AR., Koch, KM. (eds) Trusted Computing - Challenges and Applications. Trust 2008. Lecture Notes in Computer Science, vol 4968. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-68979-9_10

  • DOI: https://doi.org/10.1007/978-3-540-68979-9_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-68978-2

  • Online ISBN: 978-3-540-68979-9

  • eBook Packages: Computer Science, Computer Science (R0)
