Abstract
Bugs in programs implementing security features can be catastrophic: for example they may be exploited by malign users to gain access to sensitive data. These exploits break the confidentiality of information. All security analyses assume that softwares implementing security features correctly implement the security policy, i.e. are security bug-free. This assumption is almost always wrong and IT security administrators consider that any software that has no security patches on a regular basis should be replaced as soon as possible. As programs implementing security features are usually large, manual auditing is very error prone and testing techniques are very expensive. This article proposes to reduce the code that has to be audited by applying a program reduction technique called slicing. Slicing transforms a source code into an equivalent one according to a set of criteria. We show that existing slicing criteria do not preserve the confidentiality of information. We introduce a new automatic and correct source-to-source method properly preserving the confidentiality of information i.e. confidentiality is guaranteed to be exactly the same in the original program and in the sliced program.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Bernstein, D.J.: Some thoughts on security after ten years of qmail 1.0. In: CSAW 2007: Proceedings of the 2007 ACM workshop on Computer security architecture, pp. 1–10. ACM, New York (2007)
CEA-LIST and INRIA-Futurs. Frama-C: Framework for Modular Analysis of C, http://www.frama-c.cea.fr
Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of the 4th Symposium on Principles of Programming Languages, Los Angeles, Californie, États-Unis, pp. 238–252. ACM Press, New York (1977)
Ferrante, J., Ottenstein, K.J., Warren, J.D.: The program dependence graph and its use in optimization. ACM Trans. Program. Lang. Syst. 9(3), 319–349 (1987)
Gunter, C.A.: Semantics of Programming Languages: Structures and Techniques. In: Foundations of Computing. MIT Press, Cambridge (1992)
Heiser, G.: Your system is secure? prove it! USENIX;login: 32(6), 35–38 (December 2007)
Leroy, X., Doligez, D., Garrigue, J., Rémy, D., Vouillon, J.: The Objective Caml system, release 3.10 (May 2007), http://caml.inria.fr
Meyer, B.: Proving pointer program properties. part 1: Context and overview. Journal of Object Technology 2(2), 87–108 (2003), http://www.jot.fm/issues/issue_2003_03/column8
Ottenstein, K.J., Ottenstein, L.M.: The program dependence graph in a software development environment. In: Karl, J. (ed.) SDE 1: Proceedings of the first ACM SIGSOFT/SIGPLAN software engineering symposium on Practical software development environments, pp. 177–184. ACM Press, New York (1984)
Kent, S., Seo, K.: Security Architecture for the Internet Protocol. Request for comments (rfc) 4301, Network Working Group (December 2005), ftp://ftp.rfc-editor.org/in-notes/rfc4301.txt
Tarski, A.: A lattice-theoretical fixpoint theorem and its applications. Pacific Journal of Mathematics 5, 285–309 (1955)
Tip, F.: A survey of program slicing techniques. Journal of programming languages 3, 121–189 (1995)
Weiser, M.: Program slices: formal, psychological, and practical investigations of an automatic program abstraction method. PhD thesis, University of Michigan, Ann Arbor (1979)
Weiser, M.: Program slicing. In: ICSE 1981: Proceedings of the 5th international conference on Software engineering, Piscataway, NJ, USA, pp. 439–449. IEEE Press, Los Alamitos (1981)
Winskel, G.: The formal semantics of programming languages: an introduction. MIT Press, Cambridge (1993)
Xu, B., Qian, J., Zhang, X., Wu, Z., Chen, L.: A brief survey of program slicing. SIGSOFT Softw. Eng. Notes 30(2), 1–36 (2005)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Monate, B., Signoles, J. (2008). Slicing for Security of Code. In: Lipp, P., Sadeghi, AR., Koch, KM. (eds) Trusted Computing - Challenges and Applications. Trust 2008. Lecture Notes in Computer Science, vol 4968. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-68979-9_10
Download citation
DOI: https://doi.org/10.1007/978-3-540-68979-9_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-68978-2
Online ISBN: 978-3-540-68979-9
eBook Packages: Computer ScienceComputer Science (R0)