Slicing for Security of Code

  • Benjamin Monate
  • Julien Signoles
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4968)

Abstract

Bugs in programs implementing security features can be catastrophic: for example they may be exploited by malign users to gain access to sensitive data. These exploits break the confidentiality of information. All security analyses assume that softwares implementing security features correctly implement the security policy, i.e. are security bug-free. This assumption is almost always wrong and IT security administrators consider that any software that has no security patches on a regular basis should be replaced as soon as possible. As programs implementing security features are usually large, manual auditing is very error prone and testing techniques are very expensive. This article proposes to reduce the code that has to be audited by applying a program reduction technique called slicing. Slicing transforms a source code into an equivalent one according to a set of criteria. We show that existing slicing criteria do not preserve the confidentiality of information. We introduce a new automatic and correct source-to-source method properly preserving the confidentiality of information i.e. confidentiality is guaranteed to be exactly the same in the original program and in the sliced program.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Bernstein, D.J.: Some thoughts on security after ten years of qmail 1.0. In: CSAW 2007: Proceedings of the 2007 ACM workshop on Computer security architecture, pp. 1–10. ACM, New York (2007)CrossRefGoogle Scholar
  2. 2.
    CEA-LIST and INRIA-Futurs. Frama-C: Framework for Modular Analysis of C, http://www.frama-c.cea.fr
  3. 3.
    Cousot, P., Cousot, R.: Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proceedings of the 4th Symposium on Principles of Programming Languages, Los Angeles, Californie, États-Unis, pp. 238–252. ACM Press, New York (1977)CrossRefGoogle Scholar
  4. 4.
    Ferrante, J., Ottenstein, K.J., Warren, J.D.: The program dependence graph and its use in optimization. ACM Trans. Program. Lang. Syst. 9(3), 319–349 (1987)MATHCrossRefGoogle Scholar
  5. 5.
    Gunter, C.A.: Semantics of Programming Languages: Structures and Techniques. In: Foundations of Computing. MIT Press, Cambridge (1992)Google Scholar
  6. 6.
    Heiser, G.: Your system is secure? prove it! USENIX;login: 32(6), 35–38 (December 2007)Google Scholar
  7. 7.
    Leroy, X., Doligez, D., Garrigue, J., Rémy, D., Vouillon, J.: The Objective Caml system, release 3.10 (May 2007), http://caml.inria.fr
  8. 8.
    Meyer, B.: Proving pointer program properties. part 1: Context and overview. Journal of Object Technology 2(2), 87–108 (2003), http://www.jot.fm/issues/issue_2003_03/column8 Google Scholar
  9. 9.
    Ottenstein, K.J., Ottenstein, L.M.: The program dependence graph in a software development environment. In: Karl, J. (ed.) SDE 1: Proceedings of the first ACM SIGSOFT/SIGPLAN software engineering symposium on Practical software development environments, pp. 177–184. ACM Press, New York (1984)CrossRefGoogle Scholar
  10. 10.
    Kent, S., Seo, K.: Security Architecture for the Internet Protocol. Request for comments (rfc) 4301, Network Working Group (December 2005), ftp://ftp.rfc-editor.org/in-notes/rfc4301.txt
  11. 11.
    Tarski, A.: A lattice-theoretical fixpoint theorem and its applications. Pacific Journal of Mathematics 5, 285–309 (1955)MATHMathSciNetGoogle Scholar
  12. 12.
    Tip, F.: A survey of program slicing techniques. Journal of programming languages 3, 121–189 (1995)Google Scholar
  13. 13.
    Weiser, M.: Program slices: formal, psychological, and practical investigations of an automatic program abstraction method. PhD thesis, University of Michigan, Ann Arbor (1979)Google Scholar
  14. 14.
    Weiser, M.: Program slicing. In: ICSE 1981: Proceedings of the 5th international conference on Software engineering, Piscataway, NJ, USA, pp. 439–449. IEEE Press, Los Alamitos (1981)Google Scholar
  15. 15.
    Winskel, G.: The formal semantics of programming languages: an introduction. MIT Press, Cambridge (1993)MATHGoogle Scholar
  16. 16.
    Xu, B., Qian, J., Zhang, X., Wu, Z., Chen, L.: A brief survey of program slicing. SIGSOFT Softw. Eng. Notes 30(2), 1–36 (2005)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Benjamin Monate
    • 1
  • Julien Signoles
    • 1
  1. 1.Software Reliability LabsCEA LISTGif-sur-Yvette CedexFrance

Personalised recommendations