Title: Analysis and Implementation Method of Program to Detect Inappropriate Information Leak
1 Analysis and Implementation Method of Program to Detect Inappropriate Information Leak
- Reishi Yokomori, Fumiaki Ohata, Yoshiaki Takata, Hiroyuki Seki and Katsuro Inoue
- Graduate School of Engineering Science, Osaka University
- Graduate School of Information Science, Nara Institute of Science and Technology
2 Program slice
- Program slice: the set of all the statements that affect the value of a variable at a certain statement in a program.
- The main directions of a program slice
  - Debugging support
  - Testing
  - Maintenance
  - Program composition
- A program slice is commonly calculated using a Program Dependence Graph (PDG).
3 Program Dependence Graph
- Program Dependence Graph (PDG)
  - PDG: a graph of the definition / reference relations between the variables of a program
  - Node <-> Statement
  - Edge <-> Dependency
    - Data Dependence (DD)
    - Control Dependence (CD)

    readln(a);
    readln(b);
    readln(c);
    if c < 0 then
      a := 2;
    println(a)

Nodes that can be reached by traversing edges from a slice criterion are included in the slice.
4 Security Analysis
- Security analysis has been proposed to prevent information leaks caused by the execution of a program.
- Kuninobu's algorithm
  - Information Flow Analysis Algorithm
  - An algorithm which investigates where the program outputs confidential information
  - From the Security Class (SC) of each input value, the SC of each output value is calculated by using information flow.
  - The analysis is based on repeated calculation of simultaneous equations.

Shigeta Kuninobu, Yoshiaki Takata, Hiroyuki Seki, Katsuro Inoue, "An Efficient Information Flow Analysis of Recursive Programs based on a Lattice Model of Security Classes", Proceedings of Third International Conference on Information and Communications Security (ICICS 2001), Lecture Notes in Computer Science 2229, pp. 292-303, Xian, China, Nov. 2001.
5 Security Class (SC)
- The degree of secrecy which the data has.
- The strength relation is expressed by a lattice structure.
- Henceforth, I express SC with two values.
  - SC: high, low
  - high: information which should be protected
  - low: information which does not need to be protected
- Operations on SC
  - sum: the least upper bound of SCs (Example: the sum of low and high is high)
  - product: the greatest lower bound of SCs (Example: the product of low and high is low)
6 Information Flow
- The data transfer relation which exists between the variables in a program
- Explicit flow
  - The relationship between a definition and a reference of a variable.
- Implicit flow
  - The relationship between the variables referred to in the condition clause of a branch (or repetition) command and the variables defined in its internal statements.

    b = 5;
    c = 5;
    if (c > 0) {
      a = b;    /* explicit flow from b, implicit flow from c */
    }
7 Example of Analysis
- The SC of each statement in the program is calculated based on information flow.

    #include <stdio.h>

    void method(int a, int b, int c) {
      int d = a + b + c;    /* the operators between a, b and c are assumed */
      if (c > 0) {
        a = b;
      }
      printf("%d\n", a);
    }
8 Purpose of Study
- A security analysis method was proposed by Kuninobu, but no implementation has yet been made.
- The approach used for slicing is closely related to security analysis.
- Implementation of a prototype system of the information security analysis algorithm.
- Realization of security analysis as an example of an application of slicing.
9 Implementation of Information Flow Analysis Algorithm (1/2)
- The approach used for slicing is closely related to security analysis.
- The plan of implementation
  - Analysis based on the technique of PDG creation
  - Explicit flow (implicit flow) is made to correspond to DD (CD).
10 Implementation of Information Flow Analysis Algorithm (2/2)
- The implementation method
  - Analysis based on the technique of PDG creation
- Procedure
  - An SC is set for each input value of the program.
  - An SCset is built for every procedure.
    - SCset: the set of the SCs which each variable has at each analysis point.
    - An element of SCset: (variable, SC)
  - Following the order of execution of the program statements, the SCset is updated by its updating algorithm.
  - The analysis is repeated until the result is stabilized.
  - The SC of each output value is obtained.
11 The Example of Analysis
- Analysis of procedure test

    procedure swap(var a, b : integer);
    var temp : integer;
    begin
      temp := a;
      a := b;
      b := temp
    end;

    procedure test;
    begin
      readln(a);    { input SC: high }
      readln(b);    { input SC: low }
      swap(a, b);
      writeln(a);
      writeln(b)
    end;

The SCset is built from the variables used within the procedure before the analysis.
SCset: (a, low), (b, low)
SC of writeln(a) is low.
SC of writeln(b) is high.
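The SCset update described on slides 9 to 11, as an added Python sketch (not the authors' tool and not Kuninobu's full algorithm: the call to swap is inlined and recursion is not handled). The statement tuples, `analyze` and `output_classes` are names assumed for this illustration, and the three sample programs are constructed.

```python
# Added illustration; not the Osaka Slicing System code.
LOW, HIGH = 0, 1                      # two-valued lattice: low < high
NAMES = {LOW: "low", HIGH: "high"}

def join(*scs):
    """Sum (least upper bound) of security classes."""
    return max(scs, default=LOW)

def analyze(stmts, scset, ctx=LOW, outputs=None):
    """Update scset (variable -> SC) in execution order; ctx is the SC of
    the enclosing conditions (implicit flow). Returns (scset, outputs)."""
    outputs = {} if outputs is None else outputs
    for kind, name, refs, *body in stmts:
        if kind == "assign":          # explicit flow: refs -> name
            sc = join(ctx, *(scset[v] for v in refs))
            scset = {**scset, name: sc}
        elif kind == "out":           # SC of an output statement
            sc = join(ctx, *(scset[v] for v in refs))
            outputs[name] = join(outputs.get(name, LOW), sc)
        else:                         # "if" / "while": refs = condition vars
            while True:
                inner = join(ctx, *(scset[v] for v in refs))
                after, _ = analyze(body[0], scset, inner, outputs)
                # The body may be skipped: merge with the state before it.
                merged = {v: join(scset[v], after[v]) for v in scset}
                stable, scset = merged == scset, merged
                if kind == "if" or stable:
                    break             # a loop is re-analyzed until stable
    return scset, outputs

def output_classes(stmts, inputs):
    """Run the analysis and name the SC of each output statement."""
    _, outs = analyze(stmts, dict(inputs))
    return {label: NAMES[sc] for label, sc in outs.items()}

# Constructed input: procedure test with swap(a, b) inlined.
SWAP_TEST = [("assign", "temp", ["a"]), ("assign", "a", ["b"]),
             ("assign", "b", ["temp"]),
             ("out", "writeln(a)", ["a"]), ("out", "writeln(b)", ["b"])]
# Constructed input: a is assigned only under a condition on c.
BRANCH = [("if", "c > 0", ["c"], [("assign", "a", ["b"])]),
          ("out", "printf(a)", ["a"])]
# Constructed input: z reaches x only on the second pass over the loop.
LOOP = [("while", "i < n", ["i", "n"],
         [("assign", "x", ["y"]), ("assign", "y", ["z"])]),
        ("out", "writeln(x)", ["x"])]

if __name__ == "__main__":
    print(output_classes(SWAP_TEST, {"a": HIGH, "b": LOW, "temp": LOW}))
```

With a high and b low on input, SWAP_TEST reproduces the slide's result; LOOP gives a low SC for writeln(x) after one pass and high only once the analysis is repeated until it stabilizes.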
12 Security Analysis Tool (1/2)
- Object language: Pascal programs
  - Pointers and structure objects are not taken into consideration.
- Implementation of a prototype tool
  - The tool is realized as a functional addition to Osaka Slicing System, which is a slicing tool.
  - The additional part is written in C (about 1,000 statements).
13 Security Analysis Tool (2/2)
- Analysis procedure
  - Syntactic analysis and semantic analysis
    - Information required for the analysis is extracted.
  - The precondition of the analysis is set up.
    - SC of the input values of the program
  - The analysis is performed on the precondition.
    - The SC of each output value is obtained.
  - The statements with high SC are highlighted.
14 The example of application
- A ticket reservation system (500 statements)
- A module which certifies a credit card number is attached.
- The analysis is performed by giving high SC to the input of the credit card number.
15 The example of application (Analysis result)
- 35 of the 36 output statements have high SC.
- Statements with high SC are widely embedded in the reservation module.
- An information flow from the card number to the reservation module exists.
  - "any possible action in the reservation" implies "a success of credit card certification."
16 The example of application
- Change of the structure of the program
  - The system handles the reservation before the certification of a credit card.
- Result
  - Only the SC of the output statement about certification is high.
  - The SC of the output statements of the reservation module is low.
  - The information flow from the card number to the reservation module disappeared.
17 Conclusion
- We proposed an implementation method for the security analysis algorithm.
- Realization of security analysis as an example of an application of program slicing.
  - Information flow and security class
  - Analysis based on the technique of PDG creation
- Realization of a security analysis tool
  - The validity for the safety check of a program was verified.