
Analysis and Implementation Method of Program to Detect Inappropriate Information Leak



  1. Analysis and Implementation Method of Program to Detect Inappropriate Information Leak
     Reishi Yokomori†, Fumiaki Ohata†, Yoshiaki Takata‡, Hiroyuki Seki‡ and Katsuro Inoue†
     †Graduate School of Engineering Science, Osaka University
     ‡Graduate School of Information Science, Nara Institute of Science and Technology

  2. Program slice
     Program slice: the set of all statements that affect the value of a variable at a certain statement in a program.
     • Main uses of a program slice
       • Debugging support
       • Testing
       • Maintenance
       • Program composition
     • A program slice is commonly calculated using a Program Dependence Graph (PDG).
     APAQS 2001

  3. Program Dependence Graph (PDG)
     • PDG: a graph of the definition / reference relations between the variables of a program
       • Node <-> Statement
       • Edge <-> Dependency
         • Data Dependence (DD)
         • Control Dependence (CD)

         1: readln(a);
         2: readln(b);
         3: readln(c);
         4: if c < 0 then
         5:   a := 2;
         6: println(a);

     [Figure: Program Dependence Graph with nodes 1 to 6; edge labels a and c]

     Nodes that can be reached by traversing edges from a slice criterion are included in the slice.

         1: readln(a);
         3: readln(c);
         4: if c < 0 then
         5:   a := 2;
         6: println(a);

  4. Security Analysis
     • Security analysis has been proposed to prevent information leaks caused by the execution of a program.
     • Kuninobu's algorithm†
       • Information Flow Analysis Algorithm
       • An algorithm that investigates where the program outputs confidential information
       • From the Security Class (SC) of each input value, the SC of each output value is calculated using information flow.
       • The analysis is based on iterative calculation of simultaneous equations.
     †Shigeta Kuninobu, Yoshiaki Takata, Hiroyuki Seki, Katsuro Inoue: "An Efficient Information Flow Analysis of Recursive Programs based on a Lattice Model of Security Classes", Proceedings of Third International Conference on Information and Communications Security (ICICS 2001), Lecture Notes in Computer Science 2229, pp. 292-303, Xian, China, Nov. 2001

  5. Security Class (SC)
     The degree of secrecy that data has.
     • The strength relation is expressed by a lattice structure.
     • Henceforth, I express SC with two values: SC = { high, low }
       • high: information that should be protected
       • low: information that does not need to be protected
     • Operations on SC
       • sum: the least upper bound of SCs (example: low + high = high)
       • product: the greatest lower bound of SCs (example: low × high = low)

  6. Information Flow
     The data transfer relation that exists between the variables in a program.
     • Explicit flow: the relationship between a definition and a reference of a variable.
     • Implicit flow: the relationship between the variables referred to in the condition clause of a branch (or repetition) command and the variables defined in the statements inside it.

         b = 5;
         c = 5;
         if ( c > 0 ) {
             a = b;
         }

  7. Example of Analysis
     The SC of each statement in the program is calculated based on information flow.

         #include <stdio.h>

         void method(int a, int b, int c) {
             int d = a + b + c;
             if ( c > 0 ) {
                 a = b;
             }
             printf("%d\n", a);   /* a is an int, so print it with %d */
         }

  8. Purpose of Study
     • The security analysis method was proposed by Kuninobu, but no implementation has been made yet.
     • The approaches used for slicing are closely related to security analysis.
     • Implementation of a prototype system of the information security analysis algorithm.
     • Realization of security analysis as an example of an application of slicing.

  9. Implementation of Information Flow Analysis Algorithm (1/2)
     The approaches used for slicing are closely related to security analysis.

                           Relationship                                      Analysis method
       Program Slice       Dependency (DD, CD)                               PDG
       Security Analysis   Information flow (explicit flow, implicit flow)   Simultaneous equations
       Implementation      Dependency based on the information flow          Technique of PDG-creation

     The plan of implementation
     • Analysis based on the technique of PDG-creation
     • Explicit flow (implicit flow) is made to correspond to DD (CD).

  10. Implementation of Information Flow Analysis Algorithm (2/2)
      The implementation method: analysis based on the technique of PDG-creation
      • Procedure
        • An SC is set for each input value of the program.
        • An SCset is built for every procedure.
          • SCset: the set of the SCs that each variable has at each analysis point
          • Element of an SCset: {variable, SC}
        • Following the execution order of the program statements, the SCset is updated by its updating algorithm.
        • The analysis is repeated until the result stabilizes.
        • The SC of each output value is obtained.

  11. The Example of Analysis: analysis of procedure test

          program example;

          procedure swap(var a, b: integer);
          var temp: integer;
          begin
            temp := a;
            a := b;
            b := temp;
          end;

          procedure test;
          var a, b: integer;
          begin
            readln(a);    { input SC: high }
            readln(b);    { input SC: low }
            swap(a, b);
            writeln(a);
            writeln(b);
          end;

          begin
            test;
          end.

      • The SCset is built from the variables used within the procedure before analysis.
        SCset = { (a, low), (b, low) }
      • Analysis is performed according to the order of execution.
        After "readln(a);": SCset = { (a, low), (b, low) } becomes { (a, high), (b, low) }
      • Analysis is performed according to the order of execution.
        After "readln(b);": SCset = { (a, high), (b, low) } stays { (a, high), (b, low) }
      • The SCset of procedure 'swap' is built.
        Before "temp := a;": SCset = { (a, high), (b, low) } becomes { (a, high), (b, low), (temp, low) }
      • The procedure 'swap' is analyzed.
        After "temp := a;": SCset = { (a, high), (b, low), (temp, low) } becomes { (a, high), (b, low), (temp, high) }
      • The procedure 'swap' is analyzed.
        After "a := b;": SCset = { (a, high), (b, low), (temp, high) } becomes { (a, low), (b, low), (temp, high) }
      • The procedure 'swap' is analyzed.
        After "b := temp;": SCset = { (a, low), (b, low), (temp, high) } becomes { (a, low), (b, high), (temp, high) }
      • The result of the analysis is reflected in 'test'.
        After "swap(a,b);": SCset = { (a, low), (b, high), (temp, high) } becomes { (a, low), (b, high) }
      • The sum of the SCs of the variables referred to is calculated.
        SCset = { (a, low), (b, high) }
        The SC of 'writeln(a)' is low. The SC of 'writeln(b)' is high.

  12. Security Analysis Tool (1/2)
      • Object language: Pascal programs
        • Pointers and structure objects are not taken into consideration.
      • Implementation of the prototype tool:
        • The tool is realized as a functional addition to Osaka Slicing System, which is a slicing tool.
        • The additional part is written in C (about 1,000 statements).

  13. Security Analysis Tool (2/2)
      • Analysis procedure:
        • Syntactic analysis and semantic analysis: the information required for analysis is extracted.
        • The precondition of the analysis is set up: the SC of each input value of the program.
        • Analysis is performed on the precondition: the SC of each output value is obtained.
        • The statements with high SC are highlighted.

  14. The example of application
      The ticket reservation system (500 statements)
      • A module that certifies a credit card number is attached.
      • The analysis is performed by giving high SC to the input of the credit card number.

      [Figure: flowchart. Credit card number, then certification (fail: certification failure; success: reservation), then reservation (success: reservation result; fail: reservation failure)]

  15. The example of application (Analysis result)
      [Figure: the flowchart of the previous slide, shown twice. Credit card number, certification (success / fail), certification failure, reservation (success / fail), reservation result, reservation failure]

      35 of the 36 output statements have high SC.
      • Statements with high SC are widely embedded in the reservation module.
      • An information flow from the card number to the reservation module exists: "any possible action in the reservation" implies "a success of credit card certification."

  16. The example of application: change of the structure of the program
      [Figure: flowchart, shown twice. Reservation (success: reservation result; fail: reservation failure), then credit card number, then certification (success: certification result; fail: certification failure)]

      • The system handles the reservation before the certification of a credit card.
      Result
      • Only the SC of the output statements about certification is high.
      • The SC of the output statements of the reservation module is low: the information flow from the card number to the reservation module disappeared.

  17. Conclusion
      We proposed an implementation method for the security analysis algorithm.
      • Realization of security analysis as an example of an application of program slicing
        • Information flow and security class
        • Analysis based on the technique of PDG-creation
      • Realization of a security analysis tool
        • Its validity for the safety check of a program was verified.
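
The SCset update of slides 10 and 11 and the restructuring result of slides 14 to 16, as an added example in Python (not the authors' tool, which extends Osaka Slicing System and analyzes Pascal). The tuple encoding of statements, the names seat, ok, cert, h, x, y and n, the inlined body of swap and the loop model are assumptions made for illustration.

```python
LOW, HIGH = 0, 1   # SC = {low, high}; the slides' "sum" (least upper bound) is max

def join(*scs):
    return max(scs, default=LOW)

def analyze(block, scset, pc=LOW, out=None):
    """Update scset statement by statement; return {output statement: SC}."""
    out = {} if out is None else out
    def ref(names):                      # SC of referenced variables, joined with context
        return join(pc, *(scset.get(n, LOW) for n in names))
    for op, target, *rest in block:
        if op == "read":                 # input value with a preset SC
            scset[target] = join(pc, rest[0])
        elif op == "assign":             # explicit flow: referenced -> defined variable
            scset[target] = ref(rest[0])
        elif op == "write":              # output statement
            out[target] = join(out.get(target, LOW), ref(rest[0]))
        else:                            # "if" / "while": target holds the condition's variables
            then_b, else_b = rest
            while True:
                guard = ref(target)      # implicit flow: condition -> statements inside
                s1, s2 = dict(scset), dict(scset)
                analyze(then_b, s1, guard, out)
                analyze(else_b, s2, guard, out)
                merged = {v: join(s1.get(v, LOW), s2.get(v, LOW)) for v in {*s1, *s2}}
                stable = merged == scset
                scset.update(merged)     # merged covers every key already in scset
                if op == "if" or stable: # a loop is repeated until the SCset stabilizes
                    break
    return out

# Constructed models (not taken from the analyzed programs). swap(a, b) is inlined.
SWAP_TEST = [("read", "a", HIGH), ("read", "b", LOW), ("assign", "temp", ["a"]),
             ("assign", "a", ["b"]), ("assign", "b", ["temp"]),
             ("write", "writeln(a)", ["a"]), ("write", "writeln(b)", ["b"])]
RESERVE = [("assign", "ok", ["seat"]),
           ("if", ["ok"], [("write", "reservation result", ["seat"])],
                          [("write", "reservation failure", [])])]
def certify(on_success):
    return [("read", "card", HIGH), ("assign", "cert", ["card"]),
            ("if", ["cert"], on_success, [("write", "certification failure", [])])]
CERT_FIRST = [("read", "seat", LOW)] + certify(RESERVE)
RESERVE_FIRST = [("read", "seat", LOW)] + RESERVE + certify([("write", "certification result", [])])
LOOP = [("read", "h", HIGH), ("assign", "x", []), ("assign", "y", []),
        ("while", ["n"], [("assign", "y", ["x"]), ("assign", "x", ["h"])], []),
        ("write", "writeln(y)", ["y"])]

if __name__ == "__main__":
    for name in ("SWAP_TEST", "CERT_FIRST", "RESERVE_FIRST", "LOOP"):
        print(name, analyze(globals()[name], {}))
```

In LOOP a single pass over the body would leave y low; the high SC of h reaches y only on the second pass, which is why the analysis repeats until the SCset stops changing.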
