Algorithms and tool support for dynamic information flow analysis

Information and Software Technology

Volumn 51, Issue 2, 2009, Pages 385-404

  Masri, Wes ^a   Podgurski, Andy ^b  

^a AMERICAN UNIVERSITY OF BEIRUT   (Lebanon)

^b Case Western Reserve University   (United States)

Author keywords

Direct dynamic control dependence; Dynamic information flow analysis; Dynamic slicing; Forward computation; Insecure flows; Program debugging

Indexed keywords

ALGORITHMS; COMPUTER SOFTWARE; COMPUTER SOFTWARE SELECTION AND EVALUATION; CONCURRENCY CONTROL; DYNAMIC PROGRAMMING; INTRUSION DETECTION; JAVA PROGRAMMING LANGUAGE; PROGRAM DEBUGGING; PULSATILE FLOW; SOFTWARE TESTING; TELECOMMUNICATION NETWORKS;

DIRECT DYNAMIC CONTROL DEPENDENCE; DYNAMIC INFORMATION FLOW ANALYSIS; DYNAMIC SLICING; FORWARD COMPUTATION; INSECURE FLOWS;

DYNAMIC ANALYSIS;

EID: 56349150784     PISSN: 09505849     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.infsof.2008.05.008     Document Type: Article

References (64)

1. C. Hammer, M. Grimme, J. Krinke, Dynamic path conditions in dependence graphs, in: Proceedings of the 2006 ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation (Charleston, South Carolina, January 09-10, 2006). PEPM'06, ACM Press, New York, NY, 2006, pp. 58-67.
2. Agrawal H., and Horgan J. Dynamic program slicing. SIGPLAN Notices 25 6 (1990) 246-256
3. H. Agrawal, J. Horgan, E. Krauser, S. London, Incremental regression testing, in: Proceedings of the IEEE Conference on Software Maintenance, Montreal, Canada, 1993.
4. A. Beszedes, T. Gergely, Z.M. Szabó, J. Csirik, T. Gyimothy, Dynamic slicing method for maintenance of large C programs, in: 5th European Conference on Software Maintenance and Re-engineering, Lisbon, Portugal, March 2001.
5. Bishop M. Computer Security: Art and Science (2002), Addison-Wesley
6. J. Clause, W., Li, A. Orso, Dytan: a generic dynamic taint analysis framework, in: International Symposium on Software Testing and Analysis 2007 (ISSTA 2007).
7. W. Cheng, Q. Zhao, B. Yu, S. Hiroshige, TaintTrace: efficient flow tracing with dynamic binary rewriting, in: Proceedings of the 11th IEEE Symposium on Computers and Communications, 2006.
8. J.R. Crandall, F.T. Chong, Minos: control data attack prevention orthogonal to memory model, in: MICRO-37, 2004.
9. Denning D.E. Cryptography and Data Security (1982), Addison-Wesley
10. Denning D.E. A lattice model of secure information flow. Communication of the ACM 19 5 (1976) 236-242
11. Denning D.E., and Denning P.J. Certification of programs for secure information flow. Communication of the ACM 20 7 (1977) 504-513
12. D.E. Denning, Secure information flow in computer systems. Ph.D. Thesis, Computer Science Department, Purdue U., W. Lafayette, Ind., May 1975.
13. Faragó C., and Gergely T. Handling pointers and unstructured statements in the forward computed dynamic slice algorithm. Acta Cybernetica 15 (2002) 489-508
14. Fenton J.S. Memoryless subsystems. The Computer Journal 17 2 (1974) 143-147
15. Ferrante J., Ottenstein K.J., and Warren J.D. The program dependence graph and its use in optimization. ACM Transactions on Programming Languages and Systems 9 3 (1987) 319-349
16. T. Gyimothy, A. Beszedes, C. Farago, An efficient relevant slicing method for debugging, in: Proceedings of the 7th European Software Engineering Coinference, Toulouse, France, September 1999, pp. 303-321.
17. C. Hammer, M. Grimme, J. Krinke, Dynamic path conditions in dependence graphs, in: Proceedings of the 2006 ACM SIGPLAN Symposium on Partial Evaluation and Semantics-based Program Manipulation, Charleston, South Carolina, January 09-10, 2006, PEPM'06, ACM Press, New York, NY, 2006, pp. 58-67.
18. D. Jackson, E. Rolling, A new model of program dependences for reverse engineering, in: Symposium on Foundations of Software Engineering, New Orleans, Louisiana, 1994.
19. V. Haldar, d. Chandra, M. Franz, Practical Dynamic Information-flow for Virtual Machines, Technical Report No. 05-02, Department of Information and Computer Science, University of California, Irvine, February 2005.
20. M. Hind, A. Pioli, Which pointer analysis should I use?, International Symposium on Software Testing and Analysis, 2000.
21. Jones A., and Lipton R. The enforcement of security policies for computation. Journal of Computer and Systems Sciences (1978)
22. Keck D.O., and Kuehn P.J. The feature and service interaction problem in telecommunications systems: a survey. IEEE Transactions on Software Engineering 24 10 (1998) 779-796
23. Korel B. Computation of dynamic program slices for unstructured programs. IEEE TSE 23 1 (1997) 17-34
24. B. Korel, J. Laski, Algorithmic software fault localization, in: Proceedings of the 24th Annual Hawaii International Conference on System Sciences, vol. II, 1991, pp. 246-251.
25. Korel B., and Laski J. Dynamic program slicing. Information Processing Letters 29 (1988) 155-163
26. Korel B., and Yalamanchili S. Forward computation of dynamic program slices. ISSTA (1994) 66-79
27. Lampson B.W. A note on the confinement problem. Communication of the ACM 16 10 (1973) 613-615
28. D. Leon, W. Masri, A. Podgurski, An empirical evaluation of test case filtering techniques based on exercising complex information flows, in: International Conference on Software Engineering, St. Louis, MO, May 2005.
29. W. Masri, A. Podgurski, D. Leon, Detecting and debugging insecure information flows 15th, in: IEEE International Symposium on Software Reliability Engineering, ISSRE 2004, St. Malo, France, November 2-5, 2004.
30. W. Masri, N. Nahas, A. Podgurski, Memorized forward computation of program slices, in: 17th IEEE International Symposium on Software Reliability Engineering, ISSRE 2006. Raleigh, NC, USA, November, 2006.
31. W. Masri, A. Podgurski, Using dynamic information flow analysis to detect attacks against applications, in: 2005 Workshop on Software Engineering for Security Systems, St. Louis, MI, May 2005.
32. W. Masri, A. Podgurski, An empirical study of the relationship between information flow and program dependence, in: Fourth International Workshop on Dynamic Analysis (WODA 2006), Shanghai, China, May 2006.
33. W. Masri, Dynamic information flow analysis, slicing, and profiling, Ph.D. dissertation, 2005, Case Western Reserve University, Cleveland, OH.
34. W. Masri, A. Podgurski, An empirical study of test case filtering techniques based on exercising information flows, in: TSE 2007.
35. McClure S., Shah S., and Shah S. Web Hacking: Attacks and Defense (2003), Addison-Wesley Pub. Co.
36. S. Mccamant, M. Ernst, Quantitative Information-Flow Tracking for C and Related Languages. MIT Computer Science and Artificial Intelligence Laboratory technical report MIT-CSAIL-TR-2006-076, Cambridge, MA, November 2006.
37. S. Mccamant, M. Ernst, A simulation-based proof technique for dynamic information flow, in: ACM SIGPLAN Workshop on Programming Languages and Analysis for Security, San Diego, CA, USA, June 2007.
38. S. Nair, P. Simpson, B. Crispo, A. Tanenbaum, Design and implementation of a virtual machine based information flow control system, Vrije Universiteit technical report IR-CS-024, May 2007.
39. J. Newsome, D. Song, Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software, in: Proceedings of the Network and Distributed System Security Symposium (NDSS 2005), 2005.
40. Podgurski A., and Clarke L. A formal model of program dependencies and its implications for software testing debugging and maintenance. IEEE TSE 16 9 (1990) 965-979
41. A. Podgurski, Significance of program dependences for software testing, debugging and maintenance. Ph.D. Thesis. Computer Sc. Dept., U. of Mass., (September 1989).
42. Pomakis K.P., and Atlee J.M. Reachability analysis of feature interactions: a progress report. ISSTA (1996) 216-223
43. Q. Feng, W. Cheng, L. Zhenmin, K. Ho-seop, Z. Yuanyuan, Wu Youfeng, LIFT: a low-overhead practical information flow tracking system for detecting security attacks, in: MICRO-39, 2006.
44. Sabelfeld A., and Myers A.C. Language-based information-flow security. IEEE Journal on Selected Areas in Communications 21 1 (2003)
45. Sinha S., Harrold M.J., and Rothermel G. Interprocedural control dependence. ACM Transactions on Software Engineering and Methodology (2000)
46. Soot: a Java Optimization Framework. Available from: .
47. S. Steven, P. Chandra, B. Fleck, A. Podgurski, jRapture: a capture/replay tool for observation-based testing, in: 2000 International Symposium on Software Testing and Analysis, Portland, Oregon, August 2000, pp. 158-167.
48. G.E. Suh, J. Lee, S. Devadas, Secure program execution via dynamic information flow tracking, in: 11th International Conference on Architectural Support for Programming Languages and Operating Systems, Boston, MA, 2004.
49. The Byte Code Engineering Library (BCEL), The Apache Jakarta Project, http://jakarta.apache.org/bcel. Apache Software Foundation 2003.
50. T. Lindholm, F. Yellin, The Java Virtual Machine Specification, second ed.
51. Tip F. A survey of program slicing techniques. Journal of Programming Languages 3 3 (1995) 121-189
52. N. Vachharajani, M. Bridges, J. Chang, R. Rangan, G. Ottoni, J. Blome, G. Reis, M. Vachharajani, D. August, RIFLE: an architectural framework for user-centric information-flow security, in: Proceedings of the 37th International Symposium on Microarchitecture (MICRO), December 2004.
53. T. Wang, A. Roychoudhury, Using compressed bytecode traces for slicing Java programs, in: Internatonal Conference on Software Engineering, Edinburgh, UK, May 2004.
54. Weiser M. Program slicing. IEEE Transactions On Software Engineering 10 4 (1984) 352-357
55. Wolfe M. High Performance Compilers for Parallel Computing (1996), Addison-Wesley Pub. Co
56. B. Xin, X. Zhang, Efficient online detection of dynamic control dependence, in: International Symposium on Software Testing and Analysis, ISSTA 2007.
57. W. Xu, S. Bakhtar, R.A Sekar, Unified Approach to Preventing Attacks Exploiting a Range of Software Vulnerabilities, Technical Report SECLAB-05-05, Department of Computer Science, Stony Brook University, August 2005.
58. X. Zhang, R. Gupta, Y. Zhang, Efficient Forward Computation of Dynamic Slices Using Reduced Ordered Binary Decision Diagrams, in: International Conference on Software Engineering, Edinburgh, UK, May 2004.
59. X. Zhang, R. Gupta, Y. Zhang, Precise Dynamic Slicing Algorithms, in: IEEE/ACM International Conference on Software Engineering, Portland, Oregon, May 2003, pp. 319-329.
60. X. Zhang, N. Gupta, R. Gupta, Pruning dynamic slices with confidence, in: PLDI 2006.
61. X. Zhang, H. He, N. Gupta, R. Gupta, Experimental evaluation of using dynamic slices for fault location, in: AADEBUG, 2005.
62. X. Zhang, N. Gupta, R. Gupta, Locating Faults through automated predicate switching, in: International Conference on Software Engineering, 2006.
63. J. Zimmermann, L. Mé, C. Bidan, An improved reference flow control model for policy-based intrusion detection, in: 8th European Symposium on Research in Computer Security, Gjøvik, Norway, October 2003, Lecture Notes in Computer Science 2808, Springer-Verlag.
64. J. Zimmermann, L. Mé, C. Bidan, Experimenting with a policy-based HIDS based on and information flow control model, in: 19th Computer Security Applications Conference, Las Vegas, November 2003.