Abstract
Checking for information leaks in real-world applications is a difficult task. IFlow is a model-driven approach that allows developers to build information flow-secure applications using intuitive modeling guidelines. It supports the automatic generation of partial Java code while also giving the developer the ability to formally verify complex information flow properties. To simplify the formal verification, we integrate an automatic information flow analyzer for Java applications, which allows simple noninterference properties to be checked. In this paper, we evaluate both Jif and Joana as such analyzers to determine the most suitable information flow control tool in the context of, but not limited to, the IFlow approach.
This work is sponsored by the Priority Programme 1496 “Reliably Secure Software Systems - RS3” of the Deutsche Forschungsgemeinschaft (DFG).
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Katkalov, K., Fischer, P., Stenzel, K., Moebius, N., Reif, W. (2013). Evaluation of Jif and Joana as Information Flow Analyzers in a Model-Driven Approach. In: Di Pietro, R., Herranz, J., Damiani, E., State, R. (eds) Data Privacy Management and Autonomous Spontaneous Security. DPM SETOP 2012 2012. Lecture Notes in Computer Science, vol 7731. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35890-6_13
DOI: https://doi.org/10.1007/978-3-642-35890-6_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35889-0
Online ISBN: 978-3-642-35890-6
eBook Packages: Computer Science (R0)