Abstract

We present PIDGIN, a program analysis and understanding tool that enables the specification and enforcement of precise application-specific information security guarantees. PIDGIN also allows developers to interactively explore the information flows in their applications to develop policies and investigate counter-examples. PIDGIN combines program dependence graphs (PDGs), which precisely capture the information flows in a whole application, with a custom PDG query language. Queries express properties about the paths in the PDG; because paths in the PDG correspond to information flows in the application, queries can be used to specify global security policies. PIDGIN is scalable. Generating a PDG for a 330k line Java application takes 90 seconds, and checking a policy on that PDG takes under 14 seconds. The query language is expressive, supporting a large class of precise, application-specific security guarantees. Policies are separate from the code and do not interfere with testing or development, and can be used for security regression testing. We describe the design and implementation of PIDGIN and report on using it: (1) to explore information security guarantees in legacy programs; (2) to develop and modify security policies concurrently with application development; and (3) to develop policies based on known vulnerabilities.

Highlights

  • Many applications store and compute with sensitive information, including confidential and untrusted data

  • We present PIDGIN, a system that uses program dependence graphs (PDGs) [16] to precisely and intuitively capture the information flows within an entire program, and a custom PDG query language to allow the exploration, specification, and enforcement of information security guarantees

  • If we look at the relevant fragment of the PDG for this program (Figure 2b) we see that there is a single path from a sensitive source to a dangerous sink
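The abstract states that queries over PDG paths express security policies, and the highlight above describes finding a single path from a sensitive source to a dangerous sink. As an added illustration (not code from the paper, and not PidginQL, whose syntax is not shown on this page), the following Python builds a small constructed PDG and checks one such policy: every flow from a sensitive source to a dangerous sink must pass through a sanitizer, checked by deleting the sanitizer nodes and asking whether any source-to-sink path remains. The node labels and the program they model are assumptions; a control-dependence edge is included to show that PDG paths also capture implicit flows.

```python
from typing import Dict, Iterable, List, Set, Tuple

Edge = Tuple[str, str]

# Constructed toy PDG (assumed program, not PIDGIN output). Each edge is a
# data or control dependence, so every path is an information flow.
PDG_EDGES: List[Edge] = [
    ("read password", "hash(pw)"),          # data: password feeds the hash
    ("hash(pw)", "log.write"),              # data: the digest is logged
    ("read password", "if pw == stored"),   # data: password feeds a branch
    ("if pw == stored", "log.write"),       # control: logging depends on branch
    ("read username", "log.write"),         # data: username is logged
]


def build_pdg(edges: Iterable[Edge]) -> Dict[str, Set[str]]:
    """Adjacency map of the PDG; every node gets an entry, even sinks."""
    g: Dict[str, Set[str]] = {}
    for src, dst in edges:
        g.setdefault(src, set()).add(dst)
        g.setdefault(dst, set())
    return g


def flows(g: Dict[str, Set[str]], sources: Set[str], sinks: Set[str],
          removed: Set[str] = frozenset()) -> List[List[str]]:
    """All simple source->sink paths in g after deleting `removed` nodes."""
    found: List[List[str]] = []
    for s in sources:
        stack = [(s, [s])]
        while stack:
            node, path = stack.pop()
            if node in sinks and node != s:
                found.append(path)
            for nxt in sorted(g.get(node, ())):   # sorted: deterministic order
                if nxt not in path and nxt not in removed:
                    stack.append((nxt, path + [nxt]))
    return found


def policy_counterexamples(g: Dict[str, Set[str]], sources: Set[str],
                           sinks: Set[str], sanitizers: Set[str]) -> List[List[str]]:
    """Policy: every source->sink flow passes through a sanitizer node.
    As a path query: remove the sanitizers, then require that no path is left.
    Any path returned is a counter-example a developer can inspect."""
    return flows(g, sources, sinks, removed=set(sanitizers))


if __name__ == "__main__":
    pdg = build_pdg(PDG_EDGES)
    for ce in policy_counterexamples(pdg, {"read password"}, {"log.write"}, {"hash(pw)"}):
        print("policy violated by flow:", " -> ".join(ce))
```

The only counter-example reported is the implicit flow through the branch, which is exactly the kind of path a PDG exposes and a grep for the password variable would not.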


Summary

Introduction

Many applications store and compute with sensitive information, including confidential and untrusted data. PIDGIN can be incorporated into a build process to warn developers if recent code changes violate a security policy that previously held; this includes information-flow properties that traditional test cases cannot detect. For all but the simplest security policies, prior tools require program annotations to specify policies, with the concomitant issues regarding legacy applications, modifying security policies, and understanding the system-wide security guarantees implied by the annotations. These techniques focus almost exclusively on enforcement of security guarantees and do not support exploration. We have developed security guarantees based on reported vulnerabilities in Apache Tomcat, and PIDGIN verifies that the security guarantees hold after the vulnerability is patched and fail to hold in earlier versions.

PIDGIN By Example
PDGs and Security Guarantees
Structure of PIDGIN PDGs
Security Guarantees from PDGs
Querying PDGs with PidginQL
Implementation
Case Studies
Analysis Performance
Free Chat-Server
Apache Tomcat
Micro-benchmark Results
Related Work
Conclusion
Using PIDGIN for legacy code
Using PIDGIN for new development