Abstract
We present PIDGIN, a program analysis and understanding tool that enables the specification and enforcement of precise application-specific information security guarantees. PIDGIN also allows developers to interactively explore the information flows in their applications to develop policies and investigate counter-examples. PIDGIN combines program dependence graphs (PDGs), which precisely capture the information flows in a whole application, with a custom PDG query language. Queries express properties about the paths in the PDG; because paths in the PDG correspond to information flows in the application, queries can be used to specify global security policies. PIDGIN is scalable. Generating a PDG for a 330k line Java application takes 90 seconds, and checking a policy on that PDG takes under 14 seconds. The query language is expressive, supporting a large class of precise, application-specific security guarantees. Policies are separate from the code and do not interfere with testing or development, and can be used for security regression testing. We describe the design and implementation of PIDGIN and report on using it: (1) to explore information security guarantees in legacy programs; (2) to develop and modify security policies concurrently with application development; and (3) to develop policies based on known vulnerabilities.
Highlights
Many applications store and compute with sensitive information, including confidential and untrusted data
We present PIDGIN, a system that uses program dependence graphs (PDGs) [16] to precisely and intuitively capture the information flows within an entire program, and a custom PDG query language to allow the exploration, specification, and enforcement of information security guarantees
If we look at the relevant fragment of the PDG for this program (Figure 2b), we see that there is a single path from a sensitive source to a dangerous sink
Summary
Many applications store and compute with sensitive information, including confidential and untrusted data. PIDGIN can be incorporated into a build process to warn developers if recent code changes violate a security policy that previously held; this includes information-flow properties that traditional test cases cannot detect. For all but the simplest security policies, existing information-flow tools require program annotations to specify policies, with the concomitant issues regarding legacy applications, modifying security policies, and understanding the system-wide security guarantees implied by the annotations. These techniques focus almost exclusively on enforcement of security guarantees and do not support exploration. We have developed security guarantees based on reported vulnerabilities in Apache Tomcat, and PIDGIN verifies that the security guarantees hold after the vulnerability is patched and fail to hold in earlier versions.
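To make concrete the idea that a PDG query is a statement about paths from sensitive sources to dangerous sinks (the abstract) and that such a query can serve as a security regression test that holds on a patched program and fails on the earlier version (the summary), the following is an added Python illustration. It is not PIDGIN's code or query syntax, which this page does not show; the node names, labels, the toy login handler, and the policy "every flow from the password to the network passes through a hash call" are all constructed for the example. The encoding used here, delete the sanitizing nodes and require that no source-to-sink path survives, is one common way to express such a policy over a dependence graph.

```python
"""Toy PDG path-policy checker (constructed example, not PIDGIN itself)."""
from typing import Callable, Dict, List, Set

# A PDG fragment: node id -> label and the set of nodes that depend on it.
# An edge u -> v means information at u may flow to v, so a path from a
# source node to a sink node is a candidate information leak.
PDG = Dict[str, dict]


def build_pdg(patched: bool) -> PDG:
    """Constructed login handler. In the unpatched version a debug message
    also formats the raw password straight into the HTTP response."""
    password_users: Set[str] = {"hash"} if patched else {"hash", "format"}
    return {
        "readPassword": {"label": "source:password", "succ": password_users},
        "hash":         {"label": "call:sha256",     "succ": {"compare"}},
        "compare":      {"label": "branch:equals",   "succ": {"format"}},
        "format":       {"label": "call:format",     "succ": {"sendResponse"}},
        "sendResponse": {"label": "sink:network",    "succ": set()},
    }


def select_nodes(pdg: PDG, pred: Callable[[str], bool]) -> Set[str]:
    """Node ids whose label satisfies pred (a 'select' style query step)."""
    return {n for n, d in pdg.items() if pred(d["label"])}


def remove_nodes(pdg: PDG, drop: Set[str]) -> PDG:
    """Copy of the PDG with the given nodes and their edges deleted."""
    return {n: {"label": d["label"], "succ": d["succ"] - drop}
            for n, d in pdg.items() if n not in drop}


def paths_between(pdg: PDG, sources: Set[str], sinks: Set[str]) -> List[List[str]]:
    """All simple paths from any source to any sink; each is a counter-example."""
    found: List[List[str]] = []

    def walk(node: str, path: List[str]) -> None:
        if node in sinks:
            found.append(path)
            return
        for nxt in sorted(pdg[node]["succ"]):
            if nxt not in path:          # simple paths only, no cycles
                walk(nxt, path + [nxt])

    for src in sorted(sources):
        if src in pdg:                   # a source may itself have been removed
            walk(src, [src])
    return found


def check_password_policy(pdg: PDG):
    """Policy: every flow from a password source to a network sink passes
    through a sha256 call. Encoded as: after deleting the hash nodes, no
    source-to-sink path remains. Returns (holds, counterexample_paths)."""
    sources = select_nodes(pdg, lambda lbl: lbl == "source:password")
    sinks = select_nodes(pdg, lambda lbl: lbl == "sink:network")
    hashes = select_nodes(pdg, lambda lbl: lbl == "call:sha256")
    leaks = paths_between(remove_nodes(pdg, hashes), sources, sinks)
    return (not leaks, leaks)


if __name__ == "__main__":
    # Regression-test style use: the policy must hold after the patch and
    # fail (with a concrete path to investigate) on the earlier version.
    for name, patched in (("patched", True), ("unpatched", False)):
        holds, paths = check_password_policy(build_pdg(patched))
        print(f"{name}: policy {'holds' if holds else 'VIOLATED'} {paths}")
```

Because the check returns the offending paths rather than a bare boolean, a failing build hands the developer the same kind of counter-example a query-exploration session would, here the path readPassword -> format -> sendResponse that bypasses the hash.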