Static Information Flow Analysis with Handling of Implicit Flows and a Study on Effects of Implicit Flows vs Explicit Flows

Abstract

Reasoning about information flow can help software engineering. Static information flow inference analysis is a technique which automatically infers information flows based on data or control dependence. It can be utilized for the purposes of general program understanding, detection of security attacks and security vulnerabilities, and type inference for security type systems. This paper proposes a new static information flow inference analysis, which unlike most other information flow analyses, handles both explicit and implicit information flows. The analysis does not require annotations and it is relatively precise and practical. We illustrate the usage of the static information flow analysis on three applications. The first application of information flow analysis is security violation detection. We perform experiments on a set of Java web applications and the experiments show that our analysis effectively detects security violations. The second application is type inference. Our experiments on the Java web applications successfully infer security types. The last application studies the effect of thread-shared variables on thread-local variables. Our experiments on a set of multi-thread programs show that most of the thread-local variables are affected by the thread-shared variables. We study the impact of implicit flow versus explicit flow in these applications. Implicit flow has significant impact on all these applications. In security violation detection, implicit flow detects more security violations than explicit flow. In type inference, implicit flow infers more untrusted type variables. In the study of the effect of thread-shared variables, implicit flow detects more affected variables than explicit flow.