
    Standard reference materials: Thermal conductivity of electrolytic iron, SRM 734, from 4 to 300 K

    Thermal conductivity data were obtained by the axial one-dimensional heat flow method for a cylindrical rod 3.6 mm in diameter and 23 cm long, with an electric heater at one end and a temperature-controlled sink at the other. Variability of this iron was studied by means of electrical residual resistivity ratio measurements on 63 specimens. This study showed that with a two-hour anneal at 1000 °C one can obtain a thermal conductivity Standard Reference Material that has a variability of less than 1% in thermal conductivity.

    Climbing the Software Assurance Ladder - Practical Formal Verification for Reliable Software

    There is a strong link between software quality and software reliability. By decreasing the probability of imperfection in the software, we can augment its reliability guarantees. At one extreme, software with one unknown bug is not reliable. At the other extreme, perfect software is fully reliable. Formal verification with SPARK has been used for years to get as close as possible to zero-defect software. We present the well-established processes surrounding the use of SPARK at Altran UK, as well as the deployment experiments performed at Thales to fine-tune the gradual insertion of formal verification techniques into existing processes. Experience of both long-term and new users helped us define adoption and usage guidelines for SPARK based on five levels of increasing assurance that map well onto industrial needs in practice.

    System safety in Stirling engine development

    The DOE/NASA Stirling Engine Project Office has required that contractors make safety considerations an integral part of all phases of the Stirling engine development program. As an integral part of each engine design subtask, analyses are evolved to determine possible modes of failure. The accepted system safety analysis techniques (Fault Tree, FMEA, Hazards Analysis, etc.) are applied to varying extents at the system, subsystem and component levels. The primary objectives are to identify critical failure areas, to enable removal of susceptibility to such failures or their effects from the system, and to minimize risk.

    Automatically Securing Permission-Based Software by Reducing the Attack Surface: An Application to Android

    A common security architecture, called the permission-based security model (used e.g. in Android and Blackberry), entails intrinsic risks. For instance, applications can be granted more permissions than they actually need, which we call a "permission gap". Malware can leverage the unused permissions to achieve its malicious goals, for instance through code injection into the over-privileged application. In this paper, we present an approach to detecting permission gaps using static analysis. Our prototype implementation in the context of Android shows that the static analysis must take into account a significant amount of platform-specific knowledge. Using our tool on two datasets of Android applications, we found that a non-negligible proportion of applications suffer from permission gaps, i.e. do not use all the permissions they declare.

    Static Analysis for Extracting Permission Checks of a Large Scale Framework: The Challenges And Solutions for Analyzing Android

    A common security architecture is based on the protection of certain resources by permission checks (used e.g. in Android and Blackberry). It has some limitations: for instance, when applications are granted more permissions than they actually need, all kinds of malicious usage are facilitated (e.g. through code injection). The analysis of a permission-based framework requires a precise mapping between the API methods of the framework and the permissions they require. In this paper, we show that naive static analysis fails miserably when applied with off-the-shelf components to the Android framework. We then present an advanced class-hierarchy- and field-sensitive set of analyses to extract this mapping. These static analyses are capable of analyzing the Android framework. They use novel domain-specific optimizations dedicated to Android.
    Comment: IEEE Transactions on Software Engineering (2014). arXiv admin note: substantial text overlap with arXiv:1206.582
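    The two abstracts above describe the same pipeline from opposite ends: a map from framework API methods to the permissions they check, and a comparison of that map against what an application declares. The script below is an added example written for this page, not the tools from either paper. It works on a constructed manifest, a constructed API-to-permission map, a constructed class hierarchy and a constructed list of call sites (the kind a bytecode extractor would report), so it runs offline; the method names are real Android/Java APIs, but the map entries are assumptions for illustration, not an extracted Android permission map. It also shows the failure the second abstract warns about: a naive lookup that ignores the class hierarchy misses a call made through a subclass and then reports a permission as unused when it is in fact required.

```python
"""Permission-gap check for an Android-style permission model (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest: the application declares three permissions.
MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

# Constructed API -> permission map, keyed by (declaring class, method).
# Only the declaring class is listed, as a framework analysis would produce it;
# calls through subclasses must be resolved against the hierarchy first.
PERMISSION_MAP = {
    ("java.net.URLConnection", "connect"): {"android.permission.INTERNET"},
    ("android.media.MediaRecorder", "start"): {"android.permission.RECORD_AUDIO"},
    ("android.location.LocationManager", "getLastKnownLocation"): {
        "android.permission.ACCESS_FINE_LOCATION"},
    ("android.net.ConnectivityManager", "getActiveNetworkInfo"): {
        "android.permission.ACCESS_NETWORK_STATE"},
}

# Constructed class hierarchy: subclass -> direct superclass.
SUPERCLASS = {
    "java.net.HttpURLConnection": "java.net.URLConnection",
    "javax.net.ssl.HttpsURLConnection": "java.net.HttpURLConnection",
}

# Constructed call sites as (static receiver type, method name).
CALL_SITES = [
    ("javax.net.ssl.HttpsURLConnection", "connect"),       # inherited method
    ("android.media.MediaRecorder", "start"),
    ("android.location.LocationManager", "getLastKnownLocation"),
]


def declared_permissions(manifest_xml):
    """Collect android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")}


def resolve_method(cls, method):
    """Walk up the hierarchy until a class in the map declares the method."""
    while cls is not None:
        if (cls, method) in PERMISSION_MAP:
            return (cls, method)
        cls = SUPERCLASS.get(cls)
    return None


def required_permissions(call_sites, hierarchy_aware=True):
    """Union of permissions checked by the APIs the call sites reach.

    With hierarchy_aware=False the lookup is the naive one: it only matches
    a call site whose static type is itself the declaring class.
    """
    required = set()
    for cls, method in call_sites:
        key = resolve_method(cls, method) if hierarchy_aware else (
            (cls, method) if (cls, method) in PERMISSION_MAP else None)
        if key is not None:
            required |= PERMISSION_MAP[key]
    return required


def permission_gap(manifest_xml, call_sites, hierarchy_aware=True):
    """Return the over-privilege (gap) and under-privilege (missing) sets."""
    declared = declared_permissions(manifest_xml)
    required = required_permissions(call_sites, hierarchy_aware)
    return {
        "gap": declared - required,      # declared but never needed: attack surface
        "missing": required - declared,  # needed but not declared: runtime failure
    }


if __name__ == "__main__":
    for aware in (False, True):
        result = permission_gap(MANIFEST, CALL_SITES, hierarchy_aware=aware)
        print("hierarchy-aware" if aware else "naive", result)
```

    Run as a script, the naive pass reports INTERNET as part of the gap because `HttpsURLConnection.connect` is not itself a key in the map; the hierarchy-aware pass resolves the call to `URLConnection.connect`, leaves only READ_CONTACTS in the gap, and separately flags ACCESS_FINE_LOCATION as required but undeclared. The second set is the one a tool must not drop: a gap report that also removes permissions the code really uses would trade over-privilege for crashes.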

    Enforcing security and safety models with an information flow analysis tool


    Testing to Transition the J-2X from Paper to Hardware

    The J-2X Upper Stage Engine (USE) will be the first new human-rated upper stage engine since the Apollo program of the 1960s. It is designed to carry the Ares I and Ares V into orbit and send the Ares V to the Moon as part of NASA's Constellation Program. This paper will provide an overview of progress on the design, testing, and manufacturing of this new engine in 2009 and 2010. The J-2X embodies the program goals of basing the design on proven technology and experience and seeking commonality between the Ares vehicles as a way to minimize risk, shorten development times, and live within current budget constraints. It is based on the proven J-2 engine used on the Saturn IB and Saturn V launch vehicles. The prime contractor for the J-2X is Pratt & Whitney Rocketdyne (PWR), which is under a design, development, test, and engineering (DDT&E) contract covering the period from June 2006 through September 2014. For Ares I, the J-2X will provide engine start at approximately 190,000 feet, operate roughly 500 seconds, and shut down. For Ares V, the J-2X will start at roughly 190,000 feet to place the Earth departure stage (EDS) in orbit, shut down and loiter for up to five days, re-start on command and operate for roughly 300 seconds at its secondary power level to perform trans lunar injection (TLI), followed by final engine shutdown. The J-2X development effort focuses on four key areas: early risk mitigation, design risk mitigation, component and subassembly testing, and engine system testing. Following that plan, the J-2X successfully completed its critical design review (CDR) in 2008, and it has made significant progress in 2009 and 2010 in moving from the drawing board to the machine shop and test stand. Post-CDR manufacturing is well under way, including PWR in-house and vendor hardware. In addition, a wide range of component and sub-component tests have been completed, and more component tests are planned. 
Testing includes heritage powerpack, turbopump inducer water flow, turbine air flow, turbopump seal testing, main injector and gas generator testing, injector testing, augmented spark igniter testing, nozzle side-loads cold flow testing, nozzle extension film cooling flow testing, control system testing with hardware in the loop, and nozzle extension emissivity coating tests. In parallel with hardware manufacturing, work is progressing on the new A-3 test stand to support full-duration altitude testing. The Stennis A-2 test stand is scheduled to be turned over to the Constellation Program in September 2010 to be modified for J-2X testing as well. As the structural steel was rising on the A-3 stand, work was under way in the nearby E complex on the chemical steam generator and subscale diffuser concepts to be used to evacuate the A-3 test cell and simulate altitude conditions.

    Combining Model-Driven Design With Diverse Formal Verification

    Two historically diverse research streams are now delivering strong industrial performance in the engineering of high-integrity, software-intensive systems. The earlier of these is the use of source-language-based static analysis and formal verification. The more recent is the use of model-driven design coupled with automatic code generation. Although both have been effective, neither is without problems. Fortunately, these approaches are not mutually exclusive, and combining them offers a route to ultra-high integrity at low cost. The paper exemplifies the approach by describing the combination of SPARK and SCADE and illustrating the benefits and opportunities that this brings.

    Trusted product lines

    This thesis describes research undertaken into the application of software product line approaches to the development of high-integrity, embedded real-time software systems that are subject to regulatory approval/certification. The motivation for the research arose from a real business need to reduce the cost and lead time of aerospace software development projects. The thesis hypothesis can be summarised as follows: it is feasible to construct product line models that allow the specification of required behaviour within a reference architecture that can be transformed into an effective product implementation, whilst enabling suitable supporting evidence for certification to be produced. The research concentrates on the following four main areas: 1. Construction of an argument framework in which the application of product line techniques to high-integrity software development can be assessed and critically reviewed. 2. Definition of a product-line reference architecture that can host components containing variation. 3. Design of model transformations that can automatically instantiate products from a set of components hosted within the reference architecture. 4. Identification of verification approaches that may provide evidence that the transformations designed in step 3 above preserve properties of interest from the product line model into the product instantiations. Together, these areas form the basis of an approach we term "Trusted Product Lines". The approach has been evaluated and validated by deployment on a real aerospace project; it has been used to produce DO-178B/ED-12B Level A applications of over 300 KSLOC in size. The effect of this approach on the software development process has been critically evaluated in this thesis, both quantitatively (in terms of cost and relative size of process phases) and qualitatively (in terms of software quality). 
The "Trusted Product Lines" approach, as described within the thesis, shows how product line approaches can be applied to high-integrity software development, and how certification evidence can be created and arguments constructed for products instantiated from the product line. To the best of our knowledge, the development and effective application of product line techniques in a certification environment is novel and unique.
