57 research outputs found

    Probabilistic Noninterference Based on Program Dependence Graphs

    Wissenschaftspolitische Herausforderungen für die Informatik (Science Policy Challenges for Computer Science)

    On Time-sensitive Control Dependencies

    We present efficient algorithms for time-sensitive control dependencies (CDs). If statement y is time-sensitively control dependent on statement x, then x decides not only whether y is executed but also how many time steps after x. If y is not standard control dependent on x, but is time-sensitively control dependent on it, then y will always be executed after x, but the execution time between x and y varies. This allows us to discover, e.g., timing leaks in security-critical software. We systematically develop properties and algorithms for time-sensitive CDs, as well as for nontermination-sensitive CDs. These work not only for standard control flow graphs (CFGs) but also for CFGs lacking a unique exit node (e.g., reactive systems). We show that Cytron's efficient algorithm for dominance frontiers [10] can be generalized to allow efficient computation not just of classical CDs but also of time-sensitive and nontermination-sensitive CDs. We then use time-sensitive CDs and time-sensitive slicing to discover cache timing leaks in an AES implementation. Performance measurements demonstrate the scalability of the approach.
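    The distinction the abstract draws, shown as an added example (this is not the paper's code or its dominance-frontier algorithm): a toy Python script that computes classical control dependence and a simplified time-sensitive control dependence over a small acyclic, single-exit CFG by enumerating the step counts at which a node is first reached. The graphs and node names are constructed, and the definition used is an assumption that follows the abstract's description only: y is time-sensitively control dependent on a branch x when from one successor of x it is always first reached after exactly k steps, and from another successor that is not the case (different step count, or not reached at all). The paper's algorithms also handle loops and CFGs without a unique exit; this toy does not.

```python
"""Classical vs. time-sensitive control dependence on a toy CFG.

Added example, not code from the paper. Assumptions: the CFG is acyclic with a
single exit node, so "all paths" can be enumerated by memoised recursion, and
the time-sensitive definition below is a simplification of the paper's.
"""
from functools import lru_cache

# Constructed CFG as successor lists. 'x' branches on a secret; the two arms
# take 1 and 2 steps to reach the join node 'y'.
UNBALANCED = {
    "entry": ["x"],
    "x": ["a", "b"],      # if (secret) goto a else goto b
    "a": ["y"],
    "b": ["b2"],
    "b2": ["y"],
    "y": ["exit"],
    "exit": [],
}

# Same shape, but both arms take 2 steps, so x no longer decides *when* y runs.
BALANCED = {
    "entry": ["x"],
    "x": ["a", "b"],
    "a": ["a2"],
    "a2": ["y"],
    "b": ["b2"],
    "b2": ["y"],
    "y": ["exit"],
    "exit": [],
}


def arrival_times(cfg, start, target):
    """Set of step counts after which `target` is first reached on the maximal
    paths from `start`; None marks a path that reaches exit without hitting it."""
    @lru_cache(maxsize=None)
    def go(node):
        if node == target:
            return frozenset({0})
        if not cfg[node]:                     # exit node, target never reached
            return frozenset({None})
        out = set()
        for succ in cfg[node]:
            for d in go(succ):
                out.add(None if d is None else d + 1)
        return frozenset(out)
    return go(start)


def always_reached(cfg, start, target):
    """True iff target lies on every path from start (target post-dominates start)."""
    return None not in arrival_times(cfg, start, target)


def classical_cd(cfg, x, y):
    """Standard control dependence: y post-dominates some successor of x but not
    all of them, i.e. x decides whether y executes at all."""
    succs = cfg[x]
    return (any(always_reached(cfg, s, y) for s in succs)
            and not all(always_reached(cfg, s, y) for s in succs))


def time_sensitive_cd(cfg, x, y):
    """Simplified time-sensitive control dependence: from one successor of x, y is
    always first reached after exactly k steps; from another successor it is not."""
    times = [arrival_times(cfg, s, y) for s in cfg[x]]
    for t1 in times:
        if len(t1) == 1 and None not in t1 and any(t2 != t1 for t2 in times):
            return True
    return False


def timing_leaks(cfg, secret_branch):
    """Nodes whose execution *time*, but not whether they execute, depends on the branch."""
    return sorted(n for n in cfg
                  if time_sensitive_cd(cfg, secret_branch, n)
                  and not classical_cd(cfg, secret_branch, n))


if __name__ == "__main__":
    print("unbalanced:", timing_leaks(UNBALANCED, "x"))   # ['exit', 'y']
    print("balanced:  ", timing_leaks(BALANCED, "x"))     # []
```

    On the unbalanced graph, y is not classically control dependent on x (both arms reach it) but it is time-sensitively control dependent, which is exactly the shape of a secret-dependent timing leak; on the balanced graph the dependence disappears.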

    Flow-sensitive, context-sensitive, and object-sensitive information flow control based on program dependence graphs

    Information flow control (IFC) checks whether a program can leak secret data to public ports, or whether critical computations can be influenced from outside. But many IFC analyses are imprecise, as they are flow-insensitive, context-insensitive, or object-insensitive, resulting in false alarms. We argue that IFC must better exploit modern program analysis technology, and present an approach based on program dependence graphs (PDGs). PDGs have been developed over the last 20 years as a standard device to represent information flow in a program, and today can handle realistic programs. In particular, our dependence graph generator for full Java bytecode is used as the basis for an IFC implementation which is more precise and needs fewer annotations than traditional approaches. We explain PDGs for sequential and multi-threaded programs, and explain precision gains due to flow-, context-, and object-sensitivity. We then augment PDGs with a lattice of security levels and introduce the flow equations for IFC. We describe algorithms for flow computation in detail and prove their correctness. We then extend the flow equations to handle declassification, and prove that our algorithm respects monotonicity of release. Finally, examples demonstrate that our implementation can check realistic sequential programs in full Java bytecode.
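    The lattice-annotated PDG and flow equations the abstract mentions, as an added example (not the paper's code, and not its exact equations or its Java bytecode tooling): a small Python fixpoint over a constructed PDG for a password check. The two-point lattice, the equation S(n) = P(n) join the S values of all predecessors, and the simplified declassification rule (a declassifier resets its level to the provided one once the incoming flow has been checked against its required level) are assumptions about the general shape of the method; node names are made up.

```python
"""Information flow control over a program dependence graph (PDG).

Added example, not the paper's code. Simplified scheme (an assumption about the
method's shape, not the paper's exact equations):
  * two-point lattice LOW < HIGH;
  * S(n) = P(n) join (join of S(m) over every PDG edge m -> n), with P(n) the
    provided (annotated) level; data and control dependence edges are treated alike;
  * a sink n with required level R(n) is violated if S(n) is not <= R(n);
  * a declassification node resets S(n) to P(n) and is itself violated if the
    flow arriving at it exceeds its R(n).
"""

LOW, HIGH = "LOW", "HIGH"
ORDER = {LOW: 0, HIGH: 1}


def join(levels):
    """Least upper bound in the two-point lattice (LOW if nothing flows in)."""
    return max(levels, key=ORDER.get, default=LOW)


def leq(a, b):
    return ORDER[a] <= ORDER[b]


def check_ifc(edges, provided, required, declass=frozenset()):
    """Return (levels, violations) for a PDG given as (src, dst) edge pairs."""
    nodes = {n for e in edges for n in e} | set(provided) | set(required)
    preds = {n: [] for n in nodes}
    for src, dst in edges:
        preds[dst].append(src)
    levels = {n: provided.get(n, LOW) for n in nodes}
    # Fixpoint iteration: the lattice is finite and join is monotone, so the loop
    # terminates even when dependence edges form cycles (loops in the program).
    changed = True
    while changed:
        changed = False
        for n in sorted(nodes):
            incoming = join([levels[p] for p in preds[n]])
            new = provided.get(n, LOW) if n in declass else join([levels[n], incoming])
            if new != levels[n]:
                levels[n] = new
                changed = True
    violations = set()
    for n, r in required.items():
        # A declassifier is judged on what flows into it; a sink on its own level.
        flow = join([levels[p] for p in preds[n]]) if n in declass else levels[n]
        if not leq(flow, r):
            violations.add(n)
    return levels, violations


# Constructed PDG for a password check (node names are made up):
#   secret  = read_password()               HIGH source
#   entered = read_input()                  LOW source
#   cmp     = (secret == entered)           data-dependent on both
#   if cmp: send_ok() else: send_fail()     control-dependent on the branch
#   debug_log(secret)                       raw secret written to a log
EDGES = [
    ("secret", "cmp"), ("entered", "cmp"),           # data dependences
    ("cmp", "branch"),
    ("branch", "send_ok"), ("branch", "send_fail"),  # control dependences
    ("secret", "debug_log"),
]
PROVIDED = {"secret": HIGH, "entered": LOW}
REQUIRED = {"send_ok": LOW, "send_fail": LOW, "debug_log": LOW}


def without_declassification():
    """Everything downstream of `secret` becomes HIGH, so all three public sinks fail."""
    return check_ifc(EDGES, PROVIDED, REQUIRED)[1]


def with_declassification():
    """Declassify the comparison result (cmp: HIGH required, LOW provided): the branch
    and its sinks become LOW, and only the raw secret reaching the log remains."""
    provided = dict(PROVIDED, cmp=LOW)
    required = dict(REQUIRED, cmp=HIGH)
    return check_ifc(EDGES, provided, required, declass={"cmp"})[1]


if __name__ == "__main__":
    print(sorted(without_declassification()))  # ['debug_log', 'send_fail', 'send_ok']
    print(sorted(with_declassification()))     # ['debug_log']
```

    Note that the control dependence edges from `branch` are what make `send_ok` and `send_fail` fail without declassification: the branch outcome, not the password itself, reaches the public port. Declassifying `cmp` accepts that one-bit release while still flagging the log line that receives the secret directly.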

    invadeX10 Documentation. Release 0.5

    Software Security in Virtualized Infrastructures. The Smart Meter Example

    Future infrastructures for energy, traffic, and computing will be virtualized: they will consist of decentralized, self-organizing, dynamically adaptive, and open collections of physical resources such as virtual power plants or computing clouds. Challenges to software dependability, in particular software security, will be enormous. While the problems in this domain transcend any specific instantiation, we use the example of smart power meters to discuss advanced technologies for the protection of integrity and confidentiality of software and data in virtualized infrastructures. We show that approaches based on homomorphic encryption, deductive verification, information flow control, and runtime verification are promising candidates for providing solutions to a plethora of representative challenges in the domain of virtualized infrastructures.

    Combining Slicing and Constraint Solving for Validation of Measurement Software

    We show how to combine program slicing and constraint solving in order to obtain better slice accuracy. The method is used in a program analysis tool for the validation of computer-controlled measurement systems. It will be used by the Physikalisch-Technische Bundesanstalt for verification of legally required calibration standards. The paper describes how to generate and simplify path conditions based on program slices. An example shows that the technique can indeed increase slice precision and reveal manipulations of the so-called calibration path.