Accurate Architectural Threat Elicitation From Source Code Through Hybrid Information Flow Analysis

Bibliographic Details
Published in 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion) pp. 139 - 141
Main Author Gruner, Bernd
Format Conference Proceeding
Language English
Published ACM 14.04.2024
Summary: Software processes a vast amount of sensitive data. However, tracing information flows in complex programs and eliciting threats, which, for example, could lead to information leaks, pose significant challenges. The problem lies in the absence of suitable approaches to effectively address this issue. Symbolic verification is too restrictive for practical use, taint analysis faces challenges due to overapproximation, and fuzzers can only identify crashes and hangs. In my doctoral research, I introduce an approach for reconstructing and refining information flow graphs in order to elicit threats. Using static analysis, I automatically reconstruct an information flow graph. Subsequently, I refine the found information flows using information flow fuzzing and associate threats through a rule-based system. My approach provides a validated information flow graph of the software and a list of elicited threats.
ISSN: 2574-1934
DOI: 10.1145/3639478.3639795