Slicing for Security of Code

Authors:
Benjamin Monate;Julien Signoles
Affiliations:
Software Reliability Labs, CEA LIST, Gif-sur-Yvette Cedex, France 91191;Software Reliability Labs, CEA LIST, Gif-sur-Yvette Cedex, France 91191
Venue:
Trust '08 Proceedings of the 1st international conference on Trusted Computing and Trust in Information Technologies: Trusted Computing - Challenges and Applications
Year:
2008

Citing 9
Cited 0

The program dependence graph and its use in optimization

ACM Transactions on Programming Languages and Systems (TOPLAS)
Semantics of programming languages: structures and techniques

Semantics of programming languages: structures and techniques
The formal semantics of programming languages: an introduction

The formal semantics of programming languages: an introduction
Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints

POPL '77 Proceedings of the 4th ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Program slicing

ICSE '81 Proceedings of the 5th international conference on Software engineering
The program dependence graph in a software development environment

SDE 1 Proceedings of the first ACM SIGSOFT/SIGPLAN software engineering symposium on Practical software development environments
Program slices: formal, psychological, and practical investigations of an automatic program abstraction method

Program slices: formal, psychological, and practical investigations of an automatic program abstraction method
A brief survey of program slicing

ACM SIGSOFT Software Engineering Notes
Some thoughts on security after ten years of qmail 1.0

Proceedings of the 2007 ACM workshop on Computer security architecture

Quantified Score

Hi-index	0.00

Visualization

Abstract

Bugs in programs implementing security features can be catastrophic: for example they may be exploited by malign users to gain access to sensitive data. These exploits break the confidentiality of information. All security analyses assume that softwares implementing security features correctly implement the security policy, i.e.are security bug-free. This assumption is almost always wrong and IT security administrators consider that any software that has no security patches on a regular basis should be replaced as soon as possible. As programs implementing security features are usually large, manual auditing is very error prone and testing techniques are very expensive. This article proposes to reduce the code that has to be audited by applying a program reduction technique called slicing. Slicing transforms a source code into an equivalent one according to a set of criteria. We show that existing slicing criteria do notpreserve the confidentiality of information. We introduce a new automatic and correct source-to-source method properly preserving the confidentiality of information i.e.confidentiality is guaranteed to be exactly the same in the original program and in the sliced program.