DOI: 10.1145/1542452.1542474
Research article, ACM conference proceedings (CPSWeek)

Integrating hardware and software information flow analyses

Published: 19 June 2009

ABSTRACT

Security-critical communications devices must be evaluated to the highest possible standards before they can be deployed. This process includes tracing potential information flow through the device's electronic circuitry, for each of the device's operating modes. Increasingly, however, security functionality is being entrusted to embedded software running on microprocessors within such devices, so new strategies are needed for integrating information flow analyses of embedded program code with hardware analyses. Here we show how standard compiler principles can augment high-integrity security evaluations to allow seamless tracing of information flow through both the hardware and software of embedded systems. This is done by unifying input/output statements in embedded program execution paths with the hardware pins they access, and by associating significant software states with corresponding operating modes of the surrounding electronic circuitry.


Published in

  • LCTES '09: Proceedings of the 2009 ACM SIGPLAN/SIGBED Conference on Languages, Compilers, and Tools for Embedded Systems, June 2009, 188 pages. ISBN: 9781605583563. DOI: 10.1145/1542452
  • ACM SIGPLAN Notices, Volume 44, Issue 7 (LCTES '09), July 2009, 176 pages. ISSN: 0362-1340, EISSN: 1558-1160. DOI: 10.1145/1543136

Copyright © 2009 ACM. Publisher: Association for Computing Machinery, New York, NY, United States.


Acceptance rates: LCTES '09 paper acceptance rate 18 of 81 submissions (22%); overall acceptance rate 116 of 438 submissions (26%).
