Featured Research

from universities, journals, and other organizations

For secure software: X-rays instead of passport control

Date:
August 21, 2014
Source:
Karlsruhe Institute of Technology

Trust is good, control is better. This also applies to the security of computer programs. Instead of trusting "identification documents" in the form of certificates, JOANA, the new software analysis tool, examines the source text (code) of a program. In this way, it detects leaks, via which secret information may get out or strangers may enter the system from outside. At the same time, JOANA reduces the number of false alarms to a minimum. The analysis tool developed by Karlsruhe Institute of Technology (KIT) has already proved to work successfully in realistic test scenarios. In a next step, an industrial case study is planned.

"Established software certificates certify the manufacturer to be trustworthy. With JOANA, we can also check the real behavior of a program," says Gregor Snelting, who developed the analysis tool with his research group at the Chair of Programming Paradigms of KIT. In his opinion, this is important, because most weaknesses result from unintended programming errors. The scientists currently focus on mobile applications for Android smartphones. In principle, however, they can test any program written in Java, C or C++. Initially, the tool is intended for software companies to test their products before commercialization. As experts are required to set up and operate JOANA, it is less suited for private users.

JOANA checks all data channels of a program through which information flows. In this way, it detects security gaps. "We distinguish between publicly visible channels that e.g. map the user interface and protected channels that cannot be accessed by users," Snelting explains. "To protect secret information, such as passwords or account numbers, these data have to be transmitted in protected channels exclusively. Where secret and public data flows cross, however, information may be exchanged in principle. Here, there is a risk of sensitive information being transmitted."

Scientists distinguish several types of security gaps. Directly readable copies of sensitive data may get out (explicit leak), or only the patterns of their encryption (implicit leak). Secret passwords may also affect the probable order of visible information flows (probabilistic leak), from which they could be reconstructed. An example: The command to print a "red L" reaches the printer at the same time as the secret password for access authorization. If the password is AB, the information "L" mostly arrives shortly before the information "red." If the password is BA, it is just the opposite. JOANA reliably detects such security gaps, although they are more difficult to identify.

"Minimizing false alarms is at least as important as finding all security gaps," Snelting says. Many false alarms lead to a massively increased inspection effort or to the alarms being ignored. JOANA reduces the number of false alarms for all security gaps, even for probabilistic leaks. For this purpose, the KIT scientists developed a new computation method (Relaxed Low-Security Observational Determinism) that requires a fixed order of observable process steps at safety-critical points only. For the example above, this would mean that the information "red" always has to reach the printer before the information "L," irrespective of the password. "The challenge was to exclude safety-irrelevant processes from such strict requirements," Snelting emphasizes. Otherwise, the number of false alarms would increase, because any deviation would be classified as dangerous, or executions of the program would have to be restricted so considerably that it would hardly be usable anymore.
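The printer example can be checked by hand on a small model. The following is an added illustration, not KIT's or JOANA's code: it computes the exact distribution of the order in which "red" and "L" reach the printer, first without and then with the fixed order described above. The uniform scheduler, the step counts in `WORK` and all function names are assumptions made for this model.

```python
from fractions import Fraction

# Constructed model: silent, password-dependent steps each thread performs
# before its print: (steps before "red", steps before "L").
WORK = {"AB": (3, 1), "BA": (1, 3)}

def order_distribution(password, fixed_order=False):
    """Exact distribution of the printer's input order under a uniform scheduler."""
    dist = {}

    def run(color, letter, out, prob):
        # color/letter: steps left per thread; the last step is the print.
        runnable = ["color"] if color else []
        # With fixed_order, "L" may only be sent once "red" has been sent.
        if letter and not (fixed_order and letter == 1 and "red" not in out):
            runnable.append("letter")
        if not runnable:
            dist[out] = dist.get(out, Fraction(0)) + prob
            return
        for thread in runnable:
            share = prob / len(runnable)
            if thread == "color":
                run(color - 1, letter, out + (("red",) if color == 1 else ()), share)
            else:
                run(color, letter - 1, out + (("L",) if letter == 1 else ()), share)

    steps_red, steps_l = WORK[password]
    run(steps_red + 1, steps_l + 1, (), Fraction(1))
    return dist

def leaks(fixed_order=False):
    """True if the observable distribution depends on the password."""
    dists = [order_distribution(p, fixed_order) for p in WORK]
    return any(d != dists[0] for d in dists)

def guess_accuracy(fixed_order=False):
    """Chance an observer names the right password from the order alone
    (passwords equally likely, observer picks the likelier one)."""
    dists = [order_distribution(p, fixed_order) for p in WORK]
    observations = set().union(*dists)
    best = sum(max(d.get(o, Fraction(0)) for d in dists) for o in observations)
    return best / len(WORK)

if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed order:", fixed, "leaks:", leaks(fixed),
              "guess accuracy:", guess_accuracy(fixed))
```

In this model the unconstrained program lets an observer of the print order name the password correctly 13 times out of 16, while the fixed order reduces that to the 1-in-2 chance of a blind guess.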

So far, JOANA is the only software analysis tool worldwide that not only finds all security gaps but also minimizes the number of false alarms without affecting the functioning of programs. With funds granted by the German Research Foundation, the KIT scientists have conducted research in this area for about 20 years now. "In the longer term, software inspected by JOANA might be given a new certificate that confirms security of the program code," Snelting says.


Story Source:

The above story is based on materials provided by Karlsruhe Institute of Technology. Note: Materials may be edited for content and length.


Cite This Page:

Karlsruhe Institute of Technology. "For secure software: X-rays instead of passport control." ScienceDaily. ScienceDaily, 21 August 2014. <www.sciencedaily.com/releases/2014/08/140821090017.htm>.
