Featured Research

from universities, journals, and other organizations

For secure software: X-rays instead of passport control

Date:
August 21, 2014
Source:
Karlsruhe Institute of Technology
Summary:
Trust is good, control is better. This also applies to the security of computer programs. Instead of trusting “identification documents” in the form of certificates, JOANA, the new software analysis tool, examines the source text (code) of a program. In this way, it detects leaks, via which secret information may get out or strangers may enter the system from outside. At the same time, JOANA reduces the number of false alarms to a minimum.

Trust is good, control is better. This also applies to the security of computer programs. Instead of trusting "identification documents" in the form of certificates, JOANA, the new software analysis tool, examines the source text (code) of a program. In this way, it detects leaks, via which secret information may get out or strangers may enter the system from outside. At the same time, JOANA reduces the number of false alarms to a minimum. The analysis tool developed by Karlsruhe Institute of Technology (KIT) has already proved to work successfully in realistic test scenarios. In a next step, an industrial case study is planned.

"Established software certificates certify the manufacturer to be trustworthy. With JOANA, we can also check the real behavior of a program," says Gregor Snelting, who developed the analysis tool with his research group at the Chair of Programming Paradigms of KIT. In his opinion, this is important, because most weaknesses result from unintended programming errors. The scientists currently focus on mobile applications for Android smartphones. In principle, however, they can test any program written in JAVA, C or C++. First, software companies are to test their products before commercialization. As experts are required to set up and operate JOANA, it is less suited for private users.

JOANA checks all data channels of a software, through which information flows. In this way, it detects security gaps. "We distinguish between publicly visible channels that e.g. map the user interface and protected channels that cannot be accessed by users," Snelting explains. "To protect secret information, such as passwords or account numbers, these data have to be transmitted in protected channels exclusively. Where secret and public data flows cross, however, information may be exchanged in principle. Here, there is a risk of sensitive information being transmitted.

Scientists distinguish several types of security gaps: Directly readable copies of sensitive data may get out (explicit leak) or the patterns of their encryption only (implicit leak). Secret passwords may affect the probable order of visible information flows (probabilistic leak) from which they could be reconstructed. An example: The command to print a "red L" reaches the printer at the same time as the secret password for access authorization. If the password is AB, the information "L" mostly arrives shortly before the information "red." If the password is BA, it is just the opposite. JOANA reliably detects such security gaps, although they are more difficult to identify.

"Minimizing false alarms is at least as important as finding all security gaps," Snelting says. Many false alarms lead to a massively increased inspection effort or to the alarms being ignored. JOANA reduces the number of false alarms for all security gaps, even for probabilistic leaks. For this purpose, the KIT scientists developed a new computation method (Relaxed Low-Security Observational Determinism) that requires a fixed order of observable process steps at safety-critical points only. For the example above, this would mean that the information "red" has to reach the printer always before the information "L" irrespective of the password. "The challenge was to exclude safety-irrelevant processes from such strict requirements," Snelting emphasizes. Otherwise, the number of false alarms would increase, because any deviation would be classified as dangerous or executions of the program would have to be restricted considerably, such that it would hardly be usable anymore.

So far, JOANA is the only software analysis tool worldwide that does not only find all security gaps but also minimizes the number of false alarms without affecting the functioning of programs. With funds granted by the German Research Foundation, the KIT scientists have conducted research in this area for about 20 years now. "In the longer term, software inspected by JOANA might be given a new certificate that confirms security of the program code," Snelting says.


Story Source:

The above story is based on materials provided by Karlsruhe Institute of Technology. Note: Materials may be edited for content and length.


Cite This Page:

Karlsruhe Institute of Technology. "For secure software: X-rays instead of passport control." ScienceDaily. ScienceDaily, 21 August 2014. <www.sciencedaily.com/releases/2014/08/140821090017.htm>.
Karlsruhe Institute of Technology. (2014, August 21). For secure software: X-rays instead of passport control. ScienceDaily. Retrieved October 21, 2014 from www.sciencedaily.com/releases/2014/08/140821090017.htm
Karlsruhe Institute of Technology. "For secure software: X-rays instead of passport control." ScienceDaily. www.sciencedaily.com/releases/2014/08/140821090017.htm (accessed October 21, 2014).

Share This



More Computers & Math News

Tuesday, October 21, 2014

Featured Research

from universities, journals, and other organizations


Featured Videos

from AP, Reuters, AFP, and other news services

Japanese Scientists Unveil Floating 3D Projection

Japanese Scientists Unveil Floating 3D Projection

Reuters - Innovations Video Online (Oct. 20, 2014) Scientists in Tokyo have demonstrated what they say is the world's first 3D projection that floats in mid air. A laser that fires a pulse up to a thousand times a second superheats molecules in the air, creating a spark which can be guided to certain points in the air to shape what the human eye perceives as an image. Matthew Stock reports. Video provided by Reuters
Powered by NewsLook.com
Apple Enters Mobile Payment Business

Apple Enters Mobile Payment Business

AP (Oct. 20, 2014) Apple is making a strategic bet with the launch of Apple Pay, the mobile pay service aimed at turning your iPhone into your wallet. (Oct. 20) Video provided by AP
Powered by NewsLook.com
Google To Protect Against Piracy ... At A Cost

Google To Protect Against Piracy ... At A Cost

Newsy (Oct. 20, 2014) Google is changing its search-engine results to protect content producers from piracy — for a price. Video provided by Newsy
Powered by NewsLook.com
What We Know About Microsoft's Rumored Smartwatch

What We Know About Microsoft's Rumored Smartwatch

Newsy (Oct. 20, 2014) Microsoft will reportedly release a smartwatch that works across different mobile platforms, has a two-day battery life and tracks heart rate. Video provided by Newsy
Powered by NewsLook.com

Search ScienceDaily

Number of stories in archives: 140,361

Find with keyword(s):
Enter a keyword or phrase to search ScienceDaily for related topics and research stories.

Save/Print:
Share:

Breaking News:

Strange & Offbeat Stories


Space & Time

Matter & Energy

Computers & Math

In Other News

... from NewsDaily.com

Science News

Health News

Environment News

Technology News



Save/Print:
Share:

Free Subscriptions


Get the latest science news with ScienceDaily's free email newsletters, updated daily and weekly. Or view hourly updated newsfeeds in your RSS reader:

Get Social & Mobile


Keep up to date with the latest news from ScienceDaily via social networks and mobile apps:

Have Feedback?


Tell us what you think of ScienceDaily -- we welcome both positive and negative comments. Have any problems using the site? Questions?
Mobile: iPhone Android Web
Follow: Facebook Twitter Google+
Subscribe: RSS Feeds Email Newsletters
Latest Headlines Health & Medicine Mind & Brain Space & Time Matter & Energy Computers & Math Plants & Animals Earth & Climate Fossils & Ruins