For secure software: X-rays instead of passport control

Date: August 21, 2014
Source: Karlsruhe Institute of Technology
Trust is good, control is better. This also applies to the security of computer programs. Instead of trusting "identification documents" in the form of certificates, JOANA, the new software analysis tool, examines the source text (code) of a program. In this way, it detects leaks through which secret information may get out or outsiders may enter the system. At the same time, JOANA reduces the number of false alarms to a minimum. The analysis tool developed by Karlsruhe Institute of Technology (KIT) has already proven successful in realistic test scenarios. As a next step, an industrial case study is planned.

"Established software certificates certify the manufacturer to be trustworthy. With JOANA, we can also check the real behavior of a program," says Gregor Snelting, who developed the analysis tool with his research group at the Chair of Programming Paradigms of KIT. In his opinion, this is important, because most weaknesses result from unintended programming errors. The scientists currently focus on mobile applications for Android smartphones. In principle, however, they can test any program written in Java, C or C++. Initially, software companies are expected to test their products before commercialization. As experts are required to set up and operate JOANA, it is less suited for private users.

JOANA checks all data channels of a program through which information flows. In this way, it detects security gaps. "We distinguish between publicly visible channels that e.g. map the user interface and protected channels that cannot be accessed by users," Snelting explains. "To protect secret information, such as passwords or account numbers, these data have to be transmitted in protected channels exclusively. Where secret and public data flows cross, however, information may be exchanged in principle. Here, there is a risk of sensitive information being transmitted."

Scientists distinguish several types of security gaps. Directly readable copies of sensitive data may get out (explicit leak), or only the patterns of their encryption (implicit leak). Secret passwords may also affect the probable order of visible information flows (probabilistic leak), from which they could be reconstructed. An example: the command to print a "red L" reaches the printer at the same time as the secret password for access authorization. If the password is AB, the information "L" mostly arrives shortly before the information "red." If the password is BA, it is just the opposite. JOANA reliably detects such security gaps, although they are more difficult to identify.

"Minimizing false alarms is at least as important as finding all security gaps," Snelting says. Many false alarms lead to a massively increased inspection effort or to the alarms being ignored. JOANA reduces the number of false alarms for all security gaps, even for probabilistic leaks. For this purpose, the KIT scientists developed a new computation method (Relaxed Low-Security Observational Determinism) that requires a fixed order of observable process steps at safety-critical points only. For the example above, this would mean that the information "red" always has to reach the printer before the information "L", irrespective of the password. "The challenge was to exclude safety-irrelevant processes from such strict requirements," Snelting emphasizes. Otherwise, the number of false alarms would increase, because any deviation would be classified as dangerous, or executions of the program would have to be restricted so much that it would hardly be usable anymore.
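
The printer example from the two paragraphs above can be modeled exactly; the following is an added illustration, not JOANA's code or its analysis. It assumes a uniform random scheduler and constructed step counts (the password decides which thread performs three extra silent steps), enumerates every interleaving, and compares the arrival-order distribution for the passwords AB and BA, with and without the fixed "red before L" order.

```python
from fractions import Fraction

def order_distribution(steps_red, steps_l, red_first=False):
    """Exact distribution of the printer's arrival order under a uniform scheduler.

    Thread RED runs `steps_red` silent steps, then sends "red"; thread L runs
    `steps_l` silent steps, then sends "L". With red_first=True, thread L waits
    before sending until "red" has been sent (fixed observable order).
    """
    dist = {}

    def explore(r, l, out, p):
        # r, l = silent steps left in each thread; -1 means it has already sent.
        runnable = []
        if r >= 0:
            runnable.append("red")
        if l > 0 or (l == 0 and (not red_first or r < 0)):
            runnable.append("L")
        if not runnable:                      # both threads finished
            dist[out] = dist.get(out, 0) + p
            return
        share = p / len(runnable)             # scheduler picks uniformly
        for thread in runnable:
            if thread == "red":
                explore(r - 1, l, out + ("red",) if r == 0 else out, share)
            else:
                explore(r, l - 1, out + ("L",) if l == 0 else out, share)

    explore(steps_red, steps_l, (), Fraction(1))
    return dist

def print_job(password, red_first=False):
    # Constructed model of the leak: the secret decides which thread is slower.
    if password == "AB":
        return order_distribution(3, 0, red_first)   # "L" mostly arrives first
    return order_distribution(0, 3, red_first)       # "red" mostly arrives first

def leaks(job):
    """True if the observable output distribution depends on the password."""
    return job("AB") != job("BA")

if __name__ == "__main__":
    for fixed in (False, True):
        job = lambda pw, f=fixed: print_job(pw, f)
        print("fixed order:", fixed, "| leak:", leaks(job))
        for pw in ("AB", "BA"):
            print("  ", pw, {" ".join(k): str(v) for k, v in job(pw).items()})
```

Without the fixed order, an observer who sees which item arrives first learns the password with high probability; with it, both passwords produce the same single arrival order.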

So far, JOANA is the only software analysis tool worldwide that not only finds all security gaps but also minimizes the number of false alarms without affecting the functioning of programs. With funds granted by the German Research Foundation, the KIT scientists have conducted research in this area for about 20 years now. "In the longer term, software inspected by JOANA might be given a new certificate that confirms security of the program code," Snelting says.


Story Source:

The above story is based on materials provided by Karlsruhe Institute of Technology. Note: Materials may be edited for content and length.


Cite This Page:

Karlsruhe Institute of Technology. "For secure software: X-rays instead of passport control." ScienceDaily. ScienceDaily, 21 August 2014. <www.sciencedaily.com/releases/2014/08/140821090017.htm>.
