Static Information Flow Analysis for Java
Yin Liu
Ana Milanova
Unexpected information flow can result in vulnerabilities that compromise the security and availability of software; this can have serious financial, legal and ethical consequences. Current programming languages such as Java do not provide effective mechanisms for preventing unexpected information flow, and it is important to develop such mechanisms and advance their usage in software practice. This paper proposes run-time information flow models and a new static information flow inference analysis. The analysis is context-sensitive, cubic, and works both on complete programs and on software components. We perform experiments on several Java components which show that the analysis is precise and practical. Thus, the analysis can be incorporated in program understanding and verification tools and help verify security properties in a lightweight, practical manner.
Supersedes cs-08-03.
Department of Computer Science, Rensselaer Polytechnic Institute
cs-08-06