Accurate Architectural Threat Elicitation From Source Code Through Hybrid Information Flow Analysis
Software processes a vast amount of sensitive data. However, tracing information flows in complex programs and eliciting threats, which for example could lead to information leaks, pose significant challenges. The problem lies in the absence of suitable approaches to effectively address this issue. Symbolic verification is too restrictive for practical use, taint analysis is limited to the program under test, and fuzzers can only identify crashes and hangs.
In my doctoral research, I introduce an approach for reconstructing and refining information flow graphs in order to elicit threats. Using static analysis, I automatically reconstruct an information flow graph. Subsequently, I refine the found information flows using information flow fuzzing and associate threats through a rule-based system. My approach provides a validated information flow graph of the software and a list of elicited threats.
Tue 16 AprDisplayed time zone: Lisbon change
11:00 - 12:30 | Paper Presentations IDoctoral Symposium at Fernando Pessoa Chair(s): Betty H.C. Cheng Michigan State University, Westley Weimer University of Michigan | ||
11:00 25mTalk | Accurate Architectural Threat Elicitation From Source Code Through Hybrid Information Flow Analysis Doctoral Symposium Bernd Gruner German Aerospace Center (DLR) Pre-print | ||
11:25 25mTalk | Aiding Developer Understanding of Software Changes via Symbolic Execution-based Semantic Differencing Doctoral Symposium Johann Glock University of Klagenfurt Pre-print Media Attached File Attached | ||
11:50 25mTalk | Sustaining Scientific Open-Source Software Ecosystems: Challenges, Practices, and Opportunities Doctoral Symposium Jiayi Sun University of Toronto | ||