Slicing for security of code

Benjamin Monate; Julien Signoles

doi:10.1007/978-3-540-68979-9_10

Slicing for security of code

Benjamin Monate, Julien Signoles

LIST-DTSI-SLA CEA

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Bugs in programs implementing security features can be catastrophic: for example they may be exploited by malign users to gain access to sensitive data. These exploits break the confidentiality of information. All security analyses assume that softwares implementing security features correctly implement the security policy, i.e. are security bug-free. This assumption is almost always wrong and IT security administrators consider that any software that has no security patches on a regular basis should be replaced as soon as possible. As programs implementing security features are usually large, manual auditing is very error prone and testing techniques are very expensive. This article proposes to reduce the code that has to be audited by applying a program reduction technique called slicing. Slicing transforms a source code into an equivalent one according to a set of criteria. We show that existing slicing criteria do not preserve the confidentiality of information. We introduce a new automatic and correct source-to-source method properly preserving the confidentiality of information i.e. confidentiality is guaranteed to be exactly the same in the original program and in the sliced program.

Original language	English
Title of host publication	Trusted Computing - Challenges and Applications - First International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008, Proceedings
Pages	133-142
Number of pages	10
DOIs	https://doi.org/10.1007/978-3-540-68979-9_10
Publication status	Published - 27 Oct 2008
Externally published	Yes
Event	1st International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008 - Villach, Austria Duration: 11 Mar 2008 → 12 Mar 2008

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	4968 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	1st International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008
Country/Territory	Austria
City	Villach
Period	11/03/08 → 12/03/08

Access to Document

10.1007/978-3-540-68979-9_10

Cite this

Monate, B., & Signoles, J. (2008). Slicing for security of code. In Trusted Computing - Challenges and Applications - First International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008, Proceedings (pp. 133-142). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4968 LNCS). https://doi.org/10.1007/978-3-540-68979-9_10

Monate, Benjamin ; Signoles, Julien. / Slicing for security of code. Trusted Computing - Challenges and Applications - First International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008, Proceedings. 2008. pp. 133-142 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{6ed9684dfd66499b921bac8d4e6d90d8,

title = "Slicing for security of code",

abstract = "Bugs in programs implementing security features can be catastrophic: for example they may be exploited by malign users to gain access to sensitive data. These exploits break the confidentiality of information. All security analyses assume that softwares implementing security features correctly implement the security policy, i.e. are security bug-free. This assumption is almost always wrong and IT security administrators consider that any software that has no security patches on a regular basis should be replaced as soon as possible. As programs implementing security features are usually large, manual auditing is very error prone and testing techniques are very expensive. This article proposes to reduce the code that has to be audited by applying a program reduction technique called slicing. Slicing transforms a source code into an equivalent one according to a set of criteria. We show that existing slicing criteria do not preserve the confidentiality of information. We introduce a new automatic and correct source-to-source method properly preserving the confidentiality of information i.e. confidentiality is guaranteed to be exactly the same in the original program and in the sliced program.",

author = "Benjamin Monate and Julien Signoles",

year = "2008",

month = oct,

day = "27",

doi = "10.1007/978-3-540-68979-9\_10",

language = "English",

isbn = "3540689788",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

pages = "133--142",

booktitle = "Trusted Computing - Challenges and Applications - First International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008, Proceedings",

note = "1st International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008 ; Conference date: 11-03-2008 Through 12-03-2008",

}

Monate, B & Signoles, J 2008, Slicing for security of code. in Trusted Computing - Challenges and Applications - First International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 4968 LNCS, pp. 133-142, 1st International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008, Villach, Austria, 11/03/08. https://doi.org/10.1007/978-3-540-68979-9_10

Slicing for security of code. / Monate, Benjamin; Signoles, Julien.
Trusted Computing - Challenges and Applications - First International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008, Proceedings. 2008. p. 133-142 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 4968 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Slicing for security of code

AU - Monate, Benjamin

AU - Signoles, Julien

PY - 2008/10/27

Y1 - 2008/10/27

N2 - Bugs in programs implementing security features can be catastrophic: for example they may be exploited by malign users to gain access to sensitive data. These exploits break the confidentiality of information. All security analyses assume that softwares implementing security features correctly implement the security policy, i.e. are security bug-free. This assumption is almost always wrong and IT security administrators consider that any software that has no security patches on a regular basis should be replaced as soon as possible. As programs implementing security features are usually large, manual auditing is very error prone and testing techniques are very expensive. This article proposes to reduce the code that has to be audited by applying a program reduction technique called slicing. Slicing transforms a source code into an equivalent one according to a set of criteria. We show that existing slicing criteria do not preserve the confidentiality of information. We introduce a new automatic and correct source-to-source method properly preserving the confidentiality of information i.e. confidentiality is guaranteed to be exactly the same in the original program and in the sliced program.

AB - Bugs in programs implementing security features can be catastrophic: for example they may be exploited by malign users to gain access to sensitive data. These exploits break the confidentiality of information. All security analyses assume that softwares implementing security features correctly implement the security policy, i.e. are security bug-free. This assumption is almost always wrong and IT security administrators consider that any software that has no security patches on a regular basis should be replaced as soon as possible. As programs implementing security features are usually large, manual auditing is very error prone and testing techniques are very expensive. This article proposes to reduce the code that has to be audited by applying a program reduction technique called slicing. Slicing transforms a source code into an equivalent one according to a set of criteria. We show that existing slicing criteria do not preserve the confidentiality of information. We introduce a new automatic and correct source-to-source method properly preserving the confidentiality of information i.e. confidentiality is guaranteed to be exactly the same in the original program and in the sliced program.

U2 - 10.1007/978-3-540-68979-9_10

DO - 10.1007/978-3-540-68979-9_10

M3 - Conference contribution

AN - SCOPUS:54249092520

SN - 3540689788

SN - 9783540689782

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 133

EP - 142

BT - Trusted Computing - Challenges and Applications - First International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008, Proceedings

T2 - 1st International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008

Y2 - 11 March 2008 through 12 March 2008

ER -

Monate B, Signoles J. Slicing for security of code. In Trusted Computing - Challenges and Applications - First International Conference on Trusted Computing and Trust in Information Technologies, TRUST 2008, Proceedings. 2008. p. 133-142. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-540-68979-9_10

Slicing for security of code

Abstract

Publication series

Conference

Access to Document

Fingerprint

Cite this