Accurate Architectural Threat Elicitation From Source Code Through Hybrid Information Flow Analysis

Accurate Architectural Threat Elicitation From Source Code Through Hybrid Information Flow Analysis

연구 분야: Verification

학회: 2024 IEEE/ACM 46th International Conference on Software Engineering: Companion Proceedings (ICSE-Companion)

Software processes a vast amount of sensitive data. However, tracing information flows in complex programs and eliciting threats, which, for example, could lead to information leaks, pose significant challenges. The problem lies in the absence of suitable approaches to effectively address this issue. Symbolic verification is too restrictive for practical use, taint analysis faces challenges due to overapproximation, and fuzzers can only identify crashes and hangs. In my doctoral research, I introduce an approach for reconstructing and refining information flow graphs in order to elicit threats. Using static analysis, I automatically reconstruct an information flow graph. Subsequently, I refine the found information flows using information flow fuzzing and associate threats through a rule-based system. My approach provides a validated information flow graph of the software and a list of elicited threats.