Static Analysis of Information Release in Interactive Programs

Authors

  • Adedayo Adetoye
  • Nikolaos Papanikolaou

DOI:

https://doi.org/10.14279/tuj.eceasst.35.544

Abstract

In this paper we present a model for analysing information release (or leakage) in programs written in a simple imperative language. We present the se- mantics of the language, an attacker model, and the notion of an information release policy. Our key contribution is the static analysis technique to compute information release of programs and to verify it against a policy. We demonstrate our approach by analysing information released to an attacker by faulty password checking pro- grams; our example is inspired by a known flaw in versions of OpenSSH distributed with various Unix, Linux, and OpenBSD operating systems.

Downloads

Published

2011-04-14

How to Cite

[1]
A. Adetoye and N. Papanikolaou, “Static Analysis of Information Release in Interactive Programs”, eceasst, vol. 35, Apr. 2011.

Issue

Vol. 35 (2010): Automated Verification of Critical Systems 2010

Section

Articles

License

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.