Security Analysis of Information Flow using SAT

  • Kim, Je-Min (Dept. of Computer and Information Engineering, Inha University)
  • Kouh, Hoon-Joon (Dept. of Video Broadcasting, Kyung-In Women's University)
  • Received : 2016.04.25
  • Accepted : 2016.06.20
  • Published : 2016.06.28

Abstract

As more people use the internet through various programs on PCs and mobile devices, the possibility of private data leaks is increasing. A program should be used only after the security of its information flow has been checked. Security analysis of information flow is a method that analyzes whether information flow in a program is secure. If the information flow is secure, there is no leakage of personal information. If the information flow is not secure, there may be a leakage of personal information. This paper proposes a method of analyzing information flow that uses a SAT solver. The method translates a program that includes variables with assigned security levels into a propositional formula representing control and information flow. The satisfiability of the translated formula is then determined using a SAT solver. The result indicates whether the program is secure. A counter-example is generated if the program is not secure.

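As more people access the internet through various programs on PCs and mobile devices, the likelihood that personal information will leak from those programs is growing sharply. Programs that use the internet should therefore be used only after a security analysis of their information flow confirms that they are safe and do not leak personal information. Security analysis of information flow analyzes whether the flow of information within a program is secure: if the flow is secure, no personal information leaks, and if it is not, a leak can occur. This paper presents a method that performs information flow analysis using a SAT solver. The method translates a program containing variables with assigned security levels into a propositional formula representing control and information flow, and uses a SAT solver to decide the satisfiability of that formula. The result shows whether the information flow in the program is secure; if it is not, a counter-example is generated that shows which part of the program is insecure.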
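The pipeline the abstract describes, from security-labelled variables to a propositional formula to a SAT verdict with counter-example, as an added Python example; it is not the paper's encoding. Assumptions: a loop-free program already in SSA form with branch guards listed as dependencies, one "may carry High data" bit per variable, and the names `dpll`, `encode`, `analyze`, `LEAKY` and `SAFE`, all hypothetical.

```python
def dpll(clauses, model=None):
    """Minimal DPLL over integer literals; returns {var_id: bool} or None."""
    model = dict(model or {})
    while True:                                   # unit propagation
        pending, unit = [], None
        for c in clauses:
            if any(model.get(abs(l)) == (l > 0) for l in c):
                continue                          # clause already satisfied
            rest = [l for l in c if abs(l) not in model]
            if not rest:
                return None                       # every literal false: conflict
            if len(rest) == 1 and unit is None:
                unit = rest[0]
            pending.append(rest)
        clauses = pending
        if unit is None:
            break
        model[abs(unit)] = unit > 0
    if not clauses:
        return model
    v = abs(clauses[0][0])                        # branch on an unassigned variable
    return dpll(clauses, {**model, v: True}) or dpll(clauses, {**model, v: False})

def encode(levels, assigns, sinks):
    """Bit t_x means 'x may carry High data'. assigns: SSA (target, sources+guards)."""
    ids, cnf = {}, []
    var = lambda name: ids.setdefault(name, len(ids) + 1)
    for name, lvl in levels.items():              # labelled inputs fix their bit
        cnf.append([var(name)] if lvl == "H" else [-var(name)])
    for target, deps in assigns:                  # t_target <-> OR(t_dep)
        cnf.append([-var(target)] + [var(d) for d in deps])
        cnf.extend([-var(d), var(target)] for d in deps)
    cnf.append([var(s) for s in sinks])           # violation: a Low sink is tainted
    return cnf, ids

def analyze(levels, assigns, sinks):
    """Return (secure, counter_example); UNSAT means no High data reaches a sink."""
    cnf, ids = encode(levels, assigns, sinks)
    model = dpll(cnf)
    return (True, []) if model is None else (False, sorted(n for n, i in ids.items() if model.get(i)))

# Constructed sample: if (secret > 0) out1 = 1 else out2 = 0; out = phi(out1, out2)
LEAKY = ({"secret": "H", "pub": "L"},
         [("out1", ["secret"]), ("out2", ["secret"]), ("out", ["out1", "out2"])], ["out"])
# Constructed sample: tmp = secret * 2; out = pub + 1
SAFE = ({"secret": "H", "pub": "L"}, [("tmp", ["secret"]), ("out", ["pub"])], ["out"])
```

Calling `analyze(*LEAKY)` reports the implicit flow through the branch guard and returns the tainted variables as the counter-example; `analyze(*SAFE)` is unsatisfiable, so the program is reported secure.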
