Conferences in Research and Practice in Information Technology
  

Online Version - Last Updated - 20 Jan 2012
Data Flow Analysis of Embedded Program Expressions

Doble, C., Fidge, C. J. and Corney, D.

    Dataflow analysis techniques can be used to help assess threats to data confidentiality and integrity in security-critical program code. However, a fundamental weakness of static analysis techniques is that they overestimate the ways in which data may propagate at run time. Discounting large numbers of these false-positive dataflow paths wastes an information security evaluator's time and effort. Here we show how to automatically eliminate some false-positive dataflow paths by precisely modelling how classified data is blocked by certain expressions in embedded C code. We present a library of detailed dataflow models of individual expression elements and an algorithm for introducing these components into conventional dataflow graphs. The resulting models can be used to accurately trace byte-level or even bit-level dataflow through expressions that are normally treated as atomic. This allows us to identify expressions that safely downgrade their classified inputs and thereby eliminate false-positive dataflow paths from the security evaluation process. To validate the approach we have implemented and tested it in an existing dataflow analysis toolkit.
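The following is an added illustration of the idea in the abstract, not code from the paper or from the authors' dataflow toolkit. It models a handful of C expression elements at bit level, as the abstract describes: each bit of an operand carries a constant value when one is known and a set of labels naming the classified input bits that can reach it. Operator models propagate these facts, and wherever a constant operand bit forces the output bit (x & 0, x | 1, the vacated positions of a shift, a carry that provably cannot be generated) the taint is dropped, so the analysis can tell a safe downgrade such as `key & 0x00` from one that merely looks harmless such as `key + 1`. The 8-bit unsigned operand width, the variable name `key`, and the conservative treatment of `x ^ x` (reported as tainted, since no symbolic identity tracking is done) are assumptions of this example.

```python
"""Bit-level dataflow models of C expression elements (added example).

A Val is a fixed-width unsigned operand where every bit carries two facts:
  known[i] : 0 or 1 if the bit is a compile-time constant, else None
  taint[i] : frozenset of (source_name, bit_index) labels naming the
             classified input bits that can influence output bit i
Constant bits that force an output bit drop the taint, which is what lets
the analysis recognise expressions that safely downgrade their inputs.
"""
from dataclasses import dataclass

WIDTH = 8  # assumption: 8-bit operands, as for uint8_t in embedded C


@dataclass(frozen=True)
class Val:
    known: tuple  # per-bit constant value (0/1) or None
    taint: tuple  # per-bit frozenset of source-bit labels


def source(name, width=WIDTH):
    """A classified input variable: bit i is tainted by label (name, i)."""
    return Val(tuple([None] * width),
               tuple(frozenset({(name, i)}) for i in range(width)))


def const(value, width=WIDTH):
    """A compile-time constant: every bit known, nothing tainted."""
    return Val(tuple((value >> i) & 1 for i in range(width)),
               tuple(frozenset() for _ in range(width)))


def band(a, b):
    """x & y: a known-0 operand bit blocks the other operand's taint."""
    known, taint = [], []
    for ka, ta, kb, tb in zip(a.known, a.taint, b.known, b.taint):
        if ka == 0 or kb == 0:
            known.append(0); taint.append(frozenset())
        elif ka == 1:
            known.append(kb); taint.append(tb)
        elif kb == 1:
            known.append(ka); taint.append(ta)
        else:
            known.append(None); taint.append(ta | tb)
    return Val(tuple(known), tuple(taint))


def bnot(a):
    """~x: value flips, taint is unchanged."""
    return Val(tuple(None if k is None else 1 - k for k in a.known), a.taint)


def bor(a, b):
    """x | y via De Morgan: a known-1 operand bit blocks the other's taint."""
    return bnot(band(bnot(a), bnot(b)))


def bxor(a, b):
    """x ^ y: known only when both bits are known; taint is the union.
    x ^ x is conservatively reported as tainted (no symbolic tracking)."""
    known = tuple(None if ka is None or kb is None else ka ^ kb
                  for ka, kb in zip(a.known, b.known))
    return Val(known, tuple(ta | tb for ta, tb in zip(a.taint, b.taint)))


def shr(a, n):
    """x >> n on an unsigned operand: vacated high bits become constant 0."""
    w = len(a.known)
    known = tuple(a.known[i + n] if i + n < w else 0 for i in range(w))
    taint = tuple(a.taint[i + n] if i + n < w else frozenset() for i in range(w))
    return Val(known, taint)


def shl(a, n):
    """x << n truncated to the operand width: vacated low bits become 0."""
    w = len(a.known)
    known = tuple(a.known[i - n] if i >= n else 0 for i in range(w))
    taint = tuple(a.taint[i - n] if i >= n else frozenset() for i in range(w))
    return Val(known, taint)


def add(a, b):
    """x + y modulo 2^width, ripple-carry model: output bit i depends on bits
    0..i of both operands through the carry, unless at least two of
    (a[i], b[i], carry_in) are known 0, which proves carry_out == 0."""
    known, taint = [], []
    carry_k, carry_t = 0, frozenset()
    for ka, ta, kb, tb in zip(a.known, a.taint, b.known, b.taint):
        bits = (ka, kb, carry_k)
        known.append(None if None in bits else sum(bits) & 1)
        taint.append(ta | tb | carry_t)
        if bits.count(0) >= 2:        # carry cannot be generated
            carry_k, carry_t = 0, frozenset()
        elif bits.count(1) >= 2:      # carry is certainly generated
            carry_k, carry_t = 1, frozenset()
        else:                         # carry depends on classified bits
            carry_k, carry_t = None, ta | tb | carry_t
    return Val(tuple(known), tuple(taint))


def classified_bits(v):
    """Output bit indices that can still carry classified data."""
    return [i for i, t in enumerate(v.taint) if t]


def downgrades(v):
    """True when the expression blocks every classified input bit."""
    return not classified_bits(v)


if __name__ == "__main__":
    key = source("key")  # constructed classified 8-bit input
    for text, expr in [("key & 0xF0", band(key, const(0xF0))),
                       ("key >> 4", shr(key, 4)),
                       ("(key >> 7) & 1", band(shr(key, 7), const(1))),
                       ("(key & 0x0F) + 0x10", add(band(key, const(0x0F)), const(0x10))),
                       ("key + 1", add(key, const(1))),
                       ("key | 0xFF", bor(key, const(0xFF)))]:
        print(f"{text:22} classified bits: {classified_bits(expr)}")
```

Run directly, the script reports which output bits of each expression remain classified; `(key & 0x0F) + 0x10` shows the payoff of the carry reasoning, since a byte-level or purely conservative model would mark the whole result as classified even though the upper nibble is a constant.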
Cite as: Doble, C., Fidge, C. J. and Corney, D. (2012). Data Flow Analysis of Embedded Program Expressions. In Proc. Australasian Information Security Conference (AISC 2012), Melbourne, Australia. CRPIT, 125. Pieprzyk, J. and Thomborson, C., Eds. ACS. 71-82.