
Hybrid static/dynamic inter-application data-flow analysis

Applicant Professor Dr. Reiner Hähnle, since 2/2016
Subject Area Software Engineering and Programming Languages
Term from 2014 to 2017
Project identifier Deutsche Forschungsgemeinschaft (DFG) - Project number 264112078
 
Information-flow analyses allow security analysts to discover the flow of data through software applications, or more generally the flow of information about that data. This is useful, for instance, to discover accidental or malicious leakages of private information, or conversely to detect vulnerabilities that let attackers modify input data so as to cause the application under attack to leak its application data or to process it incorrectly. SQL-injection attacks fall into the latter category.

In the past, researchers have mostly focused on data-flow and information-flow analyses for single software components or even for only single execution threads. This model, while allowing for relatively effective algorithms and tools, is comparatively limited. Modern operating systems for mobile devices in particular are built around a model of small, highly interconnected applications (apps), which fulfill user stories by exchanging commands and data. On such operating systems, malicious code can base exploits on this inter-process communication. Some well-known malware apps, for instance, use inter-process communication to extract private data from other badly programmed and thus vulnerable applications.

To address this problem, the project InterFlow will develop novel algorithms, methods and tools with which data flows can be tracked across process boundaries, both using static code analysis, i.e., without executing the applications in question, and dynamically during the applications' execution. Past research has shown that the combination of both techniques can yield systems that are both highly effective and efficient. A particular feature of the envisioned solution is that it should require no modifications to the mobile operating system. This will allow end users to deploy the mechanisms with ease, and on a wide range of devices.

Although motivated by this practical concern, this restriction raises interesting research challenges, as the solution will not be able to rely on special trust anchors such as trusted kernels or Trusted Platform Modules to ensure a secure runtime. The analyses developed within the project InterFlow will allow software engineers to reliably pinpoint vulnerabilities that arise from data-flow problems spanning multiple interacting applications, and will allow them to detect malware that exploits exactly such vulnerabilities.
DFG Programme Priority Programmes
Former Applicant Professor Dr. Eric Bodden, until 2/2016
 
 
