Internet Archive Scholar

Effective blame for information-flow violations

Dave King, Trent Jaeger, Somesh Jha, Sanjit A. Seshia
2008 Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of software engineering - SIGSOFT '08/FSE-16  

Preserved Fulltext

fulltext thumbnail
Web Archive Capture PDF (343.1 kB)
https://web.archive.org/web/20170813072033/http://www.cse.psu.edu/~trj1/papers/fse08.pdf

A copy of this work was available on the public web and has been preserved in the Wayback Machine. The capture dates from 2017; you can also visit the original URL. The file type is application/pdf.

Programs trusted with secure information should not release that information in ways contrary to system policy. However, when a program contains an illegal flow of information, current information-flow reporting techniques are inadequate for determining the cause of the error. Reasoning about information-flow errors can be difficult, as the flows involved can be quite subtle. We present a general model for information-flow blame that can explain the source of such security errors in code. This
more » ... odel is implemented by changing the information-flow verification procedure to: (1) generate supplementary information to reveal otherwise hidden program dependencies; (2) modify the constraint solver to construct a blame dependency graph; and (3) develop an explanation procedure that returns a complete and minimal error report. Our experiments show that information-flow errors can generally be explained and resolved by viewing only a small fraction of the total code.
doi:10.1145/1453101.1453135 dblp:conf/sigsoft/KingJJS08 fatcat:pdmipsonjrhupa7y7es3uut7v4
Citation

Dave King, Trent Jaeger, Somesh Jha, Sanjit A. Seshia. "Effective blame for information-flow violations." Proceedings of the 16th ACM SIGSOFT International Symposium on Foundations of software engineering - SIGSOFT '08/FSE-16 (2008) 250-260