Information Flow Analysis of Component-Structured Applications
Universität Dortmund, FB Informatik, LS IV, D-44221 Dortmund
E-Mail: Peter.Herrmann@cs.tu-dortmund.de
Abstract
Software component technology facilitates the cost-effective development of specialized applications.
Nevertheless, due to the high number of principals involved in a component-structured system, it
introduces special security problems which have to be tackled by a thorough security analysis. In
particular, the diversity and complexity of information flows between components hold the danger of leaking
information. Since information flow analysis, however, tends to be expensive and error-prone, we apply our
object-oriented security analysis and modeling approach. It employs UML-based object-oriented modeling
techniques and graph rewriting in order to make the analysis easier and to assure its quality even for large
systems. Information flow is modeled based on Myers' and Liskov's decentralized label model combining
label-based read access policy models and declassification of information with static analysis. We report on
the principles of information flow analysis of component-based systems, clarify its application by means
of an example, and outline the corresponding tool-support.
Published in
Proceedings of the 17th Annual Computer Security Applications
Conference (ACSAC'2001), ACM SIGSAC, pages 45-54,
New Orleans, IEEE Computer Society Press, December 2001.
Obtaining the paper
Due to the copyright agreement between the publisher and the authors, we are
not allowed to make the paper available online. If you have problems
obtaining it, please call us.
Peter Herrmann, January 24, 2002