Automated Detection of Information Flow Vulnerabilities in UML State Charts and C Code
Abstract—Information flow vulnerabilities in UML statecharts and C code are detrimental as they can cause data leakagesor unexpected program behavior. Detecting such vulnerabilitieswith static code analysis techniques is challenging because codeis usually not available during the software design phase andprevious knowledge about what should be annotated and trackedis needed. In this paper we propose textual annotations used tointroduce information flow constraints in UML state charts andcode which are afterwards automatically loaded by informationflow checkers that check if imposed constraints hold or not. Weevaluated our approach on 6 open source test cases availablein the National Institute of Standards and Technology (NIST)Juliet test suite for C/C++. Our results show that our approachis effective and can be further applied to other types of UMLmodels and programming languages as well, in order to detectdifferent types of vulnerabilities.
Automated Detection of Information Flow Vulnerabilities in UML State Charts and C Code
| Authors: | Paul Muntean, Adnan Rabbi, Andreas Ibing, and Claudia Eckert |
| Year/month: | 2015/8 |
| Booktitle: | International Conference on Software Quality, Reliability and Security Companion (QRS-C), Vancouver, Canada |
| Publisher: | IEEE Computer Society |
| Fulltext: | MVV_Automated_Detection_of_Information_Flow0AVulnerabilities_in_UML_State_Charts_and_C_Code.pdf |
Abstract |
|
| Abstract—Information flow vulnerabilities in UML statecharts and C code are detrimental as they can cause data leakagesor unexpected program behavior. Detecting such vulnerabilitieswith static code analysis techniques is challenging because codeis usually not available during the software design phase andprevious knowledge about what should be annotated and trackedis needed. In this paper we propose textual annotations used tointroduce information flow constraints in UML state charts andcode which are afterwards automatically loaded by informationflow checkers that check if imposed constraints hold or not. Weevaluated our approach on 6 open source test cases availablein the National Institute of Standards and Technology (NIST)Juliet test suite for C/C++. Our results show that our approachis effective and can be further applied to other types of UMLmodels and programming languages as well, in order to detectdifferent types of vulnerabilities. | |
Bibtex:
@conference {author = { Paul Muntean and Adnan Rabbi and Andreas Ibing and Claudia Eckert },
title = { Automated Detection of Information Flow Vulnerabilities in UML State Charts and C Code },
year = { 2015 },
month = { August },
booktitle = { International Conference on Software Quality, Reliability and Security Companion (QRS-C), Vancouver, Canada },
publisher = { IEEE Computer Society },
url = {https://www.sec.in.tum.de/i20/publications/automated-detection-of-information-flow-vulnerabilities-in-uml-state-charts-and-c-code/@@download/file/MVV_Automated_Detection_of_Information_Flow0AVulnerabilities_in_UML_State_Charts_and_C_Code.pdf}
}