Position Paper: Static Flow-Sensitive & Context-Sensitive Information-flow Analysis for Software Product Lines

Eric | April 22, 2012

In our recent paper accepted at the SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS), we demonstrate how inter-procedural information-flow analyses for regular programs can be transparently lifted to software product lines (SPLs), so that they can deal with conditional-compilation constructs such as #ifdef. Our approach is based on the IFDS/IDE framework by Reps, Horwitz and Sagiv. Currently, the approach is restricted to direct (explicit) information flow, i.e. data flow through assignments and calls; an extension to indirect (implicit) flow through control dependencies is under consideration.

The full abstract follows; the paper itself is linked at the end of this post.

A software product line encodes a potentially large variety of software products as variants of some common code base, e.g., through the use of #ifdef directives or other forms of conditional compilation. Traditional information-flow analyses cannot cope with such constructs. Hence, to check for possibly insecure information flow in a product line, one currently has to analyze each resulting product separately, of which there may be thousands, making this task intractable.

We report on ongoing work that will instead enable users to check the security of information flows in entire software product lines in one single pass, without having to generate individual products from the product line. Executing the analysis on the product line promises to be orders of magnitude faster than analyzing products individually.

We discuss the design of our information-flow analysis and our ongoing implementation using the IFDS/IDE framework by Reps, Horwitz and Sagiv.
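To make the "one pass over the product line instead of one analysis per product" idea concrete, here is an added illustration that is not code from the paper or from the project: a direct-flow taint analysis over a tiny straight-line program with #ifdef-guarded statements, where every taint fact carries a feature constraint (the set of configurations under which the fact holds) instead of a plain yes/no. The program, the feature names A and B, and the helper names are all constructed for this example; the sketch is intra-procedural only and says nothing about how the paper encodes constraints inside IFDS/IDE flow functions. A brute-force per-product analysis is included so the lifted result can be checked against it.

```python
"""Added illustration (not the paper's implementation): lifting a direct-flow
taint analysis to an #ifdef-annotated program by tagging each taint fact with
a feature constraint, then checking the result against per-product analysis."""
from itertools import product

FEATURES = ("A", "B")
# A feature constraint is represented extensionally as the set of
# configurations (tuples of feature truth values) that satisfy it.
ALL = frozenset(product((False, True), repeat=len(FEATURES)))   # constraint "true"
NONE = frozenset()                                               # constraint "false"


def lit(name, value=True):
    """Constraint 'feature name == value'."""
    i = FEATURES.index(name)
    return frozenset(c for c in ALL if c[i] == value)


def neg(c):
    """Negation of a constraint."""
    return ALL - c


# Constructed sample program. Each statement: (kind, dst, src, presence condition).
PROGRAM = [
    ("source", "secret", None, ALL),        # secret = source()
    ("assign", "x", "secret", lit("A")),    # #ifdef A:  x = secret
    ("const",  "x", None, lit("B")),        # #ifdef B:  x = 0
    ("assign", "y", "x", ALL),              # y = x
    ("sink",   None, "y", ALL),             # sink(y)
]


def lifted_analysis(program):
    """One pass over the whole product line.

    tainted[v] is the constraint under which v holds data derived from a source.
    A statement guarded by cond only takes effect where cond holds; elsewhere the
    old fact survives, hence the 'neg(cond) & old' term in every update.
    """
    tainted = {}
    leaks = []   # (sink statement index, constraint under which it receives tainted data)
    for idx, (kind, dst, src, cond) in enumerate(program):
        old = tainted.get(dst, NONE)
        if kind == "source":
            tainted[dst] = cond | (neg(cond) & old)
        elif kind == "assign":
            tainted[dst] = (cond & tainted.get(src, NONE)) | (neg(cond) & old)
        elif kind == "const":
            tainted[dst] = neg(cond) & old          # the constant kills the taint
        elif kind == "sink":
            leaks.append((idx, cond & tainted.get(src, NONE)))
    return leaks


def product_analysis(program, config):
    """Plain taint analysis of the single product selected by config."""
    tainted = set()
    leaks = []
    for idx, (kind, dst, src, cond) in enumerate(program):
        if config not in cond:                      # statement compiled out
            continue
        if kind == "source":
            tainted.add(dst)
        elif kind == "assign":
            tainted.add(dst) if src in tainted else tainted.discard(dst)
        elif kind == "const":
            tainted.discard(dst)
        elif kind == "sink" and src in tainted:
            leaks.append(idx)
    return leaks


def leak_configs_by_enumeration(program, sink_idx):
    """The brute-force answer: analyze every product and collect the leaking ones."""
    return frozenset(c for c in ALL if sink_idx in product_analysis(program, c))


def describe(constraint):
    """Human-readable list of the configurations in a constraint."""
    return sorted(" ".join(f"{f}={int(v)}" for f, v in zip(FEATURES, c)) for c in constraint)


if __name__ == "__main__":
    for idx, constraint in lifted_analysis(PROGRAM):
        print(f"sink at statement {idx} leaks under: {describe(constraint)}")
        assert constraint == leak_configs_by_enumeration(PROGRAM, idx)
```

For the sample program the lifted pass reports that the sink leaks exactly under A=1 B=0: the flow `secret -> x -> y` exists only when the `#ifdef A` assignment is compiled in and the `#ifdef B` overwrite is not. Enumerating all four products gives the same answer, but the lifted analysis reached it in a single pass whose cost does not grow with the number of products; in a real product line the extensional constraint sets used here would be replaced by a symbolic representation such as BDDs.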

Download the paper here