Analysis of information flow security using software implementing business logic based on stored database program blocks

A. А. Timakov
DOI: 10.32362/2500-316x-2024-12-2-16-27 (https://doi.org/10.32362/2500-316x-2024-12-2-16-27)
Journal: Russian Technological Journal, 23(1)
Published: 2024-04-05 (journal article)
Citations: 0

Abstract

Objectives. Verification of software security is typically performed using dynamic and static analysis tools. The corresponding types of analysis do not usually consider the business logic of the software and do not rely on data access control policies. A modern approach to resolving this problem is to implement language-based information flow control. Despite a large amount of research, mechanisms for information flow control in software are not widely used in practice. This is because they are complex and impose increased demands on developers. The aim of the work is to transfer information flow control from the language level to the level of formal verification. This will enable the functions of controlling data integrity and confidentiality in software to be isolated into a separate task, which can be resolved by information security analysts.

Methods. The research is based on general formal security methods for computer systems and formal verification methods. The algorithm developed by the author for checking security specifications and resolving security violations uses temporal logic of actions.

Results. The technology is presented as a step-by-step approach to resolving specific tasks, including the following: designing a database (DB) for storing and processing sensitive information; analyzing dependencies and identifying relevant sets of program blocks in the DB; generating TLA+ specifications for the identified program blocks; labeling specifications according to global security policy rules and additional constraints; applying the specification verification algorithm, and resolving security violations while providing recommendations for software developers. The procedure also involves analyzing labeled data, in order to control the spread of verified program block output values in external software modules.

Conclusions. The technology presented herein does not require developers to include redundant annotations describing security policy rules. The function of analyzing information flows with reference to predefined access restrictions is moved to a separate stage of the software development life cycle.