Given the increasing importance of security, privacy, and related properties, classical approaches such as cryptography and certificates are necessary but insufficient to find different issues to these properties because they do not analyze source code. Thus, these properties should be checked also in the source code.

    Furthermore, it is important to guarantee these properties for emergent modules, that is, when developers use potentially dangerous classes (e.g. File or Logger), when they submit their contributions to the main repository, or when features interact between them.

    Often, potentially dangerous classes, code contributions, and feature interactions are reviewed in order to avoid privacy and security violations. Manual code review is a common way to detect such problems, but it is expensive, error-prone, and time-consuming. Other automatic static analysis approaches are either designed for specific technical domains, such as Android platform, which means that they are not useful for other technical domains, or demand significant effort from developers in order to execute this analysis.

    To reduce these problems, we propose a new policy language named Salvum to allow developers to specify constraints that help protecting sensitive information from these classes, code contributions, and feature interactions. Our language implementation automatically checks source code’s adherence to the specification of Salvum constraints, which might be written by software architects, for example.

    In our in-progress evaluation, we assess our proposal using four selected software projects. Basically, we investigate whether Salvum can be used to find relevant illegal information flow for classes, code contributions, and features. Furthermore, we intend to evaluate whether Salvum helps to reduce the time to find violations, and increase precision and recall for finding these violations.

Source code

I use github to store our source code:

I made some changes in JOANA and WALA. Therefore, I provide my own version in the link above. However, official JOANA website is available as well as WALA's. All the instructions to reproduce and use Salvum is at this link. The main change regards including WALA IMethod to the corresponding SDG node generated by JOANA. This was necessary to avoid missing the source line numbers where the instructions of a method were extracted. We use this line numbers information to automatically label SDG nodes.