
posted by LaminatorX on Friday August 22 2014, @11:14AM
from the chain-linked-list-fence dept.

Instead of trusting "identification documents" in the form of certificates, JOANA, the new software analysis tool, examines the source text (code) of a program. In this way it detects leaks through which secret information may get out or outsiders may enter the system. At the same time, JOANA ( http://pp.ipd.kit.edu/projects/joana/ ) reduces the number of false alarms to a minimum. The analysis tool developed by Karlsruhe Institute of Technology (KIT) has already proved to work successfully in realistic test scenarios. As a next step, an industrial case study is planned.

"Established software certificates certify the manufacturer to be trustworthy. With JOANA, we can also check the real behavior of a program," says Gregor Snelting, who developed the analysis tool with his research group at the Chair of Programming Paradigms of KIT. In his opinion, this is important, because most weaknesses result from unintended programming errors. The scientists currently focus on mobile applications for Android smartphones. In principle, however, they can test any program written in Java, C or C++. Initially, software companies are to test their products before commercialization. As experts are required to set up and operate JOANA, it is less suited for private users.

[Software Overview]: http://pp.ipd.kit.edu/uploads/folien/joana-overview.pdf [PDF]

http://www.eurekalert.org/pub_releases/2014-08/kift-fss082114.php

  • (Score: 4, Insightful) by MrGuy on Friday August 22 2014, @12:35PM

    by MrGuy (1007) on Friday August 22 2014, @12:35PM (#84315)

    We've had those for years. Maybe this has some new rules, which is great - some tools aren't great for checking specifically for security issues (as opposed to code style), but I don't see the revolution.

    Also, the PDF is marketing material. Heavy on breathless prose (favorite line: "Sound IFC guarantees to find all leaks!"), light on technical details about how it does it (other than an overwrought airport X-Ray scanner metaphor).

    This is a soyvertisement. Call me back when they can substantiate their claims or explain why they're that different from what I'm already running.

    • (Score: 1, Funny) by Anonymous Coward on Friday August 22 2014, @12:56PM

      by Anonymous Coward on Friday August 22 2014, @12:56PM (#84319)

      Sound IFC guarantees to find all leaks!

      1. Craft leak
      2. Sue them
      3. Profit

    • (Score: 1) by hendrikboom on Friday August 22 2014, @08:27PM

      by hendrikboom (1125) on Friday August 22 2014, @08:27PM (#84463)

      It takes user annotations as to where information is allowed to flow.
      Then it does data flow analysis to see if it can ascertain that data cannot flow elsewhere.
      Assuming the user is allowed to provide the annotations she needs, it may actually be possible to do what they claim in terms of securing data flow.

      -- hendrik

      • (Score: 3, Interesting) by No.Limit on Friday August 22 2014, @09:25PM

        by No.Limit (1965) on Friday August 22 2014, @09:25PM (#84486)

        Does it protect against covert channel attacks [wikipedia.org]?
        Probably not, so those are pretty outrageous claims, particularly coming from an academic institute.

        Nevertheless, going through the slides it sounds pretty interesting, and it looks like they've really pushed static analysis regarding information flow forward significantly.

        Also note that while they guarantee no false positives (JOANA says program is secure, but it's not), they still have false negatives (JOANA says program is insecure, but it's actually secure) though apparently only a few.
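As an added illustration (not JOANA's code, algorithm or API) of the annotate-then-analyse scheme hendrikboom describes and of the "sound, but with some false alarms" trade-off No.Limit raises: a toy checker over a two-level lattice that tracks explicit flows, implicit flows through branches, and reports any secret reaching a public sink. The statement encoding, the sample programs and the 'pin'/'username' annotations are all constructed here.

```python
# Toy information-flow checker sketching the "annotate, then do dataflow" scheme
# hendrikboom describes. Constructed illustration, not JOANA's algorithm or API.
LOW, HIGH = 0, 1                      # two-point lattice: LOW may flow to HIGH, never back
NAME = {LOW: "LOW", HIGH: "HIGH"}

def join(*levels):
    """Least upper bound: combined data is as secret as its most secret input."""
    return max(levels, default=LOW)

def analyse(program, labels, pc=LOW, leaks=None):
    """Propagate labels through a toy program; returns the list of detected leaks.
    Statements: ("assign", dst, [src_vars])           dst := f(src_vars)
                ("if", [cond_vars], then_blk, else_blk)
                ("sink", level, var)                  var leaves via a channel of 'level'
    labels: var -> level, seeded with the user's source annotations (mutated in place).
    pc: label of the enclosing control context, used to catch implicit flows.
    """
    leaks = [] if leaks is None else leaks
    for stmt in program:
        if stmt[0] == "assign":
            _, dst, srcs = stmt
            # explicit flow from srcs, plus implicit flow from the branch we are in
            labels[dst] = join(pc, *(labels.get(v, LOW) for v in srcs))
        elif stmt[0] == "if":
            _, cond, then_blk, else_blk = stmt
            inner_pc = join(pc, *(labels.get(v, LOW) for v in cond))
            then_l, else_l = dict(labels), dict(labels)
            analyse(then_blk, then_l, inner_pc, leaks)
            analyse(else_blk, else_l, inner_pc, leaks)
            # after the if we do not know which branch ran: keep the higher label
            for v in set(then_l) | set(else_l):
                labels[v] = join(then_l.get(v, LOW), else_l.get(v, LOW))
        elif stmt[0] == "sink":
            _, level, var = stmt
            actual = join(pc, labels.get(var, LOW))   # even reaching the sink can leak
            if actual > level:
                leaks.append(f"{NAME[actual]} '{var}' reaches {NAME[level]} sink")
    return leaks

def check(program):  # constructed annotations: 'pin' is secret, 'username' is public
    return analyse(program, {"pin": HIGH, "username": LOW})

# Constructed sample programs (the toy form of code the user would annotate).
EXPLICIT_LEAK = [("assign", "msg", ["username", "pin"]), ("sink", LOW, "msg")]
IMPLICIT_LEAK = [("assign", "flag", []),                          # flag := 0
                 ("if", ["pin"], [("assign", "flag", [])], []),   # if pin > 1000: flag := 1
                 ("sink", LOW, "flag")]                           # flag now encodes pin
SAFE = [("assign", "hello", ["username"]), ("sink", LOW, "hello"), ("sink", HIGH, "pin")]
# Sound but imprecise: if the test were "pin != pin" (never true) it still reports a leak.
DEAD_BRANCH = [("if", ["pin"], [("assign", "out", [])], []), ("sink", LOW, "out")]
```

The DEAD_BRANCH case is the kind of false alarm a sound analysis accepts in exchange for never missing a real flow.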

        • (Score: 0) by Anonymous Coward on Saturday August 23 2014, @07:23AM

          by Anonymous Coward on Saturday August 23 2014, @07:23AM (#84619)

          And does it protect against compiler quirks? Unintended behavior is unintended.

  • (Score: 2) by tibman on Friday August 22 2014, @04:21PM

    by tibman (134) on Friday August 22 2014, @04:21PM (#84383)

    As experts are required to set up and operate JOANA, it is less suited for private users.

    So is JOANA finding the problems? Or are some experts using JOANA to find problems? There is a large difference. If JOANA is a collection of people using tools, then it is far less valuable than a program called JOANA that people are using. That sentence sucked, sorry : )

    --
    SN won't survive on lurkers alone. Write comments.
    • (Score: 2) by frojack on Friday August 22 2014, @04:56PM

      by frojack (1554) on Friday August 22 2014, @04:56PM (#84408)

      Probably the software sucks as well.
      First, it only works for a few languages; second, it doesn't even seem to address the largest risk items like database servers.

      --
      No, you are mistaken. I've always had this sig.
  • (Score: 1, Interesting) by Anonymous Coward on Saturday August 23 2014, @02:14PM

    by Anonymous Coward on Saturday August 23 2014, @02:14PM (#84659)

    There is no license I can see...