Data and Control Coupling: Taint Analysis for Critical Embedded Applications
The CERT Division of the Software Engineering Institute is a leader in cybersecurity. Of its top 10 secure coding practices, two focus on the sanitization of untrusted data: 'Validate input' and 'Sanitize data sent to other systems'. Follow any application inside a debugger and it is easy to see that information is being copied and modified all the time. Data that enters this melting pot of moving data from an untrusted source is said to be 'tainted', and 'taint analysis' is therefore a form of information flow analysis focused on untrusted data.

As so often happens across software engineering sectors, an entirely separate development path established, many years ago, an approach to information flow analysis that was designed for critical embedded applications but is exactly relevant to this scenario. The DO-178C standard used in the aerospace industry leverages data and control coupling analysis to 'provide a measurement and assurance of the correctness of software modules' interactions and dependencies'.

This presentation will explain the principles of data and control coupling analysis: their relevance in the context of data movement, their relevance to secure coding with reference to CERT's 'top 10' secure coding practices, and their relationship to taint analysis. It will argue that both are key tools in the fight against bad actors in the field of critical embedded applications, whatever the industrial sector.
--- Date: 26.02.2019 Time: 12:00 - 12:30 Location: Conference Counter NCC Ost
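The abstract describes two views of the same data movement: taint analysis asks which values derive from an untrusted source and whether one reaches a sensitive operation unsanitized, while data coupling analysis records which module produces a variable that another module consumes. The following is an added example, not code from the talk or from any analysis tool, that runs both views over one constructed straight-line program: a UART driver reads a length byte, a framing module derives an index from it, and the application uses that index as a copy length. The three-address statement format, the module names and the variable names are assumptions made for the demonstration; Python is used so the analysis itself, rather than the embedded target code, is what is shown.

```python
"""Forward taint propagation plus data-coupling extraction over a toy IR.

Added example: the IR, the module names and the program below are constructed
for the demonstration and are not taken from the talk or from any tool.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Stmt:
    module: str                 # software module (DO-178C component) executing it
    op: str                     # "source" | "copy" | "binop" | "sanitize" | "sink"
    dst: Optional[str] = None   # variable written; None for a sink
    srcs: tuple = ()            # variables read


# Constructed program (an assumption for the demo). rx_len arrives from the
# wire, framing derives idx from it unchecked and safe_len via a bounds check,
# and app uses both as copy lengths. Only the idx path should be reported.
PROGRAM = [
    Stmt("uart_drv", "source", "rx_len"),
    Stmt("uart_drv", "source", "rx_buf"),
    Stmt("framing", "binop", "payload_len", ("rx_len",)),      # rx_len - header
    Stmt("framing", "copy", "idx", ("payload_len",)),          # no check
    Stmt("framing", "sanitize", "safe_len", ("payload_len",)), # clamped to buffer
    Stmt("app", "sink", None, ("idx",)),                       # memcpy length
    Stmt("app", "sink", None, ("safe_len",)),                  # memcpy length
]


def analyze(program):
    """Return (findings, couplings).

    findings:  list of (sink module, variable, frozenset of originating sources)
               for every sink that reads a still-tainted value.
    couplings: sorted list of (producer module, variable, consumer module,
               carries_taint) for every read of a variable written by a
               different module, i.e. the data-coupling edges, each flagged
               with whether untrusted data travels across it.
    """
    taint = {}         # var -> frozenset of source variables it derives from
    writer = {}        # var -> module that last wrote it
    findings = []
    couplings = set()
    for s in program:
        # Data coupling: a read of a variable last written by another module.
        for v in s.srcs:
            if v not in writer:
                raise ValueError(f"{v} read before written")
            if writer[v] != s.module:
                couplings.add((writer[v], v, s.module, bool(taint[v])))
        if s.op == "source":
            taint[s.dst] = frozenset({s.dst})            # untrusted origin
        elif s.op in ("copy", "binop"):
            # Copies and arithmetic propagate the union of their inputs' taint.
            taint[s.dst] = frozenset().union(*(taint[v] for v in s.srcs))
        elif s.op == "sanitize":
            taint[s.dst] = frozenset()                    # validated: taint cleared
        elif s.op == "sink":
            for v in s.srcs:
                if taint[v]:
                    findings.append((s.module, v, taint[v]))
            continue                                      # sinks write nothing
        else:
            raise ValueError(f"unknown op {s.op}")
        writer[s.dst] = s.module
    return findings, sorted(couplings)


if __name__ == "__main__":
    found, edges = analyze(PROGRAM)
    for module, var, origins in found:
        print(f"tainted sink in {module}: {var} derives from {sorted(origins)}")
    for producer, var, consumer, tainted in edges:
        print(f"coupling {producer} -> {consumer} via {var}"
              f"{' (carries untrusted data)' if tainted else ''}")
```

Running it reports one finding, the unchecked `idx` reaching the sink in `app`, and three coupling edges, of which the `rx_len` and `idx` edges carry untrusted data while the `safe_len` edge does not. That overlay is the connection the talk draws: the coupling edges are the module interfaces DO-178C already asks you to enumerate, and taint annotates which of them move unvalidated input.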