Patents by Inventor George Kuan

George Kuan has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11017082
    Abstract: Described is a system for session workflow information flow analysis. The system labels a session identification (ID) in a session workflow as high confidentiality, such that the session ID remains only in confidential channels. Non-owner channels and authorization server channels are labeled as public channels. The session ID is type checked with a security type system, and security of the session ID is verified.
    Type: Grant
    Filed: August 9, 2017
    Date of Patent: May 25, 2021
    Assignee: HRL Laboratories, LLC
    Inventor: George Kuan
  • Patent number: 10977376
    Abstract: Described is a system for session workflow information flow analysis. The system automatically checks security of an existing software that controls session identifications (IDs). If a security error is identified in the existing software, then security of the existing software is improved by labeling a session ID in a session workflow as high confidentiality, such that the session ID remains only in confidential channels. Non-owner channels and authorization server channels are labeled as public channels. The session ID is type checked with a security type system, and security of the session ID is verified.
    Type: Grant
    Filed: November 1, 2018
    Date of Patent: April 13, 2021
    Assignee: HRL Laboratories, LLC
    Inventor: George Kuan
  • Patent number: 10430587
    Abstract: Described is a system and method for monitoring and enforcing information flow security in software systems. The system maintains security tags and reference counts for objects in computer memory. When an object or a portion of an object in the computer memory is being modified, the system arbitrarily performs operations of updating a security tag for the object being modified; updating reference counts for all objects that the portion of the object in the computer memory being modified pointed to immediately prior to modification; and updating reference counts for all objects that the portion of the object in the computer memory being modified points to immediately after the modification. Subsequently, the system examines the security tags and if the examination reveals a potential information flow security violation, a corrective action is performed.
    Type: Grant
    Filed: October 28, 2016
    Date of Patent: October 1, 2019
    Assignee: HRL Laboratories, LLC
    Inventors: George Kuan, Aleksey Nogin
  • Patent number: 10402584
    Abstract: Described is a system for translating security objectives to properties of software code. The system receives a software code and a description of user security objectives written in a high-level language. Using a set of inference rules, the user security objective is translated into a formal security objective. The formal security objective is adapted into a low-level property to fit a target program having software code. Finally, it is determined whether the user objective has been satisfied by analyzing the software code with respect to the low-level property.
    Type: Grant
    Filed: October 3, 2016
    Date of Patent: September 3, 2019
    Assignee: HRL Laboratories, LLC
    Inventors: Alexei Kopylov, Aleksey Nogin, George Kuan
  • Patent number: 10366232
    Abstract: Described is a language-based system for detecting function calls. The system detects missing authorization and authentication functionality in computer software source code via typechecking. New classes of software vulnerability in the computer software source code are detected.
    Type: Grant
    Filed: October 3, 2016
    Date of Patent: July 30, 2019
    Assignee: HRL Laboratories, LLC
    Inventors: George Kuan, Aleksey Nogin, Alexei Kopylov
  • Patent number: 10084819
    Abstract: The present invention relates to a system for detecting source code security flaws through analysis of code history. First, the system obtains a previously inferred information flow policy, the previously inferred informational flow policy being based on a previous source code revision. The system then determines changes in source code between a previous source code revision and a current source code revision. Finally, a current inferred information flow policy is generated by modifying the previously inferred information flow policy to reflect the changes in source code. If the changes in the source code do not comply with the previously inferred information flow policy, then the changes are reported to a developer.
    Type: Grant
    Filed: March 11, 2014
    Date of Patent: September 25, 2018
    Assignee: HRL Laboratories, LLC
    Inventors: Aleksey Nogin, George Kuan, Alexei Kopylov
  • Publication number: 20170300694
    Abstract: Described is a system and method for monitoring and enforcing information flow security in software systems. The system maintains security tags and reference counts for objects in computer memory. When an object or a portion of an object in the computer memory is being modified, the system arbitrarily performs operations of updating a security tag for the object being modified; updating reference counts for all objects that the portion of the object in the computer memory being modified pointed to immediately prior to modification; and updating reference counts for all objects that the portion of the object in the computer memory being modified points to immediately after the modification. Subsequently, the system examines the security tags and if the examination reveals a potential information flow security violation, a corrective action is performed.
    Type: Application
    Filed: October 28, 2016
    Publication date: October 19, 2017
    Inventors: George Kuan, Aleksey Nogin
  • Patent number: 9378377
    Abstract: The present invention relates to a system for information flow security inference through program slicing. In operation, the system receives an information flow security policy for source code security, refines the information flow security policy, and analyzes the source code to provide refinements as constraints, such that if there is a source code violation of the constraints, the source code is identified for inspection and removal.
    Type: Grant
    Filed: March 13, 2014
    Date of Patent: June 28, 2016
    Assignee: HRL Laboratories, LLC
    Inventors: George Kuan, Aleksey Nogin, Alexei Kopylov
  • Patent number: 9317682
    Abstract: Described is a system, method, and computer program product for preventing security flaws in untrusted computer source code by implementing information flow security in an existing programming language through use of an information flow security library. Confidentiality and integrity are encoded separately into the security information flow library. A security policy written in the host programming language is typechecked with a host programming language typechecker algorithm. Additionally, an untrusted module written in a restricted subset of the host programming language is typechecked with the host programming language typechecker algorithm. The untrusted modules cannot access confidential data in the host programming language. Typechecking of the untrusted modules enforces the security policy with the security information flow library.
    Type: Grant
    Filed: December 7, 2012
    Date of Patent: April 19, 2016
    Assignee: HRL Laboratories, LLC
    Inventors: Alexei Kopylov, George Kuan, Aleksey Nogin
  • Publication number: 20100223604
    Abstract: A method and apparatus is disclosed herein for using a module system for polymorphic π-calculus. In one embodiment, the method comprises receiving a formal specification of a software program; and performing automatic analysis on the formal specification using a module system fitted with processes of the polymorphic π-calculus processes.
    Type: Application
    Filed: January 7, 2010
    Publication date: September 2, 2010
    Inventors: George Kuan, Dachuan Yu, Dinakar Dhurjati, Ajay Chander, Hiroshi Inamura