Software Tool Plugs Security Leaks

Aug 01, 2007

Often when you make an Internet transaction, symbols on the Web page assure you that your transaction will be secure and that private information about you, such as passwords, bank account or credit card numbers, will not be intercepted by a third party.

Such assurances mean safe passage along the information highway. But is your private information secure after it enters a merchant's computer?

Not necessarily, says a University of Illinois at Chicago computer-security expert who is developing a software tool that will help keep private information from falling under prying eyes.

"There are many ways software can leak information, and often programmers are clueless about how to prevent it," said V.N. Venkatakrishnan, assistant professor of computer science and co-director of UIC's Center for Research and Instruction in Technologies for Electronic Security.

"Programmers need tools and techniques to write good code that safeguards private data," he said. "It is important to address end-user privacy concerns during software development."

The problem focuses on the massive number of computer programs written in C, the language most widely used for building systems software for applications such as mail agents, calendars and web browsers.

Building on previous research findings, Venkatakrishnan has developed a software tool to break up private, protected data-entering programs written in C, separating it from information that is open to public access, such as via an Internet link. The tool automatically identifies what Venkatakrishnan calls the program's public and private zones, monitoring the program while running, checking the information flow almost like a gatekeeper dividing attention between these two zones.

"Taken together, the public and private zones replace the original functionality of the program," he said. "It enables you to enforce different policies on these zones. For instance, the public zone is not allowed to read sensitive data, and the private zone is not allowed network access, which addresses end-user privacy concerns."

Venkatakrishnan has already developed a prototype tool and has successfully tested it on medium-scale software programs. He just received a two-year, $250,000 single-investigator grant from the National Science Foundation to create a way to scale-up the tool for use on large-scale programs, such as mail readers and Web browsers.

The tool will be easy for programmers to use, and applicable to a wide range of programs, Venkatakrishnan said. He expects to have it tested and ready for public release within two years.

"The prototype is there. It will be fairly easy for us to build on it."

Source: University of Illinois at Chicago

Explore further: Earthquake simulation tops one quadrillion flops

add to favorites email to friend print save as pdf

Related Stories

'Heartbleed' bug a critical Internet illness

Apr 11, 2014

The "Heartbleed" flaw in Internet security is as critical as the name implies and wider spread than first believed. Warnings about the danger exposed early this week reached widening circles on Thursday, with everyone from website o ...

Heartbleed bug causes major security headache (Update 3)

Apr 09, 2014

A confounding computer bug called "Heartbleed" is causing major security headaches across the Internet as websites scramble to fix the problem and Web surfers wonder whether they should change their passwords to prevent the ...

Recommended for you

Freight train industry to miss safety deadline

28 minutes ago

The U.S. freight railroad industry says only one-fifth of its track will be equipped with mandatory safety technology to prevent most collisions and derailments by the deadline set by Congress.

IBM posts lower 1Q earnings amid hardware slump

1 hour ago

IBM's first-quarter earnings fell and revenue came in below Wall Street's expectations amid an ongoing decline in its hardware business, one that was exasperated by weaker demand in China and emerging markets.

Microsoft CEO is driving data-culture mindset

2 hours ago

(Phys.org) —Microsoft's future strategy: is all about leveraging data, from different sources, coming together using one cohesive Microsoft architecture. Microsoft CEO Satya Nadella on Tuesday, both in ...

User comments : 0

More news stories

Freight train industry to miss safety deadline

The U.S. freight railroad industry says only one-fifth of its track will be equipped with mandatory safety technology to prevent most collisions and derailments by the deadline set by Congress.

Microsoft CEO is driving data-culture mindset

(Phys.org) —Microsoft's future strategy: is all about leveraging data, from different sources, coming together using one cohesive Microsoft architecture. Microsoft CEO Satya Nadella on Tuesday, both in ...

IBM posts lower 1Q earnings amid hardware slump

IBM's first-quarter earnings fell and revenue came in below Wall Street's expectations amid an ongoing decline in its hardware business, one that was exasperated by weaker demand in China and emerging markets.

Down's chromosome cause genome-wide disruption

The extra copy of Chromosome 21 that causes Down's syndrome throws a spanner into the workings of all the other chromosomes as well, said a study published Wednesday that surprised its authors.

Ebola virus in Africa outbreak is a new strain

The Ebola virus that has killed scores of people in Guinea this year is a new strain—evidence that the disease did not spread there from outbreaks in some other African nations, scientists report.