A method for controlling sensitive data propagation in information systems software
UDC: 004.056
DOI: -
Authors:
TIMAKOV A.A.
1
1 MIREA - Russian Technological University, Moscow, Russia
Keywords: information flow, control of information flows, static analysis, annotated data analysis, programming pattern
Annotation:
The author of the article considers a method for controlling the propagation of sensitive data in the software environment of an automated system, based on static analysis of annotated data and the use of a new programming pattern. The proposed method is aimed at cross-platform systems and involves protective measures implementation at various stages of the lifecycle. It places primary responsibilities on software developers who should follow the established recommendations and rules. The author of the article also provides an example of implementation of the new programming pattern "one-time storage" in Java. Experts in software vulnerability analysis and undisclosed capabilities play an important role in addressing the identified problem. For them, a library of queries in the CodeQL (Code Query Language) is developed in the context of controlling the dissemination of sensitive data, with detailed descriptions of the properties it verifies and examples of its use. The proposed method provides additional guarantees of confidentiality for the information processed in a complex automated system.
Bibliography:
1. Timakov A.A. TIFL – Universal'nyy yazyk opisaniya informatsionnykh potokov v programmnom obespechenii // Avtomatizatsiya i informatizatsiya TEK. – 2025. – № 2(619). – S. 67–73.
2. Hedin D., Sabelfeld A. A Perspective on Information-Flow Control // Software Safety and Security. Vol. 33. – IOS Press, 2012. – P. 319–347. – DOI: 10.3233/978-1-61499-028-4-319
3. Denning D.E. A lattice model of secure information flow // Communications of the ACM. – 1976. – Vol. 19, Issue 5. – P. 236–243. – DOI: 10.1145/360051.360056
4. Volpano D., Smith G.S., Irvine C. A Sound Type System for Secure Flow Analysis // J. of Computer Security. – 1996. – Vol. 4, Issue 2-3. – S. 167–187. – DOI: 10.3233/JCS-1996-42-304
5. Youn Dongjun, Lee Sungho, Ryu Sukyoung. Declarative static analysis for multilingual programs using CodeQL // Software: Practice and Experience. – 2023. – Vol. 53, Issue 7. – P. 1472–1495. – DOI: 10.1002/spe.3199
6. Polovinko V. Kiberbezopasnost' ob"ektov TEK v 2023 godu. – URL: https://www.itsec.ru/articles/kiberbezopasnost-obektov-tek-v-2023-godu
7. GOST R 53113.1-2008. Informatsionnaya tekhnologiya. Zashchita informatsionnykh tekhnologiy i avtomatizirovannykh sistem ot ugroz informatsionnoy bezopasnosti, realizuemykh s ispol'zovaniem skrytykh kanalov. Chast' 1. – Vved. 2009–10–01. – M.: Standartinform, 2009. – IV, 8 s.
8. URL: https://gitlab.fwkrr.ru/Freewalkr/vkr-dataflow-control
Back to issue