Research & Development World

For Secure Software: X-rays instead of Passport Control

By R&D Editors | August 27, 2014

Trust is good, control is better. This also applies to the security of computer programs. Instead of trusting “identification documents” in the form of certificates, the JOANA software analysis tool examines the source text (code) of a program. In this way, it detects leaks, via which secret information may get out or strangers may enter the system from outside. At the same time, JOANA reduces the number of false alarms to a minimum. Developed by Karlsruhe Institute of Technology (KIT), the tool has already proved to work successfully in realistic test scenarios. In a next step, an industrial case study is planned.

“Established software certificates certify the manufacturer to be trustworthy. With JOANA, we can also check the real behavior of a program,” says Gregor Snelting, who developed the analysis tool with his research group at the Chair of Programming Paradigms of KIT. In his opinion, this is important, because most weaknesses result from unintended programming errors. The scientists currently focus on mobile applications for Android smartphones. In principle, however, they can test any program written in Java, C or C++. Initially, software companies are to use the tool to test their products before commercialization. As experts are required to set up and operate JOANA, it is less suited for private users.

JOANA checks all data channels of a software through which information flows. In this way, it detects security gaps. “We distinguish between publicly visible channels that e.g. map the user interface and protected channels that cannot be accessed by users,” Snelting explains. “To protect secret information, such as passwords or account numbers, these data have to be transmitted in protected channels exclusively. Where secret and public data flows cross, however, information may be exchanged in principle. Here, there is a risk of sensitive information being transmitted.”

Scientists distinguish several types of security gaps:

  • Directly readable copies of sensitive data may get out (explicit leak), or only the patterns of their encryption (implicit leak).
  • Secret passwords may affect the probable order of visible information flows (probabilistic leak) from which they could be reconstructed. An example: The command to print a “red L” reaches the printer at the same time as the secret password for access authorization. If the password is AB, the information “L” mostly arrives shortly before the information “red”. If the password is BA, it is just the opposite.

JOANA reliably detects such security gaps, although they are more difficult to identify.

“Minimizing false alarms is at least as important as finding all security gaps,” Snelting says.

Many false alarms lead to a massively increased inspection effort or to the alarms being ignored. JOANA reduces the number of false alarms for all security gaps, even for probabilistic leaks. For this purpose, the KIT scientists developed a new computation method (Relaxed Low-Security Observational Determinism) that requires a fixed order of observable process steps at safety-critical points only. For the example above, this would mean that the information “red” has to reach the printer always before the information “L” irrespective of the password.
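The printer example can be reproduced with a toy scheduler model. The following is an added illustration, not code from the article or from JOANA, and it does not perform JOANA's analysis; the step counts, the function names and the assumption that the thread sending “L” first does password-dependent work are all constructed.

```python
import random

def run_once(password, rng, enforce_order=False):
    """One simulated run; returns the order in which items reach the printer."""
    # Constructed model: remaining computation steps before each thread emits.
    # The thread that sends "L" does password-dependent work first.
    work = {"red": 3, "L": 1 if password == "AB" else 5}
    printed = []
    while len(printed) < 2:
        runnable = [t for t in work if t not in printed]
        if enforce_order and "red" not in printed and work["L"] == 0:
            # Fixed variant: "L" blocks at its output until "red" has arrived.
            runnable.remove("L")
        t = rng.choice(runnable)      # random scheduler picks a thread
        if work[t] > 0:
            work[t] -= 1              # one step of computation
        else:
            printed.append(t)         # the item reaches the printer
    return printed

def l_first_rate(password, enforce_order=False, trials=2000, seed=1):
    """Fraction of runs in which "L" reaches the printer before "red"."""
    rng = random.Random(seed)
    hits = sum(run_once(password, rng, enforce_order)[0] == "L"
               for _ in range(trials))
    return hits / trials

def leak_gap(enforce_order=False):
    """How far the observable order distribution moves when only the secret changes."""
    return abs(l_first_rate("AB", enforce_order) - l_first_rate("BA", enforce_order))

if __name__ == "__main__":
    for fixed in (False, True):
        label = "fixed order" if fixed else "racy"
        print(label, l_first_rate("AB", fixed), l_first_rate("BA", fixed),
              leak_gap(fixed))
```

In the racy variant the share of runs with “L” first differs sharply between the two passwords, which is the probabilistic leak; with the order fixed, the observable sequence is identical for both passwords and the gap is zero.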

“The challenge was to exclude safety-irrelevant processes from such strict requirements,” Snelting emphasizes.

Otherwise, the number of false alarms would increase, because any deviation would be classified as dangerous or executions of the program would have to be restricted considerably, such that it would hardly be usable anymore.

So far, JOANA is the only software analysis tool worldwide that does not only find all security gaps but also minimizes the number of false alarms without affecting the functioning of programs. With funds granted by the German Research Foundation, the KIT scientists have conducted research in this area for about 20 years now.

“In the longer term, software inspected by JOANA might be given a new certificate that confirms security of the program code,” Snelting says.

Interested experts may download JOANA as open source software: http://pp.ipd.kit.edu/projects/joana

About KIT

Karlsruhe Institute of Technology (KIT) is a public corporation according to the legislation of the state of Baden-Württemberg. It fulfills the mission of a university and the mission of a national research center of the Helmholtz Association. Research activities focus on energy, the natural and built environment, as well as on society and technology and cover the whole range extending from fundamental aspects to application. With about 9400 employees, including more than 6000 staff members in the science and education sector, and 24500 students, KIT is one of the biggest research and education institutions in Europe. Work of KIT is based on the knowledge triangle of research, teaching, and innovation.
