Qualitative and Quantitative Analysis of Information Leakage in Java Source Code

摘要

Java is a kind of type-safe language, it introduces access control mechanism into bytecode and application layer, so as to guarantee the system resource and running environment avoid the invasion of the malicious code. However, in some information systems, information leakage is not due to the faultiness of the security model, but the absence of the information flow control policy and implementation of that in the source code. So, it is necessary to analyze how information leaks through the source code. This paper surveys information leakage in Java source code by qualitative analysis, and after defining conditional information entropy of the variables, quantitative analysis of information-leak in code is given. Language-based software security researches, new direction in the development of high trusted software, are introduced finally.