ASA (Automated Security Analysis)

Galois’ ASA technology uses advanced static program analysis to automatically prove claims regarding confidentiality and integrity in C-based systems.

ASA aims to determine whether information flow in a real-world C codebases can be automatically deduced and communicated in an understandable way. Our research tool, CIFT (C Information Flow Tool) combines static code analysis and advanced visualization techniques to help users and evaluators identify defects that compromise confidentiality, integrity, and data separation.

Static analysis discovers all information flow between program storage locations using proven sound abstract interpretation techniques. For every deduced information path, CIFT tracks the code locations involved and displays the information flow graphically via a source code browser. The screenshot below shows an example of using CIFT to track information flow through the OpenSSH codebase.