论文信息 - Using standard verifier to check secure information flow in Java bytecode

Using standard verifier to check secure information flow in Java bytecode

When an applet is sent over the internet, Java Virtual Machine code is transmitted and remotely executed. Because untrusted code can be executed on the local computer running the web browser security problems may arise. We present a method to check illicit flows in Java bytecode, that exploits the type-level abstract interpretation of bytecode verification. We present an algorithm transforming a bytecode into another one that, when abstractly executed by the standard bytecode verifier, reveals illicit information flows. We show an example of application of the method.

Nicoletta De Francesco | Giuseppe Lettieri | Cinzia Bernardeschi

[1] Jean-Louis Lanet,et al. Checking Secure Interactions of Smart Card Applets , 2000, ESORICS.

[2] Roberto Barbuti,et al. Checking security of Java bytecode by abstract interpretation , 2002, SAC '02.

[3] Frank Yellin,et al. The Java Virtual Machine Specification , 1996 .

[4] Peter J. Denning,et al. Certification of programs for secure information flow , 1977, CACM.

[5] Dorothy E. Denning,et al. A lattice model of secure information flow , 1976, CACM.

[6] Eva Rose,et al. Lightweight Bytecode Verification , 2004, Journal of Automated Reasoning.

[7] Nicoletta De Francesco,et al. Combining Abstract Interpretation and Model Checking for Analysing Security Properties of Java Bytecode , 2002, VMCAI.

[8] Xavier Leroy. Java Bytecode Verification: An Overview , 2001, CAV.

[9] Thomas Ball,et al. What's in a region?: or computing control dependence regions in near-linear time for reducible control flow , 1993, LOPL.

[10] Roberto Barbuti,et al. Abstract interpretation of operational semantics for secure information flow , 2002, Inf. Process. Lett..

[11] Gregory R. Andrews,et al. An Axiomatic Approach to Information Flow in Programs , 1980, TOPL.

[12] Geoffrey Smith,et al. A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..