For access control in Java or .NET web applications, the runtime system examines the methods on the runtime stack for granted permissions, to prevent untrusted code from executing. There is quite limited research on automatically generating security policies for configuring application components. In practice, configuring the security policy of a web application relies mostly on the expertise of developers. In this work, we present an approach to automatically generating permission-based security policies for Java applications so that they pass runtime authorization. Our technique is based on context-sensitive static program analysis in the framework of conditional weighted pushdown systems. To tackle the challenges of access rights analysis, such as statically identifying the permissions to be examined at stack inspection points, we propose a uniform abstract interpretation of program calling contexts, which is used to glue together the various analysis modules involved in access rights analysis, including points-to analysis, string analysis and policy generation analysis. As a result, we can statically identify relevant permissions at the stack inspection sites and perform context-sensitive policy generation analysis.
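
The policy generation problem described above, shown as an added example that is not code from the paper: a simplified model that enumerates acyclic call paths explicitly instead of using conditional weighted pushdown systems, and derives the permissions each component must be granted for every stack inspection to pass. The call graph, method names, permission strings, and the choice of which frame calls Java's `doPrivileged` are constructed assumptions.

```python
from typing import Dict, List, Set

# Constructed call graph (method -> callees); every name here is hypothetical.
CALLS = {
    "app.Main.run": ["lib.Report.save", "lib.Net.fetch"],
    "lib.Report.save": ["jdk.File.write"],
    "lib.Net.fetch": ["lib.Cache.load"],
    "lib.Cache.load": ["jdk.File.read"],
}
# Stack inspection sites and the permission each one demands (constructed).
CHECKS = {
    "jdk.File.write": "FilePermission /tmp/report write",
    "jdk.File.read": "FilePermission /var/cache read",
}
PRIVILEGED = {"lib.Cache.load"}  # frames assumed to call doPrivileged
TRUSTED = {"jdk"}                # components assumed to hold AllPermission

def component(method: str) -> str:
    return method.split(".")[0]

def frames_inspected(stack: List[str]) -> List[str]:
    """Frames a stack walk visits: top of stack down to the first privileged frame."""
    visited = []
    for frame in reversed(stack):
        visited.append(frame)
        if frame in PRIVILEGED:
            break  # the privileged frame is checked, its callers are not
    return visited

def generate_policy(entry: str) -> Dict[str, Set[str]]:
    """Collect, per component, the permissions needed on every acyclic call path."""
    policy: Dict[str, Set[str]] = {}
    def walk(method: str, stack: List[str]) -> None:
        stack = stack + [method]  # calling context of this path
        if method in CHECKS:
            for frame in frames_inspected(stack):
                if component(frame) not in TRUSTED:
                    policy.setdefault(component(frame), set()).add(CHECKS[method])
        for callee in CALLS.get(method, []):
            if callee not in stack:  # cut recursion in this simplified model
                walk(callee, stack)
    walk(entry, [])
    return policy

def passes(stack: List[str], perm: str, policy: Dict[str, Set[str]]) -> bool:
    """Runtime check: every inspected, untrusted frame must hold the permission."""
    return all(component(f) in TRUSTED or perm in policy.get(component(f), set())
               for f in frames_inspected(stack))
```

Because the walk stops at the privileged frame, `app` is not granted the cache read permission, which is the least-privilege outcome a calling-context-aware analysis is meant to preserve.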