A conservative algorithm for computing the flow of permissions in Java programs

Open distributed systems are becoming increasingly popular. Such systems include components that may be obtained from a number of different sources. For example, Java allows run-time loading of software components residing on remote machines. One unfortunate side-effect of this openness is the possibility that "hostile" software components may compromise the security of both the program and the system on which it runs. Java offers a built-in security mechanism, using which programmers can give permissions to distributed components and check these permissions at run-time. This security model is flexible, but using it is not straightforward, which may lead to insufficiently tight permission checking and therefore breaches of security.In this paper, we propose a data flow algorithm for automated analysis of the flow of permissions in Java programs. Our algorithm produces, for a given instruction in the program, a set of permissions that are checked on all possible executions up to this instruction. This information can be used in program understanding tools or directly for checking properties that assert what permissions must always be checked before access to certain functionality is allowed. The worst-case complexity of our algorithm is low-order polynomial in the number of program statements and permission types, while comparable previous approaches have exponential costs.

[1]  Tool Support for Planning the Restructuring of Data Abstractions in Large Systems , 1998, IEEE Trans. Software Eng..

[2]  Xavier Leroy,et al.  Security properties of typed applets , 1998, POPL '98.

[3]  Geoffrey Smith,et al.  A Sound Type System for Secure Flow Analysis , 1996, J. Comput. Secur..

[4]  Li Gong,et al.  Inside Java 2 Platform Security: Architecture, API Design, and Implementation , 1999 .

[5]  Cornelia Pusch,et al.  Proving the Soundness of a Java Bytecode Verifier Specification in Isabelle/HOL , 1999, TACAS.

[6]  Zohar Manna,et al.  The Temporal Logic of Reactive and Concurrent Systems , 1991, Springer New York.

[7]  Martín Abadi,et al.  A type system for Java bytecode subroutines , 1999, TOPL.

[8]  Donglin Liang,et al.  Extending and evaluating flow-insenstitive and context-insensitive points-to analyses for Java , 2001, PASTE '01.

[9]  LaboratoriesLucent,et al.  The SLam Calculus : Programming with Security and IntegrityNevin HeintzeBell LaboratoriesLucent Technologies , 1998 .

[10]  Matthew S. Hecht,et al.  Flow Analysis of Computer Programs , 1977 .

[11]  Peter Bertelsen,et al.  Dynamic semantics of Java bytecode , 2000, Future Gener. Comput. Syst..

[12]  Geoffrey Smith,et al.  A Type-Based Approach to Program Security , 1997, TAPSOFT.

[13]  Daniel Le Métayer,et al.  Verification of control flow based security properties , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[14]  Marco Pistoia,et al.  JAVA 2 Network Security , 1999 .

[15]  Gerard J. Holzmann,et al.  The Model Checker SPIN , 1997, IEEE Trans. Software Eng..

[16]  John Ulrich,et al.  Automated Analysis of Cryptographic Protocols Using Mur ' , 1997 .

[17]  John C. Mitchell,et al.  Automated analysis of cryptographic protocols using Mur/spl phi/ , 1997, Proceedings. 1997 IEEE Symposium on Security and Privacy (Cat. No.97CB36097).

[18]  Barbara G. Ryder,et al.  Pointer-induced aliasing: a problem classification , 1991, POPL '91.

[19]  James C. Corbett,et al.  Evaluating Deadlock Detection Methods for Concurrent Software , 1996, IEEE Trans. Software Eng..

[20]  A. Joesang Security Protocol Verification Using SPIN , 1995 .

[21]  Luo Hong JAVA Security Architecture , 2000 .

[22]  ChinShiu-Kai High-confidence design for security , 1999 .

[23]  Clemens A. Szyperski,et al.  Component software - beyond object-oriented programming , 2002 .

[24]  Vitaly Shmatikov,et al.  Analysis of a Fair Exchange Protocol , 2000, NDSS.

[25]  Andrew C. Myers,et al.  Complete, safe information flow with decentralized labels , 1998, Proceedings. 1998 IEEE Symposium on Security and Privacy (Cat. No.98CB36186).

[26]  Zhenyu Qian,et al.  A formal specification of Java class loading , 2000, OOPSLA '00.

[27]  Eva Rose,et al.  Lightweight Bytecode Verification , 2004, Journal of Automated Reasoning.

[28]  Geoffrey Smith,et al.  Secure information flow in a multi-threaded imperative language , 1998, POPL '98.

[29]  Shiu-Kai Chin,et al.  High-confidence design for security: don't trust—verify , 1999, CACM.

[30]  Vitaly Shmatikov,et al.  Finite-State Analysis of SSL 3.0 , 1998, USENIX Security Symposium.

[31]  Hiroyuki Seki,et al.  Security verification of programs with stack inspection , 2001, SACMAT '01.

[32]  Michael Hind,et al.  Pointer analysis: haven't we solved this problem yet? , 2001, PASTE '01.

[33]  George S. Avrunin,et al.  Data flow analysis for checking properties of concurrent Java programs , 1999, Proceedings of the 1999 International Conference on Software Engineering (IEEE Cat. No.99CB37002).

[34]  Leon J. Osterweil,et al.  Interprocedural static analysis of sequencing constraints , 1992, TSEM.

[35]  David Notkin,et al.  Improving efficiency of symbolic model checking for state-based system requirements , 1998, ISSTA '98.

[36]  Zhenyu Qian,et al.  A Formal Specification of Java TM Class Loading Zhenyu , 2000 .

[37]  Alfred V. Aho,et al.  Compilers: Principles, Techniques, and Tools , 1986, Addison-Wesley series in computer science / World student series edition.

[38]  Lori A. Clarke,et al.  Data flow analysis for verifying properties of concurrent programs , 1994, SIGSOFT '94.

[39]  Drew Dean,et al.  The security of static typing with dynamic linking , 1997, CCS '97.

[40]  Jens Palsberg,et al.  Scalable propagation-based call graph construction algorithms , 2000, OOPSLA '00.

[41]  David Grove,et al.  A framework for call graph construction algorithms , 2001, TOPL.

[42]  David L. Dill,et al.  The Murphi Verification System , 1996, CAV.