Abstract
Even experienced developers struggle to implement security policies correctly. For example, despite 15 years of development, standard Java libraries still suffer from missing and incorrectly applied permission checks, which enable untrusted applications to execute native calls or modify private class variables without authorization. Previous techniques for static verification of authorization enforcement rely on manually specified policies or attempt to infer the policy by code-mining. Neither approach guarantees that the policy used for verification is correct.
In this paper, we exploit the fact that many modern APIs have multiple, independent implementations. Our flow- and context-sensitive analysis takes as input an API, multiple implementations thereof, and the definitions of security checks and security-sensitive events. For each API entry point, the analysis computes the security policies enforced by the checks before security-sensitive events such as native method calls and API returns, compares these policies across implementations, and reports the differences. Unlike code-mining, this technique finds missing checks even if they are part of a rare pattern. Security-policy differencing has no intrinsic false positives: implementations of the same API must enforce the same policy, or at least one of them is wrong!
Our analysis finds 20 new, confirmed security vulnerabilities and 11 interoperability bugs in the Sun, Harmony, and Classpath implementations of the Java Class Library, many of which were missed by prior analyses. These problems manifest in 499 entry points in these mature, well-studied libraries. Multiple API implementations are proliferating due to cloud-based software services and standardization of library interfaces. Comparing software implementations for consistency is a new approach to discovering "deep" bugs in them.
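The policy-differencing step described above, reduced to a runnable toy. This is an added illustration, not the paper's analysis (which runs on Java bytecode with flow and context sensitivity): each entry point is modelled as a small control-flow graph whose nodes are permission checks, security-sensitive events (native calls, API returns) or plain code. The enforced policy before an event is the set of checks performed on every path from the entry to that event, computed as a forward must-dataflow (intersection over predecessors). Two hypothetical implementations of a made-up entry point `loadNative` are compared; the permission name, node ids and the "cached path skips the check" pattern are all constructed for the example.

```python
"""Toy security-policy differencing across two hypothetical API implementations."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

@dataclass
class Node:
    kind: str                                  # "check" | "event" | "plain"
    label: str = ""                            # permission for checks, event name for events
    succs: List[str] = field(default_factory=list)

@dataclass
class EntryPoint:
    impl: str                                  # which implementation this CFG comes from
    name: str                                  # API entry point name
    entry: str                                 # id of the entry node
    nodes: Dict[str, Node]

def _reachable(ep: EntryPoint) -> Set[str]:
    seen, work = set(), [ep.entry]
    while work:
        n = work.pop()
        if n in seen:
            continue
        seen.add(n)
        work.extend(ep.nodes[n].succs)
    return seen

def enforced_policy(ep: EntryPoint) -> Dict[str, FrozenSet[str]]:
    """Map each sensitive event to the checks that guard it on *every* path.

    IN[n] = intersection over predecessors p of OUT[p]; OUT[p] adds p's check.
    Starting from TOP (all checks) and iterating to a fixpoint gives the
    must-enforced set, so a check skipped on even one rare path drops out."""
    live = _reachable(ep)
    preds: Dict[str, List[str]] = {n: [] for n in live}
    for n in live:
        for s in ep.nodes[n].succs:
            preds[s].append(n)
    all_checks = {ep.nodes[n].label for n in live if ep.nodes[n].kind == "check"}
    in_sets: Dict[str, Set[str]] = {n: set(all_checks) for n in live}
    in_sets[ep.entry] = set()                  # nothing has been checked on entry

    def out_set(n: str) -> Set[str]:
        node = ep.nodes[n]
        return in_sets[n] | ({node.label} if node.kind == "check" else set())

    changed = True
    while changed:                             # sets only shrink, so this terminates
        changed = False
        for n in live:
            if n == ep.entry:
                continue
            new = set.intersection(*(out_set(p) for p in preds[n]))
            if new != in_sets[n]:
                in_sets[n] = new
                changed = True

    policy: Dict[str, FrozenSet[str]] = {}
    for n in live:
        node = ep.nodes[n]
        if node.kind == "event":               # same event at several sites: weakest guard wins
            cur = frozenset(in_sets[n])
            policy[node.label] = cur if node.label not in policy else policy[node.label] & cur
    return policy

def diff_policies(a: EntryPoint, b: EntryPoint) -> List[str]:
    """Report every sensitive event whose enforced checks differ between a and b."""
    pa, pb = enforced_policy(a), enforced_policy(b)
    findings = []
    for event in sorted(set(pa) | set(pb)):
        ca, cb = pa.get(event), pb.get(event)
        if ca is None or cb is None:
            only = a.impl if ca is not None else b.impl
            findings.append(f"{a.name}: event '{event}' occurs only in {only}")
        elif ca != cb:
            findings.append(f"{a.name}: before '{event}', {a.impl} enforces "
                            f"{sorted(ca)} but {b.impl} enforces {sorted(cb)}")
    return findings

# Constructed example data (hypothetical implementations, not real library code).
RUNTIME_PERM = "RuntimePermission(loadLibrary)"
IMPL_A = EntryPoint("ImplA", "loadNative", "e", {
    "e":    Node("plain", succs=["chk"]),
    "chk":  Node("check", RUNTIME_PERM, succs=["load"]),
    "load": Node("event", "native:dlopen", succs=["ret"]),
    "ret":  Node("event", "return"),
})
# ImplB checks only on the uncached path; the cached path reaches the native call unguarded.
IMPL_B = EntryPoint("ImplB", "loadNative", "e", {
    "e":      Node("plain", succs=["cached", "chk"]),
    "cached": Node("plain", succs=["load"]),
    "chk":    Node("check", RUNTIME_PERM, succs=["load"]),
    "load":   Node("event", "native:dlopen", succs=["ret"]),
    "ret":    Node("event", "return"),
})

if __name__ == "__main__":
    for line in diff_policies(IMPL_A, IMPL_B):
        print(line)
```

The difference report does not say which implementation is right; as the abstract notes, it only guarantees that at least one of them is wrong. Here ImplA guards both the native call and the return with the permission check while ImplB guards neither on the cached path, which is exactly the rare-pattern omission that code-mining tends to miss.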
A security policy oracle: detecting security holes using multiple API implementations
PLDI '11: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation