Interprocedural Analysis for Privileged Code Placement and Tainted Variable Detection

  • Marco Pistoia
  • Robert J. Flynn
  • Larry Koved
  • Vugranam C. Sreedhar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3586)

Abstract

In Java 2 and Microsoft .NET Common Language Runtime (CLR), trusted code has often been programmed to perform access-restricted operations not explicitly requested by its untrusted clients. Since an untrusted client will be on the call stack when access control is enforced, an access-restricted operation will not succeed unless the client is authorized. To avoid this, a portion of the trusted code can be made “privileged.” When access control is enforced, privileged code causes the stack traversal to stop at the trusted code frame, and the untrusted code stack frames will not be checked for authorization. For large programs, manually understanding which portions of code should be made privileged is a difficult task. Developers must understand which authorizations will implicitly be extended to client code and make sure that the values of the variables used by the privileged code are not “tainted” by client code. This paper presents an interprocedural analysis for Java bytecode to automatically identify which portions of trusted code should be made privileged, ensure that there are no tainted variables in privileged code, and detect “unnecessary” and “redundant” privileged code. We implemented the algorithm and present the results of our analyses on a set of large programs. While the analysis techniques are in the context of Java code, the basic concepts are also applicable to non-Java systems with a similar authorization model.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Agesen, O.: The Cartesian Product Algorithm: Simple and Precise Type Inference Of Parametric Polymorphism. In: Olthoff, W. (ed.) ECOOP 1995. LNCS, vol. 952, pp. 2–26. Springer, Heidelberg (1995)Google Scholar
  2. 2.
    Aho, A.V., Sethi, R., Ullman, J.D.: Compilers: Principles, Techniques, and Tools. Addison-Wesley, Reading (1986)Google Scholar
  3. 3.
    Ashcraft, K., Engler, D.: Using Programmer-Written Compiler Extensions to Catch Security Holes. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, Oakland, CA, USA, may 2002, pp. 143–159. IEEE Computer Society Press, Los Alamitos (2002)CrossRefGoogle Scholar
  4. 4.
    Banerjee, A., Naumann, D.A.: A Simple Semantics and Static Analysis for Java Security. Technical Report CS2001-1, Stevens Institute of Technology, Hoboken, NJ, USA (July 2001)Google Scholar
  5. 5.
    Bartoletti, M., Degano, P., Ferrari, G.L.: Static Analysis for Stack Inspection. In: Proceedings of International Workshop on Concurrency and Coordination, Amsterdam, The Netherlands. Electronic Notes in Theoretical Computer Science, vol. 54. Elsevier, Amsterdam (2001)Google Scholar
  6. 6.
    Bartoletti, M., Degano, P., Ferrari, G.L.: Stack Inspection and Secure Program Transformations. International Journal of Information Security 2(3), 187–217 (2004)CrossRefGoogle Scholar
  7. 7.
    Besson, F., Blanc, T., Fournet, C., Gordon, A.D.: From Stack Inspection to Access Control: A Security Analysis for Libraries. In: Proceedings of the 17th IEEE Computer Security Foundations Workshop, Pacific Grove, CA, USA, June 2004, pp. 61–75. IEEE Computer Society Press, Los Alamitos (2004)CrossRefGoogle Scholar
  8. 8.
    Dean, D.: The Security of Static Typing with Dynamic Linking. In: Proceedings of the 4th ACM conference on Computer and Communications Security, Zurich, Switzerland, pp. 18–27. ACM Press, New York (1997)CrossRefGoogle Scholar
  9. 9.
    Dean, D., Felten, E.W., Wallach, D.S.: Java Security: From HotJava to Netscape and beyond. In: Proceedings of the 1996 IEEE Symposium on Security and Privacy, Silver Spring, MD, USA, pp. 190–200. IEEE Computer Society Press, Los Alamitos (1996)CrossRefGoogle Scholar
  10. 10.
    Dean, D., Felten, E.W., Wallach, D.S., Balfanz, D.: Java Security: Web Browsers and Beyond. Technical Report 566-597, Princeton University, Princeton, NJ, USA (February 1997)Google Scholar
  11. 11.
    Dean, J., Grove, D., Chambers, C.: Optimization of Object-Oriented Programs Using Static Class Hierarchy Analysis. In: Proceedings of the 9th European Conference on Object-Oriented Programming, Aarhus, Denmark, August 1995, pp. 77–101. Springer, Heidelberg (1995)Google Scholar
  12. 12.
    Dean, R.D.: Formal Aspects of Mobile Code Security. PhD thesis, Princeton University, Princeton, NJ, USA (January 1999)Google Scholar
  13. 13.
    Eclipse Project, http://www.eclipse.org
  14. 14.
    Erlingsson, Ú., Schneider, F.B.: IRM Enforcement of Java Stack Inspection. In: Proceedings of the 2000 IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 2000, pp. 246–255. IEEE Computer Society, Los Alamitos (2000)CrossRefGoogle Scholar
  15. 15.
    Foster, J.S., Terauchi, T., Aiken, A.: Flow-Sensitive Type Qualifiers. In: Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation, Berlin, Germany, june 2002, pp. 1–12 (2002)Google Scholar
  16. 16.
    Freeman, A., Jones, A.: Programming.NET Security, June 2003. O’Reilly & Associates, Inc., Sebastopol (2003)Google Scholar
  17. 17.
    Gong, L., Ellison, G., Dageforde, M.: Inside Java 2 Platform Security: Architecture, API Design, and Implementation, 2nd edn., May 2003. Addison-Wesley, Reading (2003)Google Scholar
  18. 18.
    Grätzer, G.: General Lattice Theory, 2nd edn. Birkhäuser, Basel (2003)MATHGoogle Scholar
  19. 19.
    Gulwani, S., Necula, G.C.: Path-sensitive Analysis for Linear Arithmetic and Uninterpreted Functions. In: Giacobazzi, R. (ed.) SAS 2004. LNCS, vol. 3148, pp. 328–343. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  20. 20.
    Jensen, T.P., Métayer, D.L., Thorn, T.: Verification of Control Flow Based Security Properties. In: Proceedings of the 1999 IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 1999, pp. 89–103 (1999)Google Scholar
  21. 21.
    Karger, P.A.: IBM Thomas J. Watson Research Center, Yorktown Heights, NY, USA. Private communication, 17 December (2004)Google Scholar
  22. 22.
    Kildall, G.A.: A Unified Approach to Global Program Optimization. In: Proceedings of the 1st Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, Boston, MA, USA, pp. 194–206. ACM Press, New York (1973)CrossRefGoogle Scholar
  23. 23.
    Koegel, J.F., Koegel, R.M., Li, Z., Miruke, D.T.: A Security Analysis of VAX VMS. In: ACM 1985: Proceedings of the 1985 ACM Annual Conference on the Range of Computing: Mid-80’s Perspective, pp. 381–386. ACM Press, New York (1985)CrossRefGoogle Scholar
  24. 24.
    Koved, L., Pistoia, M., Kershenbaum, A.: Access Rights Analysis for Java. In: Proceedings of the 17th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, Seattle, WA, USA, November 2002, pp. 359–372. ACM Press, New York (2002)CrossRefGoogle Scholar
  25. 25.
    Muchnick, S.S.: Advanced Compiler Design and Implementation. Morgan Kaufmann Publishers Inc., San Francisco (1997)Google Scholar
  26. 26.
    Naumovich, G., Centonze, P.: Static Analysis of Role-Based Access Control in J2EE Applications. SIGSOFT Software Engineering Notes 29(5), 1–10 (2004)CrossRefGoogle Scholar
  27. 27.
    Newsome, J., Song, D.: Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In: Proceedings of the 12th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, Feb 2005. IEEE Computer Society, Los Alamitos (2005)Google Scholar
  28. 28.
    Pistoia, M., Nagaratnam, N., Koved, L., Nadalin, A.: Enterprise Java Security. Addison-Wesley, Reading (2004)Google Scholar
  29. 29.
    Pistoia, M., Reller, D., Gupta, D., Nagnur, M., Ramani, A.K.: Java 2 Network Security, 2nd edn. Prentice Hall PTR, Upper Saddle River (1999)Google Scholar
  30. 30.
    Pottier, F., Skalka, C., Smith, S.F.: A Systematic Approach to Static Access Control. In: Sands, D. (ed.) ESOP 2001. LNCS, vol. 2028, pp. 30–45. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  31. 31.
    Ryder, B.G.: Dimensions of Precision in Reference Analysis of Object-Oriented Languages. In: Proceedings of the 12th International Conference on Compiler Construction, Warsaw, Poland, April 2003, pp. 126–137 (2003) (Invited Paper)Google Scholar
  32. 32.
    Saltzer, J.H., Schroeder, M.D.: The Protection of Information in Computer Systems. In: Proceedings of the IEEE, september 1975, vol. 63, pp. 1278–1308 (1975)Google Scholar
  33. 33.
    Shankar, U., Talwar, K., Foster, J.S., Wagner, D.: Detecting Format String Vulnerabilities with Type Qualifiers. In: Proceedings of the 10th USENIX Security Symposium, Washington, DC, USA (August 2001)Google Scholar
  34. 34.
    Standard Performance Evaluation Corporation Java Business Benchmark 2000 (SPECjbb2000), http://www.spec.org.
  35. 35.
    Sun Microsystems, Security Code Guidelines, http://java.sun.com
  36. 36.
    Tip, F., Dinesh, T.B.: A Slicing-based Approach for Locating Type Errors. ACM Transactions on Software Engineering and Methodology 10(1), 5–55 (2001)CrossRefGoogle Scholar
  37. 37.
    Volpano, D., Irvine, C., Smith, G.: A Sound Type System for Secure Flow Analysis. Journal of Computer Security 4(2-3), 167–187 (1996)Google Scholar
  38. 38.
    Wall, L., Christiansen, T., Orwant, J.: Programming Perl, 3rd edn. O’Reilly & Associates, Inc., Sebastopol (2000)MATHGoogle Scholar
  39. 39.
    Dan, S.: Wallach. A New Approach to Mobile-Code Security. PhD thesis, Princeton University, Princeton, NJ, USA (January 1999)Google Scholar
  40. 40.
    Wallach, D.S., Balfanz, D., Dean, D., Felten, E.W.: Extensible Security Architectures for Java. In: Proceedings of the 16th ACM Symposium on Operating Systems Principles, Saint Malo, France, pp. 116–128. ACM Press, New York (1997)CrossRefGoogle Scholar
  41. 41.
    Wallach, D.S., Felten, E.W.: Understanding Java Stack Inspection. In: Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 1998, pp. 52–63 (1998)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Marco Pistoia
    • 1
  • Robert J. Flynn
    • 2
  • Larry Koved
    • 1
  • Vugranam C. Sreedhar
    • 1
  1. 1.IBM Watson Research CenterYorktown HeightsUSA
  2. 2.Polytechnic UniversityBrooklynUSA

Personalised recommendations