ABSTRACT
Even experienced developers struggle to implement security policies correctly. For example, despite 15 years of development, standard Java libraries still suffer from missing and incorrectly applied permission checks, which enable untrusted applications to execute native calls or modify private class variables without authorization. Previous techniques for static verification of authorization enforcement rely on manually specified policies or attempt to infer the policy by code-mining. Neither approach guarantees that the policy used for verification is correct.
In this paper, we exploit the fact that many modern APIs have multiple, independent implementations. Our flow- and context-sensitive analysis takes as input an API, multiple implementations thereof, and the definitions of security checks and security-sensitive events. For each API entry point, the analysis computes the security policies enforced by the checks before security-sensitive events such as native method calls and API returns, compares these policies across implementations, and reports the differences. Unlike code-mining, this technique finds missing checks even if they are part of a rare pattern. Security-policy differencing has no intrinsic false positives: implementations of the same API must enforce the same policy, or at least one of them is wrong!
Our analysis finds 20 new, confirmed security vulnerabilities and 11 interoperability bugs in the Sun, Harmony, and Classpath implementations of the Java Class Library, many of which were missed by prior analyses. These problems manifest in 499 entry points in these mature, well-studied libraries. Multiple API implementations are proliferating due to cloud-based software services and standardization of library interfaces. Comparing software implementations for consistency is a new approach to discovering "deep" bugs in them.
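A small added illustration of the security-policy differencing idea described above; this is constructed example code, not the paper's analysis or any Java Class Library code. Each implementation of one API entry point is modelled as a tiny control-flow graph, a must-dataflow pass computes which checks guard every path to each security-sensitive event, and the resulting policies are diffed across implementations (node names, the permission label P and the event labels are all constructed).

```python
"""Security-policy differencing over toy control-flow graphs (constructed example)."""
from itertools import chain

# A method body is a CFG: node id -> (kind, label, successors). kind is
# "entry", "check" (a permission check), "event" (a security-sensitive
# event such as a native call or API return) or "exit" (plain).
Cfg = dict[str, tuple[str, str, list[str]]]


def enforced_checks(cfg: Cfg) -> dict[str, frozenset[str]]:
    """Checks performed on *every* path from entry to each sensitive event.
    Forward must-analysis: IN[n] = intersection of OUT[p] over predecessors,
    OUT[n] = IN[n] plus n's own check; iterating from the universe to a
    fixpoint makes it flow-sensitive and handles joins and loops."""
    universe = frozenset(lbl for kind, lbl, _ in cfg.values() if kind == "check")
    preds: dict[str, list[str]] = {n: [] for n in cfg}
    for n, (_, _, succs) in cfg.items():
        for s in succs:
            preds[s].append(n)
    out = {n: universe for n in cfg}
    out["entry"] = frozenset()
    changed = True
    while changed:
        changed = False
        for n, (kind, lbl, _) in cfg.items():
            if n == "entry" or not preds[n]:   # entry, or dead code: leave as is
                continue
            inn = frozenset.intersection(*(out[p] for p in preds[n]))
            new = inn | {lbl} if kind == "check" else inn
            if new != out[n]:
                out[n], changed = new, True
    return {lbl: out[n] for n, (kind, lbl, _) in cfg.items() if kind == "event"}


def diff_policies(api: str, impls: dict[str, Cfg]) -> list[str]:
    """Report every sensitive event whose guarding checks differ between implementations."""
    policies = {name: enforced_checks(cfg) for name, cfg in impls.items()}
    reports = []
    for ev in sorted(set(chain.from_iterable(policies.values()))):
        seen = {name: pol.get(ev) for name, pol in policies.items()}
        if len(set(seen.values())) > 1:   # at least one implementation is wrong
            detail = ", ".join(f"{name}={'absent' if c is None else sorted(c)}"
                               for name, c in sorted(seen.items()))
            reports.append(f"{api}: event '{ev}' guarded differently: {detail}")
    return reports


# Constructed entry point "Foo.bar": A checks P before the native call,
# B skips the check on one branch (a missing check), C checks only after it.
IMPL_A = {"entry": ("entry", "", ["c1"]), "c1": ("check", "P", ["e1"]),
          "e1": ("event", "native call", ["exit"]), "exit": ("exit", "", [])}
IMPL_B = {"entry": ("entry", "", ["c1", "e1"]), "c1": ("check", "P", ["e1"]),
          "e1": ("event", "native call", ["exit"]), "exit": ("exit", "", [])}
IMPL_C = {"entry": ("entry", "", ["e1"]), "e1": ("event", "native call", ["c1"]),
          "c1": ("check", "P", ["exit"]), "exit": ("exit", "", [])}
```

Running `diff_policies("Foo.bar", {"A": IMPL_A, "B": IMPL_B, "C": IMPL_C})` yields one report for the native call, since only A guards it with P on every path.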