DOI: 10.1145/1993498.1993539 (research article)

A security policy oracle: detecting security holes using multiple API implementations

Published: 04 June 2011

ABSTRACT

Even experienced developers struggle to implement security policies correctly. For example, despite 15 years of development, standard Java libraries still suffer from missing and incorrectly applied permission checks, which enable untrusted applications to execute native calls or modify private class variables without authorization. Previous techniques for static verification of authorization enforcement rely on manually specified policies or attempt to infer the policy by code-mining. Neither approach guarantees that the policy used for verification is correct.

In this paper, we exploit the fact that many modern APIs have multiple, independent implementations. Our flow- and context-sensitive analysis takes as input an API, multiple implementations thereof, and the definitions of security checks and security-sensitive events. For each API entry point, the analysis computes the security policies enforced by the checks before security-sensitive events such as native method calls and API returns, compares these policies across implementations, and reports the differences. Unlike code-mining, this technique finds missing checks even if they are part of a rare pattern. Security-policy differencing has no intrinsic false positives: implementations of the same API must enforce the same policy, or at least one of them is wrong!
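The policy differencing described above, as an added worked example in Python. This is not the paper's analysis (which is interprocedural, context-sensitive and runs over Java bytecode); it is a toy that keeps the essential idea: each entry point is modelled as a small control-flow graph in which the definitions of security checks and security-sensitive events are given by node kinds, a must-dataflow analysis collects the checks that precede every sensitive event on all paths, and the resulting per-implementation policies are diffed. The entry point `Sample.loadNativeLibrary`, the permission string, the event names and all three graphs are constructed for illustration and are not findings from the paper.

```python
"""Toy security-policy differencing over tiny control-flow graphs.

cfg[node] = (kind, payload, successors); the entry node is "entry".
kinds: "check" (payload = permission checked), "sensitive" (payload =
event name such as a native call or the API return), "nop" (branch/join).
The policy enforced at a sensitive event is the set of checks found on
every path from entry to it: a must (intersection) dataflow analysis,
flow-sensitive but intraprocedural and context-insensitive.
"""
from collections import deque


def enforced_policy(cfg):
    """Return {event: frozenset(checks present on all paths to the event)}."""
    preds = {n: [] for n in cfg}
    for n, (_, _, succs) in cfg.items():
        for s in succs:
            preds[s].append(n)
    all_checks = frozenset(p for k, p, _ in cfg.values() if k == "check")
    # Optimistic start (every check assumed to hold), refined to the greatest fixpoint.
    in_ = {n: all_checks for n in cfg}
    out = {n: all_checks for n in cfg}
    work = deque(cfg)
    while work:
        n = work.popleft()
        kind, payload, succs = cfg[n]
        if preds[n]:
            inn = frozenset.intersection(*(out[p] for p in preds[n]))
        else:
            inn = frozenset()            # entry (or unreachable) node: nothing checked yet
        new_out = inn | ({payload} if kind == "check" else frozenset())
        if inn != in_[n] or new_out != out[n]:
            in_[n], out[n] = inn, new_out
            work.extend(succs)
    policy = {}
    for n, (kind, payload, _) in cfg.items():
        if kind == "sensitive":
            # An event raised at two sites is only as protected as its weakest site.
            policy[payload] = policy.get(payload, in_[n]) & in_[n]
    return policy


def diff_policies(api_entry, impls):
    """Diff the policies that several implementations ({name: cfg}) enforce for
    one API entry point.  Returns a list of findings (empty = all agree).
    A check enforced by some implementations but not others marks a missing
    permission check; an event reached by some but not others is an
    interoperability difference in what the entry point does."""
    policies = {name: enforced_policy(cfg) for name, cfg in impls.items()}
    events = sorted(set().union(*(p.keys() for p in policies.values())))
    findings = []
    for ev in events:
        have = {name: pol[ev] for name, pol in policies.items() if ev in pol}
        missing = sorted(set(policies) - set(have))
        if missing:
            findings.append(f"{api_entry}: event {ev!r} never reached in {missing} (interop)")
        strongest = frozenset().union(*have.values())
        for name, checks in sorted(have.items()):
            lacking = sorted(strongest - checks)
            if lacking:
                findings.append(f"{api_entry}: {name} reaches {ev!r} without {lacking}")
    return findings


# Constructed sample (not from the paper): three implementations of a
# hypothetical entry point Sample.loadNativeLibrary.  "ref" always checks a
# RuntimePermission before the native call; "alt" adds a cache fast path that
# reaches the native call and the API return unchecked; "other" is a pure-Java
# fallback that never makes the native call at all.
PERM = 'RuntimePermission("loadLibrary")'
REF_IMPL = {
    "entry":  ("nop", None, ["chk"]),
    "chk":    ("check", PERM, ["native"]),
    "native": ("sensitive", "native:load0", ["ret"]),
    "ret":    ("sensitive", "return", []),
}
ALT_IMPL = {
    "entry":  ("nop", None, ["cached", "chk"]),   # cache hit or miss
    "cached": ("nop", None, ["native"]),          # fast path skips the check
    "chk":    ("check", PERM, ["native"]),
    "native": ("sensitive", "native:load0", ["ret"]),
    "ret":    ("sensitive", "return", []),
}
OTHER_IMPL = {
    "entry": ("nop", None, ["chk"]),
    "chk":   ("check", PERM, ["ret"]),
    "ret":   ("sensitive", "return", []),
}


def demo():
    impls = {"ref": REF_IMPL, "alt": ALT_IMPL, "other": OTHER_IMPL}
    return diff_policies("Sample.loadNativeLibrary", impls)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The oracle reports that `alt` reaches both the native call and the return without the permission check, and that `other` never reaches the native call (an interoperability difference rather than a security hole). As the abstract says, the diff itself has no intrinsic false positives, but it also does not say which side is wrong: a finding still needs a human to decide whether `ref` over-checks or `alt` is missing a check. A real analysis must additionally follow calls into callees, where checks often live, and distinguish calling contexts; this toy does neither.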

Our analysis finds 20 new, confirmed security vulnerabilities and 11 interoperability bugs in the Sun, Harmony, and Classpath implementations of the Java Class Library, many of which were missed by prior analyses. These problems manifest in 499 entry points in these mature, well-studied libraries. Multiple API implementations are proliferating due to cloud-based software services and standardization of library interfaces. Comparing software implementations for consistency is a new approach to discovering "deep" bugs in them.


Published in

• PLDI '11: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2011, 668 pages. ISBN 9781450306638. DOI: 10.1145/1993498. General Chair: Mary Hall. Program Chair: David Padua.
• ACM SIGPLAN Notices, Volume 46, Issue 6 (PLDI '11), June 2011, 652 pages. ISSN 0362-1340, EISSN 1558-1160. DOI: 10.1145/1993316.

                  Copyright © 2011 ACM

                  Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance Rates: overall acceptance rate 406 of 2,067 submissions (20%)
