Title
Inference of Security-Sensitive Entities in Libraries
Abstract
Programming languages such as Java and C# execute code with different levels of trust in the same process, and rely on an access control model with fine-grained permissions to protect program code. Permissions are checked programmatically, and rely on programmer discipline. This can lead to subtle errors. To enable automatic security analysis about unauthorised access or information flow, it is necessary to reason about security-sensitive entities in libraries that must be protected by appropriate sanitisation/declassification via permission checks. Unfortunately, security-sensitive entities are not clearly identified. In this paper, we investigate security-sensitive entities used in Java-like languages, and develop a static program analysis technique to identify them in large codebases by analysing the patterns of permission checks. Although the technique is generic, our focus is on Java where checkPermission calls are used to guard potential security-sensitive entities. Our inference analysis uses two parameters called proximity and coverage to reduce false-positive and false-negative reports. The usefulness of the analysis is illustrated by the results obtained while checking the OpenJDK7-b147 for conformance to Java Secure Coding Guidelines that relate to the confidentiality and integrity requirements.
Year: 2017
DOI: 10.1109/SPW.2017.26
Venue: 2017 IEEE Security and Privacy Workshops (SPW)
Keywords: static analysis, Java security, permissions
Field: Permission, Static program analysis, Information flow (information theory), Computer science, Computer security, Declassification, Security analysis, Access control, Secure coding, Java
DocType: Conference
ISBN: 978-1-5386-1969-8
Citations: 0
PageRank: 0.34
References: 14
Authors: 4
Name
Order
Citations
PageRank
Yi Lu1812.85
Sora Bae201.69
Padmanabhan Krishnan38114.10
K. R. Raghavendra400.34