DocumentCode
1993968
Title
Modular string-sensitive permission analysis with demand-driven precision
Author
Geay, Emmanuel ; Pistoia, Marco ; Tateishi, Takaaki ; Ryder, Barbara G. ; Dolby, Julian
Author_Institution
IBM T. J. Watson Res. Center, Hawthorne, NY
fYear
2009
fDate
16-24 May 2009
Firstpage
177
Lastpage
187
Abstract
In modern software systems, programs are obtained by dynamically assembling components. This has made it necessary to subject component providers to access-control restrictions. What permissions should be granted to each component? Too few permissions may cause run-time authorization failures; too many constitute a security hole. We have designed and implemented a composite algorithm for precise static permission analysis for Java and the CLR. Unlike previous work, the analysis is modular and fully integrated with a novel slicing-based string analysis that is used to statically compute the string values defining a permission and disambiguate permission propagation paths. The results of our research prototype on production-level Java code support the effectiveness, practicality, and precision of our techniques, and show outstanding improvement over previous work.
Keywords
Java; authorisation; object-oriented programming; program slicing; CLR; Java; access control restrictions; component assembling; composite algorithm; demand-driven precision; modern software systems; modular string-sensitive permission analysis; run-time authorization failures; security hole; slicing-based string analysis; static permission analysis; Algorithm design and analysis; Authorization; Inspection; Java; Laboratories; Permission; Prototypes; Runtime environment; Security; Testing;
fLanguage
English
Publisher
ieee
Conference_Titel
Software Engineering, 2009. ICSE 2009. IEEE 31st International Conference on
Conference_Location
Vancouver, BC
ISSN
0270-5257
Print_ISBN
978-1-4244-3453-4
Type
conf
DOI
10.1109/ICSE.2009.5070519
Filename
5070519