Research article
DOI: 10.1145/1993498.1993539

A security policy oracle: detecting security holes using multiple API implementations

Published: 04 June 2011

Abstract

Even experienced developers struggle to implement security policies correctly. For example, despite 15 years of development, standard Java libraries still suffer from missing and incorrectly applied permission checks, which enable untrusted applications to execute native calls or modify private class variables without authorization. Previous techniques for static verification of authorization enforcement rely on manually specified policies or attempt to infer the policy by code-mining. Neither approach guarantees that the policy used for verification is correct.
In this paper, we exploit the fact that many modern APIs have multiple, independent implementations. Our flow- and context-sensitive analysis takes as input an API, multiple implementations thereof, and the definitions of security checks and security-sensitive events. For each API entry point, the analysis computes the security policies enforced by the checks before security-sensitive events such as native method calls and API returns, compares these policies across implementations, and reports the differences. Unlike code-mining, this technique finds missing checks even if they are part of a rare pattern. Security-policy differencing has no intrinsic false positives: implementations of the same API must enforce the same policy, or at least one of them is wrong!
Our analysis finds 20 new, confirmed security vulnerabilities and 11 interoperability bugs in the Sun, Harmony, and Classpath implementations of the Java Class Library, many of which were missed by prior analyses. These problems manifest in 499 entry points in these mature, well-studied libraries. Multiple API implementations are proliferating due to cloud-based software services and standardization of library interfaces. Comparing software implementations for consistency is a new approach to discovering "deep" bugs in them.
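The following is an added illustration of the differencing idea described in the abstract; it is not the paper's analysis or any code from the Sun, Harmony or Classpath libraries. Each implementation of an API entry point is modelled as a tiny control-flow graph whose nodes are permission checks, security-sensitive events (native calls and the API return) or plain control flow. A forward "must" dataflow computes, for every sensitive event, the set of checks performed on every path from the entry to that event; that set is the policy the implementation enforces. Policies are then compared across implementations and each disagreement is reported. The entry-point names, permission names and the "trusted fast path" bug are constructed for the example.

```python
"""Toy security-policy differencing, in the spirit of the abstract above.

Each implementation of an API entry point is a small control-flow graph. A
forward "must" dataflow computes, for every security-sensitive event (a native
call or the API return), the permission checks made on EVERY path from entry
to that event. Policies are compared across implementations of the same API.
Implementations and permission names are constructed, not from any library."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

CHECK = "check"          # security check, e.g. SecurityManager.checkPermission(p)
SENSITIVE = "sensitive"  # security-sensitive event, e.g. a native method call
RETURN = "return"        # API return, treated as a sensitive event as well
BRANCH = "branch"        # plain control flow, conditional or not


@dataclass
class Node:
    kind: str
    label: str = ""                       # permission name or event name
    succ: List[str] = field(default_factory=list)


Cfg = Dict[str, Node]                     # node id -> Node; the root is "entry"
Policy = Dict[str, FrozenSet[str]]        # event -> checks made on all paths to it
Report = Tuple[str, str, str, FrozenSet[str]]


def enforced_policy(cfg: Cfg) -> Policy:
    """IN[n] = intersection of OUT[p] over predecessors; OUT[n] adds n's permission
    if n is a check. Optimistic start (all checks) so the fixpoint is the must-set."""
    preds: Dict[str, List[str]] = {n: [] for n in cfg}
    for nid, node in cfg.items():
        for s in node.succ:
            preds[s].append(nid)
    top = frozenset(n.label for n in cfg.values() if n.kind == CHECK)
    inn = {n: top for n in cfg}
    out = dict(inn)
    work = list(cfg)
    while work:                           # worklist iteration also handles loops
        nid = work.pop()
        node = cfg[nid]
        new_in = (frozenset.intersection(*(out[p] for p in preds[nid]))
                  if preds[nid] else frozenset())   # entry: nothing checked yet
        new_out = new_in | {node.label} if node.kind == CHECK else new_in
        if new_in != inn[nid] or new_out != out[nid]:
            inn[nid], out[nid] = new_in, new_out
            work.extend(node.succ)
    return {n.label: inn[nid] for nid, n in cfg.items()
            if n.kind in (SENSITIVE, RETURN)}


def diff_policies(impls: Dict[str, Cfg]) -> List[Report]:
    """(impl, event, other, checks that other makes before event but impl does not)
    for every event on which two implementations of the same API disagree."""
    policies = {name: enforced_policy(cfg) for name, cfg in impls.items()}
    events = set().union(*(p.keys() for p in policies.values()))
    reports: List[Report] = []
    for ev in sorted(events):
        for a, pa in policies.items():
            for b, pb in policies.items():
                missing = pb.get(ev, frozenset()) - pa.get(ev, frozenset())
                if a != b and missing:
                    reports.append((a, ev, b, missing))
    return reports


def _linear(*steps: Tuple[str, str]) -> Cfg:
    """Straight-line CFG from (kind, label) steps, for the constructed samples."""
    ids = ["entry"] + [f"n{i}" for i in range(1, len(steps) + 1)]
    cfg: Cfg = {"entry": Node(BRANCH, succ=ids[1:2])}
    for i, (kind, label) in enumerate(steps, start=1):
        cfg[ids[i]] = Node(kind, label, ids[i + 1:i + 2])
    return cfg


# Constructed sample: two entry points, each with a "ref" and an "alt" implementation.
LOAD_PERM = "RuntimePermission(loadLibrary)"
ENV_PERM = "RuntimePermission(getenv)"
REF_LOAD = _linear((CHECK, LOAD_PERM), (SENSITIVE, "native:load"), (RETURN, "return"))
ALT_LOAD: Cfg = {                        # a "trusted name" fast path skips the check
    "entry": Node(BRANCH, succ=["trusted", "check"]),
    "trusted": Node(BRANCH, succ=["load"]),
    "check": Node(CHECK, LOAD_PERM, succ=["load"]),
    "load": Node(SENSITIVE, "native:load", succ=["ret"]),
    "ret": Node(RETURN, "return"),
}
REF_ENV = _linear((CHECK, ENV_PERM), (SENSITIVE, "native:getenv"), (RETURN, "return"))
SAMPLE_APIS = {
    "loadLibrary(String)": {"ref": REF_LOAD, "alt": ALT_LOAD},
    "getenv(String)": {"ref": REF_ENV, "alt": REF_ENV},   # identical: no report
}

if __name__ == "__main__":
    for api, impls in SAMPLE_APIS.items():
        for impl, event, other, missing in diff_policies(impls):
            print(f"{api}: '{impl}' reaches {event} without {sorted(missing)}, "
                  f"which '{other}' always checks first")
```

The intersection is what makes this a must-analysis: a check that guards only one of two paths to the native call does not count, which is exactly how the fast-path bug in `alt` surfaces. Because a report is only ever a difference between two implementations of the same API, there is no intrinsic false positive, although the report does not say which side is wrong. The real analysis is interprocedural, context-sensitive and works on Java bytecode with a call graph; this toy has no calls and treats each check as an opaque permission name.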



Published In

PLDI '11: Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation
June 2011, 668 pages
ISBN: 9781450306638
DOI: 10.1145/1993498
General Chair: Mary Hall; Program Chair: David Padua

Also published in ACM SIGPLAN Notices, Volume 46, Issue 6 (PLDI '11), June 2011, 652 pages
ISSN: 0362-1340, EISSN: 1558-1160
DOI: 10.1145/1993316
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. access control
  2. authorization
  3. java class libraries
  4. security
  5. static analysis

Qualifiers

  • Research-article

Conference

PLDI '11

Acceptance Rates

Overall Acceptance Rate 406 of 2,067 submissions, 20%

Cited By

  • (2021) Checking Smart Contracts With Structural Code Embedding. IEEE Transactions on Software Engineering 47(12): 2874-2891. DOI: 10.1109/TSE.2020.2971482. Online publication date: 1 Dec 2021.
  • (2020) Mapping Study on Constraint Consistency Checking in Distributed Enterprise Systems. Proceedings of the International Conference on Research in Adaptive and Convergent Systems, pp. 167-174. DOI: 10.1145/3400286.3418257. Online publication date: 13 Oct 2020.
  • (2020) Causal testing. Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering, pp. 87-99. DOI: 10.1145/3377811.3380377. Online publication date: 27 Jun 2020.
  • (2019) Different is Good. Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1883-1897. DOI: 10.1145/3319535.3345654. Online publication date: 6 Nov 2019.
  • (2019) Automatically generating precise Oracles from structured natural language specifications. Proceedings of the 41st International Conference on Software Engineering, pp. 188-199. DOI: 10.1109/ICSE.2019.00035. Online publication date: 25 May 2019.
  • (2019) On Automated Role-Based Access Control Assessment in Enterprise Systems. Information Science and Applications, pp. 375-385. DOI: 10.1007/978-981-15-1465-4_38. Online publication date: 19 Dec 2019.
  • (2019) ConFuzz—A Concurrency Fuzzer. First International Conference on Sustainable Technologies for Computational Intelligence, pp. 667-691. DOI: 10.1007/978-981-15-0029-9_53. Online publication date: 2 Nov 2019.
  • (2016) Patching Logic Vulnerabilities for Web Applications using LogicPatcher. Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy, pp. 73-84. DOI: 10.1145/2857705.2857727. Online publication date: 9 Mar 2016.
  • (2016) Context-oriented web application protection model. Applied Mathematics and Computation 285(C): 59-78. DOI: 10.1016/j.amc.2016.03.026. Online publication date: 20 Jul 2016.
  • (2015) Automatic Inference of Search Patterns for Taint-Style Vulnerabilities. Proceedings of the 2015 IEEE Symposium on Security and Privacy, pp. 797-812. DOI: 10.1109/SP.2015.54. Online publication date: 17 May 2015.
