Interprocedural analysis for privileged code placement and tainted variable detection

Lecture Notes in Computer Science

Volumn 3586, Issue , 2005, Pages 362-386

  Pistoia, Marco ^a   Flynn, Robert J ^b   Koved, Larry ^a   Sreedhar, Vugranam C ^a  

^a IBM T J WATSON RESEARCH CENTER   (United States)

^b POLYTECHNIC UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

CODES (SYMBOLS); CONTROL SYSTEMS; DATABASE SYSTEMS; OBJECT ORIENTED PROGRAMMING;

CODE SLACK FRAMES; COMMON LANGUAGE RUNTIME (CLR); JAVA 2 (CO); JAVA BYTECODE;

JAVA PROGRAMMING LANGUAGE;

EID: 26444502057     PISSN: 03029743     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1007/11531142_16     Document Type: Conference Paper

References (41)

1. Ole Agesen. The Cartesian Product Algorithm: Simple and Precise Type Inference Of Parametric Polymorphism. In Proceedings of the 9th European Conference on Object-Oriented Programming, pages 2-26. Springer-Verlag, August 1995.
2. Alfred V. Aho, Ravi Sethi, and Jeffrey D. Ullman. Compilers: Principles, Techniques, and Tools. Addison-Wesley, Reading, MA, USA, January 1986.
3. Ken Ashcraft and Dawson Engler. Using Programmer-Written Compiler Extensions to Catch Security Holes. In Proceedings of the 2002 IEEE Symposium on Security and Privacy, pages 143-159, Oakland, CA, USA, May 2002. IEEE Computer Society.
4. Anindya Banerjee and David A. Naumann. A Simple Semantics and Static Analysis for Java Security. Technical Report CS2001-1, Stevens Institute of Technology, Hoboken, NJ, USA, July 2001.
5. Massimo Bartoletti, Pierpaolo Degano, and Gian Luigi Ferrari. Static Analysis for Stack Inspection. In Proceedings of International Workshop on Concurrency and Coordination, Electronic Notes in Theoretical Computer Science, volume 54, Amsterdam, The Netherlands, 2001. Elsevier.
6. Massimo Bartoletti, Pierpaolo Degano, and Gian Luigi Ferrari. Stack Inspection and Secure Program Transformations. International Journal of Information Security, 2(3):187-217, August 2004.
7. Frédéric Besson, Tomasz Blanc, Cédric Fournet, and Andrew D. Gordon. From Stack Inspection to Access Control: A Security Analysis for Libraries. In Proceedings of the 17th IEEE Computer Security Foundations Workshop, pages 61-75, Pacific Grove, CA, USA, June 2004. IEEE Computer Society.
8. Drew Dean. The Security of Static Typing with Dynamic Linking. In Proceedings of the 4th ACM conference on Computer and Communications Security, pages 18-27, Zurich, Switzerland, 1997. ACM Press.
9. Drew Dean, Edward W. Felten, and Dan S. Wallach. Java Security: From HotJava to Netscape and beyond. In Proceedings of the 1996 IEEE Symposium on Security and Privacy, pages 190-200, Silver Spring, MD, USA, 1996. IEEE Computer Society Press.
10. Drew Dean, Edward W. Felten, Dan S. Wallach, and Dirk Balfanz. Java Security: Web Browsers and Beyond. Technical Report 566-597, Princeton University, Princeton, NJ, USA, February 1997.
11. Jeffrey Dean, David Grove, and Craig Chambers. Optimization of Object-Oriented Programs Using Static Class Hierarchy Analysis. In Proceedings of the 9th European Conference on Object-Oriented Programming, pages 77-101, Aarhus, Denmark, August 1995. Springer-Verlag.
12. Richard Drews Dean. Formal Aspects of Mobile Code Security. PhD thesis, Princeton University, Princeton, NJ, USA, January 1999.
13. Eclipse Project, http://www.eclipse.org.
14. Ulfar Erlingsson and Fred B. Schneider. IRM Enforcement of Java Stack Inspection. In Proceedings of the 2000 IEEE Symposium on Security and Privacy, pages 246-255, Oakland, CA, USA, May 2000. IEEE Computer Society.
15. Jeffrey S. Foster, Tachio Terauchi, and Alex Aiken. Flow-Sensitive Type Qualifiers. In Proceedings of the 2002 ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 1-12, Berlin, Germany, June 2002.
16. Adam Freeman and Allen Jones. Programming .NET Security. O'Reilly & Associates, Inc., Sebastopol, CA, USA, June 2003.
17. Li Gong, Gary Ellison, and Mary Dageforde. Inside Java 2 Platform Security: Architecture, API Design, and Implementation. Addison-Wesley, Reading, MA, USA, second edition, May 2003.
18. George Grätzer. General Lattice Theory. Birkhäuser, Boston, MA, USA, second edition, January 2003.
19. Sumit Gulwani and George C. Necula. Path-sensitive Analysis for Linear Arithmetic and Uninterpreted Functions. In 11th Static Analysis Symposium, volume 3148 of LNCS, pages 328-343. Springer-Verlag, August 2004.
20. Thomas P. Jensen, Daniel Le Métayer, and Tommy Thorn. Verification of Control Flow Based Security Properties. In Proceedings of the 1999 IEEE Symposium on Security and Privacy, pages 89-103, Oakland, CA, USA, May 1999.
21. Paul A. Karger, IBM Thomas J. Watson Research Center, Yorktown Heights, NY, USA. Private communication, 17 December 2004.
22. Gary A. Kildall. A Unified Approach to Global Program Optimization. In Proceedings of the 1st Annual ACM SIGACT-SIGPLAN Symposium on Principles of Programming Languages, pages 194-206, Boston, MA, USA, 1973. ACM Press.
23. John F. Koegel, Rhonda M. Koegel, Zhiming Li, and Dattaram T. Miruke. A Security Analysis of VAX VMS. In ACM '85: Proceedings of the 1985 ACM Annual Conference on the Range of Computing: Mid-80's Perspective, pages 381-386. ACM Press, 1985.
24. Larry Koved, Marco Pistoia, and Aaron Kershenbaum. Access Rights Analysis for Java. In Proceedings of the 17th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, pages 359-372, Seattle, WA, USA, November 2002. ACM Press.
25. Steven S. Muchnick. Advanced Compiler Design and Implementation. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, June 1997.
26. Gleb Naumovich and Paolina Centonze. Static Analysis of Role-Based Access Control in J2EE Applications. SIGSOFT Software Engineering Notes, 29(5):1-10, September 2004.
27. James Newsome and Dawn Song. Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software. In Proceedings of the 12th Annual Network and Distributed System Security Symposium, San Diego, CA, USA, February 2005. IEEE Computer Society.
28. Marco Pistoia, Nataraj Nagaratnam, Larry Koved, and Anthony Nadalin. Enterprise Java Security. Addison-Wesley, Reading, MA, USA, February 2004.
29. Marco Pistoia, Duane Relier, Deepak Gupta, Milind Nagnur, and Ashok K. Ramani. Java 2 Network Security. Prentice Hall PTR, Upper Saddle River, NJ, USA, second edition, August 1999.
30. François Pottier, Christian Skalka, and Scott F. Smith. A Systematic Approach to Static Access Control. In Proceedings of the 10th European Symposium on Programming Languages and Systems, pages 30-45. Springer-Verlag, 2001.
31. Barbara G. Ryder. Dimensions of Precision in Reference Analysis of Object-Oriented Languages. In Proceedings of the 12th International Conference on Compiler Construction, pages 126-137, Warsaw, Poland, April 2003. Invited Paper.
32. Jerome H. Saltzer and Michael D. Schroeder. The Protection of Information in Computer Systems. In Proceedings of the IEEE, volume 63, pages 1278-1308, September 1975.
33. Umesh Shankar, Kunal Talwar, Jeffrey S. Foster, and David Wagner. Detecting Format String Vulnerabilities with Type Qualifiers. In Proceedings of the 10th USENIX Security Symposium, Washington, DC, USA, August 2001.
34. Standard Performance Evaluation Corporation Java Business Benchmark 2000 (SPECjbb2000), http://www.spec.org.
35. Sun Microsystems, Security Code Guidelines, http://java.sun.com.
36. Frank Tip and T. B. Dinesh. A Slicing-based Approach for Locating Type Errors. ACM Transactions on Software Engineering and Methodology, 10(1):5-55, 2001.
37. Dennis Volpano, Cynthia Irvine, and Geoffrey Smith. A Sound Type System for Secure Flow Analysis. Journal of Computer Security, 4(2-3):167-187, January 1996.
38. Larry Wall, Tom Christiansen, and Jon Orwant. Programming Perl. O'Reilly & Associates, Inc., Sebastopol, CA, USA, third edition, July 2000.
39. Dan S. Wallach. A New Approach to Mobile-Code Security. PhD thesis, Princeton University, Princeton, NJ, USA, January 1999.
40. Dan S. Wallach, Dirk Balfanz, Drew Dean, and Edward W. Felten. Extensible Security Architectures for Java. In Proceedings of the 16th ACM Symposium on Operating Systems Principles, pages 116-128, Saint Malo, France, 1997. ACM Press.
41. Dan S. Wallach and Edward W. Felten. Understanding Java Stack Inspection. In Proceedings of the IEEE Symposium on Security and Privacy, pages 52-63, Oakland, CA, USA, May 1998.