Combining static and dynamic analysis for automatic identification of precise access-control policies

Proceedings - Annual Computer Security Applications Conference, ACSAC

Volumn , Issue , 2007, Pages 292-301

  Centonze, Paolina ^a   Flynn, Robert J ^b   Pistoia, Marco ^a  

^a IBM T J WATSON RESEARCH CENTER   (United States)

^b POLYTECHNIC UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ACCESS CONTROL; AUTOMATION; CHLORINE COMPOUNDS; CODES (STANDARDS); CODES (SYMBOLS); COMPUTER APPLICATIONS; COMPUTER PROGRAMMING LANGUAGES; COMPUTER SOFTWARE; CONCURRENCY CONTROL; CONTROL SYSTEM ANALYSIS; CONTROL SYSTEMS; CONTROL THEORY; DYNAMIC ANALYSIS; ELECTRIC LOAD SHEDDING; ELECTRONIC DATA INTERCHANGE; FAILURE ANALYSIS; JAVA PROGRAMMING LANGUAGE; QUALITY ASSURANCE; RELIABILITY; RISK ANALYSIS; RISK ASSESSMENT; SECURITY OF DATA; SECURITY SYSTEMS; STATIC ANALYSIS;

ACCESS RIGHTS; ANALYSIS TOOLS; AUTOMATIC DETERMINATION; AUTOMATIC IDENTIFICATION; CLIENT CODES; COMMON LANGUAGE RUNTIME; COMPONENT-BASED; COMPUTER SECURITY APPLICATIONS; CONTROL POLICIES; JAVA PROGRAMS; LEAST PRIVILEGE; MULTI-THREADED; STACK-BASED ACCESS CONTROL; STATIC AND DYNAMIC; TEST CASES; UNDERLYING SYSTEMS;

IDENTIFICATION (CONTROL SYSTEMS);

EID: 43449135873     PISSN: 10639527     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ACSAC.2007.39     Document Type: Conference Paper

References (37)

1. A. V. Aho, R. Sethi, and J. D. Ullman. Compilers: Principles, Techniques, and Tools. Addison-Wesley, Reading, MA, USA, Jan. 1986.
2. L. O. Andersen. Program Analysis and Specialization for the C Programming Language. PhD thesis, University of Copenhagen, May 1994.
3. M. Bartoletti, P. Degano, and G. L. Ferrari. Static Analysis for Stack Inspection. In Proceedings of International Workshop on Concurrency and Coordination, Electronic Notes in Theoretical Computer Science, volume 54, Amsterdam, The Netherlands, 2001. Elsevier.
4. H. Chen, D. Wagner, and D. Dean. Setuid Demystified. In Proceedings of the 11th USENIX Security Symposium, pages 171-190, Berkeley, CA, USA, August 2002. USENIX Association.
5. D. Dean. The Security of Static Typing with Dynamic Linking. In Proceedings of the 4th ACM conference on Computer and Communications Security, pages 18-27, Zurich, Switzerland, 1997. ACM Press.
6. D. Dean, E. W. Felten, and D. S. Wallach. Java Security: From HotJava to Netscape and beyond. In Proceedings of the 1996 IEEE Symposium on Security and Privacy, pages 190-200, Silver Spring, MD, USA, 1996. IEEE Computer Society Press.
7. D. Dean, E. W. Felten, D. S. Wallach, and D. Balfanz. Java Security: Web Browsers and Beyond. Technical Report 566-597, Princeton University, Princeton, NJ, USA, February 1997.
8. R. D. Dean. Formal Aspects of Mobile Code Security. PhD thesis, Princeton University, Princeton, NJ, USA, Jan. 1999.
9. Eclipse Project, http://www.eclipse.org.
10. Equinox Project, http://www.eclipse.org/equinox.
11. U. Erlingsson and F. B. Schneider. IRM Enforcement of Java Stack Inspection. In Proceedings of the 2000 IEEE Symposium on Security and Privacy, pages 246-255, Oakland, CA, USA, May 2000. IEEE Computer Society.
12. M. D. Ernst. Static and Dynamic Analysis: Synergy and Duality. In Proceedings of the Program Analysis for Software Tools and Engineering (PASTE 2004) Workshop, pages 24-27, June 2004.
13. A. Freeman and A. Jones. Programming .NET Security. O'Reilly & Associates, Inc., Sebastopol, CA, USA, June 2003.
14. L. Gong, G. Ellison, and M. Dageforde. Inside Java 2 Platform Security: Architecture, API Design, and Implementation. Addison-Wesley, Reading, MA, USA, second edition, May 2003.
15. G. Grätzer. General Lattice Theory. Birkhäuser, Boston, MA, USA, second edition, January 2003.
16. D. Grove and C. Chambers. A Framework for Call Graph Construction Algorithms. ACM Trans. Program. Lang. Syst., 23(6):685-746, November 2001.
17. H. Inoue and S. Forrest. Inferring Java Security Policies Through Dynamic Sandboxing. In International Conference on Programming Languages and Compilers, Las Vegas, NE, USA, June 2005.
18. T. P. Jensen, D. L. Mëtayer, and T. Thorn. Verification of Control Flow Based Security Properties. In Proceedings of the 1999 IEEE Symposium on Security and Privacy, pages 89-103, Oakland, CA, USA, May 1999.
19. J. F. Koegel, R. M. Koegel, Z. Li, and D. T. Miruke. A Security Analysis of VAX VMS. In ACM '85: Proceedings of the 1985 ACM Annual Conference on the Range of Computing: Mid-80's Perspective, pages 381-386. ACM Press, 1985.
20. L. Koved, M. Pistoia, and A. Kershenbaum. Access Rights Analysis for Java. In Proceedings of the 17th ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, pages 359-372, Seattle, WA, USA, November 2002. ACM Press.
21. B. Livshits, J. Whaley, and M. S. Lam. Reflection Analysis for Java. In Proceedings of the 3rd Asian Symposium on Programming Languages and Systems, pages 139-160, Nov. 2005.
22. S. S. Muchnick. Advanced Compiler Design and Implementation. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, June 1997.
23. A. Orso, M. J. Harrold, and G. Vigna. MASSA: Mobile Agents Security through Static/Dynamic Analysis. In Proceedings of the First ICSE Workshop on Software Engineering and Mobility (WSEM 2001), Toronto, Canada, April 2001.
24. OSGi Specification, http://www.osgi.org.
25. M. Pistoia, A. Banerjee, and D. A. Naumann. Beyond Stack Inspection: A Unified Access Control and Information Flow Security Model. In 28th IEEE Symposium on Security and Privacy, pages 149-163, Oakland, CA, USA, May 2007.
26. M. Pistoia, R. J. Flynn, L. Koved, and V. C. Sreedhar. Interprocedural Analysis for Privileged Code Placement and Tainted Variable Detection. In Proceedings of the 19th European Conference on Object-Oriented Programming, pages 362-386, Glasgow, Scotland, UK, July 2005. Springer-Verlag.
27. M. Pistoia, N. Nagaratnam, L. Koved, and A. Nadalin. Enterprise Java Security. Addison-Wesley, Reading, MA, USA, February 2004.
28. M. Pistoia, D. Reller, D. Gupta, M. Nagnur, and A. K. Ramani. Java 2 Network Security. Prentice Hall PTR, Upper Saddle River, NJ, USA, second edition, August 1999.
29. F. Pottier, C. Skalka, and S. F. Smith. A Systematic Approach to Static Access Control. In Proceedings of the 10th European Symposium on Programming Languages and Systems, pages 30-45. Springer-Verlag, 2001.
30. B. G. Ryder. Dimensions of Precision in Reference Analysis of Object-Oriented Languages. In Proceedings of the 12th International Conference on Compiler Construction, pages 126-137, Warsaw, Poland, April 2003. Invited Paper.
31. J. H. Saltzer and M. D. Schroeder. The Protection of Information in Computer Systems. In Proceedings of the IEEE, volume 63, pages 1278-1308, Sept. 1975.
32. SourceForge.net, http://www.sourceforge.net.
33. Sun Microsystems, Java™ Technology, http://java.sun.com.
34. D. S. Wallach. A New Approach to Mobile-Code Security. PhD thesis, Princeton University, Princeton, NJ, USA, Jan. 1999.
35. D. S. Wallach, D. Balfanz, D. Dean, and E. W. Felten. Extensible Security Architectures for Java. In Proceedings of the 16th ACM Symposium on Operating Systems Principles, pages 116-128, Saint Malo, France, 1997. ACM Press.
36. D. S. Wallach and E. W. Felten. Understanding Java Stack Inspection. In Proceedings of the 1998 IEEE Symposium on Security and Privacy, pages 52-63, Oakland, CA, USA, May 1998.
37. X. Zhang, L. Koved, M. Pistoia, S. Weber, T. Jaeger, G. Marceau, and L. Zeng. The Case for Analysis Preserving Language Transformation. In Proceedings of the ACM SIGSOFT 2006 International Symposium on Software Testing and Analysis (ISSTA). ACM Press, July 2006.