Access-rights Analysis in the Presence of Subjects (ECOOP 2015 - Research Track)

Sun 5 - Fri 10 July 2015 Prague, Czech Republic

Who

Paolina Centonze, Marco Pistoia, Omer Tripp

Track

ECOOP 2015 Research Track

Time Zone

The program is currently displayed in (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna.

Use conference time zone: (GMT+02:00) Amsterdam, Berlin, Bern, Rome, Stockholm, ViennaSelect other time zone

The GMT offsets shown reflect the offsets at the moment of the conference.

Time Band

By setting a time band, the program will dim events that are outside this time window. This is useful for (virtual) conferences with a continuous program (with repeated sessions).
The time band will also limit the events that are included in the personal iCalendar subscription service.

Display full programSpecify a time band

Save

When

Wed 8 Jul 2015 17:30 - 18:00 at Bohemia - Analysis I Chair(s): Werner Dietl

Abstract

Modern software development and runtime environments, such as Java, the Microsoft .NET Common Language Runtime (CLR) and Android, have adopted a declarative form of access control. Permissions are granted to code providers, and during execution, the runtime verifies compatibility between the permissions required by a security-sensitive operation and those granted to the executing code. While convenient, configuring the access-control policy of a program is not easy. If a code component is not granted sufficient permissions, authorization failures may occur. Thus, security administrators tend to define overly permissive policies, which violate the Principle of Least Privilege (PLP).

A considerable body of research has been devoted to building program-analysis tools for computing the optimal policy for a program. However, Java, CLR and Android also allow executing a program’s security-sensitive operations under the authority of a subject (user or service), and no program-analysis solution has addressed the challenges of determining the policy of a program in the presence of subject-executed code.

In response, this paper introduces Subject Access Rights Analysis (SARA), a novel analysis algorithm for statically computing the permissions required by subjects at run time. We have applied SARA to 348 libraries in a commercial enterprise application server written in Java that consists of >2 million lines of code and is required to support the Java permission- and subject-based security model. SARA detected 263 PLP violations, 219 cases of policies with missing permissions, and 29 bugs that led code to be unnecessarily executed under the authority of a subject. SARA corrected all these vulnerabilities automatically, and additionally synthesized fresh and provably correct policies for all the libraries, with 0 false negatives, a false-positive rate of 5%, and an average running time of 103 seconds per library. SARA enabled the application server to receive the Common Criteria for Information Technology Security Evaluation Assurance Level 4 certification.

Paolina Centonze

Iona College

Italy

Marco Pistoia

IBM Research

Italy

Omer Tripp

IBM Thomas J. Watson Research Center