ECOOP 2015
Sun 5 - Fri 10 July 2015 Prague, Czech Republic
Wed 8 Jul 2015 17:30 - 18:00 at Bohemia - Analysis I Chair(s): Werner Dietl

Modern software development and runtime environments, such as Java, the Microsoft .NET Common Language Runtime (CLR) and Android, have adopted a declarative form of access control. Permissions are granted to code providers, and during execution, the runtime verifies compatibility between the permissions required by a security-sensitive operation and those granted to the executing code. While this model is convenient, configuring the access-control policy of a program is not easy. If a code component is not granted sufficient permissions, authorization failures may occur. Thus, security administrators tend to define overly permissive policies, which violate the Principle of Least Privilege (PLP).

A considerable body of research has been devoted to building program-analysis tools for computing the optimal policy for a program. However, Java, CLR and Android also allow executing a program’s security-sensitive operations under the authority of a subject (user or service), and no program-analysis solution has addressed the challenges of determining the policy of a program in the presence of subject-executed code.

In response, this paper introduces Subject Access Rights Analysis (SARA), a novel analysis algorithm for statically computing the permissions required by subjects at run time. We have applied SARA to 348 libraries in a commercial enterprise application server written in Java that consists of >2 million lines of code and is required to support the Java permission- and subject-based security model. SARA detected 263 PLP violations, 219 cases of policies with missing permissions, and 29 bugs that led code to be unnecessarily executed under the authority of a subject. SARA corrected all these vulnerabilities automatically, and additionally synthesized fresh and provably correct policies for all the libraries, with 0 false negatives, a false-positive rate of 5%, and an average running time of 103 seconds per library. SARA enabled the application server to receive the Common Criteria for Information Technology Security Evaluation Assurance Level 4 certification.
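As an added illustration of the subject-based model and the bug classes described above (this is constructed example code, not code from the paper or from the analysed application server), the Java fragment below shows a file read executed under a subject's authority via `Subject.doAs`, the overly permissive and the least-privilege policy grant for it, and a `doAs` wrapper that is unnecessary because the wrapped code performs no security-sensitive operation. The principal name, paths and policy entries are assumptions, and the fragment assumes a JDK running with a security manager and a policy file installed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.PrivilegedAction;
import java.util.Collections;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500Principal;

public class SubjectExecutedCode {

    // Constructed subject; in a real server it comes from the login module.
    static Subject reportingSubject() {
        return new Subject(true,
                Collections.singleton(new X500Principal("CN=reporting")),
                Collections.emptySet(), Collections.emptySet());
    }

    // Security-sensitive operation: with a security manager active, the file
    // read demands FilePermission("/var/app/reports/-", "read"), and because
    // of doAs the check also takes the subject's principals into account.
    static String readReport(String name) {
        return Subject.doAs(reportingSubject(), (PrivilegedAction<String>) () -> {
            try {
                return new String(Files.readAllBytes(Paths.get("/var/app/reports", name)));
            } catch (IOException e) {
                throw new IllegalStateException(e);
            }
        });
    }

    // Unnecessary subject-executed code: string formatting needs no
    // permission, so running it under the subject only widens the code that
    // acts with that subject's authority. The fixed version drops doAs.
    static String formatTitle(String name) {
        return Subject.doAs(reportingSubject(),
                (PrivilegedAction<String>) () -> "Report: " + name.trim());
    }
    static String formatTitleFixed(String name) {
        return "Report: " + name.trim();
    }
}

/* Constructed policy entries, assuming the JVM is started with
   -Djava.security.manager -Djava.security.policy=app.policy

   // Overly permissive (PLP violation): the subject may do anything.
   grant principal javax.security.auth.x500.X500Principal "CN=reporting" {
       permission java.security.AllPermission;
   };
   // Least privilege: exactly what readReport() requires at run time.
   grant principal javax.security.auth.x500.X500Principal "CN=reporting" {
       permission java.io.FilePermission "/var/app/reports/-", "read";
   };
*/
```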