Modular string-sensitive permission analysis with demand-driven precision

• Published in: 2009 IEEE 31st International Conference on Software Engineering pp. 177 - 187
• Main Authors: Geay, Emmanuel, Pistoia, Marco, Takaaki Tateishi, Ryder, Barbara G., Dolby, Julian
• Format: Conference Proceeding
• Language: English
• Published: Washington, DC, USA IEEE Computer Society 16.05.2009; IEEE
• Series: ACM Conferences
• Subjects: Algorithm design and analysis; Authorization; General and reference > Cross-computing tools and techniques > Reliability; Inspection; Java; Laboratories; Permission; Prototypes; Runtime environment; Security; Software and its engineering > Software notations and tools; Software and its engineering > Software organization and properties > Extra-functional properties > Software reliability; Testing
• ISBN: 9781424434534; 142443453X
• ISSN: 0270-5257
• DOI: 10.1109/ICSE.2009.5070519

In modern software systems, programs are obtained by dynamically assembling components. This has made it necessary to subject component providers to access-control restrictions. What permissions should be granted to each component? Too few permissions may cause run-time authorization failures, too many constitute a security hole. We have designed and implemented a composite algorithm for precise static permission analysis for Java and the CLR. Unlike previous work, the analysis is modular and fully integrated with a novel slicing-based string analysis that is used to statically compute the string values defining a permission and disambiguate permission propagation paths. The results of our research prototype on production-level Java code support the effectiveness, practicality, and precision of our techniques, and show outstanding improvement over previous work.