Securing Java: getting down to business with mobile code
Securing Java: getting down to business with mobile code
Using production grammars in software testing
Proceedings of the 2nd conference on Domain-specific languages
Java Virtual Machine Specification
Java Virtual Machine Specification
Java Bytecode Verification: Algorithms and Formalizations
Journal of Automated Reasoning
A Type System for the Java Bytecode Language and Verifier
Journal of Automated Reasoning
Software Abstractions: Logic, Language, and Analysis
Software Abstractions: Logic, Language, and Analysis
A static type system for JVM access control
ACM Transactions on Programming Languages and Systems (TOPLAS)
A semantics-based approach to malware detection
ACM Transactions on Programming Languages and Systems (TOPLAS)
Lightweight modeling of java virtual machine security constraints
ABZ'10 Proceedings of the Second international conference on Abstract State Machines, Alloy, B and Z
| Hi-index | 0.00 |
The Java programming language has been widely described as secure by design. Nevertheless, a number of serious security vulnerabilities have been discovered in Java, particularly in the Bytecode Verifier, a critical component used to verify class semantics before loading is complete. This paper describes a method for representing Java security constraints using the Alloy modeling language. It further describes a system for performing a security analysis on any block of Java bytecodes by converting these bytecodes into relation initializers in Alloy. Any counterexamples found by the Alloy analyzer correspond directly to potentially insecure code. Analysis of the approach is provided in the context of known security exploits, including type confusion attacks, invalid memory accesses and control flow misdirection. This type of analysis represents a significant departure from standard malware analysis methods based on signatures or anomaly detection.