Control flow analysis in scheme
PLDI '88 Proceedings of the ACM SIGPLAN 1988 conference on Programming Language design and Implementation
Precise concrete type inference for object-oriented languages
OOPSLA '94 Proceedings of the ninth annual conference on Object-oriented programming systems, language, and applications
Fast static analysis of C++ virtual function calls
Proceedings of the 11th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
Call graph construction in object-oriented languages
Proceedings of the 12th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
The security of static typing with dynamic linking
Proceedings of the 4th ACM conference on Computer and communications security
Extensible security architectures for Java
Proceedings of the sixteenth ACM symposium on Operating systems principles
Java security: Web browsers and beyond
Internet besieged
Advanced compiler design and implementation
Advanced compiler design and implementation
Inside Java 2 platform security architecture, API design, and implementation
Inside Java 2 platform security architecture, API design, and implementation
From system F to typed assembly language
ACM Transactions on Programming Languages and Systems (TOPLAS)
Practical virtual method call resolution for Java
OOPSLA '00 Proceedings of the 15th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
Scalable propagation-based call graph construction algorithms
OOPSLA '00 Proceedings of the 15th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications
A framework for call graph construction algorithms
ACM Transactions on Programming Languages and Systems (TOPLAS)
A unified approach to global program optimization
POPL '73 Proceedings of the 1st annual ACM SIGACT-SIGPLAN symposium on Principles of programming languages
Mastering RMI: Developing Enterprise Applications in Java and EJB
Mastering RMI: Developing Enterprise Applications in Java and EJB
Java 2 Network Security
Optimization of Object-Oriented Programs Using Static Class Hierarchy Analysis
ECOOP '95 Proceedings of the 9th European Conference on Object-Oriented Programming
The Cartesian Product Algorithm: Simple and Precise Type Inference Of Parametric Polymorphism
ECOOP '95 Proceedings of the 9th European Conference on Object-Oriented Programming
Java Security: From HotJava to Netscape and Beyond
SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
IRM Enforcement of Java Stack Inspection
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
Fast and effective optimization of statically typed object-oriented languages
Fast and effective optimization of statically typed object-oriented languages
Formal aspects of mobile code security
Formal aspects of mobile code security
A new approach to mobile code security
A new approach to mobile code security
USITS'97 Proceedings of the USENIX Symposium on Internet Technologies and Systems on USENIX Symposium on Internet Technologies and Systems
Runtime verification of authorization hook placement for the linux security modules framework
Proceedings of the 9th ACM conference on Computer and communications security
MOPS: an infrastructure for examining security properties of software
Proceedings of the 9th ACM conference on Computer and communications security
Using CQUAL for Static Analysis of Authorization Hook Placement
Proceedings of the 11th USENIX Security Symposium
A static type system for JVM access control
ICFP '03 Proceedings of the eighth ACM SIGPLAN international conference on Functional programming
Consistency analysis of authorization hook placement in the Linux security modules framework
ACM Transactions on Information and System Security (TISSEC)
SABER: smart analysis based error reduction
ISSTA '04 Proceedings of the 2004 ACM SIGSOFT international symposium on Software testing and analysis
Static analysis of role-based access control in J2EE applications
ACM SIGSOFT Software Engineering Notes
Validating structural properties of nested objects
OOPSLA '04 Companion to the 19th annual ACM SIGPLAN conference on Object-oriented programming systems, languages, and applications
Using build-integrated static checking to preserve correctness invariants
Proceedings of the 11th ACM conference on Computer and communications security
Interfaces for stack inspection
Journal of Functional Programming
A systematic approach to static access control
ACM Transactions on Programming Languages and Systems (TOPLAS)
Automatic placement of authorization hooks in the linux security modules framework
Proceedings of the 12th ACM conference on Computer and communications security
The essence of command injection attacks in web applications
Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Static check analysis for Java stack inspection
ACM SIGPLAN Notices
Role-Based access control consistency validation
Proceedings of the 2006 international symposium on Software testing and analysis
The case for analysis preserving language transformation
Proceedings of the 2006 international symposium on Software testing and analysis
NSPW '05 Proceedings of the 2005 workshop on New security paradigms
A static type system for JVM access control
ACM Transactions on Programming Languages and Systems (TOPLAS)
CMV: automatic verification of complete mediation for java virtual machines
Proceedings of the 2008 ACM symposium on Information, computer and communications security
Security enforcement aware software development
Information and Software Technology
Modular string-sensitive permission analysis with demand-driven precision
ICSE '09 Proceedings of the 31st International Conference on Software Engineering
From Public to Private to Absent: Refactoring Java Programs under Constrained Accessibility
Genoa Proceedings of the 23rd European Conference on ECOOP 2009 --- Object-Oriented Programming
Program Transformations under Dynamic Security Policies
Electronic Notes in Theoretical Computer Science (ENTCS)
Visualization of permission checks in java using static analysis
WISA'06 Proceedings of the 7th international conference on Information security applications: PartI
Program analysis for security and privacy
ECOOP'06 Proceedings of the 2006 conference on Object-oriented technology: ECOOP 2006 workshop reader
Proceedings of the 2010 ICSE Workshop on Software Engineering for Secure Systems
Automatic generation of history-based access control from information flow specification
ATVA'10 Proceedings of the 8th international conference on Automated technology for verification and analysis
Transactions on computational science XI
A security policy oracle: detecting security holes using multiple API implementations
Proceedings of the 32nd ACM SIGPLAN conference on Programming language design and implementation
RoleCast: finding missing security checks when you do not know what checks are
Proceedings of the 2011 ACM international conference on Object oriented programming systems languages and applications
APLAS'05 Proceedings of the Third Asian conference on Programming Languages and Systems
Interprocedural analysis for privileged code placement and tainted variable detection
ECOOP'05 Proceedings of the 19th European conference on Object-Oriented Programming
SAFERPHP: finding semantic vulnerabilities in PHP applications
Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security
Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
Recovering role-based access control security models from dynamic web applications
ICWE'12 Proceedings of the 12th international conference on Web Engineering
Hi-index | 0.00 |
Java 2 has a security architecture that protects systems from unauthorized access by mobile or statically configured code. The problem is in manually determining the set of security access rights required to execute a library or application. The commonly used strategy is to execute the code, note authorization failures, allocate additional access rights, and test again. This process iterates until the code successfully runs for the test cases in hand. Test cases usually do not cover all paths through the code, so failures can occur in deployed systems. Conversely, a broad set of access rights is allocated to the code to prevent authorization failures from occurring. However, this often leads to a violation of the "Principle of Least Privilege"This paper presents a technique for computing the access rights requirements by using a context sensitive, flow sensitive, interprocedural data flow analysis. By using this analysis, we compute at each program point the set of access rights required by the code. We model features such as multi-threading, implicitly defined security policies, the semantics of the Permission.implies method and generation of a security policy description. We implemented the algorithms and present the results of our analysis on a set of programs. While the analysis techniques described in this paper are in the context of Java code, the basic techniques are applicable to access rights analysis issues in non-Java-based systems.