A unified mathematical model for stack- and role-based authorization systems

  • Authors: Robert J. Flynn; Marco Pistoia
  • Affiliations: Polytechnic University; Polytechnic University
  • Venue: A unified mathematical model for stack- and role-based authorization systems
  • Year: 2005

Abstract

The purpose of this thesis is to build a mathematical framework for statically representing the execution of software programs and the flow of security information in those programs. This thesis shows how the result of this mathematical analysis can be used to automatically identify security properties of software and evaluate security policies. In particular, this work presents a mathematical model for Stack-Based Access Control (SBAC) systems, such as Java 2, Standard Edition (J2SE) and Microsoft .NET Common Language Runtime (CLR), and for Role-Based Access Control (RBAC) systems, such as Java 2, Enterprise Edition (J2EE) and CLR. The model is based on the mathematical theories of graphs and lattices, and allows static problem detection and security policy evaluation. This thesis proves that this mathematical model is correct and that the algorithms used to build it converge in polynomial time. The mathematical model presented in this thesis has been implemented and used extensively to analyze and detect security vulnerabilities in large production-level programs.