Larry Koved

Access rights analysis for Java

Java 2 has a security architecture that protects systems from unauthorized access by mobile or statically configured code. The problem is in manually determining the set of security access rights required to execute a library or application. The commonly used strategy is to execute the code, note authorization failures, allocate additional access rights, and test again. This process iterates until the code successfully runs for the test cases in hand. Test cases usually do not cover all paths through the code, so failures can occur in deployed systems. Conversely, a broad set of access rights is allocated to the code to prevent authorization failures from occurring. However, this often leads to a violation of the Principle of Least PrivilegeThis paper presents a technique for computing the access rights requirements by using a context sensitive, flow sensitive, interprocedural data flow analysis. By using this analysis, we compute at each program point the set of access rights required by the code. We model features such as multi-threading, implicitly defined security policies, the semantics of the Permission.implies method and generation of a security policy description. We implemented the algorithms and present the results of our analysis on a set of programs. While the analysis techniques described in this paper are in the context of Java code, the basic techniques are applicable to access rights analysis issues in non-Java-based systems.

User authentication and authorization in the Java/sup TM/ platform

Java/sup TM/ security technology originally focused on creating a safe environment in which to run potentially untrusted code downloaded from the public network. With the latest release of the Java/sup TM/ platform (the Java/sup TM/ 2 Software Development Kit, v 1.2), fine-grained access controls can be placed upon critical resources with regard to the identity of the running applets and applications, which are distinguished by where the code came from and who signed it. However, the Java platform still lacks the means to enforce access controls based on the identity of the user who runs the code. In this paper we describe the design and implementation of the Java/sup TM/ Authentication and Authorization Service (JAAS), a framework and programming interface that augments the Java/sup TM/ platform with both user-based authentication and access control capabilities.

Embedded menus: selecting items in context

In many situations, embedded menus represent an attractive alternative to the more traditional explicit menus, particularly in touchtext, spelling checkers, language-based program editors, and graphics-based systems.

Interprocedural analysis for privileged code placement and tainted variable detection

In Java 2 and Microsoft .NET Common Language Runtime (CLR), trusted code has often been programmed to perform access-restricted operations not explicitly requested by its untrusted clients. Since an untrusted client will be on the call stack when access control is enforced, an access-restricted operation will not succeed unless the client is authorized. To avoid this, a portion of the trusted code can be made “privileged.” When access control is enforced, privileged code causes the stack traversal to stop at the trusted code frame, and the untrusted code stack frames will not be checked for authorization. For large programs, manually understanding which portions of code should be made privileged is a difficult task. Developers must understand which authorizations will implicitly be extended to client code and make sure that the values of the variables used by the privileged code are not “tainted” by client code. This paper presents an interprocedural analysis for Java bytecode to automatically identify which portions of trusted code should be made privileged, ensure that there are no tainted variables in privileged code, and detect “unnecessary” and “redundant” privileged code. We implemented the algorithm and present the results of our analyses on a set of large programs. While the analysis techniques are in the context of Java code, the basic concepts are also applicable to non-Java systems with a similar authorization model.

Biometric authentication on a mobile device: a study of user effort, error and task disruption

We examine three biometric authentication modalities -- voice, face and gesture -- as well as password entry, on a mobile device, to explore the relative demands on user time, effort, error and task disruption. Our laboratory study provided observations of user actions, strategies, and reactions to the authentication methods. Face and voice biometrics conditions were faster than password entry. Speaking a PIN was the fastest for biometric sample entry, but short-term memory recall was better in the face verification condition. None of the authentication conditions were considered very usable. In conditions that combined two biometric entry methods, the time to acquire the biometric samples was shorter than if acquired separately but they were very unpopular and had high memory task error rates. These quantitative results demonstrate cognitive and motor differences between biometric authentication modalities, and inform policy decisions in selecting authentication methods.

Security challenges for enterprise Java in an e-business environment

As e-business matures, companies require enterprise-scalable functionality for their corporate Internet and intranet environments. To support the expansion of their computing boundaries, businesses have embraced Web application servers. These servers support servlets, JavaServer PagesTM, and Enterprise JavaBeansTM technologies, providing simplified development and flexible deployment of Web-based applications. However, securing this malleable model presents a challenge. Successful companies recognize that their security infrastructures need to address the e-business challenge. They are aware of the types of attacks that malevolent entities can launch against their servers and can plan appropriate defenses.

SABER: smart analysis based error reduction

In this paper, we present an approach to automatically detect high impact coding errors in large Java applications which use frameworks. These high impact errors cause serious performance degradation and outages in real world production environments, are very time-consuming to detect, and potentially cost businesses thousands of dollars. Based on 3 years experience working with IBM customer production systems, we have identified over 400 high impact coding patterns, from which we have been able to distill a small set of pattern detection algorithms. These algorithms use deep static analysis, thus moving problem detection earlier in the development cycle from production to development. Additionally, we have developed an automatic false positive filtering mechanism based on domain specific knowledge to achieve a level of usability acceptable to IBM field engineers. Our approach also provides necessary contextual information around the sources of the problems to help in problem remediation. We outline how our approach to problem determination can be extended to multiple programming models and domains. We have implemented this problem determination approach in the SABER tool and have used it successfully to detect many serious code defects in several large commercial applications. This paper shows results from four such applications that had over 60 coding defects.

GROOP: an object-oriented toolkit for animated 3D graphics

GROOP is an object-oriented toolkit for creating 3D computer graphics applications. It is designed for application developers who are not familiar with computer graphics, but are familiar with object-oriented programming. While application programmers are able to quickly create animated 3D graphical objects, the toolkit is also sophisticated enough for experience programmers. In addition to creating stationary 3D objects, the toolkit is used to construct animated objects. Sophisticated reusable articulated objects have been created for use in a variety of applications, similar to static 2D and 3D clip art available today.

Elements of visual language

The authors propose a structural classification and vocabulary for visual languages. The visual grammars that comprises the elements of such a language is defined. The usual elements are composed of: (1) the visual alphabet, a set of visual primitives in a visual language; (2) the visual syntax, compositions of primitives to form visual statements; (3) interaction, user-to-system communications; and (4) structure, rules combining sublanguages into a language. The classification of the visual elements is viewed as a linguistic description of visual language.<<ETX>>

The case for analysis preserving language transformation

Static analysis has gained much attention over the past few years in applications such as bug finding and program verification. As software becomes more complex and componentized, it is common for software systems and applications to be implemented in multiple languages. There is thus a strong need for developing analysis tools for multi-language software. We introduce a technique called Analysis Preserving Language Transformation (aplt) that enables the analysis of multi-language software, and also allows analysis tools for one language to be applied to programs written in another. aplt preserves data and control flow information needed to perform static analyses, but allows the translation to deviate from the original programs semantics in ways that are not pertinent to the particular analysis. We discuss major technical difficulties in building such a translator, using a C-to-Java translator as an example. We demonstrate the feasibility and effectiveness of aplt using two usage cases: analysis of the Java runtime native methods and reuse of Java analysis tools for C. Our preliminary results show that a control- and data-flow equivalent model for native methods can eliminate unsoundness and produce reliable results, and that aplt enables seamless reuse of analysis tools for checking high-level program properties.