Publication


Featured research published by Paolina Centonze.


ACM Sigsoft Software Engineering Notes | 2004

Static analysis of role-based access control in J2EE applications

Gleb Naumovich; Paolina Centonze

This work describes a new technique for analysis of Java 2, Enterprise Edition (J2EE) applications. In such applications, Enterprise Java Beans (EJBs) are commonly used to encapsulate the core computations performed on Web servers. Access to EJBs is protected by application servers, according to role-based access control policies that may be created either at development or deployment time. These policies may prohibit some types of users from accessing specific EJB methods. We present a static technique for analyzing J2EE access control policies with respect to security-sensitive fields of EJBs and other server-side objects. Our technique uses points-to analysis to determine which object fields are accessed by which EJB methods, directly or indirectly. Based on this information, J2EE access control policies are analyzed to identify potential inconsistencies that may lead to security holes.


International Symposium on Software Testing and Analysis | 2006

Role-Based access control consistency validation

Paolina Centonze; Gleb Naumovich; Stephen J. Fink; Marco Pistoia

Modern enterprise systems support Role-Based Access Control (RBAC). Although RBAC allows restricting access to privileged operations, a deployer may actually intend to restrict access to privileged data. This paper presents a theoretical foundation for correlating an operation-based RBAC policy with a data-based RBAC policy. Relying on a location consistency property, this paper shows how to infer whether an operation-based RBAC policy is equivalent to any data-based RBAC policy. We have built a static analysis tool for Java Platform, Enterprise Edition (Java EE) called Static Analysis for Validation of Enterprise Security (SAVES). Relying on interprocedural pointer analysis and dataflow analysis, SAVES analyzes Java EE bytecode to determine if the associated RBAC policy is location consistent, and reports potential security flaws where location consistency does not hold. The experimental results obtained by using SAVES on a number of production-level Java EE codes have identified several security flaws with no false positive reports.
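The two abstracts above (the 2004 J2EE work and the SAVES paper) both correlate an operation-based RBAC policy with the data the protected methods actually touch. The following is an added example, not code from SAVES or from either paper: the method-to-field access map that the tools derive by points-to analysis is supplied by hand as constructed sample input, and the consistency rule is a simplified reading of the abstract (every method that reaches a field must be open to the same set of roles, otherwise the operation-based policy has no data-based equivalent). The model deliberately ignores the read/write distinction, which the real analysis would track.

```python
"""Simplified location-consistency check for an operation-based RBAC policy.

Added example; not code from SAVES or the papers above. The field-access map
that interprocedural pointer analysis would produce is a constructed sample,
and the consistency rule is a simplified reading of the abstract.
"""
from collections import defaultdict

# Constructed sample: operation-based policy, EJB method -> roles allowed to call it.
OPERATION_POLICY = {
    "AccountBean.getBalance": {"customer", "teller", "auditor"},
    "AccountBean.setBalance": {"teller"},
    "AccountBean.exportReport": {"auditor", "customer"},
    "AccountBean.getOwner": {"customer", "teller", "auditor"},
}

# Constructed sample: method -> fields it reaches, directly or through callees
# (this is what the points-to analysis in the papers computes from bytecode).
FIELD_ACCESS = {
    "AccountBean.getBalance": {"Account.balance"},
    "AccountBean.setBalance": {"Account.balance", "Account.lastModifiedBy"},
    "AccountBean.exportReport": {"Account.balance", "Account.lastModifiedBy"},
    "AccountBean.getOwner": {"Account.owner"},
}


def infer_data_policy(op_policy, field_access):
    """Data-based policy implied by the operation-based one:
    field -> roles that can reach it through at least one permitted method."""
    data_policy = defaultdict(set)
    for method, fields in field_access.items():
        for field in fields:
            data_policy[field] |= op_policy.get(method, set())
    return dict(data_policy)


def find_inconsistencies(op_policy, field_access):
    """Return (field, method, extra_roles) triples.

    'extra_roles' are roles the operation-based policy denies on 'method' but
    that still reach 'field' through some other permitted method, so the
    restriction on 'method' does not actually protect the data."""
    data_policy = infer_data_policy(op_policy, field_access)
    findings = []
    for method, fields in sorted(field_access.items()):
        allowed = op_policy.get(method, set())
        for field in sorted(fields):
            extra = data_policy[field] - allowed
            if extra:
                findings.append((field, method, frozenset(extra)))
    return findings


def is_location_consistent(op_policy, field_access):
    """True when the operation-based policy is equivalent to a data-based one."""
    return not find_inconsistencies(op_policy, field_access)


if __name__ == "__main__":
    for field, method, extra in find_inconsistencies(OPERATION_POLICY, FIELD_ACCESS):
        print(f"{field}: {method} denies {sorted(extra)}, but they reach the field elsewhere")
```

On the constructed sample the policy is not location consistent: `setBalance` is restricted to tellers, yet `customer` and `auditor` reach `Account.balance` and `Account.lastModifiedBy` through `getBalance` and `exportReport`, and conversely `exportReport` excludes `teller` although tellers reach the same fields through `setBalance`. Whether each such finding is a real flaw depends on read/write semantics the simplified model does not carry.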


Annual Computer Security Applications Conference | 2007

Combining Static and Dynamic Analysis for Automatic Identification of Precise Access-Control Policies

Paolina Centonze; Robert J. Flynn; Marco Pistoia

Given a large component-based program, it may be very complex to identify an optimal access-control policy, allowing the program to execute with no authorization failures and no violations of the principle of least privilege. This paper presents a novel combination of static and dynamic analysis for automatic determination of precise access-control policies for programs that will be executed on stack-based access control systems, such as Java and the Common Language Runtime (CLR). The static analysis soundly models the execution of the program taking into account native methods, reflection, and multi-threaded code. The dynamic analysis interactively refines the potentially conservative results of the static analysis, with no need for writing or generating test cases or for restarting the system if an authorization failure occurs during testing, and no risk of corrupting the underlying system on which the analysis is performed. We implemented the analysis framework presented by this paper in an analysis tool for Java programs, called Access-Control Explorer (ACE). ACE allows for automatic, safe, and precise identification of access-right requirements and library-code locations that should be made privilege-asserting to prevent client code from requiring unnecessary access rights. This paper presents experimental results obtained on large production-level applications.


IBM Journal of Research and Development | 2009

Carbon management in assembly manufacturing logistics

Karthik Sourirajan; Paolina Centonze; Mary E. Helander; Kaan Katircioglu; Mondher Ben-Hamida; Chad Boucher

In this paper, we present the IBM Carbon Analyzer Tool, a software solution that models and quantifies carbon emissions and explores ways to reduce emissions through advanced analytics. The tool is designed to manage carbon emissions associated with the support logistics for an assembly manufacturing operation. The tool has four analytical modules. A shipment analysis module calculates carbon emissions from transportation activities and analyzes opportunities for reducing emissions by changing fuel types of vehicles and using larger vehicles that permit consolidated shipments. A sourcing analysis module compares sourcing alternatives, including changes to supplier locations, routing of shipments, frequency of orders, and transportation modes. A scenario analysis module explores various consolidation policies to minimize transportation, inventory, and carbon costs, subject to inventory availability requirements. A sensitivity analysis module quantifies the effects of changes to uncontrollable and uncertain inputs, such as manufacturing demand for components, carbon prices, and supplier reliability. The tool makes use of a Java™-based graphical user interface and an IBM® DB2® (Database 2) platform to manage input and output data. A pilot implementation of the solution, using actual customer data, showed that emissions and transportation costs can be reduced simultaneously by optimizing vehicle use, fuel types, and shipment consolidation. Achieving a 20%-30% reduction in emission was possible with minimal cost increase.


Mobile Data Management | 2015

Labyrinth: Visually Configurable Data-Leakage Detection in Mobile Applications

Marco Pistoia; Omer Tripp; Paolina Centonze; Joseph W. Ligman

Mobile devices have revolutionized many aspects of our lives. We use smartphones and tablets as portable computers and, often without realizing it, we run various types of security-sensitive programs on them, such as personal and enterprise email and instant-messaging applications, as well as social, banking, insurance and retail programs. These applications access and transmit over the network numerous pieces of private information, including our geographical location, device ID, contacts, calendar events, passwords, and health records, as well as credit-card, social-security, and bank-account numbers. Guaranteeing that no private information is exposed to unauthorized observers is very challenging given the level of complexity that these applications have reached. Furthermore, using program-analysis tools with out-of-the-box configurations in order to detect confidentiality violations may not yield the desired results because only a few pieces of private data, such as the device's ID and geographical location, are obtained from standard sources. The majority of confidentiality sources (such as credit-card and bank-account numbers) are application-specific and require careful configuration. This paper presents Labyrinth, a run-time privacy enforcement system that automatically detects leakage of private data originating from standard as well as application-specific sources. Labyrinth features several novel contributions: (i) it allows for visually configuring, directly atop the application's User Interface (UI), the fields that constitute custom sources of private data, (ii) it does not require operating-system instrumentation, but relies only on application-level instrumentation and on a proxy that intercepts the communication between the mobile device and the back-end servers, and (iii) it performs an enhanced form of value-similarity analysis to detect data leakage even when sensitive data (such as a password) has been encoded or hashed. Labyrinth supports both Android and iOS. We have evaluated Labyrinth experimentally, and in this paper we report results on production-level applications.


2017 IEEE/ACM 4th International Conference on Mobile Software Engineering and Systems (MOBILESoft) | 2017

Dynamic encryption key security scheme (DEKSS) for mobile and cloud systems

Stephen Rodriguez; Paolina Centonze

Our Dynamic Encryption Key Security Scheme (DEKSS) is a novel security strategy that utilizes a secure architecture to dispatch and manage data through multiple Cloud Service Providers (CSP). This strategy can promise data security for both clients and service providers without impacting the other party negatively. While there are limitations in being truly secure, such as those recognized by WhiteHat security in their annual reports [1], our security scheme can effectively secure data through being able to fold data in as many encrypted layers as desired for every table name and column of data stored. Through this approach, we have found it applicable to a variety of different audiences in the cloud security space.


2016 IEEE/ACM International Conference on Mobile Software Engineering and Systems (MOBILESoft) | 2016

Cross-platform access-rights analysis of mobile applications

Walter Squires; Paolina Centonze

We live in the era of mobile computing. Mobile devices have more sensors and more capabilities than desktop computers. For any computing device that contains sensitive information and accesses the Internet, security is a major concern for both enterprises and end-users. Of the mobile devices commonly in use, iOS and Android are the prevalent platforms; each platform has a unique architecture and security policy relating to how they handle these sensitive permissions; due to these differences one platform is likely more secure than the other. A deep static and dynamic analysis of the applications available for each platform was conducted in order to determine on which overprivileged applications were more prevalent.


International Workshop on Mobile Development Lifecycle | 2015

Automatic detection, correction, and visualization of security vulnerabilities in mobile apps

Marco Pistoia; Omer Tripp; Pietro Ferrara; Paolina Centonze

Mobile devices have revolutionized many aspects of our lives. We use them as portable computers and, often without realizing it, we run various types of security-sensitive programs on them, such as personal and enterprise email and instant-messaging applications, as well as social, banking, insurance and retail programs. These applications access and transmit over the network numerous pieces of private information. Guaranteeing that such information is not exposed to unauthorized observers is very challenging given the level of complexity that these applications have reached. Furthermore, using program-analysis tools with out-of-the-box configurations in order to detect confidentiality violations may not yield the desired results because only a few pieces of private data, such as the device's ID and geographical location, are obtained from standard sources. The majority of confidentiality sources (such as credit-card and bank-account numbers) are application-specific and require careful configuration. This paper presents Astraea, a privacy-enforcement system for Android and iOS that dynamically detects and repairs leakage of private data originating from standard as well as application-specific sources. Astraea features several novel contributions: (i) it allows for visually configuring, directly atop the application's User Interface (UI), the fields that constitute custom sources of private data; (ii) it relies on application-level instrumentation, without interfering with the underlying operating system; (iii) it performs an enhanced form of value-similarity analysis to detect and repair data leakage even when sensitive data has been encoded or hashed, and (iv) it displays the results of the privacy analysis on top of a visual representation of the application's UI.
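Both the Labyrinth and the Astraea abstracts rest on a value-similarity analysis that still recognizes a private value after it has been encoded or hashed. The block below is an added example and not code from either system; it implements the simplest version of that idea. Values an analyst has marked as private (a constructed password and card number standing in for fields configured atop the app's UI) are compared against each outbound request body not only verbatim but also under common transformations (base64, hex, URL-encoding, MD5/SHA-1/SHA-256 digests), the way a proxy sitting between the device and the back end could check them. The requests are constructed sample input; the real tools' transformation set and matching heuristics are not described on this page.

```python
"""Value-similarity check for private data in outbound requests.

Added example; not Labyrinth or Astraea code. Private values and request
bodies are constructed samples; the transformation list is an assumption.
"""
import base64
import hashlib
import urllib.parse

# Transformations whose output is hex, so the comparison ignores letter case.
CASE_INSENSITIVE = {"hex", "md5", "sha1", "sha256"}


def candidate_forms(value: str) -> dict:
    """Map transformation name -> how 'value' would look after that transformation."""
    raw = value.encode()
    forms = {
        "plain": value,
        "base64": base64.b64encode(raw).decode(),
        "hex": raw.hex(),
        "urlencoded": urllib.parse.quote(value, safe=""),
    }
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, raw).hexdigest()
    return forms


def find_leaks(private_values: dict, requests: list) -> list:
    """Return (request_index, field_label, transformation) for every private
    value that appears in a request body in any of its candidate forms.
    One report per (request, value) pair: the first matching form wins."""
    findings = []
    for idx, body in enumerate(requests):
        for label, value in private_values.items():
            for name, form in candidate_forms(value).items():
                if name in CASE_INSENSITIVE:
                    hit = form.lower() in body.lower()
                else:
                    hit = form in body
                if hit:
                    findings.append((idx, label, name))
                    break
    return findings


# Constructed sample: fields the analyst marked as private sources.
PRIVATE = {"password": "hunter2!", "card_number": "4111111111111111"}

# Constructed sample: outbound request bodies as a proxy would see them.
# Request 1 mimics an app that hashes the card number before sending it;
# request 3 mimics one that base64-encodes the password into a token.
REQUESTS = [
    "POST /login user=alice&pass=hunter2%21",
    'POST /analytics {"uid":"' + hashlib.sha256(b"4111111111111111").hexdigest() + '"}',
    "GET /status?build=42",
    "POST /sync token=" + base64.b64encode(b"hunter2!").decode(),
]


if __name__ == "__main__":
    for idx, label, name in find_leaks(PRIVATE, REQUESTS):
        print(f"request {idx}: {label} leaked as {name}")
```

Request 0 carries the password URL-encoded, request 1 the SHA-256 of the card number, and request 3 the base64-encoded password; request 2 is clean. A production check would also need to handle values split across fields, salted hashes, and nested encodings, none of which this plain substring comparison catches.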


European Conference on Object-Oriented Programming | 2015

Access-rights Analysis in the Presence of Subjects

Paolina Centonze; Marco Pistoia; Omer Tripp

Modern software development and run-time environments, such as Java and the Microsoft .NET Common Language Runtime (CLR), have adopted a declarative form of access control. Permissions are granted to code providers, and during execution, the platform verifies compatibility between the permissions required by a security-sensitive operation and those granted to the executing code. While convenient, configuring the access-control policy of a program is not easy. If a code component is not granted sufficient permissions, authorization failures may occur. Thus, security administrators tend to define overly permissive policies, which violate the Principle of Least Privilege (PLP). A considerable body of research has been devoted to building program-analysis tools for computing the optimal policy for a program. However, Java and the CLR also allow executing code under the authority of a subject (user or service), and no program-analysis solution has addressed the challenges of determining the policy of a program in the presence of subjects. This paper introduces Subject Access Rights Analysis (SARA), a novel analysis algorithm for statically computing the permissions required by subjects at run time. We have applied SARA to 348 libraries in IBM WebSphere Application Server, a commercial enterprise application server written in Java that consists of >2 million lines of code and is required to support the Java permission- and subject-based security model. SARA detected 263 PLP violations, 219 cases of policies with missing permissions, and 29 bugs that led code to be unnecessarily executed under the authority of a subject. SARA corrected all these vulnerabilities automatically, and additionally synthesized fresh policies for all the libraries, with a false-positive rate of 5% and an average running time of 103 seconds per library. SARA also implements mechanisms for mitigating the risk of false negatives due to reflection and native code; according to a thorough result evaluation based on testing, no false negative was detected. SARA enabled IBM WebSphere Application Server to receive the Common Criteria for Information Technology Security Evaluation Assurance Level 4 certification.


Archive | 2008

Method and system for run-time dynamic and interactive identification of software authorization requirements and privileged code locations, and for validation of other software program analysis results

Paolina Centonze; José Gabriel Rodríguez Carneiro Gomes; Marco Pistoia
