
Publication


Featured research published by Takaaki Tateishi.


international conference on software engineering | 2009

Modular string-sensitive permission analysis with demand-driven precision

Emmanuel Geay; Marco Pistoia; Takaaki Tateishi; Barbara G. Ryder; Julian Dolby

In modern software systems, programs are obtained by dynamically assembling components. This has made it necessary to subject component providers to access-control restrictions. What permissions should be granted to each component? Too few permissions may cause run-time authorization failures, too many constitute a security hole. We have designed and implemented a composite algorithm for precise static permission analysis for Java and the CLR. Unlike previous work, the analysis is modular and fully integrated with a novel slicing-based string analysis that is used to statically compute the string values defining a permission and disambiguate permission propagation paths. The results of our research prototype on production-level Java code support the effectiveness, practicality, and precision of our techniques, and show outstanding improvement over previous work.


formal methods | 2013

Path- and index-sensitive string analysis based on monadic second-order logic

Takaaki Tateishi; Marco Pistoia; Omer Tripp

We propose a novel technique for statically verifying the strings generated by a program. The verification is conducted by encoding the program in Monadic Second-order Logic (M2L). We use M2L to describe constraints among program variables and to abstract built-in string operations. Once we encode a program in M2L, a theorem prover for M2L, such as MONA, can automatically check if a string generated by the program satisfies a given specification, and if not, exhibit a counterexample. With this approach, we can naturally encode relationships among strings, accounting also for cases in which a program manipulates strings using indices. In addition, our string analysis is path sensitive in that it accounts for the effects of string and Boolean comparisons, as well as regular-expression matches. We have implemented our string analysis algorithm, and used it to augment an industrial security analysis for Web applications by automatically detecting and verifying sanitizers—methods that eliminate malicious patterns from untrusted strings, making these strings safe to use in security-sensitive operations. On the 8 benchmarks we analyzed, our string analyzer discovered 128 previously unknown sanitizers, compared to 71 sanitizers detected by a previously presented string analysis.


international conference on web services | 2007

Verifying the Consistency of Security Policies by Abstracting into Security Types

Kouichi Ono; Yuichi Nakamura; Fumiko Satoh; Takaaki Tateishi

The service-oriented architecture (SOA) makes application development easier, because applications can be built from existing services with a bottom-up methodology. However, it is difficult to determine if a desired new service can be built from existing services. Not only the functional consistency of the existing services, but also the consistency of their non-functional (such as security) aspects must be verified. Message protection is an aspect of security. Every service needs an appropriate security policy defining the protection of messages exchanged between the parties to the service. Because of the intricacy of the Web services security policy language, it is difficult to verify the consistency of the security policies. We are developing a method to verify the consistency of security policies by abstracting them. Each security policy is abstracted, and then attached as a security type to the corresponding service in the application model. The security type denotes a security level for message protection. The security developer defines the possible abstraction methods. In this paper, we define the constraint of abstraction methods based on the semantics of the policy language. And also we state verifying the consistency of security types by using information flow analysis.


integrated network management | 2011

Static discovery and remediation of code-embedded resource dependencies

Nikolai Joukov; Vasily Tarasov; Joel Ossher; Birgit Pfitzmann; Sergej Chicherin; Marco Pistoia; Takaaki Tateishi

Many enterprises perform data-center transformation, consolidation, and migration in order to improve the efficiency of their IT infrastructures. These transformation projects begin with the discovery of the existing infrastructure, in particular the dependencies between applications. These dependencies are needed in planning, in order to determine how components influence one another, and in relinking, so that the component names and addresses can be updated. Typically, dependency discovery is done by network monitoring and middleware configuration analysis. These existing approaches will often fail to detect dependencies expressed in the application code. In this paper, we present the first method and tool for automatically identifying code-embedded external dependencies in Java Enterprise Edition applications. In addition, our tool can automatically alter the application code to update the dependencies, or externalize them to configuration files. We analyzed over 1000 Java EE applications from three enterprise environments. The results demonstrate the prevalence of code-embedded dependencies that would otherwise have to be identified manually, often causing failures during user-acceptance testing.


international conference on universal access in human computer interaction | 2007

DHTML accessibility checking based on static JavaScript analysis

Takaaki Tateishi; Hisashi Miyashita; Tabuchi Naoshi; Shin Saito; Kouichi Ono

DHTML accessibility is being standardized by W3C, which provides metadata for UI widgets commonly implemented by HTML and JavaScript. However, it is difficult to check that webpages always have correct metadata according to the standards of DHTML accessibility since UI widgets can be updated by JavaScript programs. Thus we propose a technique for checking accessibility of UI widgets. In this check, we use static program analysis techniques so that we can check accessibility without executing a program. In addition, we developed a prototype system based on the proposed technique and applied it to a simple DHTML application.


automated software engineering | 2006

Automated Verification Tool for DHTML

Takaaki Tateishi; Hisashi Miyashita; Kouichi Ono; Shin Saito

Automated verification for client-side programs of DHTML applications has become necessary. This is because DHTML applications are increasingly complicated in order to enhance the functionality and usability of dynamic Web content. We are therefore motivated to create a tool for automatically verifying a JavaScript program of a DHTML application against a specification describing the page flows. The verification is based on a type inference technique focusing on DOM updates


asia-pacific software engineering conference | 2007

Reducing Unnecessary Conservativeness in Access Rights Analysis with String Analysis

Mika Koganeyama; Naoshi Tabuchi; Takaaki Tateishi

The Java™ 2 runtime system has a security mechanism which guarantees the code under execution has appropriate access permissions to a certain system resource. Use of this security mechanism requires access control policies to specify what operations are permitted on each such resource at each program point. Previous work proposed a program analysis algorithm to statically infer a semi-optimal policy set from given program text. However the proposed method cannot calculate the optimal policy when the target resource is determined by string values at run-time, since it does not keep track of all potential string values generated through built-in or user-defined methods. This results in generating excessive access policies where actually unnecessary resource accesses are permitted. To overcome such limitations, we apply static string analysis to program variables relevant to access control policies. This paper shows that unnecessary permissions can be reduced with string analysis by applying it to analyzing open-source libraries.


asia-pacific software engineering conference | 2007

Secure Behavior of Web Browsers to Prevent Information Leakages

Takaaki Tateishi; Naoshi Tabuchi

Recently Web browsers are widely used as client-side application platforms beyond the traditional use of Web browsers. One of main reasons for such evolution of the browsers is the client-side JavaScript language that can execute programs embedded in a document. However, Web applications with client-side JavaScript programs have problems of leaking private information (such as cookie information) due to interactions between the browser and scripts embedded in the document. We propose a new calculus representing browser behavior that prevents information from leakage by means of language-based information flow. The proposed calculus can deal with script rewriting and higher-order functions. In addition, our calculus has a noninterference property depending on a security policy statically given by the user.


Journal of Information Processing | 2016

Editor's Message to Special Issue on Software Engineering

Takaaki Tateishi

Software engineering is a research area that covers theories and technologies of various aspects of software lifecycle including development and maintenance. In recent years, requirements to software quality and productivity are being changed in response to rapid changes in IT environment as social infrastructure. Software engineering research has to find and solve current and prospective problems on practical software developments. Toward this situation, wide-ranging scientific and/or engineering approaches are needed, which includes new principles of software engineering based on theoretical researches and demonstrational experiments based on empirical researches in addition to long succession of universal fundamental theoretical researches. Furthermore, it is significantly important to integrate the multiple approaches and to find reliable and practical solutions. Because of this background, IPSJ Special Interest Group on Software Engineering (SIGSE), holds many events (e.g.: symposiums, workshops, research meetings), and calls on many software engineering researchers and software engineers to join the events, in order to share wide-ranging knowledge including theoretical research results and experiences of practice among researchers, engineers, and practitioners. This special issue is also designed as a part of these activities. This special issue invited new research results and experiences about all aspects of software engineering. In addition, the editorial committee promoted submissions of papers to both this special issue and Software Engineering Symposium (SES) 2015, sponsored by SIGSE, in order to accelerate submissions of excellent papers and to drive contributions to society. This collaboration with SES is continuing from 2011. The editorial committee accepted 4 papers out of 22 papers submitted to this special issue through peer review meetings. The editorial committee made a lot of efforts to clarify the acceptance conditions for the conditionally accepted papers at the first peer review meeting, and to make review reports useful for revising papers that were not accepted. The accepted papers cover topics about requirements specification, code analysis, programming, and project management. Lastly, I would like to thank all the authors of the papers for their submissions to this special issue, the editorial committee of Journal of Information Processing for admitting this special issue, and all the reviewers and the editorial committees of this special issue for their invaluable contributions to the review process.


Archive | 2007

Systems, methods and computer program products for string analysis with security labels for vulnerability detection

Kouichi Ono; Mika Saito; Naoshi Tabuchi; Takaaki Tateishi
