DOI: 10.1145/1368310.1368327
Research article, ASIA CCS Conference Proceedings (ACM Conferences)

CMV: automatic verification of complete mediation for java virtual machines

Published: 18 March 2008

Abstract

Runtime monitoring systems play an important role in system security, and verification efforts that ensure that these systems satisfy certain desirable security properties are growing in importance. One such security property is complete mediation, which requires that sensitive operations are performed by a piece of code only after the monitoring system authorizes these actions. In this paper, we describe a verification technique that is designed to check for the satisfaction of this property directly on code from the Java standard libraries. We describe a tool, CMV, that implements this technique and automatically checks shrink-wrapped Java bytecode for the complete mediation property. Experimental results from running our tool over several thousand lines of bytecode from the Java libraries suggest that our approach is scalable and leads to a very significant reduction in the human effort required for system verification.




Published In

ASIACCS '08: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security
March 2008, 399 pages
ISBN: 9781595939791
DOI: 10.1145/1368310
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. complete mediation
2. runtime monitoring

Qualifiers

• Research-article

Conference

Asia CCS '08

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Article Metrics

• Downloads (Last 12 months): 6
• Downloads (Last 6 weeks): 2
Reflects downloads up to 08 Feb 2025

Cited By

• (2021) Detecting Node.js prototype pollution vulnerabilities via object lookup analysis. Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 268-279. DOI: 10.1145/3468264.3468542. Online publication date: 20-Aug-2021.
• (2020) Awareness and Working Knowledge of Secure Design Principles: A User Study. HCI for Cybersecurity, Privacy and Trust, pages 3-15. DOI: 10.1007/978-3-030-50309-3_1. Online publication date: 10-Jul-2020.
• (2015) Vetting SSL Usage in Applications with SSLINT. Proceedings of the 2015 IEEE Symposium on Security and Privacy, pages 519-534. DOI: 10.1109/SP.2015.38. Online publication date: 17-May-2015.
• (2011) On-device control flow verification for Java programs. Proceedings of the Third International Conference on Engineering Secure Software and Systems, pages 43-57. DOI: 10.5555/1946341.1946347. Online publication date: 9-Feb-2011.
• (2011) RoleCast. ACM SIGPLAN Notices 46(10), pages 1069-1084. DOI: 10.1145/2076021.2048146. Online publication date: 22-Oct-2011.
• (2011) RoleCast. Proceedings of the 2011 ACM International Conference on Object Oriented Programming Systems Languages and Applications, pages 1069-1084. DOI: 10.1145/2048066.2048146. Online publication date: 22-Oct-2011.
• (2011) A security policy oracle. Proceedings of the 32nd ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 343-354. DOI: 10.1145/1993498.1993539. Online publication date: 4-Jun-2011.
• (2011) A security policy oracle. ACM SIGPLAN Notices 46(6), pages 343-354. DOI: 10.1145/1993316.1993539. Online publication date: 4-Jun-2011.
• (2011) On-Device Control Flow Verification for Java Programs. Engineering Secure Software and Systems, pages 43-57. DOI: 10.1007/978-3-642-19125-1_4. Online publication date: 2011.
• (2009) Efficient IRM enforcement of history-based access control policies. Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, pages 35-46. DOI: 10.1145/1533057.1533066. Online publication date: 10-Mar-2009.
