Static analysis for finding security inconsistencies between similar implementations

Access full-text files

Date

2010-05

Authors

Srivastava, Varun

Journal Title

Journal ISSN

Volume Title

Publisher

Abstract

The proliferation of distributed, multilayer software services is encouraging a separation of Application Programming Interfaces (APIs) and their implementation, and thus multiple implementations of the same API. Increasing number of platforms are following the Software As A Service (SAAS) model [2,18,20,31], which encourages multiple implementations of the same functionality. To work securely and seamlessly on top of these platforms, software applications rely on consistent implementations of APIs. Vulnerabilities, or interoperability bugs due to differences in security semantics in these APIs, can be exploited to break the security of applications using them. Previous techniques for finding security vulnerabilities and verifying security properties, require manually provided security specifications, which limits their scope [9,11,19]. Techniques which automatically extract security policies tend to have a large number of false positives [41].

This work proposes a novel method for automatically extracting security policies and then differencing them to exploit multiple implementations of the same functionality to find errors. We perform context-sensitive, interprocedural forward dataflow analysis to extract the security policies from each implementation and difference them. Determining which security policy is correct is difficult. Instead, we exploit the fact that multiple implementations of the same API should have consistent security semantics, i.e., we do not determine which one is correct, but which one(s) are different.

We compare the Sun, Harmony and Classpath Java Virtual Machine libraries using our approach and produce very encouraging results. Our approach finds 15 unique cases of security-relevant semantic differences (manifested in 46 APIs) between Sun and Harmony, and 18 cases of security-relevant semantic differences (manifested in 303 APIs) between Sun and Classpath. All these semantic differences are either exploitable vulnerabilities, or bugs resulting in interoperability issues. The approach is effective for accurately finding security vulnerabilities. It takes advantage of the fact that multiple implementations of APIs should have the same security semantics.

Description

LCSH Subject Headings

Citation