Acta Electronica Sinica, 2013

A Fully Automatic Detection Method for the Security Policy of the JVM Runtime Library

DOI: 10.3969/j.issn.0372-2112.2013.01.028, PP. 161-165

Keywords: security policy, control flow graph, taint analysis, method summary


Abstract:

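By invoking the security manager class among its own library functions, the JVM runtime library can implement a variety of security policies. One very important policy is to guarantee that a program performs the corresponding access-control permission check before it executes a sensitive operation. Traditionally, manual analysis has been relied on to ensure that the JVM runtime library satisfies this policy. Because the Java standard class library covers thousands of classes and tens of thousands of methods and is evolving rapidly, manual analysis is time-consuming, laborious and error-prone. This paper proposes a fully automatic, efficient and fast model-checking method to evaluate whether the JVM complies with this security policy: it scans the bytecode files of the Java standard class library, generates control flow graphs for the member methods of each class, defines a checking model, combines it with taint analysis to compute the methods, and automatically detects risky methods.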
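One way to test the policy "permission check before every sensitive operation" on control flow graphs, as an added example that is not the paper's algorithm or code: a forward must-analysis with per-method summaries (taint analysis is not covered). The CFGs, method names and node labels are constructed assumptions, and a single permission is assumed.

```python
# Constructed sample CFGs: method names, node ids and labels are assumptions
# for illustration, not data from the paper. Node 0 is the method entry.
# node -> (kind, target, successors); kind: "check", "sensitive", "call", "plain"
METHODS = {  # listed callees first
    "openRaw": {0: ("sensitive", "nativeOpen", [])},  # helper, no check
    "safeOpen": {0: ("check", "checkRead", [1]),      # check, then call
                 1: ("call", "openRaw", [])},
    "fastOpen": {0: ("plain", None, [1, 2]),          # one branch skips check
                 1: ("check", "checkRead", [2]),
                 2: ("call", "openRaw", [])},
}

def analyze(cfg, summaries):
    """Return (nodes reached unchecked that do sensitive work, all exits checked)."""
    preds = {n: [] for n in cfg}
    for n, (_, _, succs) in cfg.items():
        for s in succs:
            preds[s].append(n)
    out = {n: True for n in cfg}  # optimistic start, lowered to a fixpoint

    def checked_in(n):  # True only if EVERY path from the entry has checked
        return n != 0 and all(out[p] for p in preds[n])

    changed = True
    while changed:
        changed = False
        for n, (kind, target, _) in cfg.items():
            callee_checks = kind == "call" and summaries[target][1]
            new = checked_in(n) or kind == "check" or callee_checks
            if new != out[n]:
                out[n], changed = new, True
    risky = [n for n, (kind, target, _) in cfg.items()
             if (kind == "sensitive" or (kind == "call" and summaries[target][0]))
             and not checked_in(n)]
    exits_checked = all(out[n] for n, (_, _, succs) in cfg.items() if not succs)
    return risky, exits_checked

def risky_entry_points(methods, entry_points):
    """Summarise each method (callees first, no recursion) and report entry points."""
    summaries = {}  # name -> (has unchecked sensitive op, checks on every exit)
    for name, cfg in methods.items():
        risky, exits_checked = analyze(cfg, summaries)
        summaries[name] = (bool(risky), exits_checked)
    return sorted(m for m in entry_points if summaries[m][0])

if __name__ == "__main__":
    print(risky_entry_points(METHODS, {"safeOpen", "fastOpen"}))
```

The unchecked helper is reported only through the entry point that can reach it without a check, which is the property a reviewer of a runtime library needs to see.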
