Late 2012 and early 2013 saw a spike of new Java vulnerabilities being reported in 0-day attacks and used in the wild, that allowed bypass of the Java sandbox. These vulnerabilities were of a variety of types: unguarded caller-sensitive methods, unsafe use of doPrivileged, invalid deserialisation, invalid serialisation, and more. Oracle reacted quickly by making available patches and has now increased the scheduled patch update cycle to 4 releases a year.Unlike more traditional vulnerabilities such as buffer overflow and cross-site scripting that have been studied in the literature for many years, these new Java vulnerabilities lack a clear definition of what the corresponding security bug type is, and what rules apply to each bug type.In this paper we give an overview of one type of access control vulnerabilities that affects the Java platform-unguarded callersensitive method calls. The aim of the paper is to explain to the practitioner what the vulnerability is, why it happens in the context of the Java security model, and how to fix it. For the program analysis community, the aim is to define the security bug type, to be able to detect this type of vulnerability.
Enterprise environment often screens large-scale (millions of lines of code) codebases with static analysis tools to find bugs and vulnerabilities. Parfait is a static code analysis tool used in Oracle to find security vulnerabilities in industrial codebases. Recently, many studies show that there are complicated cryptographic vulnerabilities caused by misusing cryptographic APIs in Java
TM
1
. In this paper, we describe how we realize a precise and scalable detection of these complicated cryptographic vulnerabilities based on Parfait framework. The key challenge in the detection of cryptographic vulnerabilities is the high false alarm rate caused by pseudo-influences. Pseudo-influences happen if security-irrelevant constants are used in constructing security-critical values. Static analysis is usually unable to distinguish them from hard-coded constants that expose sensitive information. We tackle this problem by specializing the backward dataflow analysis used in Parfait with refinement insights, an idea from the tool CryptoGuard [20]. We evaluate our analyzer on a comprehensive Java cryptographic vulnerability benchmark and eleven large real-world applications. The results show that the Parfait-based cryptographic vulnerability detector can find real-world cryptographic vulnerabilities in large-scale codebases with high true-positive rates and low runtime cost.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.