Abstract: When servers manage resources on behalf of multiple, mutually distrusting clients, they must mediate access to those resources to ensure that each client request complies with an authorization policy. This goal is typically achieved by placing authorization hooks at appropriate locations in server code. The goal of authorization hook placement is to completely mediate all security-sensitive operations on shared resources. To date, authorization hook placement in code bases, such as the X server and postgresql, h…
“…However, over time the amount of information that programmers must specify has been reduced. In our prior work, we infer security-sensitive operations only using the sources of untrusted inputs and language-specific lookup functions [13].…”
Section: Background On Hook Placement
“…Second, such placements might lead to redundant authorization, as one hook may already perform the same authorization as another hook that it dominates. In our prior work, we have suggested techniques to remove hooks that authorize structure member accesses redundantly [13]. However, this approach still does not result in a placement that has a one-to-one correspondence with hooks placed manually by domain experts.…”
Section: Background On Hook Placement
“…In the figure, hooks placed by the programmer have prefixes such as m1:: and hooks placed by an automated tool [13] have prefixes such as h1::. The function MAPWINDOW performs the operation write(pWin→mapped) on the window, which makes the window viewable.…”
Section: How Manual Placements Differ
“…We provide some background on our prior research [13] in automatically identifying the set O of security-sensitive operations (SSOs) in programs using static analysis. Each SSO is represented using a variable v and a set of read and write structure member accesses on the variable.…”
Abstract. Many security-sensitive programs manage resources on behalf of mutually distrusting clients. To control access to resources, authorization hooks are placed before operations on those resources. Manual hook placements by programmers are often incomplete or incorrect, leading to insecure programs. We advocate an approach that automatically identifies the set of locations to place authorization hooks that mediates all security-sensitive operations in order to enforce expected access control policies at deployment. However, one challenge is that programmers often want to minimize the effort of writing such policies. As a result, they may remove authorization hooks that they believe are unnecessary, but they may remove too many hooks, preventing the enforcement of some desirable access control policies. In this paper, we propose algorithms that automatically compute a minimal authorization hook placement that satisfies constraints that describe desirable access control policies. These authorization constraints reduce the space of enforceable access control policies; i.e., those policies that can be enforced given a hook placement that satisfies the constraints. We have built a tool that implements this authorization hook placement method, demonstrating how programmers can produce authorization hooks for real-world programs and leverage policy goal-specific constraint selectors to automatically identify many authorization constraints. Our experiments show that our technique reduces manual programmer effort by as much as 58% and produces placements that reduce the amount of policy specification by as much as 30%.
“…Static taint analysis does not incur runtime overhead, but may report false errors. It has been used for identifying vulnerabilities [50,51,52,53,54], for helping symbolic execution [55], and for identifying where authorization hooks should be placed in an access-control system [56].…”
A Foreign Function Interface (FFI) allows one host programming language to interoperate with another foreign language. It enables efficient software development by permitting developers to assemble components in different languages. One typical FFI is the Java Native Interface (JNI), through which Java programs can invoke native-code components developed in C, C++, or assembly code. Although FFIs bring convenience to software development, interface code developed in FFIs is often error prone because of the lack of safety and security enforcement. This paper introduces a static-analysis framework, TurboJet, which finds exception-related bugs in JNI applications. It finds bugs of inconsistent exception declarations and bugs of mishandling JNI exceptions. TurboJet is carefully engineered to achieve both high efficiency and accuracy. We have applied TurboJet on a set of benchmark programs and identified many errors. We have also implemented a practical Eclipse plug-in based on TurboJet that can be used by JNI programmers to find errors in their code.