Jalapa: Securing Java with Local Policies Tool Demonstration

AbstractWe present Jalapa, a tool for securing Java bytecode programs with history-based usage policies. Policies are defined by usage automata, that recognize the forbidden execution histories. Usage automata are expressive enough to allow programmers specify of many real-world usage policies; yet, they are simple enough to permit formal reasoning. Programmers can sandbox untrusted pieces of code with usage policies. The Jalapa tool rewrites the Java bytecode by adding the hooks for the mechanism that enforces the given policies at run-time

12th International Workshop on Termination (WST 2012) : WST 2012, February 19–23, 2012, Obergurgl, Austria / ed. by Georg Moser

This volume contains the proceedings of the 12th International Workshop on Termination (WST 2012), to be held February 19–23, 2012 in Obergurgl, Austria. The goal of the Workshop on Termination is to be a venue for presentation and discussion of all topics in and around termination. In this way, the workshop tries to bridge the gaps between different communities interested and active in research in and around termination. The 12th International Workshop on Termination in Obergurgl continues the successful workshops held in St. Andrews (1993), La Bresse (1995), Ede (1997), Dagstuhl (1999), Utrecht (2001), Valencia (2003), Aachen (2004), Seattle (2006), Paris (2007), Leipzig (2009), and Edinburgh (2010). The 12th International Workshop on Termination did welcome contributions on all aspects of termination and complexity analysis. Contributions from the imperative, constraint, functional, and logic programming communities, and papers investigating applications of complexity or termination (for example in program transformation or theorem proving) were particularly welcome. We did receive 18 submissions which all were accepted. Each paper was assigned two reviewers. In addition to these 18 contributed talks, WST 2012, hosts three invited talks by Alexander Krauss, Martin Hofmann, and Fausto Spoto

AppGuard — fine-grained policy enforcement for untrusted android applications

Android’s success makes it a prominent target for malicious software. However, the user has very limited control over security-relevant operations. This work presents AppGuard, a powerful and flexible security system that overcomes these deficiencies. It enforces user-defined security policies on untrusted Android applications without requiring any changes to a smartphone’s firmware, root access, or the like. Finegrained and stateful security policies are expressed in a formal specification language, which also supports secrecy requirements. Our system offers complete mediation of security-relevant methods based on calleesite inline reference monitoring and supports widespread deployment. In the experimental analysis we demonstrate the removal of permissions for overly curious apps as well as how to defend against several recent real-world attacks on Android phones. Our technique exhibits very little space and runtime overhead. The utility of AppGuard has already been demonstrated by more than 1,000,000 downloads

Preventing Supply Chain Vulnerabilities in Java with a Fine-Grained Permission Manager

Integrating third-party packages accelerates modern software engineering, but introduces the risk of software supply chain vulnerabilities. Vulnerabilities in applications' dependencies are being exploited worldwide. Often, these exploits leverage features that are present in a package, yet unneeded by an application. Unfortunately, the current generation of permission managers, such as SELinux, Docker containers, and the Java Security Manager, are too coarse-grained to usefully support engineers and operators in mitigating these vulnerabilities. Current approaches offer permissions only at the application's granularity, lumping legitimate operations made by safe packages with illegitimate operations made by exploited packages. This strategy does not reflect modern engineering practice. we need a permission manager capable of distinguishing between actions taken by different packages in an application's supply chain. In this paper, we describe Next-JSM, the first fine-grained ("supply chain aware") permission manager for Java applications. Next-JSM supports permission management at package-level granularity. Next-JSM faces three key challenges: operating on existing JVMs and without access to application or package source code, minimizing performance overhead in applications with many packages, and helping operators manage finer-grained permissions. We show that these challenges can be addressed through bytecode rewriting; appropriate data structures and algorithms; and an expressive permission notation plus automated tooling to establish default permission. In our evaluation, we report that Next-JSM mitigates 11 of the 12 package vulnerabilities we evaluated and incurs an average 2.72% overhead on the Dacapobench benchmark. Qualitatively, we argue that Next-JSM addresses the shortcomings of the (recently deprecated) Java Security Manager (JSM).Comment: 15 pages, 5 figures, 5 table

Shortening Time-to-Discovery with Dynamic Software Updates for Parallel High Performance Applications

Despite using multiple concurrent processors, a typical high performance parallel application is long-running, taking hours, even days to arrive at a solution. To modify a running high performance parallel application, the programmer has to stop the computation, change the code, redeploy, and enqueue the updated version to be scheduled to run, thus wasting not only the programmer’s time, but also expensive computing resources. To address these inefficiencies, this article describes how dynamic software updates can be used to modify a parallel application on the fly, thus saving the programmer’s time and using expensive computing resources more productively. The net effect of updating parallel applications dynamically reduces their time-to-discovery metrics, the total time it takes from posing a problem to arriving at a solution. To explore the benefits of dynamic updates for high performance applications, this article takes a two-pronged approach. First, we describe our experience in building and evaluating a system for dynamically updating applications running on a parallel cluster. We then review a large body of literature describing the existing state of the art in dynamic software updates and point out how this research can be applied to high performance applications. Our experimental results indicate that dynamic software updates have the potential to become a powerful tool in reducing the time-to-discovery metrics for high performance parallel applications

Size-Change Termination as a Contract

Termination is an important but undecidable program property, which has led to a large body of work on static methods for conservatively predicting or enforcing termination. One such method is the size-change termination approach of Lee, Jones, and Ben-Amram, which operates in two phases: (1) abstract programs into "size-change graphs," and (2) check these graphs for the size-change property: the existence of paths that lead to infinite decreasing sequences. We transpose these two phases with an operational semantics that accounts for the run-time enforcement of the size-change property, postponing (or entirely avoiding) program abstraction. This choice has two key consequences: (1) size-change termination can be checked at run-time and (2) termination can be rephrased as a safety property analyzed using existing methods for systematic abstraction. We formulate run-time size-change checks as contracts in the style of Findler and Felleisen. The result compliments existing contracts that enforce partial correctness specifications to obtain contracts for total correctness. Our approach combines the robustness of the size-change principle for termination with the precise information available at run-time. It has tunable overhead and can check for nontermination without the conservativeness necessary in static checking. To obtain a sound and computable termination analysis, we apply existing abstract interpretation techniques directly to the operational semantics, avoiding the need for custom abstractions for termination. The resulting analyzer is competitive with with existing, purpose-built analyzers

Towards an aspect weaving BPEL engine

This position paper proposes the use of dynamic aspects and the visitor design pattern to obtain a highly configurable and extensible BPEL engine. Using these two techniques, the core of this infrastructural software can be customised to meet new requirements and add features such as debugging, execution monitoring, or changing to another Web Service selection policy. Additionally, it can easily be extended to cope with customer-specific BPEL extensions. We propose the use of dynamic aspects not only on the engine itself but also on the workflow in order to tackle the problems of Web Service hot deployment and hot fixes to long running processes. In this way, composing aWeb Service "on-the-fly" means weaving its choreography interface into the workflow

Information Flow Control in Spring Web Applications

Companies rely extensively on frameworks and APIs when developing their systems, as these mechanisms are quite advantageous. Two of the most conspicuous benefits are their ease of use and workload reduction, allowing for shorter and more responsive development cycles. However, most frameworks do not provide security properties such as data confidentiality as other tools do. A prime example is a Spring. It is the most heavily used Java web development framework, hosting a vast array of functionalities, ranging from data layer functionalities (c.f. hibernate and JPA), security providers, and metrics providers to provide statistical data on the application itself as well as a layer for REST communication. However, to achieve such advanced functionalities, Spring resorts to bytecode manipulation and generation during its startup period, hindering the use of other formal analysis tools that use similar processes in their execution. In a broader sense, we provide a comprehensive approach for the static analysis of spring-based web applications. We introduce hooks in the Spring pipeline, making feasible the formal analysis and manipulation of the complete, run-time-generated appli- cation bytecode through a well-defined interface. The hooks provide not only access to the entire web application’s bytecode but also allow for the replacement of the applica- tion’s component, enabling more complex analysis requiring the instrumentation of the application. To address data confidentiality-related issues in web applications developed with this framework, we propose integrating information flow control tools in the framework’s pipeline. Namely, we combine Spring with Snitch, a tool for hybrid information flow control in Java bytecode that will be used as a case-study.As empresas apoiam-se cada vez mais em frameworks e APIs quando desenvolvem os seus sistemas, pois estas ferramentas fornecem grandes vantagens. Duas das maiores vantages destes sistemas são a sua fácil utilização/integração nos sistemas bem como a quantidade de trabalho que reduzem ao desenvolvedor, permitindo assim períodos de desenvolvimento mais curtos e responsivos. Ainda assim, a mrioria das frameworks não têm como lidar com propriedades de segurança fundamentais como confidencialidade dos dados. Um dos exemplos mais conhecidos é o Spring. É a framework mais usada em Java para desenvolvimento web, oferecendo um vasto leque de funcionalidades, variando entre uma camada que lida com dados (eg: hibernate e JPA), uma camada gestora de segurança nas aplicações, uma camada estatística que permite analisar a performance do sistema e também uma camada para comunicação REST. Para alcançar estas funcionalidades, que não são triviais, o Spring recorre a mecanismos de manipulação de bytecode e geração de código durante o seu período de inicialização, perturbando o uso de ferramentas de análise formais que recorrem a processos semelhantes na sua execução. Em geral, nós fornecemos uma nova forma de lidar com análise formal em aplicações web Spring. Aqui introduzimos hooks no processo de inicialização do Spring, tornando possível que a análise formal e a manipulação de todo o bytecode gerado da aplicação a partir duma interface cuidadosamente definida. Os hooks fornecidos fornecem acesso ao bytecode da aplicação na sua totalidade bem como permitem a substituição do componente da aplicação, permitindo assim a análise complexa e formal por parte da ferramenta que pode requerer instrumentação da aplicação. Para lidar com problemas relacionados com confidencialidade dos dados em aplicações web desenvolvidas com a framework, propomos a integração de ferramentas de controlo do fluxo de informação na prórpia framework. Assim, juntamos Spring e Snitch, uma ferramenta que analisa bytecode para verificar a segurança do fluxo de informação híbrida

On the Security of Software Systems and Services

This work investigates new methods for facing the security issues and threats arising from the composition of software. This task has been carried out through the formal modelling of both the software composition scenarios and the security properties, i.e., policies, to be guaranteed. Our research moves across three different modalities of software composition which are of main interest for some of the most sensitive aspects of the modern information society. They are mobile applications, trust-based composition and service orchestration. Mobile applications are programs designed for being deployable on remote platforms. Basically, they are the main channel for the distribution and commercialisation of software for mobile devices, e.g., smart phones and tablets. Here we study the security threats that affect the application providers and the hosting platforms. In particular, we present a programming framework for the development of applications with a static and dynamic security support. Also, we implemented an enforcement mechanism for applying fine-grained security controls on the execution of possibly malicious applications. In addition to security, trust represents a pragmatic and intuitive way for managing the interactions among systems. Currently, trust is one of the main factors that human beings keep into account when deciding whether to accept a transaction or not. In our work we investigate the possibility of defining a fully integrated environment for security policies and trust including a runtime monitor. Finally, Service-Oriented Computing (SOC) is the leading technology for business applications distributed over a network. The security issues related to the service networks are many and multi-faceted. We mainly deal with the static verification of secure composition plans of web services. Moreover, we introduce the synthesis of dynamic security checks for protecting the services against illegal invocations