Access-rights Analysis in the Presence of Subjects

Authors Paolina Centonze, Marco Pistoia, Omer Tripp

Thumbnail PDF


  • Filesize: 0.77 MB
  • 25 pages

Document Identifiers

Author Details

Paolina Centonze
Marco Pistoia
Omer Tripp

Cite AsGet BibTex

Paolina Centonze, Marco Pistoia, and Omer Tripp. Access-rights Analysis in the Presence of Subjects. In 29th European Conference on Object-Oriented Programming (ECOOP 2015). Leibniz International Proceedings in Informatics (LIPIcs), Volume 37, pp. 222-246, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2015)


Modern software development and run-time environments, such as Java and the Microsoft .NET Common Language Runtime (CLR), have adopted a declarative form of access control. Permissions are granted to code providers, and during execution, the platform verifies compatibility between the permissions required by a security-sensitive operation and those granted to the executing code. While convenient, configuring the access-control policy of a program is not easy. If a code component is not granted sufficient permissions, authorization failures may occur. Thus, security administrators tend to define overly permissive policies, which violate the Principle of Least Privilege (PLP). A considerable body of research has been devoted to building program-analysis tools for computing the optimal policy for a program. However, Java and the CLR also allow executing code under the authority of a subject (user or service), and no program-analysis solution has addressed the challenges of determining the policy of a program in the presence of subjects. This paper introduces Subject Access Rights Analysis (SARA), a novel analysis algorithm for statically computing the permissions required by subjects at run time. We have applied SARA to 348 libraries in IBM WebSphere Application Server - a commercial enterprise application server written in Java that consists of >2 million lines of code and is required to support the Java permission- and subject-based security model. SARA detected 263 PLP violations, 219 cases of policies with missing permissions, and 29 bugs that led code to be unnecessarily executed under the authority of a subject. SARA corrected all these vulnerabilities automatically, and additionally synthesized fresh policies for all the libraries, with a false-positive rate of 5% and an average running time of 103 seconds per library. SARA also implements mechanisms for mitigating the risk of false negatives due to reflection and native code; according to a thorough result evaluation based on testing, no false negative was detected. SARA enabled IBM WebSphere Application Server to receive the Common Criteria for Information Technology Security Evaluation Assurance Level 4 certification.
  • Static Analysis
  • Security
  • Access Control


  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    PDF Downloads


  1. M. Abadi and C. Fournet. Access Control Based on Execution History. In NDSS, 2003. Google Scholar
  2. O. Agesen. The Cartesian Product Algorithm: Simple and Precise Type Inference Of Parametric Polymorphism. In ECOOP, 1995. Google Scholar
  3. P. Anderson, T. Reps, and T. Teitelbaum. Design and Implementation of a Fine-Grained Software Inspection Tool. TSE, 29(8), 2003. Google Scholar
  4. K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. PScout: Analyzing the Android Permission Specification. In CCS, 2012. Google Scholar
  5. A. Banerjee and D. A. Naumann. Stack-based Access Control and Secure Information Flow. JFP, 15(2), 2005. Google Scholar
  6. M. Bartoletti, P. Degano, and G. L. Ferrari. Static Analysis for Stack Inspection. In ConCoord, volume 54, 2001. Google Scholar
  7. F. Besson, T. Blanc, C. Fournet, and A. D. Gordon. From Stack Inspection to Access Control: A Security Analysis for Libraries. In CSFW, 2004. Google Scholar
  8. P. Centonze. An Algebra for Access Control. PhD thesis, New York University, Polytechnic School of Engineering, Brooklyn, NY, USA, 2008. Google Scholar
  9. P. Centonze, R. J. Flynn, and M. Pistoia. Combining Static and Dynamic Analysis for Automatic Identification of Precise Access-control Policies. In ACSAC, 2007. Google Scholar
  10. D. Dean. The Security of Static Typing with Dynamic Linking. In Proceedings of the 4th ACM Conference on Computer and Communications Security (CCS), 1997. Google Scholar
  11. D. Dean, E. W. Felten, and D. S. Wallach. Java Security: From HotJava to Netscape and Beyond. In S&P, 1996. Google Scholar
  12. R. D. Dean. Formal Aspects of Mobile Code Security. PhD thesis, Princeton University, Princeton, NJ, USA, 1999. Google Scholar
  13. Ú. Erlingsson and F. B. Schneider. IRM Enforcement of Java Stack Inspection. In S&P, 2000. Google Scholar
  14. A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android Permissions Demystified. In CCS, 2011. Google Scholar
  15. C. Fournet and A. D. Gordon. Stack Inspection: Theory and Variants. In POPL, 2002. Google Scholar
  16. E. Geay, M. Pistoia, T. Tateishi, B. G. Ryder, and J. Dolby. Modular String-sensitive Permission Analysis with Demand-driven Precision. In ICSE, 2009. Google Scholar
  17. G. Grätzer. General Lattice Theory. Birkhäuser, second edition, 2003. Google Scholar
  18. D. Grove and C. Chambers. A Framework for Call Graph Construction Algorithms. TOPLAS, 23(6), 2001. Google Scholar
  19. S. Gulwani and G. C. Necula. Path-sensitive Analysis for Linear Arithmetic and Uninterpreted Functions. In SAS, 2004. Google Scholar
  20. N. Hardy. The Confused Deputy (or Why Capabilities Might Have Been Invented). OSR, 22(4), 1988. Google Scholar
  21. T. P. Jensen, D. Le Métayer, and T. Thorn. Verification of Control Flow Based Security Properties. In S&P, 1999. Google Scholar
  22. G. A. Kildall. A Unified Approach to Global Program Optimization. In POPL, 1973. Google Scholar
  23. L. Koved, M. Pistoia, and A. Kershenbaum. Access Rights Analysis for Java. In OOPSLA, 2002. Google Scholar
  24. C. Lai, L. Gong, L. Koved, A. J. Nadalin, and R. Schemers. User Authentication and Authorization in the Javatrademark Platform. In ACSAC, 1999. Google Scholar
  25. B. Livshits, M. Sridharan, Y. Smaragdakis, O. Lhoták, J. N. Amaral, B. E. Chang, S. Z. Guyer, U. P. Khedker, A. Møller, and D. Vardoulakis. In Defense of Soundiness: A Manifesto. CACM, 58(2), 2015. Google Scholar
  26. B. Livshits, J. Whaley, and M. S. Lam. Reflection Analysis for Java. In APLAS, 2005. Google Scholar
  27. S. S. Muchnick. Advanced Compiler Design and Implementation. Morgan Kaufmann Publishers, Inc., 1997. Google Scholar
  28. G. Naumovich. A Conservative Algorithm for Computing the Flow of Permissions in Java Programs. In ISSTA, 2002. Google Scholar
  29. M. Pistoia. A Unified Mathematical Model for Stack- and Role-Based Authorization Systems. PhD thesis, New York University, Polytechnic School of Engineering, Brooklyn, NY, USA, 2005. Google Scholar
  30. M. Pistoia, A. Banerjee, and D. A. Naumann. Beyond Stack Inspection: A Unified Access-control and Information-flow Security Model. In S&P, 2007. Google Scholar
  31. F. Pottier, C. Skalka, and S. F. Smith. A Systematic Approach to Static Access Control. In ESOP, 2001. Google Scholar
  32. B. G. Ryder. Dimensions of Precision in Reference Analysis of Object-Oriented Languages. In CC, 2003. Invited Paper. Google Scholar
  33. J. H. Saltzer and M. D. Schroeder. The Protection of Information in Computer Systems. In Proceedings of the IEEE, volume 63, 1975. Google Scholar
  34. T. Tateishi, M. Pistoia, and O. Tripp. Path- and Index-sensitive String Analysis Based on Monadic Second-order Logic. TOSEM, 22(4), 2013. Google Scholar
  35. O. Tripp, M. Pistoia, P. Cousot, R. Cousot, and S. Guarnieri. Andromeda: Accurate and Scalable Security Analysis of Web Applications. In FASE, 2013. Google Scholar
  36. D. S. Wallach. A New Approach to Mobile-Code Security. PhD thesis, Princeton University, Princeton, NJ, USA, 1999. Google Scholar
  37. D. S. Wallach, D. Balfanz, D. Dean, and E. W. Felten. Extensible Security Architectures for Java. In SOSP, 1997. Google Scholar
  38. D. S. Wallach and E. W. Felten. Understanding Java Stack Inspection. In S&P, 1998. Google Scholar
  39. X. Zhang, L. Koved, M. Pistoia, S. Weber, T. Jaeger, G. Marceau, and L. Zeng. The Case for Analysis Preserving Language Transformation. In ISSTA, 2006. Google Scholar
Questions / Remarks / Feedback

Feedback for Dagstuhl Publishing

Thanks for your feedback!

Feedback submitted

Could not send message

Please try again later or send an E-mail