Data-flow Based Analysis of Java Bytecode Vulnerability
Gang Zhao, Department of Computer Science and Technology, Tsinghua University, firstname.lastname@example.org
Hua Chen, Dongxia Wang, Beijing Institute of System Engineering, email@example.com, firstname.lastname@example.org
Java is widely used because of its security and platform independence. Although Java's security model is designed to protect users from untrusted sources, Java's security is not fully under control at the application level. A large number of Java classes or Java class libraries whose source is unknown and whose trustworthiness is unassured have been used in network application development. Analyzing the vulnerability of Java bytecode helps in assessing the security of untrusted Java components. Data-flow based methods suit vulnerability analysis because they characterize how data propagates. This paper is about using data-flow based methods to analyze the vulnerability of Java programs in bytecode form.
Java is widely used because of its security and platform independence. With the widespread adoption of J2EE, network servers developed in Java are everywhere, and the security of Java has come to public attention. Java is a secure language whose design took security into account, and it provides special security mechanisms to protect programs from network exploitation. Even so, security risks remain. Disclosed security flaws in Java programs show that Java's security mechanisms can lose control in some cases. The typical problem is command injection. Program input can be passed directly to some risky internal operation as a parameter, so that skillfully crafted input can fully control the operation. As a result the program's behavior goes astray and the security of the system is damaged.

Vulnerability concerns a program's defects or errors that may be used to damage the confidentiality, integrity, and availability of the program as well as of the whole system the program resides in. That is, vulnerability is about whether a flaw in the program can be used from outside the program. If there is a path that can pass external data to some risk point of a program, the program contains a vulnerability. To analyze the vulnerability of a program is to evaluate the possibility that external data could affect the program, and the possible effect.

Data-flow analysis is a method that provides global information about how a program deals with its data. It can expose the influence and propagation of data in a program. With the help of data-flow analysis, we can learn how external data acts on the program, which can be used to estimate the possibility that the program may be exploited. This information is helpful for system security assurance.

A Java program is converted to Java bytecode by the Java compiler. Java bytecode is the basis of Java's platform independence: it lets Java compile once and execute anywhere. Java has helped to promote component technology and open-source development. Large numbers of Java classes and Java class libraries in bytecode form have been widely used in network software development, with their sources unknown and their trustworthiness unassured. Analyzing vulnerability only in source code cannot solve the whole problem. There is a definite need to analyze the vulnerability of Java bytecode. Doing so helps to evaluate the security of an untrusted Java component and of the system composed from it, and the analysis can support Java security assurance.

In this paper we present a framework for using data-flow techniques to analyze the vulnerability of Java bytecode programs. We give a model of data-flow based vulnerability analysis and discuss how to use it in Java bytecode program analysis. The implementation is then discussed.
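The introduction's criterion, a path that carries external data to a risk point, can be checked mechanically on bytecode with a small taint tracker. The following is an added illustration, not the paper's model or implementation; the simplified javap-style listing, the source and sink lists, and all function names are assumptions, and only straight-line code with reference-typed locals and no sanitizers is handled.

```python
import re

# Assumed policy for this example (not taken from the paper).
SOURCES = {"javax/servlet/http/HttpServletRequest.getParameter"}  # returns external data
SINKS = {"java/lang/Runtime.exec"}                                # risk point

def count_args(desc):
    """Number of parameters in a JVM method descriptor such as (Ljava/lang/String;I)V."""
    params = desc[1:desc.index(")")]
    return len(re.findall(r"\[*(?:L[^;]+;|[BCDFIJSZ])", params))

def find_flows(listing):
    """Abstractly execute straight-line bytecode with one taint bit per stack slot/local."""
    stack, local_vars, findings = [], {}, []
    for lineno, line in enumerate(listing.strip().splitlines(), 1):
        op, *args = line.split()
        if op == "aload":
            stack.append(local_vars.get(args[0], False))
        elif op == "astore":
            local_vars[args[0]] = stack.pop()
        elif op == "ldc":
            stack.append(False)                  # constants are never external data
        elif op == "pop":
            stack.pop()
        elif op.startswith("invoke"):
            method, desc = args[0].split(":")
            n = count_args(desc) + (op != "invokestatic")   # +1 for the receiver
            tainted = any([stack.pop() for _ in range(n)])
            if tainted and method in SINKS:
                findings.append((lineno, method))           # external data reached a risk point
            if not desc.endswith(")V"):                     # result inherits taint of its inputs
                stack.append(tainted or method in SOURCES)
    return findings

# Constructed listing for: Runtime.getRuntime().exec("ping ".concat(req.getParameter("host")))
SAMPLE = """
aload 1
ldc "host"
invokeinterface javax/servlet/http/HttpServletRequest.getParameter:(Ljava/lang/String;)Ljava/lang/String;
astore 2
invokestatic java/lang/Runtime.getRuntime:()Ljava/lang/Runtime;
ldc "ping "
aload 2
invokevirtual java/lang/String.concat:(Ljava/lang/String;)Ljava/lang/String;
invokevirtual java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process;
pop
return
"""
```

`find_flows(SAMPLE)` reports the `Runtime.exec` call at listing line 9, because the request parameter stored in local 2 propagates through `String.concat` into the command string.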
2. Vulnerability and program input
978-0-7695-3185-4/08 $25.00 © 2008 IEEE DOI 10.1109/WAIM.2008.99