Acta Electronica Sinica ›› 2013, Vol. 41 ›› Issue (1): 161-165. DOI: 10.3969/j.issn.0372-2112.2013.01.028

• Research Communications •

A Full Automatic Detection Method for Security Policy of JVM Run-Time Library

WU Rong-hui, WANG Ning, SUN Jian-hua, CHEN Hao, CHEN Zhi-wen

  1. School of Information Science and Engineering, Hunan University, Changsha, Hunan 410082, China
  • Received: 2011-08-03 Revised: 2012-07-26 Online: 2013-01-25 Published: 2013-01-25
  • Corresponding author: SUN Jian-hua
  • About the authors: WU Rong-hui, female, born in 1967 in Taikang, Henan; associate professor at Hunan University; main research interests are network security and bioinformatics technology. E-mail: wwrh@foxmail.com. WANG Ning, male, born in 1985 in Handan, Hebei; graduated in 2012 from the School of Information Science and Engineering, Hunan University, with a master's degree in engineering; works on web security research. E-mail: you20@126.com
  • Supported by:
    National Natural Science Foundation of China (No.60803130, No.61173166); Hunan University "Young Teacher Growth Plan"

Abstract: The JVM run-time library implements various security policies by calling the security manager class of its own library. One extremely important policy requires that a program pass the corresponding access control permission check before it performs a sensitive operation. Traditionally, manual analysis has been relied on to ensure that the JVM run-time library satisfies this policy. Because the Java standard class library covers thousands of classes and tens of thousands of methods and is evolving rapidly, manual analysis is time-consuming, laborious and error-prone. This paper presents a fully automatic, efficient and fast model checking method for evaluating whether the JVM complies with this security policy. The method scans the bytecode files of the Java standard class library, generates control flow graphs for the member methods of each class, defines a checking model, computes method summaries with the help of taint analysis, and automatically detects risky methods.

Key words: security policy, control flow graph, taint analysis, method summary
