The Research Of Full Automatic Detection Method For Security Policy Of JVM Run-time Library

Posted on: 2013-09-20
Degree: Master
Type: Thesis
Country: China
Candidate: N Wang
Full Text: PDF
GTID: 2248330395485122
Subject: Information and Communication Engineering
Abstract/Summary:
Java is platform independent because different operating system platforms have their own Java virtual machine (JVM). The JVM run-time library can implement various security policies by calling its own library functions. One extremely important security policy requires that sensitive operations be performed only after the corresponding control permissions have been checked.

Traditionally, manual analysis has been relied on to ensure that the JVM run-time library satisfies the security policy. The Java standard library, which covers thousands of classes and tens of thousands of methods, is developing rapidly and changing at a high rate, so analyzing the security policy manually is time-consuming and error-prone. A recent semi-automatic testing tool has automated this analysis. However, it produces a lot of false positives and requires a lot of manual analysis work to eliminate them, so the semi-automatic testing tool is still inefficient.

To address this problem, this paper proposes a fully automatic detection method for the security policy of the JVM run-time library (FADM), building on related work and on the advantages of the semi-automatic detection tool. The main work is as follows. Firstly, we designed and implemented the FADM system. The method scans the bytecode files of the Java standard class library and generates control flow graphs of the member methods; after a detection model is defined, it works out method summaries by taint analysis and automatically detects the risky methods. Secondly, we described the FADM inspection algorithms in detail, implemented automatic detection by introducing a queue technique and taint analysis, and then analyzed the algorithm. Finally, the paper used two evaluation measures, time cost and false positive rate, to test the system's performance.

The experimental results show that, at about the same time cost, FADM reduced the false positive rate of the semi-automatic detection method by an order of magnitude while remaining fully automatic, with no manual participation.

The system can automatically detect risky methods in the Java standard library. It is efficient and extensible, and can accurately evaluate the reliability of the security policy of the JVM run-time library.
Keywords/Search Tags:Security Policy, Control Flow Graph, Taint analysis, Method Summary