
Automatic Generation Of Security Relevant Behavior Model For Java Programs Using Static Analysis

Posted on: 2009-04-05  Degree: Master  Type: Thesis
Country: China  Candidate: Z P Li  Full Text: PDF
GTID: 2178360242481288  Subject: Computer software and theory
Abstract/Summary:
In recent years, with the rapid growth of telecommunications technologies and distributed computing systems, mobile code technology has developed greatly, and mobile code security has become increasingly prominent. One important research subject in mobile code security is the safe execution, on a local host, of mobile code that comes from an untrusted source.

MCC (Model-Carrying Code) is a new approach to safe execution of untrusted mobile code on a local host. MCC is inspired by the idea that untrusted code should be accompanied by additional information that aids verification of its safety. This additional information is a security-relevant behavior model generated at the code-producer side. The model is stated in terms of the security-relevant operations made by the code, the arguments of these operations and the sequencing relationships among them. The code consumer checks whether the model satisfies the security policies of interest. MCC also supports runtime security policy enforcement. MCC bridges the gap between high-level security policy and low-level binary code with the model, which is an abstraction of the program's security-related properties. Model generation is the first step, and an important part, of the MCC framework.

To implement model generation in MCC, two issues have to be addressed: (1) how to represent the security-relevant model, and (2) how to generate it.

In the previous MCC framework, EFSA (Extended Finite State Automata) are used to represent a program's security-relevant model, and model extraction is done by a machine learning process that generates an EFSA from the set of system call sequences intercepted by the runtime environment. However, there are problems when applying the EFSA model to modular programs: for instance, if the code consumer uses different libraries from the code producer, the EFSA model cannot reflect such updates, resulting in inconsistency between the program and its model.
The root of these problems is that the model itself should be modular. Moreover, the previous MCC framework extracts the model by execution monitoring, which depends on a comprehensive test suite that is not easy to create. When the test suite is not comprehensive, the model cannot capture all of the program's security-relevant behavior, so the program may deviate from its model at runtime.

In this thesis, ECFG is used to represent the security-relevant model, and static analysis is applied to model generation. A modular model, together with a generation approach that captures the program's security-relevant behavior as comprehensively as possible, greatly enhances the practicality of MCC.

The main contributions of this thesis include:

(1) Security-relevant model. A modular model called ECFG (Extended Context-Free Grammar) is used. Control flow within a function or procedure is independent of the environment from which it is called (if branch conditions are ignored), and a non-terminal in a context-free grammar is likewise context free; therefore non-terminal symbols can represent functions or procedures. Production rules, in turn, express state transitions and control flow. So that the model can be verified against more precise security policies, such as those written in REE (Regular Expressions over Events), the context-free grammar is extended (giving the ECFG) with assignment relationships between parameters, represented as a digraph.

(2) Static-analysis-based model generation. Different approaches to model generation have been studied and compared, and static analysis has been adopted for generating the program's security-relevant behavior model.
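As an added illustration of contributions (1) and (2), not code from the thesis or from the MCC project: a small Python model generator that takes a constructed Java-like method IR, emits one context-free-grammar non-terminal per method (plus fresh non-terminals for branches and loops), and checks the model against an REE-style policy by bounded derivation. The IR shape, the sample program, the policy regex and every name here are assumptions made for this example; the thesis' ECFG additionally carries parameter-assignment digraphs, which this grammar-only example omits.

```python
import re

# Constructed sample program (an assumption for this example, not from the
# thesis): a tiny Java-like IR.  Security-relevant operations are terminals
# ("op"); method invocations become non-terminals ("call").
PROGRAM = {
    "main": ("seq", [("call", "load"),
                     ("if", ("call", "report"), ("op", "log.write"))]),
    "load": ("seq", [("op", "file.open"),
                     ("loop", ("op", "file.read")),
                     ("op", "file.close")]),
    "report": ("seq", [("op", "net.connect"), ("op", "net.send")]),
}


class Grammar:
    """Context-free grammar: non-terminal -> list of alternatives, each a
    list of ("t", event) or ("n", non-terminal) symbols."""

    def __init__(self):
        self.rules = {}
        self.counter = 0

    def fresh(self, base):
        self.counter += 1
        return f"{base}#{self.counter}"

    def add(self, nonterminal, alternatives):
        self.rules.setdefault(nonterminal, []).extend(alternatives)


def translate(g, node, method):
    """Translate one IR node into a symbol sequence, adding productions for
    compound nodes.  Each method body is translated on its own, without
    knowledge of its callers, which is what makes the model modular."""
    kind = node[0]
    if kind == "op":
        return [("t", node[1])]
    if kind == "call":
        return [("n", node[1])]
    if kind == "seq":
        return [sym for child in node[1] for sym in translate(g, child, method)]
    if kind == "if":
        nt = g.fresh(method + ".if")
        g.add(nt, [translate(g, node[1], method), translate(g, node[2], method)])
        return [("n", nt)]
    if kind == "loop":
        nt = g.fresh(method + ".loop")
        body = translate(g, node[1], method)
        g.add(nt, [[], body + [("n", nt)]])  # zero iterations, or body then loop
        return [("n", nt)]
    raise ValueError(f"unknown IR node {kind}")


def build_grammar(program):
    g = Grammar()
    for name, body in program.items():
        g.add(name, [translate(g, body, name)])
    return g


def derive(g, symbols, max_len, max_expansions, out, prefix=(), used=0):
    """Depth-first bounded derivation: collect every terminal string reachable
    with at most max_len events and max_expansions non-terminal expansions.
    The expansion budget keeps recursive (loop) productions finite."""
    if len(prefix) > max_len or used > max_expansions:
        return
    if not symbols:
        out.add(prefix)
        return
    kind, name = symbols[0]
    rest = symbols[1:]
    if kind == "t":
        derive(g, rest, max_len, max_expansions, out, prefix + (name,), used)
    else:
        for alt in g.rules[name]:
            derive(g, alt + rest, max_len, max_expansions, out, prefix, used + 1)


def event_strings(g, start, max_len=10, max_expansions=16):
    out = set()
    derive(g, [("n", start)], max_len, max_expansions, out)
    return sorted(" ".join(s) for s in out)


def violations(g, start, policy):
    """Event strings of the model that match a forbidden REE-style pattern
    (a regex over space-separated event names)."""
    pat = re.compile(policy)
    return [s for s in event_strings(g, start) if pat.search(s)]


if __name__ == "__main__":
    grammar = build_grammar(PROGRAM)
    for nt, alts in grammar.rules.items():
        print(nt, "->", " | ".join(" ".join(n for _, n in a) or "ε" for a in alts))
    # Forbidden: a file read eventually followed by a network send.
    print(violations(grammar, "main", r"file\.read .* net\.send"))
```

The bounded derivation stands in for the policy check a consumer would run; a real checker would intersect the grammar with the policy automaton rather than enumerate strings, but the enumeration makes the relationship between productions and event sequences visible.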
Since the Java programming language plays a key role in mobile code technology, the approach has been applied to extracting models from Java source programs. Various problems in the static analysis of Java programs have been considered and solved; among them, exception handling is discussed in detail.

(3) Handling exceptions. Java's exception-handling constructs separate exception-handling code from normal code, which makes programs more readable and maintainable. When extracting a model from Java source that uses these constructs, the main problem is the complex control flow introduced by exception-handling statements. A syntax-directed recursive-descent algorithm is used that constructs the control flow graph, including the control flow due to exception handling, correctly. A second problem is that the model generated from such a control flow graph is no longer context free: a method declared with the keyword "throws" has not only one normal entry and one normal exit but also one or more exception exits, so control flow in such a method depends on the environment from which it is called. One simple solution is to fix the number of exception exits at one and slice the model into two parts.

(4) Relationships among parameters. An approach is given for obtaining assignment relationships among fields, local variables, formal parameters and actual parameters from the control flow graph of a Java method by flow-sensitive data-flow analysis; these relationships are stored as a digraph. The ECFG model, which consists of the context-free grammar and these digraphs, remains modular because each digraph is constructed within the scope of a single Java method.

(5) Composition of models. The ECFG model of a Java program is the composition of the ECFG models of all its methods.
Composition occurs through method invocation and the binding of formal parameters to actual parameters. To compose models, dynamic binding must be taken into account. The solution has three steps. First, decide whether a method invocation is statically or dynamically bound, according to the rules of the Java virtual machine and the Java compiler. Second, in the case of dynamic binding, infer the set of runtime types of the receiver of the instance method by traversing its assignment relationship graph; if the inferred result is not meaningful, the cone set computed by class hierarchy analysis is used instead. Finally, determine all the methods that may be bound at runtime from the receiver's runtime type set.

In summary, a static-analysis-based approach to generating security-relevant models for Java programs has been introduced, and a model generator has been implemented that will be integrated into the MCC framework. The extended context-free grammar provides a modular way to represent the model for modular programs. Running some examples indicates that the approach is efficient at extracting behavior models from rather complicated Java programs. The model generator developed in this thesis provides a basis for addressing mobile code security within the MCC framework.
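The three-step dynamic-binding resolution of contribution (5), as an added Python example that is not the thesis' implementation: the class hierarchy, method table, assignment digraph and invocation records are all constructed here as assumptions. Receiver types are inferred by walking the assignment digraph backwards to allocation sites; when any reachable source is opaque (a formal parameter, a field, a call result), the inference is discarded and the cone set of the declared type from class hierarchy analysis is used instead.

```python
# Constructed class hierarchy and method table (assumptions for this example,
# not from the thesis).  HIERARCHY maps a class to its superclass; METHODS
# lists the instance methods each class declares or overrides.
HIERARCHY = {
    "Object": None,
    "Channel": "Object",
    "FileChannel": "Channel",
    "SocketChannel": "Channel",
    "TlsChannel": "SocketChannel",   # inherits SocketChannel.write
}
METHODS = {
    "Channel": {"write", "close"},
    "FileChannel": {"write"},
    "SocketChannel": {"write"},
}


def cone(cls):
    """Class hierarchy analysis: cls together with all its transitive subclasses."""
    result = {cls}
    changed = True
    while changed:
        changed = False
        for sub, sup in HIERARCHY.items():
            if sup in result and sub not in result:
                result.add(sub)
                changed = True
    return result


def lookup(cls, method):
    """JVM-style method resolution: walk up the hierarchy to the class whose
    declaration of `method` a receiver of runtime type `cls` executes."""
    while cls is not None:
        if method in METHODS.get(cls, set()):
            return cls
        cls = HIERARCHY[cls]
    return None


def infer_receiver_types(assign_graph, var, seen=None):
    """Step 2: walk the assignment digraph backwards from `var` to allocation
    sites ("new T").  Returns None when any reachable source is opaque (a
    formal parameter, field or call result), i.e. when the inference does not
    make sense and the cone set must be used instead."""
    seen = set() if seen is None else seen
    if var in seen:
        return set()          # cycle in the graph: nothing new on this path
    seen.add(var)
    types = set()
    for src in assign_graph.get(var, []):
        if src.startswith("new "):
            types.add(src[4:])
        elif src in assign_graph:
            sub = infer_receiver_types(assign_graph, src, seen)
            if sub is None:
                return None
            types |= sub
        else:
            return None       # opaque source
    return types


def is_static_binding(inv):
    """Step 1: static, private and final methods and constructors are bound at
    compile time (invokestatic/invokespecial); other instance calls are virtual."""
    return bool(inv.get("static") or inv.get("private") or inv.get("final")
                or inv["method"] == "<init>")


def bind_targets(inv, assign_graph):
    """Steps 2 and 3: the implementations an invocation may bind to at runtime,
    as sorted "Class.method" strings."""
    method, declared = inv["method"], inv["declared"]
    if is_static_binding(inv):
        runtime_types = {declared}
    else:
        runtime_types = infer_receiver_types(assign_graph, inv["receiver"])
        if not runtime_types:                  # None (opaque) or empty
            runtime_types = cone(declared)     # fall back to the CHA cone set
    targets = set()
    for t in runtime_types:
        impl = lookup(t, method)
        if impl is not None:
            targets.add(f"{impl}.{method}")
    return sorted(targets)


if __name__ == "__main__":
    # Constructed assignment digraph: ch = tmp, where tmp is either
    # new SocketChannel() or new TlsChannel() depending on the path.
    graph = {"ch": ["tmp"], "tmp": ["new SocketChannel", "new TlsChannel"]}
    call = {"receiver": "ch", "declared": "Channel", "method": "write"}
    print(bind_targets(call, graph))                 # ['SocketChannel.write']
    print(bind_targets(call, {"ch": ["param0"]}))    # cone-set fallback
```

Note that the precise inference prunes `FileChannel.write` and `Channel.write` from the composed model, while the cone-set fallback keeps every implementation reachable from the declared type; the fallback is sound but makes the composed ECFG larger than necessary.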
Keywords/Search Tags: Generation