Java Security Research - overview

Enterprises are continuing to transform their business using internet-based technologies, linking businesses to businesses and consumers to businesses. Computer security has never been more important than now. Java, as a programming language and runtime environment, is an integral element of this trend. Major programming models, such as J2EE, EJB, Servlets , JSPs, Web Services and OSGi are all Java based. The Java Security project has a long history of extending Java security and developing tools to make it easier to secure Java-based environments.

The project's current work is focused on static analysis based techniques to identify authorization requirements and a variety potential security vulnerabilities in Java, with an emphasis on Eclipse plug-ins, OSGi bundles/fragments and Java applications. Our most recent work, a tool called Security WORkbench Development Environment for Java (SWORD4J), available from IBM alphaWorks, is a set of Eclipse 3.x plug-ins. SWORD4J assists developers with creating security aware applications and components. SWORD4J has recently been reported on in the press.

Our earlier projects include:

  • A Java security book, Enterprise Java™ Security: Building Secure J2EE™ Applications,
  • Tools for security analysis of Java programs, particularly Java 2 permission analysis and privileged code placement, and J2EE authorization analysis,
  • Authentication and authorization frameworks (e.g., JAAS, EJB 1.1 security),
  • Java-based enterprise middleware security, and
  • Integration of Java security into the OS infrastructure.

We have had a long history working with Sun Microsystems on Java 2 Standard EditionTM and its security architecture, as well as defining ways in which it can be extended. Notable contributions include contributions to Java Authentication and Authorization Services (JAAS), an integral part of Java 2 Standard Edition version 1.4. JAAS extends Java 2 security by adding an authentication framework and additional support for principal (e.g., user-based) authorization within the Java 2 Standard Edition runtime environment. This became the basis for other Java security endeavors. The motivation for and description of the architecture has been presented at the 1999 ACSAC conference (html | postscript). The project also contributed to the definition of EJB 1.1 security.

As we have developed various tools and techniques for program analysis, we have also worked on non-security projects.

One of our first projects outside of security was a tool to optimize container managed persistence (CMP) for Enterprise Java Beans, which we called CMPOpt. This project built upon our earlier work on mutability analysis and accurate call graph construction.

Another project, called SABER, focused on finding bug in large J2EE (server) web applications. SABER is also knows as J2EE Code Validator, and has subsequently been incorporated into Rational Application Developer (RAD).

The Java Security project is part of a larger effort called SPADE: Security and Privacy Aware Development Environment.

Former project members:

  • Aaron Kershenbaum
  • George B. Leeman