Java Security Research - Automating Security Analysis of Java Code

Both standalone and distributed applications written in Java are complex and difficult to analyze through traditional (manual) code reviews. Security auditing of application and middleware code becomes even more challenging when development time is defined in terms of “Web Years”, or the code has been written as a set of “components” that have been assembled from multiple vendors or development organizations.

The project's current work is focused on static-analysis-based techniques to identify authorization requirements and a variety of potential security vulnerabilities in Java. We have developed a set of program understanding tools that yield insight into the security characteristics of Java programs and components. We target applications written for Java 2 Standard Edition (J2SE), OSGi (bundles/fragments) and Eclipse. The tool, called Security WORkbench Development Environment for Java (SWORD4J), is based on our earlier research on privileged code analysis and privileged code placement. SWORD4J is available from the IBM alphaWorks web site as a set of Eclipse 3 plug-ins. It assists developers with creating security-aware applications and components.
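The privileged code placement question the tool analyzes is easiest to see on a small class. The following is an added example written for this page, not code from SWORD4J or IBM; `ConfigReader` is a hypothetical trusted library class assumed to hold the `PropertyPermission` its callers lack. It contrasts a privileged block that wraps caller-chosen input (too broad) with one that covers only a value the library itself chooses. The `AccessController`/`SecurityManager` mechanism it relies on is deprecated for removal in current Java releases (JDK 17 and later), so it compiles with deprecation warnings.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

/**
 * Hypothetical trusted library class (not from the original page).
 * Assumption: this class's protection domain is granted PropertyPermission,
 * while the code calling into it may not be.
 */
public final class ConfigReader {

    // Property the library itself needs; it is fixed here, not chosen by the caller.
    private static final String FIXED_KEY = "java.version";

    // Placement too broad: the privileged block executes System.getProperty on a
    // caller-supplied key, so the library's permission is lent to whatever key the
    // caller passes in. A placement analysis should flag caller-controlled data
    // flowing into the privileged action.
    public static String readTooBroad(final String key) {
        PrivilegedAction<String> action = () -> System.getProperty(key);
        return AccessController.doPrivileged(action);
    }

    // Minimal placement: only the library-chosen property is read under privilege.
    // Nothing the caller controls reaches the privileged block.
    public static String readMinimal() {
        PrivilegedAction<String> action = () -> System.getProperty(FIXED_KEY);
        return AccessController.doPrivileged(action);
    }

    // Unprivileged path: when the key is the caller's choice, the access check
    // should walk the full call stack and apply the caller's own permissions.
    public static String readAsCaller(String key) {
        return System.getProperty(key);
    }

    public static void main(String[] args) {
        System.out.println("library property: " + readMinimal());
        System.out.println("caller property:  " + readAsCaller("user.dir"));
    }
}
```

Without a `SecurityManager` installed, all three methods behave identically, which is exactly why the placement defect is hard to spot by testing and why a static analysis over the call graph and the data flowing into each `doPrivileged` block is useful.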

We have developed a similar authorization analysis for server-side (J2EE) applications, called Enterprise Security Policy Evaluator (ESPE). Notably, the authorization models for J2SE and J2EE are different, as are the precision requirements the program analysis must meet.

Because not all code is written in Java, we have also developed techniques by which "native" (C/C++ JNI) code behavior can be incorporated into a program analysis.

Logical outgrowths of our work include the analysis of isolation faults in the Java runtime and applications, and the verification of other security properties of Java code. The first, and essential, part of our exploration is the construction of very accurate invocation (call) graphs. Second, isolation faults are the result of mutability.
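To make the mutability point concrete, the following added example (written for this page, not code from the project) shows an isolation fault beside its hardened form. `AllowedHostsLeaky`, `AllowedHosts` and the host names are hypothetical, constructed sample data. The leaky class lets its internal policy array escape through a getter, so any code holding that reference can rewrite the policy without passing through the class's own checks; the hardened class copies on the way in and hands out an unmodifiable view.

```java
import java.util.Arrays;
import java.util.List;

/** Hypothetical classes constructed for this example (not from the original page). */
public final class MutabilityIsolation {

    // Isolation fault: the internal array is shared with whoever constructed the
    // object and with every caller of getHosts(). State that should be private to
    // this component is reachable and modifiable from outside it.
    static final class AllowedHostsLeaky {
        private final String[] hosts;

        AllowedHostsLeaky(String[] hosts) {
            this.hosts = hosts;            // aliases the caller's array
        }

        String[] getHosts() {
            return hosts;                  // leaks the internal reference
        }

        boolean isAllowed(String host) {
            return Arrays.asList(hosts).contains(host);
        }
    }

    // Hardened: defensive copy on input, unmodifiable view on output. The only code
    // path that can change the policy is one this class controls.
    static final class AllowedHosts {
        private final List<String> hosts;

        AllowedHosts(String[] hosts) {
            this.hosts = List.copyOf(Arrays.asList(hosts));   // copy, and immutable
        }

        List<String> getHosts() {
            return hosts;                  // List.copyOf result rejects mutation
        }

        boolean isAllowed(String host) {
            return hosts.contains(host);
        }
    }

    public static void main(String[] args) {
        // Constructed sample policy.
        String[] policy = {"intranet.example", "build.example"};

        AllowedHostsLeaky leaky = new AllowedHostsLeaky(policy);
        leaky.getHosts()[0] = "rogue.example";   // policy changed through the escaped reference
        System.out.println("leaky allows rogue.example: " + leaky.isAllowed("rogue.example"));

        AllowedHosts hardened = new AllowedHosts(policy);
        policy[1] = "rogue.example";             // mutating the caller's array does not reach the copy
        try {
            hardened.getHosts().set(0, "rogue.example");
        } catch (UnsupportedOperationException e) {
            System.out.println("hardened rejects mutation via getter");
        }
        System.out.println("hardened allows rogue.example: " + hardened.isAllowed("rogue.example"));
    }
}
```

Running `main` demonstrates the fault and the fix: the leaky object's answer to `isAllowed` changes after the caller writes into the returned array, while the hardened object's answer is unaffected by writes to either the original array or the returned list. A call-graph-based analysis looks for exactly this pattern, a field of mutable type whose reference flows out of (or in from) a less trusted component.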