Security Analysis of the Java Library with Mock Objects

Graduate Thesis uoadl:1325007

Unit:
Department of Informatics and Telecommunications
Informatics
Deposit date:
2016-11-22
Year:
2016
Author:
Triantafyllou Konstantinos
Supervisors info:
Yannis Smaragdakis, Professor, Department of Informatics and Telecommunications, National and Kapodistrian University of Athens (ΕΚΠΑ)
Original Title:
Security Analysis of the Java Library with Mock Objects
Languages:
English
Translated title:
Security Analysis of the Java Library with Mock Objects
Summary:
Widely used platforms such as the Java Class Library have always attracted attackers'
interest. One common exploitation scenario consists of an attacker triggering sensitive
platform operations and then retrieving sensitive data from the results of those operations.

We present a static analysis which, considering as sources a subset of the public API
of the Java Class Library, computes an over-approximation of the parts of the platform
that could leak sensitive information, if triggered by an attacker. The main challenge in
analysing a whole library, and not a specific program, is that we have to come up with
ways to accurately fake attacker-created objects.

The analysis is based on the Doop framework, which uses the Datalog language to declaratively specify pointer analysis algorithms. The analysis logic required only about 200 lines of Datalog code, which clearly shows the contribution of Doop in defining concise and expressive static analyses.
Main subject category:
Technology - Computer science
Keywords:
static program analysis, security, java, mock objects, datalog
Index:
Yes
Number of index pages:
3
Contains images:
Yes
Number of references:
16
Number of pages:
39
document.pdf (222 KB)