Hardening Java’s Access Control by Abolishing Implicit Privilege Elevation

Philipp Holzinger, Ben Hermann, Johannes Lerch, E. Bodden, M. Mezini
{"title":"Hardening Java’s Access Control by Abolishing Implicit Privilege Elevation","authors":"Philipp Holzinger, Ben Hermann, Johannes Lerch, E. Bodden, M. Mezini","doi":"10.1109/SP.2017.16","DOIUrl":null,"url":null,"abstract":"While the Java runtime is installed on billions of devices and servers worldwide, it remains a primary attack vector for online criminals. As recent studies show, the majority of all exploited Java vulnerabilities comprise incorrect or insufficient implementations of access-control checks. This paper for the first time studies the problem in depth. As we find, attacks are enabled by shortcuts that short-circuit Java's general principle of stack-based access control. These shortcuts, originally introduced for ease of use and to improve performance, cause Java to elevate the privileges of code implicitly. As we show, this creates many pitfalls for software maintenance, making it all too easy for maintainers of the runtime to introduce blatant confused-deputy vulnerabilities even by just applying normally semantics-preserving refactorings. How can this problem be solved? Can one implement Java's access control without shortcuts, and if so, does this implementation remain usable and efficient? To answer those questions, we conducted a tool-assisted adaptation of the Java Class Library (JCL), avoiding (most) shortcuts and therefore moving to a fully explicit model of privilege elevation. As we show, the proposed changes significantly harden the JCL against attacks: they effectively hinder the introduction of new confused-deputy vulnerabilities in future library versions, and successfully restrict the capabilities of attackers when exploiting certain existing vulnerabilities. We discuss usability considerations, and through a set of large-scale experiments show that with current JVM technology such a faithful implementation of stack-based access control induces no observable performance loss.","PeriodicalId":6502,"journal":{"name":"2017 IEEE Symposium on Security and Privacy (SP)","volume":"6 1","pages":"1027-1040"},"PeriodicalIF":0.0000,"publicationDate":"2017-05-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"12","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2017 IEEE Symposium on Security and Privacy (SP)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SP.2017.16","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 12

Abstract

While the Java runtime is installed on billions of devices and servers worldwide, it remains a primary attack vector for online criminals. As recent studies show, the majority of all exploited Java vulnerabilities comprise incorrect or insufficient implementations of access-control checks. This paper for the first time studies the problem in depth. As we find, attacks are enabled by shortcuts that short-circuit Java's general principle of stack-based access control. These shortcuts, originally introduced for ease of use and to improve performance, cause Java to elevate the privileges of code implicitly. As we show, this creates many pitfalls for software maintenance, making it all too easy for maintainers of the runtime to introduce blatant confused-deputy vulnerabilities even by just applying normally semantics-preserving refactorings. How can this problem be solved? Can one implement Java's access control without shortcuts, and if so, does this implementation remain usable and efficient? To answer those questions, we conducted a tool-assisted adaptation of the Java Class Library (JCL), avoiding (most) shortcuts and therefore moving to a fully explicit model of privilege elevation. As we show, the proposed changes significantly harden the JCL against attacks: they effectively hinder the introduction of new confused-deputy vulnerabilities in future library versions, and successfully restrict the capabilities of attackers when exploiting certain existing vulnerabilities. We discuss usability considerations, and through a set of large-scale experiments show that with current JVM technology such a faithful implementation of stack-based access control induces no observable performance loss.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
通过取消隐式特权提升来加强Java的访问控制
虽然Java运行时安装在全球数十亿的设备和服务器上,但它仍然是在线犯罪分子的主要攻击媒介。正如最近的研究表明的那样,大多数被利用的Java漏洞包括访问控制检查的不正确或不充分的实现。本文首次对这一问题进行了深入的研究。正如我们所发现的,攻击是通过快捷方式实现的,这些快捷方式使Java基于堆栈的访问控制的一般原则短路。这些快捷方式最初是为了方便使用和提高性能而引入的,它们导致Java隐式地提升代码的特权。正如我们所展示的,这为软件维护创造了许多陷阱,使得运行时的维护者很容易引入明显的混淆代理漏洞,即使只是通过应用正常的语义保留重构。如何解决这个问题?可以在没有快捷方式的情况下实现Java的访问控制吗?如果可以,这种实现是否仍然可用且高效?为了回答这些问题,我们对Java类库(JCL)进行了工具辅助的改编,避免了(大多数)快捷方式,因此转向了完全显式的特权提升模型。正如我们所展示的,提议的更改显著地增强了JCL对攻击的抵抗力:它们有效地阻止了在未来的库版本中引入新的混淆代理漏洞,并成功地限制了攻击者利用某些现有漏洞的能力。我们讨论了可用性方面的考虑,并通过一组大规模实验表明,使用当前的JVM技术,这种基于堆栈的访问控制的忠实实现不会导致可观察到的性能损失。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
To Catch a Ratter: Monitoring the Behavior of Amateur DarkComet RAT Operators in the Wild Under the Shadow of Sunshine: Understanding and Detecting Bulletproof Hosting on Legitimate Service Provider Networks Stack Overflow Considered Harmful? The Impact of Copy&Paste on Android Application Security SoK: Science, Security and the Elusive Goal of Security as a Scientific Pursuit An Experimental Security Analysis of an Industrial Robot Controller
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1