Translating Java into LLVM IR to Detect Security Vulnerabilities
29 October 2014
Late 2012 and early 2013 saw a spike of new Java vulnerabilities being reported in 0-day attacks and used in the wild, allowing bypass of the Java sandbox: unguarded caller-sensitive methods, misuse of doPrivileged, invalid deserialisation, invalid serialisation, and more. Oracle quickly reacted by making patches available and has now increased the scheduled patch update cycle to 4 releases a year. Given the lack of available tools in the market to detect these types of vulnerabilities, and the internal success of the Parfait-for-C static code analysis tool[1] within Oracle, the question of whether Parfait could be extended quickly to support the Java language semantics as well as detect these new vulnerabilities was raised.

In this talk we describe how, in the course of 1 year, we are developing and deploying Parfait-for-Java, with the first two of three deployment milestones in place. The Java translator, Jaffa, reuses the LLVM intermediate representation, which Parfait uses as its own intermediate representation, and extends it with metadata to support the semantics of the Java language. Jaffa's translation is done for analysis purposes, not for execution purposes. New analyses that detect the new vulnerabilities encode the Java Secure Coding Guidelines (http://www.oracle.com/technetwork/java/seccodeguide-139067.html). Interaction with the Java Security team is in place, in order to better understand the guidelines themselves and to obtain early feedback on the results of the analyses. Staged deployment of Parfait-for-Java provides developers with timely feedback on the new code being developed, and it provides QA with feedback on the existing code.

[1] Parfait-for-C was reported at the LLVM Developer Meeting 2009.
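To make one of the vulnerability classes named above concrete, the following is an added illustration of "misuse of doPrivileged", written for this page and not taken from the talk, the slides, or the Parfait/Jaffa code base. It follows the Java Secure Coding Guidelines' advice on privileged blocks: the weak method lets caller-controlled input decide what runs with elevated privilege, while the hardened method restricts the privileged block to a fixed, internally chosen action and validates the untrusted input outside it. Class, method and file-path names are hypothetical.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Properties;

// Hypothetical class illustrating the doPrivileged guideline; not code from the page.
public class PrivilegedExample {

    // WEAK: the privileged block acts on a target chosen by the caller.
    // doPrivileged stops the permission stack walk at this frame, so any caller,
    // including less-trusted code further down the stack, can read arbitrary
    // files with this class's permissions. A sandbox-escape analysis should flag
    // tainted data flowing into the privileged action.
    public static byte[] readFileWeak(final String callerSuppliedPath) {
        return AccessController.doPrivileged(new PrivilegedAction<byte[]>() {
            public byte[] run() {
                try {
                    return Files.readAllBytes(Paths.get(callerSuppliedPath));
                } catch (IOException e) {
                    return null;
                }
            }
        });
    }

    // Hypothetical, fixed configuration location chosen by trusted code only.
    private static final Path CONFIG = Paths.get("/opt/app/config.properties");

    // HARDENED: untrusted input is validated before use and never influences what
    // the privileged block does. The block reads one fixed file and the caller
    // only learns a derived boolean, not raw privileged data.
    public static boolean isFeatureEnabled(final String featureName) {
        if (featureName == null || !featureName.matches("[A-Za-z0-9_]{1,64}")) {
            throw new IllegalArgumentException("invalid feature name");
        }
        Properties props = AccessController.doPrivileged(new PrivilegedAction<Properties>() {
            public Properties run() {
                Properties p = new Properties();
                try (InputStream in = Files.newInputStream(CONFIG)) {
                    p.load(in);
                } catch (IOException e) {
                    // Unreadable configuration is treated as "all features off".
                }
                return p;
            }
        });
        return Boolean.parseBoolean(props.getProperty(featureName, "false"));
    }
}
```

The distinction a static analysis encodes here is a data-flow one: in `readFileWeak` a method parameter reaches the privileged action, whereas in `isFeatureEnabled` the only value entering the block is a constant and the parameter is consumed after the block returns.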
Venue: 2014 LLVM Developers' Meeting
External Link: http://llvm.org/devmtg/2014-10/Slides/Cifuentes-TranslatingJava.pdf