Automated Detection of Security Vulnerabilities in the Java Runtime Library

Principal Investigator

Eric Bodden

Fraunhofer Institute for Secure Information Technology (SIT)

Oracle Fellowship Recipient

Ben Hermann, Johannes Lerch, Philipp Holzinger

Oracle Principal Investigator

Andrew Gross

Summary

This project’s primary objective is to provide a well-founded automatic approach to detecting and fixing security vulnerabilities in Oracle’s implementation of the Java Runtime Library. Prompted by press coverage of recent security incidents involving this library, we have conducted an in-depth analysis of the security issues involved (e.g. CVE-2012-4681). Most recent vulnerabilities were directly related to a problem that the scientific literature calls a “confused deputy”: exploit code was able to misuse novel security-sensitive APIs. We propose to develop dedicated automated tool support to detect such vulnerabilities directly in the code of the Java runtime library, without any additional assistance from the developer. The analysis can be used to find further potential vulnerabilities in the current version of the JDK, and can be used within regression tests to protect against vulnerabilities caused by future code changes or by the addition of novel APIs.