Automated Detection of Security Vulnerabilities in the Java Runtime Library
Principal Investigator
Fraunhofer Institute for Secure Information Technology (SIT)
Oracle Fellowship Recipient
Ben Hermann, Johannes Lerch, Philipp Holzinger
Oracle Principal Investigator
Andrew Gross
Summary
This project’s primary objective is to provide a well-founded automatic approach to detecting and fixing security vulnerabilities in Oracle’s implementation of the Java Runtime Library. Prompted by the press coverage of recent security incidents involving this library, we have conducted an in-depth analysis of the security issues involved (e.g. CVE-2012-4681). Most recent vulnerabilities were directly related to a problem that the scientific literature calls a “confused deputy”: exploit code was able to misuse novel security-sensitive APIs. We propose to develop dedicated automated tool support to detect such vulnerabilities directly in the code of the Java runtime library, without any additional assistance from the developer. The analysis can be used to find potential further vulnerabilities in the current version of the JDK, and can be used within regression tests to protect against vulnerabilities caused by future code changes or by the addition of novel APIs.