Java Vulnerability Detection

The JVD project started in 2013 with the aim of finding security vulnerabilities in the Java Platform (i.e., the Java Development Kit).

Key findings

We have created a classification of security vulnerabilities derived from the Java Secure Coding Guidelines. The classification focuses mainly on access-control issues but also considers other topics such as information flow. We use static program-analysis techniques to detect the various security vulnerabilities.

To enable the Java product group to detect vulnerabilities, the static analysis tool Parfait has been enhanced with various Java security-specific analyses. To obtain a highly scalable, precise and accurate analysis, we use a mixture of object-based, field-sensitive, context-sensitive/context-insensitive, and flow-sensitive/flow-insensitive analyses that are designed specifically for libraries. Parfait also supports cross-language analyses to detect a class of JNI-related vulnerabilities.

Other outcomes include the use of points-to analysis for libraries in the context of call-graph construction, taint analysis and escape analysis; techniques to make the points-to analysis scalable; and the role of information flow in Java-related vulnerabilities.

The project also developed and evolved a mechanism for continuous technology transfer. The research aspects of this project were fully transferred to the Parfait team in April 2017. Parfait is integrated into the development processes and is used by numerous developers in the Java product group.
