Static computation of permission flow in Java programs

			     Gleb Naumovich
		  Polytechnic University, Brooklyn, NY

Open distributed systems are becoming increasingly popular.  Such
systems include components that may be obtained from a number of
different sources.  For example, Java allows run-time loading of
software components residing on remote machines.  One unfortunate
side-effect of this openness is the possibility that ``hostile''
software components may compromise the security of both the program
and the system on which it runs.  Java offers a built-in security
mechanism, using which programmers can give permissions to
distributed components and check these permissions at run-time.
This security model is flexible, but using it is not
straightforward, which may lead to insufficiently tight permission
checking and therefore breaches of security.

In this talk, we will describe an approach for automated analysis of
the flow of permissions in Java programs, based on data flow
analysis.  This technique produces, for a given instruction in the
program, a set of permissions that are checked on all possible
executions up to this instruction.  This information can be used in
program understanding tools or directly for checking properties that
assert what permissions must always be checked before access to
certain functionality is allowed.