From Access Control to Information Flow: Security Model and Static Analysis for Detecting Java Security Vulnerabilities

Yi Lu, Paddy Krishnan, Raghavendra K. R.
Oracle Labs, Brisbane

Modern programming languages like Java and C# have been designed for Internet applications and extensible systems. In order to run untrusted code (e.g. mobile code downloaded from the Internet) in the same process as trusted code, these languages rely on a fine-grained permission-based access control model to manage the security requirements of program code. Previous literature has shown that such an access control model is flawed in that unauthorised code (code without sufficient permission) may influence and/or be influenced by the execution of security-sensitive code (code manipulating system resources) without accessing it. Traditional information flow models may be used to enforce non-interference between security-sensitive code and untrusted code regardless of their permissions. But they do not reason about access control and therefore undesirably preclude information flow between security-sensitive code and authorised code (code granted sufficient permissions).

We propose a new security model to prevent undesired influences between security-sensitive code and unauthorised code while still allowing desired influences between security-sensitive code and authorised code. It generalises both access control and information flow control with a hybrid security policy, where information flow is constrained by access control. To show the practicability of the security model, we realise it in the form of a static program analysis which can be used to automatically detect security vulnerabilities in Java programs.