Combining static and dynamic analysis for automatic identification of precise access-control policies

Given a large component-based program, it may be very complex to identify an optimal access-control policy, allowing the program to execute with no authorization failures and no violations of the Principle of Least Privilege. This paper presents a novel combination of static and dynamic analysis for automatic determination of precise access-control policies for programs that will be executed on Stack-Based Access Control systems, such as Java and the Common Language Runtime (CLR). The static analysis soundly models the execution of the program taking into account native methods, reflection, and multi-threaded code. The dynamic analysis interactively refines the potentially conservative results of the static analysis, with no need for writing or generating test cases or for restarting the system if an authorization failure occurs during testing, and no risk of corrupting the underlying system on which the analysis is performed. We implemented the analysis framework presented by this paper in an analysis tool for Java programs, called Access-Control Explorer (ACE). ACE allows for automatic, safe, and precise identification of access-right requirements and library-code locations that should be made privilege-asserting to prevent client code from requiring unnecessary access rights. This paper presents experimental results obtained on large production-level applications.