Advertisement

Static Analysis of a Class of Memory Leaks in TrustedBSD MAC Framework

  • Xinsong Wu
  • Zhouyi Zhou
  • Yeping He
  • Hongliang Liang
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5451)

Abstract

Security labels of subjects and objects are crucial for some security policies and are an essential part of the TrustedBSD MAC framework. We find that security labels not being destroyed properly will result in memory leaks. This paper analyzes the security labels management of the TrustedBSD MAC framework and presents a path-sensitive static analysis approach to detect potential memory leaks caused by the security label management. This approach verifies complete destruction of security labels through compiler-integrated checking rules at compile-time. It achieves complete coverage of execution paths and has low false positive rate.

Keywords

static analysis memory leak TrustedBSD MAC framework security label mygcc 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
  2. 2.
    Bell, D.E., LaPadula, L.J.: Secure Computer System: Unified Exposition and MULTICS Interpretation. MTR-2997, MITRE Corporation, Bedford, MA (1976)Google Scholar
  3. 3.
    Wright, C., Cowan, C., Smalley, S., Morris, J., Kroah-Hartman, G.: Linux Security Modules: General Security Support for the Linux Kernel. In: Usenix Security Symp., Usenix Assoc, pp. 17–31 (2002)Google Scholar
  4. 4.
    Zhang, X., Edwards, A., Jaeger, T.: Using CQUAL for Static Analysis of Authorization Hook Placement. In: Proceedings of the 11th Usenix Security Symposium, San Francisco, California (August 2002)Google Scholar
  5. 5.
    Edwards, A., Jaeger, T., Zhang, X.: Runtime Verification of Authorization Hook Placement for the Linux Security Modules Framework. In: ACM Conference on Computer and Communications Security (November 2002)Google Scholar
  6. 6.
    Foster, J.S., Fahndrich, M., Aiken, A.: A Theory of Type Qualifiers. In: ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 1999). Atlanta, Georgia (May 1999)Google Scholar
  7. 7.
    Volanschi, N.: A Portable Compiler-Integrated Approach to Permanent Checking. In: Proceedings of the 21st IEEE/ACM International Conference on Automated Software Engineering, Tokyo, Japan (September 2006)Google Scholar
  8. 8.
    Watson, R., Morrison, W., Vance, C., Feldman, B.: The TrustedBSD MAC Framework: Extensible Kernel Access Control for FreeBSD 5.0. In: USENIX Annual Technical Conference, San Antonio, TX (June 2003)Google Scholar
  9. 9.
    Larochelle, D., Evans, D.: Statically Detecting Likely Buffer Overflow Vulnerabilities. In: 10th USENIX Security Symposium (August 2001)Google Scholar
  10. 10.
    Meng, C., He, Y., Luo, Y.: Value Equality Analysis in C Program API Conformance Validation. Journal of Software 19(10), 2550–2561 (2008) (in Chinese)CrossRefGoogle Scholar
  11. 11.
    Ganapathy, V., Jaeger, T., Jha, S.: Automatic Placement of Authorization Hooks in the Linux Security Modules Framework. In: Proceedings of the 12th ACM conference on Computer and communications security (November 2005)Google Scholar
  12. 12.

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Xinsong Wu
    • 1
    • 2
  • Zhouyi Zhou
    • 1
    • 2
  • Yeping He
    • 1
  • Hongliang Liang
    • 1
  1. 1.Institute of SoftwareChinese Academy of SciencesBeijingChina
  2. 2.Graduate SchoolChinese Academy of SciencesBeijingChina

Personalised recommendations