Abstract
Security labels of subjects and objects are crucial for some security policies and are an essential part of the TrustedBSD MAC framework. We find that security labels that are not destroyed properly result in memory leaks. This paper analyzes the security label management of the TrustedBSD MAC framework and presents a path-sensitive static analysis approach to detect potential memory leaks caused by security label management. The approach verifies complete destruction of security labels through compiler-integrated checking rules at compile time. It achieves complete coverage of execution paths and has a low false-positive rate.
Supported by the National Natural Science Foundation of China under Grant No. 90818012 and the National High-Tech Research and Development Plan of China under Grant No. 2007AA010601.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Wu, X., Zhou, Z., He, Y., Liang, H. (2009). Static Analysis of a Class of Memory Leaks in TrustedBSD MAC Framework. In: Bao, F., Li, H., Wang, G. (eds) Information Security Practice and Experience. ISPEC 2009. Lecture Notes in Computer Science, vol 5451. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-00843-6_8
DOI: https://doi.org/10.1007/978-3-642-00843-6_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-00842-9
Online ISBN: 978-3-642-00843-6
eBook Packages: Computer Science, Computer Science (R0)