A security policy oracle: detecting security holes using multiple API implementations

@inproceedings{Srivastava2011ASP,
  title={A security policy oracle: detecting security holes using multiple API implementations},
  author={Varun Srivastava and Michael D. Bond and Kathryn S. McKinley and Vitaly Shmatikov},
  booktitle={PLDI},
  year={2011}
}
Even experienced developers struggle to implement security policies correctly. For example, despite 15 years of development, standard Java libraries still suffer from missing and incorrectly applied permission checks, which enable untrusted applications to execute native calls or modify private class variables without authorization. Previous techniques for static verification of authorization enforcement rely on manually specified policies or attempt to infer the policy by code-mining. Neither…