MQP:Project Overview

From JimboWiki
Revision as of 21:17, 5 September 2008 by J




This project will attempt to develop methods to analyze the policy requirements of a Java application and methods of presenting the results to developers. These methods will be used to structure and build a tool to help developers create applications that utilize Java security policy. Analysis may use a combination of static and runtime analysis tools to create a complete representation. Outside sources, such as policies that are already in place, developer specified policy requirements, and other policy sources, may be used to enhance the analysis. Results of the analysis may be presented through an IDE, a generated policy file, or some standalone representation.

The main goal of this project is to encourage developers to create applications that use the security manager by providing a tool to analyze Java policy.

This page is incomplete
More work needs to be done on this page, so if something is missing, don't be surprised

Program Analysis

The tool produced should be able to take input from multiple sources to perform a detailed analysis of the permission requirements of each part of the code.

Static Analysis

Static analysis can provide much of the information about an application's permission requirements: every call into a permission-checked JDK API implies a permission, although the argument that completes it (a file path, a property name, a host and port) is often only known at run time. More detail is on the separate static analysis page.

Runtime Analysis

In order to demonstrate, test, and further refine the policy proposed by static analysis, runtime analysis is required. There are several strategies for runtime analysis, such as:

  • An interactive, policy-development-centered approach, where the developer is prompted to allow or deny each permission check as it comes up
  • A monitoring-centered approach, where all permissions are simply granted and recorded
  • A testing-centered approach, where only failures or special watch cases are presented for action
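The monitoring-centered and testing-centered strategies above can both be implemented by installing a custom java.security.Policy, because every permission check the JVM performs ends in Policy.implies(). The class below is an added example, not code from this project. In MONITOR mode it grants everything, records each request per code base, and renders the result as policy-file grant blocks, which is also the simplest form of the policy file generation discussed later on this page; in TEST mode it delegates to whatever policy was in force before it (taken here to be the proposed policy) and records only the denials. The class name, the mode names and the two demo actions are assumptions. It assumes a JDK that still ships the Security Manager: JDK 8 through 17 as-is, JDK 18 through 23 with `-Djava.security.manager=allow`; JDK 24 removed it.

```java
import java.io.File;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/**
 * Hypothetical recording Policy for runtime analysis (example code, not the project's).
 * MONITOR: grant every request and record it (monitoring-centered strategy).
 * TEST:    delegate to the proposed policy and record only what it denies, so that
 *          just the failures are presented (testing-centered strategy).
 * Every permission check in the JVM ends in implies(), so it must do no I/O:
 * anything permission-checked in here would re-enter this method.
 */
public class RecordingPolicy extends Policy {
    enum Mode { MONITOR, TEST }

    private final Mode mode;
    private final Policy proposed;   // policy under test; only consulted in TEST mode
    private final Map<String, Set<Permission>> granted = new LinkedHashMap<>();
    private final Map<String, Set<Permission>> denied = new LinkedHashMap<>();

    RecordingPolicy(Mode mode, Policy proposed) {
        this.mode = mode;
        this.proposed = proposed;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission perm) {
        boolean ok = (mode == Mode.MONITOR) || proposed.implies(domain, perm);
        CodeSource cs = domain.getCodeSource();
        String codeBase = (cs == null || cs.getLocation() == null) ? null : cs.getLocation().toString();
        synchronized (this) {   // plain get/put, no lambdas: keep the recording path side-effect free
            Map<String, Set<Permission>> target = ok ? granted : denied;
            Set<Permission> seen = target.get(codeBase);
            if (seen == null) {
                seen = new LinkedHashSet<>();
                target.put(codeBase, seen);
            }
            seen.add(perm);
        }
        return ok;
    }

    /** Everything that was granted, rendered as policy-file grant blocks, one per code base. */
    synchronized String toPolicyFile() { return render(granted); }

    /** TEST mode: the grant blocks that would have to be added for the run to succeed. */
    synchronized String missingGrants() { return render(denied); }

    private static String render(Map<String, Set<Permission>> byCodeBase) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Set<Permission>> e : byCodeBase.entrySet()) {
            sb.append("grant");
            if (e.getKey() != null) sb.append(" codeBase \"").append(quote(e.getKey())).append('"');
            sb.append(" {\n");
            for (Permission p : e.getValue()) {
                sb.append("    permission ").append(p.getClass().getName())
                  .append(" \"").append(quote(p.getName())).append('"');
                String actions = p.getActions();
                if (actions != null && !actions.isEmpty()) sb.append(", \"").append(actions).append('"');
                sb.append(";\n");
            }
            sb.append("};\n");
        }
        return sb.toString();
    }

    /** Policy-file strings are double-quoted: backslashes (Windows paths) and quotes must be escaped. */
    private static String quote(String s) {
        if (s == null) return "";
        return s.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    /** Demo: no argument runs MONITOR mode; "test" runs TEST mode against the JDK's default policy. */
    public static void main(String[] args) {
        Mode mode = (args.length > 0 && args[0].equals("test")) ? Mode.TEST : Mode.MONITOR;
        Policy proposed = Policy.getPolicy();   // load the default policy before any SecurityManager exists
        RecordingPolicy recorder = new RecordingPolicy(mode, proposed);
        Policy.setPolicy(recorder);
        System.setSecurityManager(new SecurityManager());   // JDK 18-23: needs -Djava.security.manager=allow

        // The "application under analysis": two actions that need two distinct permissions.
        try {
            String home = System.getProperty("user.home");   // PropertyPermission "user.home", "read"
            new File(home).exists();                          // FilePermission <home>, "read"
        } catch (SecurityException denied) {
            System.out.println("denied: " + denied.getMessage());
        }

        System.out.println("# observed and granted:");
        System.out.print(recorder.toPolicyFile());
        if (mode == Mode.TEST) {
            System.out.println("# missing from the proposed policy:");
            System.out.print(recorder.missingGrants());
        }
    }
}
```

In MONITOR mode the generated file is a ceiling: it contains every permission checked on the paths that were actually exercised, with the concrete file paths and property names that static analysis cannot see, and nothing for paths that were not exercised. In TEST mode the default java.policy does not grant "user.home" to application code, so the first action fails and the missing grant block is exactly the change the developer has to make to the proposed policy. The interactive strategy is deliberately not shown: blocking on a prompt inside implies() is awkward because the prompt itself can trigger further permission checks.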

Combining Results

Combining results from multiple sources allows us to present a more complete representation of the actual requirements and implications of an application's security design. With the combined data source, each analysis is able to build on what the others have already learned, and the combined result can show new insights into the application's security requirements.

Result Presentation

In order to communicate the results of the analysis to the developer, it is important to have a clear, concise representation of the application's permission requirements.

IDE

The most usable representation within an IDE would appear as the developer writes code, similar to a syntax checker. A full static analysis may be too slow to rerun on every edit, however, and the permission requirement set has to be kept up to date as the developer continues to write code without regenerating the entire data set.

It would also be possible to present this data after an analysis completes, similar to a code coverage tool. This would require the developer to start the analysis explicitly.

The sort of information to be presented includes:

  • All permissions required for some block of code (class, method, etc)
  • Occurrences of doPrivileged blocks
  • Occurrences of Thread objects being passed outside their own context
  • Add more to this list.
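An added example, not part of this project, of the kind of static pass that produces the information in the list above and that the Static Analysis section refers to: it disassembles a compiled class with the JDK's own javap, maps calls into permission-checked JDK APIs onto the Permission each one implies using a constructed, deliberately tiny table, and counts doPrivileged sites and Thread constructions per method. The class name, the table and the sample method are hypothetical. It needs JDK 9 or later for java.util.spi.ToolProvider, and must be compiled with javac and run from the class directory so that, given no argument, it can find and scan its own .class file.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.StringWriter;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.spi.ToolProvider;

/**
 * Hypothetical static scan over compiled classes (example code, not the project's):
 * disassemble with javap, map calls into permission-checked JDK APIs onto the
 * Permission they imply, and report doPrivileged sites and Thread creation per method.
 */
public class PolicyScan {

    /** Constructed, deliberately tiny API-to-permission table; a real tool needs the whole JDK catalogued. */
    static final Map<String, String> API_PERMISSIONS = new LinkedHashMap<>();
    static {
        API_PERMISSIONS.put("java/io/FileInputStream.\"<init>\"",  "java.io.FilePermission <path>, \"read\"");
        API_PERMISSIONS.put("java/io/FileOutputStream.\"<init>\"", "java.io.FilePermission <path>, \"write\"");
        API_PERMISSIONS.put("java/lang/System.getProperty",        "java.util.PropertyPermission <key>, \"read\"");
        API_PERMISSIONS.put("java/lang/System.setProperty",        "java.util.PropertyPermission <key>, \"write\"");
        API_PERMISSIONS.put("java/net/Socket.\"<init>\"",          "java.net.SocketPermission <host:port>, \"connect\"");
        API_PERMISSIONS.put("java/lang/System.exit",               "java.lang.RuntimePermission \"exitVM.<status>\"");
    }

    // javap -c: a method header is indented two spaces, has a parameter list and ends in ';'
    private static final Pattern METHOD_HEADER = Pattern.compile("^  (?:\\S.*\\(.*\\).*|static \\{\\});$");
    // javap -c: the comment after invoke* names the callee as owner.method (same-class calls have no owner)
    private static final Pattern CALL_SITE = Pattern.compile("// (?:Interface)?Method ([\\w/$]+\\.\"?[\\w<>$]+\"?):");

    static final class Findings {
        final Set<String> permissions = new LinkedHashSet<>();
        int privilegedCalls;
        int threadsCreated;
    }

    /** Run the JDK's javap in-process on one class file and return its text. */
    static String disassemble(Path classFile) {
        ToolProvider javap = ToolProvider.findFirst("javap")
            .orElseThrow(() -> new IllegalStateException("javap not available: run on a JDK, not a JRE"));
        StringWriter out = new StringWriter(), err = new StringWriter();
        PrintWriter pout = new PrintWriter(out), perr = new PrintWriter(err);
        int rc = javap.run(pout, perr, "-c", "-p", classFile.toString());
        pout.flush();
        perr.flush();
        if (rc != 0) throw new IllegalStateException("javap failed: " + err);
        return out.toString();
    }

    /** Walk the disassembly, attributing each interesting call site to the method whose header preceded it. */
    static Map<String, Findings> scan(String disassembly) {
        Map<String, Findings> byMethod = new LinkedHashMap<>();
        String method = "<class>";
        for (String line : disassembly.split("\\r?\\n")) {
            if (METHOD_HEADER.matcher(line).matches()) { method = line.trim(); continue; }
            Matcher m = CALL_SITE.matcher(line);
            if (!m.find()) continue;
            String callee = m.group(1);
            boolean privileged = callee.startsWith("java/security/AccessController.doPrivileged");
            boolean thread = callee.equals("java/lang/Thread.\"<init>\"");
            String permission = API_PERMISSIONS.get(callee);
            if (!privileged && !thread && permission == null) continue;
            Findings f = byMethod.computeIfAbsent(method, k -> new Findings());
            if (privileged) f.privilegedCalls++;
            if (thread) f.threadsCreated++;
            if (permission != null) f.permissions.add(permission);
        }
        return byMethod;
    }

    /** Sample code for the scan to find; never executed, only disassembled. */
    static Thread sample(String path) throws IOException {
        try (FileInputStream in = new FileInputStream(path)) { in.read(); }
        String home = AccessController.doPrivileged(
            (PrivilegedAction<String>) () -> System.getProperty("user.home"));
        return new Thread(() -> System.out.println(home));   // Thread handed out of its creating context
    }

    public static void main(String[] args) throws Exception {
        // With no argument, scan this class's own .class file (compile with javac first).
        Path target = args.length > 0 ? Paths.get(args[0])
            : Paths.get(PolicyScan.class.getResource("PolicyScan.class").toURI());
        scan(disassemble(target)).forEach((method, f) -> {
            System.out.println(method);
            f.permissions.forEach(p -> System.out.println("    needs " + p));
            if (f.privilegedCalls > 0) System.out.println("    doPrivileged sites: " + f.privilegedCalls);
            if (f.threadsCreated > 0)  System.out.println("    Thread objects created: " + f.threadsCreated);
        });
    }
}
```

Two things the output makes visible that the list above only names. The placeholders such as <path> and <key> are what static analysis cannot fill in without constant propagation, which is the gap the runtime analysis closes. And the property read inside doPrivileged is reported under a synthetic lambda$sample$N method rather than under sample(), because javac compiles the lambda body into its own method; since doPrivileged stops the stack walk at the frame that called it, that site is where the grant has to be, and a real tool has to fold such synthetic methods back into their enclosing method before presenting results.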

Policy File Generation

Standalone Tool

Usability Concerns

Ease of Use

Speed of Analysis

Presentation of Data

Project Schedule and Goals

Tasks:

  • [1] Add dates to all these goals
  • [1] Finish adding tasks
  • [ ] Finalize Static Analysis Algorithm