
Full-Stack Static Security Analysis for the Java Platform

Dissertation approved by the Department of Computer Science of the Technische Universität Darmstadt for the attainment of the academic degree of Doktor-Ingenieur (Dr.-Ing.), submitted by Dipl.-Inform. Benjamin Hermann, born in Langen (Hessen).

Referee: Prof. Dr.-Ing. Mira Mezini
Co-referee: Prof. Dr. Awais Rashid
Date of submission: 29 September 2016
Date of oral examination: 16 November 2016
Year of publication: 2016
Darmstädter Dissertationen D17

Preface

I did not decide right away that in my career as a computer scientist pursuing a doctorate would be something I would invest time into. After my diploma thesis I wanted to venture out and learn through experience. Designing and developing software for a living is something that I enjoyed very much. However, after five years I felt that I needed something more in my life. Coincidentally, a particular problem I encountered during my professional career sparked my scientific interest. I had the opportunity and the pleasure of exploring this idea, which I present in this thesis, during the last years. During these years I met very bright people who helped me on the way. In the following you find an attempt to praise all of them.

First, I would like to thank my supervisor Prof. Mira Mezini, who took the chance of advising someone who had been out of the scientific workflow for some time. It is a venture I recently began to fully understand and for which I am deeply grateful. I also thank Prof. Awais Rashid for being the second examiner of my thesis and for his time and effort in carefully reviewing it. Next, I thank Prof. Eric Bodden for all the support during and beyond the projects we collaborated on. I learned an immense amount about the scientific process just by discussing with him.

I also would like to thank the quality assurance inspector of a pharmaceutical company whom I had the pleasure of convincing of the quality of a piece of software in a prior engagement. During his systematic questioning of our process he let me stumble upon a very interesting issue that I could not solve with state-of-the-art technology. By this, he unknowingly sparked my interest in research. This issue, after many iterations and reformulations, ultimately led me to the research question presented in this thesis.

One of the many things I can look back on is my research project PEAKS, which was funded by the German Ministry of Education and Research (BMBF). It was a great honor to receive funding at this early career stage. It enabled me to lead a research team and back my work up with working prototypes, which we released along with the publications. The motivated people involved in this project were the two PhD students Leonid Glanz and Michael Reif, the undergraduate students Lawrence Dean, Tim Kranz, Florian Kübler, Patrick Müller, and Moritz Tiedje, and our brilliant intern Ben Setzer. We grew as a team over the course of the project and still collaborate on new topics. In this very project, I had the chance to meet Christian Gengenbach from Software AG. He was my mentor over the course of the project and the time after the project ended. I am very grateful for his time and advice during that time. Our regular meetings provided me with strength, confidence and insight to tackle all obstacles on the path to this thesis.

I would like to thank the people who have provided their help in proofreading this thesis. It is their merit that you can follow my line of thought and, well, might even enjoy reading the next pages. They are Sven Amann, Michael Eichberg, Johannes Lerch, Jan Sinschek, and Michael Reif. Also, I would like to thank the anonymous reviewers of my successful as well as my less successful papers. I took their criticism to heart and tried to include it in my work. To be honest, it is a system that I came to love and loathe at the same time. It is never easy to accept criticism, but once I saw how helpful it was, I immediately became grateful even for the harshest comments.

I would also include the students I had the pleasure to supervise in the last years. These are Bastian Gorholt, Tim Kranz, Dominic Helm, Henriette Röger, Florian Kübler, Florian Wendel and Johann Wiedmeier.

A day in the office would not be complete without the great conversations with my brilliant colleagues Sven Amann, Andi Bejleri, Oliver Bracevac, Marcel Bruch, Ervina Cergani, Joscha Drechsler, Michael Eichberg, Matthias Eichholz, Sebastian Erdweg, Leonid Glanz, Sylvia Grewe, Sven Keidl, Edlira Kuci, Johannes Lerch, Ingo Maier, Ralf Mitschke, Ragnar Mogk, Sarah Nadi, Sebastian Proksch, Guido Salvaneschi, Andreas Sewe, Jan Sinschek, Michael Reif, Manuel Weiel, Pascal Weisenburger, and Jurgen van Ham.

No dedication section would be complete without mentioning Gudrun Harris. She may be the most important person in the endeavor of venturing out for a doctorate degree in Mira's group. She constantly keeps track that we are all funded properly, fulfill regulations and in general do not lose our nerves in the process. I cannot even begin to mention the importance of all of these things in the process of my doctorate studies.

And of course I could not have made it without the support of my partner, my friends and my family. I am deeply grateful for every one of them who still talk to me and like me, even though I missed their birthdays, celebrations, or invitations. They forgave me for replying late to their emails and missing important dates. Apparently, pursuing a doctorate degree requires a very understanding personal environment, and I am glad to say that I have that.

Editorial notice: Throughout this thesis I use the terms "we" and "us" to describe my work. This is meant to underline that research is always a cooperative effort and that I would have much less (if anything at all) to present here if other people had not taken time off from their own work to review and discuss mine. I am deeply grateful for their effort. Also, I use pronouns in the feminine gender in this thesis. This is a deliberate decision to even out the general use of the male gender in literature. By using these pronouns I mean to include persons of any gender identity. Written language is, however, not perfectly suited to represent this intent, so please keep the intent in mind when reading this thesis.

Abstract

We have to face a simple, yet disturbing fact: current computing is inherently insecure. The systems we develop and maintain have outgrown our capacity to prove them secure in every instance. Moreover, we have become increasingly dependent on these systems. From small firmware running in cars and household appliances to smartphones and large-scale banking systems, software systems permeate our everyday life. We rely on the safety and security of these systems, yet we encounter threats to these properties every day. Therefore, systems have to be secure by construction and not by maintenance. The principles to achieve this are well known. The Principle of Least Privilege [SS75] was published in 1975, yet software systems do not generally apply it. We argue that new, lightweight methods based on sound theory have to be put forward so that developers can efficiently check that their software is secure in their domain context.

In this thesis, we present three analysis techniques that help programmers develop more secure software by informing them about the current state of unsafe operation usage, extensive capability use in third-party components, and suspicious dead software paths that point to programming errors that could lead to insecurity. These three analyses inspect the full stack of a Java program, from the application code over library and base-library code down to the native code level. If programmers use the information provided by the analyses, they are able to reduce the attack surface of their applications and provide safer and more secure systems to their users.

Furthermore, we contribute two concepts for automated isolation. While the first concept reduces the attack surface by slicing third-party components to their necessary parts, the second concept is more fundamental and aims at achieving a fine-grained privilege separation.

We believe that the software engineering discipline needs more research on these language-based approaches that tackle the problem of software security at its root cause: defective implementation. Using formal methods to construct these tools is necessary, yet software developers cannot be overburdened with new requirements on their work process. Automated tools need to derive security properties from program code by themselves, with as little input required from the programmer as possible. By these means, software can be developed reliably secure in an efficient fashion.

Zusammenfassung (German Abstract)

The steady stream of exploit reports seems to confirm it: current software systems are insecure. The size of the systems we develop and maintain has outgrown our ability to prove their security. Moreover, we have become far more dependent on these systems than we were ten years ago. Software systems permeate our daily life, from firmware in automobiles and household appliances via smartphones up to large banking-transaction systems. We rely on the security of these systems, yet every day we experience the danger that emanates from them. Therefore we argue that software systems must be secure by construction and not by maintenance. The principles required for this are known. The "Principle of Least Privilege" [SS75] was published in 1975, yet it is still not consistently applied in current systems.