Introducing Mango: A Formal Eclipse plugin for Java Vulnerability Detection

Introducing Mango: A Formal Eclipse plugin for Java Vulnerability DetectionFrank RimlingerInformation Assurance DirectorateNational Security Agencyhttp://babelfish.arc.nasa.gov/trac/jpf/wiki/projects/jpf-mango

SummaryTool purpose, featuresWhat is Eclipse? What is a plugin?Finalizer attack (from Oracle Java Security Guide)Step 1: Build trapStep2: Mock-upStep3: Detect trapStep4: TrainMango class resolver, and math foundations.Tool purposeCreate and understand formal specification of Java code.Create and apply tests to screen for known issues.Formulate and prove properties about the code using automated theorem proving.Tool featuresAvailable as open-source, Eclipse plugin.Persistent automated modeling of formal specification.Natural language translation.Navigable view of specification.Pattern capture-and-edit for test creation.Layered Eclipse project design for code approximation.What is Eclipse?

What is the Mango plugin?

Finalizer attack

Step 1: Build the trapHow to use Mango to build a trap for catching coding errors which enable the finalizer attack.Add safe.firewallCheck()

Build the opaque spec

Inspect the state transition

Modify the heap reference

Step 2: Mock-upHow to set up a mock situation that will fire the trap.Firewall and sensitive dummies

Approximate the sensitive methodStep 3: DetectCreate a training rule to detect and report all firewallCheck expressions.More refined rules later to weed out false positives.The training rule

Step 4 TrainUse Mango navigation of generated specification to reveal the salient features of the formal model. Develop rules for more general situations.

Generate the mock-up spec

Movie: Mango does its thing!

Navigate to the hit point

Edit hit to generalize

The loop algorithm

The confluence algorithm

Confluence Alg concluded