中文摘要：

JVM运行时库通过调用自身库函数的安全管理器类能够实现多种安全策略,其中非常重要的一条安全策略是保证程序在执行敏感操作之前必须进行相应的访问控制权限检查.传统上依赖于人工分析来确保JVM运行时库满足该安全策略,由于Java标准类库涵盖上千个类,上万个方法,且处于快速发展和演化过程中,人工分析费时费力,容易出错.本文提出一种全自动、高效、快速的模型检测方法评估JVM是否遵守这一安全策略,扫描Java标准类库字节码文件,将类的成员方法生成控制流图,通过定义检验模型,结合污点分析计算出方法摘要,自动检测出风险方法.

英文摘要：

JVM run-time library can implement various security policies by calling the library functions of its own,one of the extremely important security policy requires that sensitive operations must be performed after access control permissions checks.Traditionally it relies manual analysis to ensure that the JVM run-time library satisfy this security policy.Java standard library,covering thousands of classes,tens of thousands of methods,is in rapid development and high-rate evolution.It is time-consuming and error-prone to analyze the security policy artificially.This paper presents a full automatic,efficient and rapid model detection method for evaluating that whether the JVM in compliance with this security policy.Scanning the byte code files of Java standard class library,generating control flow graph of the member methods,our method can work out method summary by taint analysis after defining detecting model and automatically detect the risky methods.