DocumentCode
1922102
Title
Enhancing Automated Detection of Vulnerabilities in Java Components
Author
Parrend, Pierre
Author_Institution
Software Eng., FZI Forschungszentrum Inf., Karlsruhe
fYear
2009
fDate
16-19 March 2009
Firstpage
216
Lastpage
223
Abstract
Java-based systems are built from components from various providers that are integrated together. Generic coding best practices are gaining momentum, but no tool is available so far that guarantees that the interactions between these components are performed in a secure manner. We propose the 'Weak Component Analysis' (WCA) tool, which performs static analysis of the component code to identify exploitable vulnerabilities. Three types of classes can be identified in Java components, each of which can be exploited through specific vulnerabilities. Internal classes, which are not available for other components, can be abused in an indirect manner. Shared classes, which are provided by libraries, can be abused through class-level vulnerabilities. Shared objects, i.e. instantiated classes, which are made available as local services in Service-oriented Programming platforms such as OSGi, Spring and Guice, can be abused through object-level vulnerabilities in addition to class-level vulnerabilities.
Keywords
Java; Web services; program diagnostics; security of data; software libraries; Java component; automated detection enhancing; secure component static analysis; service-oriented programming platform; software library; vulnerability identification; weak component analysis tool; Availability; Best practices; Guidelines; Java; Libraries; Packaging; Performance analysis; Security; Software engineering; Sun; Component; Java Language; Software Vulnerabilities; Static Analysis;
fLanguage
English
Publisher
ieee
Conference_Titel
Availability, Reliability and Security, 2009. ARES '09. International Conference on
Conference_Location
Fukuoka
Print_ISBN
978-1-4244-3572-2
Electronic_ISBN
978-0-7695-3564-7
Type
conf
DOI
10.1109/ARES.2009.9
Filename
5066476