RZO Web Page - networks and Co

Bienvenue sur la page RZO

Ressources de Jean et Pierre Parrend en informatique, telecoms et reseaux


Home

Pierre

Enseignement

Publications

Developpement

Jean

Ressources techniques

A Lire

Contact

Home-Pierre-Jean-Enseignement-Ressources techniques-Contact
Recherche-Publications-CV-Master

Enhancing Automated Detection of Vulnerabilities in Java Components

Pierre Parrend

Forth International Conference on Availability, Reliability and Security (AReS 2009), 16th – 19th March 2009, Fukuoka, Japan.

Abstract : Java-based systems are built from components from various providers that are integrated together. Generic coding best practices are gaining momentum, but no tool is available so far that guarantees that the interactions between these components are performed in a secure manner.

We propose the ‘Weak Component Analysis’ (WCA) tool, which performs static analysis of the component code to identify exploitable vulnerabilities. Three types of classes can be identified in Java components, that each can be exploited through specific vulnerabilities. Internal classes which are not available for other components can be abused in an indirect manner. Shared classes which are provided by libraries can be abused through class-level vulnerabilities. Shared objects, i.e. instantiated classes, which are made available as local services in Service-oriented Programming platforms such as OSGi, Spring and Guice can be abused through object-level vulnerabilities in addition to class-level vulnerabilities.

Keywords :Software Security, Component Middleware, Static Analysis, OSGi Platform

Appendix :pdf file

Bibtex :

@INPROCEEDINGS{Parrend2009ares,
author = {Pierre Parrend},
title = {Enhancing Automated Detection of Vulnerabilities in Java Components},
booktitle = {Forth International Conference on Availability, Reliability and Security
(AReS 2009)},
year = {2009},
address = {Fukuoka, Japan},
month = {March},
}

Go to the English version

Home-Pierre-Jean-Enseignement-Ressources techniques-Contact

Last update : 22 April 2008 - contact the webmaster