Enhancing Automated Detection of Vulnerabilities in Java Components
Pierre Parrend
Fourth International Conference on Availability, Reliability and Security (AReS 2009), 16th – 19th March 2009, Fukuoka, Japan.
Abstract:
Java-based systems are built from components from various providers that are integrated together. Generic coding best practices are gaining momentum, but no tool is available so far that guarantees that the interactions between these components are performed in a secure manner. We propose the ‘Weak Component Analysis’ (WCA) tool, which performs static analysis of the component code to identify exploitable vulnerabilities. Three types of classes can be identified in Java components, each of which can be exploited through specific vulnerabilities. Internal classes, which are not available to other components, can be abused in an indirect manner. Shared classes, which are provided by libraries, can be abused through class-level vulnerabilities. Shared objects, i.e. instantiated classes, which are made available as local services in Service-oriented Programming platforms such as OSGi, Spring and Guice, can be abused through object-level vulnerabilities in addition to class-level vulnerabilities.
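As an added illustration (not code from the paper or from the WCA tool), the following Java sketch shows the three kinds of classes the abstract distinguishes, each in a weak and a hardened form. The package name, the class names, and the two weakness patterns used (a public static non-final field for the class level, a returned live reference to internal state for the object level) are assumptions chosen for illustration, not the paper's own vulnerability catalogue.

```java
package example.wca;   // hypothetical package name, not from the paper

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

public final class ComponentExamples {

    // 1. Internal class: not exported, so other components cannot name it,
    //    but it can still be reached indirectly through objects the
    //    component hands out (see WeakAuditLog.entries()).
    static final class InternalBuffer {
        final List<String> entries = new ArrayList<>();
    }

    // 2. Shared class (exported package). A public static non-final field is
    //    a class-level weakness: any importer can overwrite it for everyone.
    public static final class WeakSharedConfig {
        public static String logPath = "/tmp/app.log";
    }

    // Hardened form: the value is private, final and only readable.
    public static final class HardenedSharedConfig {
        private static final String LOG_PATH = "/tmp/app.log";
        private HardenedSharedConfig() {}
        public static String logPath() { return LOG_PATH; }
    }

    // 3. Shared object: an instance registered as a local service.
    public interface AuditLog {
        void record(String event);
        List<String> entries();
    }

    // Object-level weakness: the live internal list escapes, so one consumer
    // can alter or erase what every other consumer sees.
    public static final class WeakAuditLog implements AuditLog {
        private final InternalBuffer buffer = new InternalBuffer();
        @Override public void record(String event) { buffer.entries.add(event); }
        @Override public List<String> entries() { return buffer.entries; }
    }

    // Hardened form: input is validated and callers get a read-only copy.
    public static final class HardenedAuditLog implements AuditLog {
        private final InternalBuffer buffer = new InternalBuffer();
        @Override public void record(String event) {
            if (event == null) throw new IllegalArgumentException("event must not be null");
            buffer.entries.add(event);
        }
        @Override public List<String> entries() {
            return Collections.unmodifiableList(new ArrayList<>(buffer.entries));
        }
    }

    // Demonstration with constructed input: the same consumer action succeeds
    // against the weak service and is rejected by the hardened one.
    public static void main(String[] args) {
        AuditLog weak = new WeakAuditLog();
        weak.record("login ok");
        weak.entries().clear();                      // silently wipes the shared log
        System.out.println("weak log size after clear: " + weak.entries().size());

        AuditLog hardened = new HardenedAuditLog();
        hardened.record("login ok");
        try {
            hardened.entries().clear();
        } catch (UnsupportedOperationException e) {
            System.out.println("hardened log rejected the mutation");
        }
        System.out.println("hardened log size: " + hardened.entries().size());

        WeakSharedConfig.logPath = "/tmp/elsewhere.log";   // class-level overwrite succeeds
        System.out.println("weak config now points to " + WeakSharedConfig.logPath);
        System.out.println("hardened config still points to " + HardenedSharedConfig.logPath());
    }
}
```

The point a static analyser such as the one the abstract describes would look for is structural: a field that is public, static and non-final on an exported class, or a public method on a service object that returns a reference to a mutable field rather than a copy. Both patterns are visible in bytecode without running the component.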
Keywords: Software Security, Component Middleware, Static Analysis, OSGi Platform
Appendix: pdf file
Bibtex:
@INPROCEEDINGS{Parrend2009ares,
author = {Pierre Parrend},
title = {Enhancing Automated Detection of Vulnerabilities in Java Components},
booktitle = {Fourth International Conference on Availability, Reliability and Security (AReS 2009)},
year = {2009},
address = {Fukuoka, Japan},
month = {March},
}