Static vulnerability detection in Java service-oriented components
TL;DR: This work shows that a static analysis through tainted object propagation is well suited to detect vulnerabilities in Java service-oriented components, and presents STOP, a Service-oriented Tainted Object Propagation tool, which applies this technique to statically detect those security flaws.
Abstract: Extensible component-based platforms allow dynamic discovery, installation and execution of components. Such platforms are service-oriented, as components may directly interact with each other via the services they provide. Even robust languages such as Java were not designed to handle safe code interaction between trusted and untrusted parties. Dynamic installation of code provided by different third parties leads to several security issues. The different security layers adopted by Java or component-based platforms cannot fully address the problem of untrusted components trying to tamper with other components via legitimate interactions. A malicious component might even use vulnerable ones to compromise the whole component-based platform. Our approach identifies vulnerable components in order to prevent them from threatening services security. We use static analysis to remain as exhaustive as possible and to avoid the need for non-standard or intrusive environments. We show that a static analysis through tainted object propagation is well suited to detect vulnerabilities in Java service-oriented components. We present STOP, a Service-oriented Tainted Object Propagation tool, which applies this technique to statically detect those security flaws. Finally, the audit of several trusted Apache Felix bundles shows that today's component-based platforms are not prepared for malicious Java interactions.
Citations
Foundations and applications of artificial Intelligence for zero-day and multi-step attack detection
TL;DR: This review proposes a comprehensive framework for addressing the challenge of characterising novel complex threats and relevant counter-measures in the field of intrusion detection, which is typically performed online, and security investigation, performed offline.
•Posted Content
Putting the Semantics into Semantic Versioning
TL;DR: It is argued that developers would greatly benefit from tools such as semantic version calculators to help them upgrade safely, and that contracts are a promising input to semantic versioning calculators, which can suggest whether an upgrade is likely to be safe.
28
Putting the semantics into semantic versioning
Patrick Lam, Jens Dietrich, David J. Pearce
- 18 Nov 2020
TL;DR: In this paper, the authors argue that developers would greatly benefit from tools such as semantic version calculators to help them upgrade safely, since changes can be breaking, requiring additional downstream work to adapt to.
25
Assessing Attack Surface with Component-Based Package Dependency
Su Zhang, Xinwen Zhang, Xinming Ou, Liqun Chen, Nigel Edwards, Jing Jin
- 03 Nov 2015
TL;DR: This work proposes a systematic approach of measuring attack surface exposed by individual vulnerabilities through component-level dependency analysis, which is the first to quantitatively assess attack surfaces of vulnerabilities, components, packages, and systems through component-level dependency.
19
Modeling discovery and removal of security vulnerabilities in software system using priority queueing models
Dae-Eun Lim, Tae-Sung Kim
TL;DR: This paper aims to model the discovery and removal of software vulnerabilities based on queueing theory, and the service rate to prevent the number or accumulated degree of vulnerabilities from exceeding the predetermined level can be estimated.
7
References
Sun Microsystems Inc.
TL;DR: Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry and holds a non-exclusive license from Xerox to the Xerox Graphical User Interface.
1.7K
Precise interprocedural dataflow analysis via graph reachability
Thomas Reps, Susan Horwitz, Mooly Sagiv
- 25 Jan 1995
TL;DR: The paper shows how a large class of interprocedural dataflow-analysis problems can be solved precisely in polynomial time by transforming them into a special kind of graph-reachability problem.
Cloning-based context-sensitive pointer alias analysis using binary decision diagrams
John Whaley, Monica S. Lam
- 09 Jun 2004
TL;DR: This paper presents the first scalable context-sensitive, inclusion-based pointer alias analysis for Java programs, and develops a system called bddbddb that automatically translates Datalog programs into highly efficient BDD implementations.
Scaling Java points-to analysis using SPARK
Ondřej Lhoták, Laurie Hendren
- 07 Apr 2003
TL;DR: SPARK is introduced, a flexible framework for experimenting with points-to analyses for Java that supports equality- and subset-based analyses, variations in field sensitivity, respect for declared types, variations in call graph construction, off-line simplification, and several solving algorithms.
Refinement-based context-sensitive points-to analysis for Java
Manu Sridharan, Rastislav Bodik
- 11 Jun 2006
TL;DR: This work has developed a refinement-based analysis that succeeds by simultaneously refining handling of method calls and heap accesses, allowing the analysis to precisely analyze important code while entirely skipping irrelevant code.