Title :
Enhancing Automated Detection of Vulnerabilities in Java Components
Author_Institution :
Software Eng., FZI Forschungszentrum Inf., Karlsruhe
Abstract :
Java-based systems are built from components from various providers that are integrated together. Generic coding best practices are gaining momentum, but no tool is available so far that guarantees that the interactions between these components are performed in a secure manner. We propose the 'Weak Component Analysis' (WCA) tool, which performs static analysis of the component code to identify exploitable vulnerabilities. Three types of classes can be identified in Java components, each of which can be exploited through specific vulnerabilities. Internal classes, which are not available to other components, can be abused in an indirect manner. Shared classes, which are provided by libraries, can be abused through class-level vulnerabilities. Shared objects, i.e. instantiated classes, which are made available as local services in Service-oriented Programming platforms such as OSGi, Spring and Guice, can be abused through object-level vulnerabilities in addition to class-level vulnerabilities.
Keywords :
Java; Web services; program diagnostics; security of data; software libraries; Java component; automated detection enhancing; secure component static analysis; service-oriented programming platform; software library; vulnerability identification; weak component analysis tool; Availability; Best practices; Guidelines; Java; Libraries; Packaging; Performance analysis; Security; Software engineering; Sun; Component; Java Language; Software Vulnerabilities; Static Analysis;
Conference_Titel :
Availability, Reliability and Security, 2009. ARES '09. International Conference on
Conference_Location :
Fukuoka
Print_ISBN :
978-1-4244-3572-2
Electronic_ISBN :
978-0-7695-3564-7
DOI :
10.1109/ARES.2009.9