Static vulnerability detection in Java service-oriented components

  • Original Paper
Journal of Computer Virology and Hacking Techniques

Abstract

Extensible component-based platforms allow dynamic discovery, installation and execution of components. Such platforms are service-oriented, as components may directly interact with each other via the services they provide. Even robust languages such as Java were not designed to handle safe code interaction between trusted and untrusted parties. Dynamic installation of code provided by different third parties leads to several security issues. The different security layers adopted by Java or component-based platforms cannot fully address the problem of untrusted components trying to tamper with other components via legitimate interactions. A malicious component might even use vulnerable ones to compromise the whole component-based platform. Our approach identifies vulnerable components in order to prevent them from threatening the security of services. We use static analysis to remain as exhaustive as possible and to avoid the need for non-standard or intrusive environments. We show that a static analysis through tainted object propagation is well suited to detect vulnerabilities in Java service-oriented components. We present STOP, a Service-oriented Tainted Object Propagation tool, which applies this technique to statically detect those security flaws. Finally, the audit of several trusted Apache Felix bundles shows that today's component-based platforms are not prepared for malicious Java interactions.

Notes

  1. http://code.google.com/android/.

  2. http://msdn.microsoft.com/netframework.

  3. http://felix.apache.org/.

Acknowledgments

We would like to thank the anonymous reviewers for their detailed discussions, Yvan Royon from Alcatel Lucent for his knowledge and accurate criticism, Cédric Lauradoux for his constructive and complete reviews and the whole Amazones team for providing us with a convivial and productive working environment. This article is granted by the LISE (Liability Issues in Software Engineering) project, funded by the ANR (Agence Nationale de la Recherche) under the SeSur 2007 program (ANR-07-SESU-007).

Author information

Correspondence to François Goichon.

About this article

Cite this article

Goichon, F., Salagnac, G., Parrend, P. et al. Static vulnerability detection in Java service-oriented components. J Comput Virol Hack Tech 9, 15–26 (2013). https://doi.org/10.1007/s11416-012-0172-1

  • DOI: https://doi.org/10.1007/s11416-012-0172-1
