 |
Information Security and Privacy Research 27th IFIP TC 11 Information Security and Privacy Conference, SEC 2012 Heraklion, Crete, Greece, June 4-6, 2012 |
 |
Conference papers
An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling
Abstract : Security tools, using static code analysis, are employed to find common bug classes, such as SQL injections and cross-site scripting vulnerabilities. This paper focuses on another bug class that is related to the object-pool pattern, which allows objects to be reused over multiple sessions. We show that the pattern is applied in a wide range of Java Enterprise frameworks and describe the problem of inter-session data flows, which comes along with the pattern. To demonstrate that the problem is relevant, we analyzed different open-source and a proprietary commercial software, with the help of a detection approach we introduce. We were able to show that the problem class occurred in these applications and posed a threat to the confidentiality of the closed-source software.
Cited literature [22 references]
https://hal.inria.fr/hal-01518238
Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Thursday, May 4, 2017 - 1:45:31 PM
Last modification on : Tuesday, February 13, 2018 - 4:24:03 PM
Long-term archiving on: : Saturday, August 5, 2017 - 1:33:43 PM
Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Thursday, May 4, 2017 - 1:45:31 PM
Last modification on : Tuesday, February 13, 2018 - 4:24:03 PM
Long-term archiving on: : Saturday, August 5, 2017 - 1:33:43 PM
File
978-3-642-30436-1_3_Chapter.pd...
Files produced by the author(s)
Licence
Distributed under a Creative Commons Attribution 4.0 International License