HAL will be down for maintenance from Friday, June 10 at 4pm through Monday, June 13 at 9am. More information
Skip to Main content Skip to Navigation
Conference papers

An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling

Abstract : Security tools, using static code analysis, are employed to find common bug classes, such as SQL injections and cross-site scripting vulnerabilities. This paper focuses on another bug class that is related to the object-pool pattern, which allows objects to be reused over multiple sessions. We show that the pattern is applied in a wide range of Java Enterprise frameworks and describe the problem of inter-session data flows, which comes along with the pattern. To demonstrate that the problem is relevant, we analyzed different open-source and a proprietary commercial software, with the help of a detection approach we introduce. We were able to show that the problem class occurred in these applications and posed a threat to the confidentiality of the closed-source software.
Document type :
Conference papers
Complete list of metadata

Cited literature [22 references]  Display  Hide  Download

Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Thursday, May 4, 2017 - 1:45:31 PM
Last modification on : Tuesday, February 13, 2018 - 4:24:03 PM
Long-term archiving on: : Saturday, August 5, 2017 - 1:33:43 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Bernhard Berger, Karsten Sohr. An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling. 27th Information Security and Privacy Conference (SEC), Jun 2012, Heraklion, Crete, Greece. pp.25-36, ⟨10.1007/978-3-642-30436-1_3⟩. ⟨hal-01518238⟩



Record views


Files downloads