Static Vulnerability Detection in Java Service-oriented Components

François Goichon (1), Guillaume Salagnac (1, 2), Pierre Parrend (3), Stéphane Frénot (1, 4)
(2) SOCRATE - Software and Cognitive radio for telecommunications, CITI - Centre of Innovation in Telecommunications and Integration of services, Inria Grenoble - Rhône-Alpes
(4) DICE - Data on the Internet at the Core of the Economy, Inria Grenoble - Rhône-Alpes, CITI - Centre of Innovation in Telecommunications and Integration of services
Abstract: Extensible component-based platforms allow dynamic discovery, installation and execution of components. Such platforms are service-oriented: components interact directly with each other through the services they provide. Even robust languages such as Java were not designed to handle safe code interaction between trusted and untrusted parties, and dynamic installation of code supplied by different third parties raises several security issues. The security layers adopted by Java and by component-based platforms cannot fully address the problem of untrusted components tampering with other components through legitimate interactions; a malicious component may even use vulnerable ones to compromise the whole platform. Our approach identifies vulnerable components in order to prevent them from threatening the security of services. We use static analysis to remain as exhaustive as possible and to avoid the need for non-standard or intrusive execution environments. We show that static analysis based on tainted object propagation is well suited to detecting vulnerabilities in Java service-oriented components, and we present STOP, a Service-oriented Tainted Object Propagation tool, which applies this technique to detect such security flaws statically. Finally, an audit of several trusted Apache Felix bundles shows that today's component-based platforms are not prepared for malicious Java interactions.
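As an added illustration of the tainted-object-propagation idea described in the abstract (this is example code written for this page, not the STOP tool's code or the paper's analysis), the pass below treats every parameter of a service method, and every object handed back by another bundle's service, as an untrusted object and follows it through a straight-line, intra-procedural IR. It reports the three situations the abstract alludes to when it speaks of tampering through legitimate interactions: an untrusted object retained in a field (the caller keeps a reference and can mutate it after any validation), an internal field object returned to a caller, and an untrusted object reaching a sensitive operation. The IR, the sanitizer and sink lists, and the hypothetical `ConfigService` methods in both their vulnerable and hardened forms are all constructed for this example.

```python
"""Toy forward tainted-object propagation over a straight-line IR.

Added illustration, not the STOP tool: each service-method parameter and
each object returned by another bundle's service is tainted; the analysis
flags tainted objects stored in fields, internal field objects returned
to callers, and tainted objects reaching sinks.  Everything below (IR,
sanitizer/sink lists, sample methods) is constructed for the example.
"""
from dataclasses import dataclass

# Assumed: callees whose result is a fresh copy or a read-only view.
SANITIZERS = {"new ArrayList", "Collections.unmodifiableList"}
# Assumed: services published by other bundles; their results are untrusted.
EXTERNAL_SERVICES = {"RegistryService.lookup"}
# Assumed: operations that must not receive untrusted objects.
SINKS = {"Runtime.exec"}


@dataclass(frozen=True)
class Stmt:
    op: str            # param | new | assign | call | load | store | sink | return
    dst: str = ""      # variable written, or field name for 'store'
    args: tuple = ()   # variables read, or field name for 'load'
    callee: str = ""   # for call / sink


def untrusted(labels):
    """True if any origin label comes from outside the component."""
    return any(l.startswith(("param:", "external:")) for l in labels)


def analyze(method, stmts):
    """Run the propagation over one method; return (method, message, origins) findings."""
    taint = {}          # variable -> frozenset of origin labels
    findings = []
    for s in stmts:
        if s.op == "param":
            taint[s.dst] = frozenset({f"param:{s.dst}"})
        elif s.op == "new":
            taint[s.dst] = frozenset()
        elif s.op == "assign":
            taint[s.dst] = taint.get(s.args[0], frozenset())
        elif s.op == "load":                     # dst = this.<field>
            taint[s.dst] = frozenset({f"field:{s.args[0]}"})
        elif s.op == "call":
            if s.callee in SANITIZERS:
                taint[s.dst] = frozenset()       # caller holds no reference to the result
            else:
                labels = set()
                for a in s.args:                 # conservatively, any tainted input
                    labels |= taint.get(a, frozenset())   # taints the result
                if s.callee in EXTERNAL_SERVICES:
                    labels.add(f"external:{s.callee}")
                taint[s.dst] = frozenset(labels)
        elif s.op == "store":                    # this.<dst> = args[0]
            src = taint.get(s.args[0], frozenset())
            if untrusted(src):
                findings.append((method, f"retains caller-controlled object in field {s.dst}", sorted(src)))
        elif s.op == "sink":
            src = taint.get(s.args[0], frozenset())
            if s.callee in SINKS and untrusted(src):
                findings.append((method, f"untrusted object reaches {s.callee}", sorted(src)))
        elif s.op == "return":
            src = taint.get(s.args[0], frozenset())
            if any(l.startswith("field:") for l in src):
                findings.append((method, "returns internal field object to caller", sorted(src)))
        else:
            raise ValueError(f"unknown op {s.op}")
    return findings


def audit(service):
    """Analyze every method of a service (dict name -> statement list)."""
    out = []
    for name, stmts in service.items():
        out.extend(analyze(name, stmts))
    return out


# Constructed IR of a hypothetical ConfigService bundle, vulnerable version.
VULNERABLE = {
    "setEntries": [
        Stmt("param", "entries"),
        Stmt("store", "entries", ("entries",)),      # keeps the caller's mutable list
    ],
    "getEntries": [
        Stmt("load", "e", ("entries",)),
        Stmt("return", args=("e",)),                 # hands out the internal list
    ],
    "runHook": [
        Stmt("param", "name"),
        Stmt("call", "cmd", ("name",), "RegistryService.lookup"),
        Stmt("sink", args=("cmd",), callee="Runtime.exec"),
    ],
}

# Same service with a defensive copy on the way in and a read-only view on the way out.
HARDENED = {
    "setEntries": [
        Stmt("param", "entries"),
        Stmt("call", "copy", ("entries",), "new ArrayList"),
        Stmt("store", "entries", ("copy",)),
    ],
    "getEntries": [
        Stmt("load", "e", ("entries",)),
        Stmt("call", "view", ("e",), "Collections.unmodifiableList"),
        Stmt("return", args=("view",)),
    ],
}

if __name__ == "__main__":
    for label, svc in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, audit(svc))
```

The pass is deliberately conservative: any tainted input to an ordinary call taints its result, and only the listed sanitizers clear taint, so a real tool must additionally model control flow, aliasing between variables and fields, and calls across bundles, which this straight-line toy ignores.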
Document type: Journal article
Journal in Computer Virology, Springer Verlag, 2012, 〈10.1007/s11416-012-0172-1〉

https://hal.inria.fr/hal-00740858
Contributor: François Goichon
Submitted on: Thursday 11 October 2012 - 11:21:32
Last modified on: Wednesday 11 April 2018 - 01:57:14

Citation

François Goichon, Guillaume Salagnac, Pierre Parrend, Stéphane Frénot. Static Vulnerability Detection in Java Service-oriented Components. Journal in Computer Virology, Springer Verlag, 2012, 〈10.1007/s11416-012-0172-1〉. 〈hal-00740858〉