Skip to Main content Skip to Navigation
Journal articles

Static Vulnerability Detection in Java Service-oriented Components

François Goichon 1 Guillaume Salagnac 1, 2 Pierre Parrend 3 Stéphane Frénot 1, 4 
2 SOCRATE - Software and Cognitive radio for telecommunications
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
4 DICE - Data on the Internet at the Core of the Economy
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
Abstract : Extensible component-based platforms allow dynamic discovery, installation and execution of components. Such platforms are service-oriented, as components may directly interact with each other via the services they provide. Even robust languages such as Java were not designed to handle safe code interaction between trusted and untrusted parties. Dynamic installation of code provided by different third parties leads to several security issues. The different security layers adopted by Java or component-based platforms cannot fully address the problem of untrusted components trying to tamper with other components via legitimate interactions. A malicious component might even use vulnerable ones to compromise the whole component-based platform. Our approach identifies vulnerable components in order to prevent them from threatening services security. We use static analysis to remain as exhaustive as possible and to avoid the need for non-standard or intrusive environments. We show that a static analysis through tainted object propagation is well suited to detect vulnerabilities in Java service-oriented components. We present STOP, a Service-oriented Tainted Object Propagation tool, which applies this technique to statically detect those security flaws. Finally, the audit of several trusted Apache Felix bundles shows that nowadays component-based platforms are not prepared for malicious Java interactions.
Document type :
Journal articles
Complete list of metadata
Contributor : François Goichon Connect in order to contact the contributor
Submitted on : Thursday, October 11, 2012 - 11:21:32 AM
Last modification on : Wednesday, March 9, 2022 - 3:30:34 PM

Links full text



François Goichon, Guillaume Salagnac, Pierre Parrend, Stéphane Frénot. Static Vulnerability Detection in Java Service-oriented Components. Journal in Computer Virology, Springer Verlag, 2012, ⟨10.1007/s11416-012-0172-1⟩. ⟨hal-00740858⟩



Record views