An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling

Abstract: Security tools based on static code analysis are employed to find common bug classes such as SQL injection and cross-site scripting vulnerabilities. This paper focuses on another bug class, one related to the object-pool pattern, which allows objects to be reused across multiple sessions. We show that the pattern is applied in a wide range of Java Enterprise frameworks and describe the problem of inter-session data flows that accompanies it. To demonstrate that the problem is relevant, we analyzed several open-source applications and one proprietary commercial application with the help of a detection approach we introduce. We were able to show that this problem class occurred in these applications and posed a threat to the confidentiality of the closed-source software.

Document type: Conference paper
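The bug class the abstract describes, as an added example that is not from the paper: a hypothetical pooled RequestHandler whose per-session field survives its return to the pool, a minimal pool with a release hook, and a check that reports whether data from session 1 reaches session 2. All names are assumptions; the leaking pool is shown beside one whose release hook clears the state, which is the mitigation.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.function.Consumer;
import java.util.function.Supplier;

// Hypothetical pooled request handler (illustrative, not from the paper).
// Its per-session field is never cleared by itself, so a value written while
// serving one session is still readable by the next session that borrows it.
class RequestHandler {
    String currentUser;                         // per-session state
    String serve(String user) {
        if (user != null) currentUser = user;   // anonymous requests leave the old value in place
        return "served " + currentUser;
    }
    void reset() { currentUser = null; }        // clears per-session state
}

// Minimal object pool; onRelease is the hook where a reset can be enforced.
class Pool<T> {
    private final Deque<T> free = new ArrayDeque<>();
    private final Supplier<T> factory;
    private final Consumer<T> onRelease;
    Pool(Supplier<T> factory, Consumer<T> onRelease) { this.factory = factory; this.onRelease = onRelease; }
    T acquire() { T t = free.poll(); return t != null ? t : factory.get(); }
    void release(T t) { onRelease.accept(t); free.push(t); }
}

public class PoolLeakDemo {
    // Reports whether data from session 1 flows into session 2 through the pool.
    static boolean interSessionFlow(Pool<RequestHandler> pool) {
        RequestHandler h1 = pool.acquire();
        h1.serve("alice");                      // session 1 stores its user
        pool.release(h1);
        RequestHandler h2 = pool.acquire();     // the same instance is handed to session 2
        String out = h2.serve(null);            // session 2 never supplies a user
        pool.release(h2);
        return out.contains("alice");           // true only if session 1's data leaked
    }

    public static void main(String[] args) {
        // No reset on release: the handler carries session 1's user into session 2.
        Pool<RequestHandler> leaky = new Pool<>(RequestHandler::new, h -> {});
        // Reset on release: per-session state is cleared before the object is reused.
        Pool<RequestHandler> safe = new Pool<>(RequestHandler::new, RequestHandler::reset);
        System.out.println("without reset, inter-session flow: " + interSessionFlow(leaky));
        System.out.println("with reset, inter-session flow: " + interSessionFlow(safe));
    }
}
```

The check is the dynamic counterpart of what a static detector has to prove: that no field written during one borrow of a pooled object is read during a later borrow without an intervening reset.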
Dimitris Gritzalis; Steven Furnell; Marianthi Theoharidou. 27th Information Security and Privacy Conference (SEC), Jun 2012, Heraklion, Crete, Greece. Springer, IFIP Advances in Information and Communication Technology, AICT-376, pp.25-36, 2012, Information Security and Privacy Research. 〈10.1007/978-3-642-30436-1_3〉
Cited literature [22 references]

https://hal.inria.fr/hal-01518238
Contributor: Hal Ifip
Submitted on: Thursday 4 May 2017 - 13:45:31
Last modified on: Tuesday 13 February 2018 - 16:24:03
Document(s) archived on: Saturday 5 August 2017 - 13:33:43

File

978-3-642-30436-1_3_Chapter.pd...
Files produced by the author(s)

License

Distributed under a Creative Commons Attribution 4.0 International License

Identifiers

Citation

Bernhard Berger, Karsten Sohr. An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling. Dimitris Gritzalis; Steven Furnell; Marianthi Theoharidou. 27th Information Security and Privacy Conference (SEC), Jun 2012, Heraklion, Crete, Greece. Springer, IFIP Advances in Information and Communication Technology, AICT-376, pp.25-36, 2012, Information Security and Privacy Research. 〈10.1007/978-3-642-30436-1_3〉. 〈hal-01518238〉

Metrics

Record views

91

File downloads

15