N. Bhalla and S. Kazerooni, Web services vulnerabilities, BlackHat Europe, 2007.

C. Boyapati, SafeJava: A Unified Type System for Safe Programming, 2004.

D. Crocker and P. Overell, Augmented BNF for Syntax Specifications: ABNF, IETF RFC 4234, 2005.

D. Hovemeyer and W. Pugh, Finding bugs is easy, ACM SIGPLAN Notices, vol. 39, no. 12, pp. 92-106, 2004.
DOI: 10.1145/1052883.1052895

M. Howard, J. Pincus, and J. M. Wing, Measuring Relative Attack Surfaces, in Computer Security in the 21st Century, pp. 109-137, 2005.

C. Lai, Java Insecurity: Accounting for Subtleties That Can Compromise Code, IEEE Software, vol. 25, no. 1, pp. 13-19, 2008.
DOI: 10.1109/MS.2008.9
URL: http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.490.8787

U. Lindqvist and E. Jonsson, How to systematically classify computer security intrusions, Proceedings of the 1997 IEEE Symposium on Security and Privacy, pp. 154-163, 1997.
DOI: 10.1109/SECPRI.1997.601330

P. G. Neumann and D. B. Parker, A summary of computer misuse techniques, Proceedings of the 12th National Computer Security Conference, pp. 396-407, 1989.

OSGi Alliance, OSGi Service Platform, Core Specification Release 4.1, Draft, 2007.

P. Parrend and S. Frénot, Java Components Vulnerabilities: An Experimental Classification Targeted at the OSGi Platform, INRIA Research Report RR-6231, 2007.
URL: https://hal.archives-ouvertes.fr/inria-00157341

Attack Process:
Consequence Description:
See Also: Returns Reference to Mutable Object
Protection
  Existing Mechanisms: Deep copy of data before making it public
  Enforcement Point: Execution
  Potential Mechanisms: Code static analysis
  Attack Prevention: Code reviewing
  Reaction: Correct the flawed bundle
Vulnerability Implementation
  Code Reference: Returnref2array-0.1.jar
  OSGi Profile: J2SE-1.6
  Date: 2008-2010
  Test Coverage: 100%
  Known Vulnerable Platforms: Oscar; Felix; Equinox; Knopflerfish
  Known Robust Platforms:

Preconditions: Use of a non-final parameter. A malicious implementation is provided, waiting for execution. Knowledge of code behavior (e.g. access to source code) is required for attacks against a specific code excerpt.

See Also: Copied and Checked Parameters - Fake Copy Constructor
Protection
  Existing Mechanisms: Use final types for parameters
  Enforcement Point: Execution
  Potential Mechanisms:
  Attack Prevention: Code reviewing
  Reaction: Correct the flawed bundle
Vulnerability Implementation
  Code Reference: parametervalidationerror.service-0.1.jar, parametervalidationerror.client-0.1.jar, parametervalidationerror.scenario-0.1.jar
  OSGi Profile: J2SE-1.6
  Date: 2008-2010
  Test Coverage: 100%
  Known Vulnerable Platforms: Oscar; Felix; Equinox

Preconditions: Use of a non-final parameter. A malicious implementation is provided, waiting for execution. Knowledge of code behavior (e.g. access to source code) is required for attacks against a specific code excerpt.

Attack Process: The copy constructor does not perform as expected.
Consequence Description: Program instability, incoherence, or undue execution of code.

INRIA Lorraine research unit: Technopôle de Nancy-Brabois, Campus scientifique, 615 rue du Jardin Botanique, BP 101, 54602 Villers-lès-Nancy Cedex (France)
INRIA Rennes research unit: IRISA, Campus universitaire de Beaulieu, 35042 Rennes Cedex (France)
INRIA Rocquencourt research unit: Domaine de Voluceau, Rocquencourt, BP 105, 78153 Le Chesnay Cedex (France)

Publisher: INRIA, Domaine de Voluceau, Rocquencourt, BP 105, 78153 Le Chesnay Cedex (France), http://www.inria.fr
ISSN 0249-6399