Abstract
Java-based systems have evolved from stand-alone applications to multi-component platforms and on to Service Oriented Programming (SOP) platforms. Each step of this evolution makes a set of Java vulnerabilities directly exploitable by malicious code: in multi-component platforms such code is granted access to classes, and in SOP platforms to objects, often with no control at all.
This paper defines two taxonomies that characterize vulnerabilities in Java components: the vulnerability categories, and the goals of the attacks that exploit these vulnerabilities. The ‘vulnerability category’ taxonomy is organized by three application types: stand-alone, class sharing, and SOP. Its entries express the absence of proper security features at the places where they are required to build secure component-based systems. The ‘goal’ taxonomy is based on the distinction between undue access, which encompasses the traditional integrity and confidentiality security properties, and denial-of-service; it maps each vulnerability category to its consequences. The exploitability of each vulnerability is validated by developing a pair of malicious and vulnerable components. Experiments are conducted in the context of the OSGi Platform. Based on the vulnerability taxonomies, recommendations for writing hardened component code are issued.
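The abstract's central point is that a service platform hands a consumer component a live object reference, and whatever that object exposes is then reachable with no further control. The following is an added illustration of that situation and of the vulnerable/malicious component pairing the paper describes; it is not code from the paper or from the OSGi project. It is plain Java with no OSGi API calls (the service registry is stood in for by passing the object directly), and all names (ConfigService, LeakyConfigService, HardenedConfigService, MaliciousConsumer, the hosts list) are hypothetical. The leaky provider returns its internal mutable list, so the consumer can alter state without going through the provider's own method (undue access, an integrity violation) and can grow it without bound (denial of service); the hardened provider returns an unmodifiable copy, validates input, and caps growth.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Hypothetical service contract shared between a provider and a consumer component.
interface ConfigService {
    List<String> allowedHosts();
    void addHost(String host);
}

// Vulnerable provider: exposes its internal mutable state and accepts any input.
final class LeakyConfigService implements ConfigService {
    private final List<String> hosts = new ArrayList<>(List.of("intranet.example"));

    public List<String> allowedHosts() { return hosts; }     // leaks the live list
    public void addHost(String host) { hosts.add(host); }    // no validation, no bound
}

// Hardened provider: unmodifiable copy out, validated input in, bounded growth.
final class HardenedConfigService implements ConfigService {
    private static final int MAX_HOSTS = 64;                 // assumed policy limit
    private final List<String> hosts = new ArrayList<>(List.of("intranet.example"));

    public List<String> allowedHosts() {
        // Copy first so a caller holding the view never sees later internal changes.
        return Collections.unmodifiableList(new ArrayList<>(hosts));
    }

    public void addHost(String host) {
        if (host == null || !host.matches("[A-Za-z0-9.-]{1,253}")) {
            throw new IllegalArgumentException("rejected host name");
        }
        if (hosts.size() >= MAX_HOSTS) {
            throw new IllegalStateException("host list full");
        }
        hosts.add(host);
    }
}

// Malicious consumer: abuses whatever the returned object lets it do.
final class MaliciousConsumer {
    // Integrity attack: bypass addHost() by mutating the returned list directly.
    static boolean tamper(ConfigService svc) {
        try {
            svc.allowedHosts().add("attacker.example");
            return true;                                      // state was altered
        } catch (UnsupportedOperationException e) {
            return false;                                     // provider handed out a read-only view
        }
    }

    // Denial-of-service attack: grow provider state without limit.
    static boolean flood(ConfigService svc) {
        try {
            for (int i = 0; i < 100_000; i++) {
                svc.addHost("h" + i + ".example");
            }
            return true;                                      // provider accepted everything
        } catch (IllegalStateException e) {
            return false;                                     // provider enforced its bound
        }
    }
}

public class ComponentPairDemo {
    public static void main(String[] args) {
        ConfigService leaky = new LeakyConfigService();
        ConfigService hardened = new HardenedConfigService();

        System.out.println("leaky    tamper succeeded: " + MaliciousConsumer.tamper(leaky));
        System.out.println("leaky    flood  succeeded: " + MaliciousConsumer.flood(leaky));
        System.out.println("leaky    hosts now: " + leaky.allowedHosts().size());

        System.out.println("hardened tamper succeeded: " + MaliciousConsumer.tamper(hardened));
        System.out.println("hardened flood  succeeded: " + MaliciousConsumer.flood(hardened));
        System.out.println("hardened hosts now: " + hardened.allowedHosts().size());
    }
}
```

The point the pairing makes is the one the abstract attributes to SOP platforms: once the consumer holds the object, the provider's public methods are not the only path to its state, so defensive copying, input validation and resource bounds have to be built into the component itself rather than assumed from the platform.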
This work is partially funded by the ANR-07-SESU_007 LISE Project.
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Parrend, P., Frénot, S. (2008). Classification of Component Vulnerabilities in Java Service Oriented Programming (SOP) Platforms. In: Chaudron, M.R.V., Szyperski, C., Reussner, R. (eds) Component-Based Software Engineering. CBSE 2008. Lecture Notes in Computer Science, vol 5282. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87891-9_6
DOI: https://doi.org/10.1007/978-3-540-87891-9_6
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-87890-2
Online ISBN: 978-3-540-87891-9