Abstract
Security tools based on static code analysis are employed to find common bug classes such as SQL injection and cross-site scripting vulnerabilities. This paper focuses on another bug class, one related to the object-pool pattern, which lets a framework reuse the same object instances across multiple sessions. We show that the pattern is applied in a wide range of Java Enterprise frameworks and describe the problem of inter-session data flows that accompanies it: data written into a pooled instance while serving one session may still be present when the instance serves another. To demonstrate that the problem is relevant, we analyzed several open-source applications and one proprietary commercial application with the help of a detection approach we introduce. We were able to show that the problem class occurred in these applications and that it posed a threat to the confidentiality of the closed-source software.
This work was supported by the German Federal Ministry of Education and Research (BMBF) under the grant 01IS10015B (ASKS project).
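The following is an added illustration of the bug class the abstract describes, not code from the paper or from any of the frameworks it analyzes; the handler classes, the `Pool` helper and the session and account values are all constructed for this example. It places a pooled handler that keeps request data in an instance field next to a variant that keeps it in a local, and drives both through the same reuse sequence.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Constructed example: a request handler that a framework keeps in a pool
// and hands to one session after another.
public class PooledHandlerDemo {

    // Problematic: per-request data is stored in an instance field. The same
    // instance is reused for later requests, so a value written while serving
    // session A is still there when session B is served and passes no value.
    static class LeakyHandler {
        private String accountNumber;          // should not outlive one request

        String handle(String sessionId, String requestParam) {
            if (requestParam != null) {
                accountNumber = requestParam;  // written by the first request
            }
            return sessionId + " sees account " + accountNumber;
        }
    }

    // Hardened: state lives in a local variable, so nothing survives the call.
    static class StatelessHandler {
        String handle(String sessionId, String requestParam) {
            String accountNumber = requestParam; // scoped to this invocation
            return sessionId + " sees account " + accountNumber;
        }
    }

    // Minimal object pool standing in for the container's instance pool.
    static final class Pool<T> {
        private final Deque<T> free = new ArrayDeque<>();
        Pool(T instance) { free.push(instance); }
        T acquire() { return free.pop(); }
        void release(T instance) { free.push(instance); }
    }

    public static void main(String[] args) {
        Pool<LeakyHandler> leaky = new Pool<>(new LeakyHandler());
        LeakyHandler h = leaky.acquire();
        System.out.println(h.handle("session-A", "ACC-1111"));
        leaky.release(h);
        h = leaky.acquire();                     // same instance, field not reset
        System.out.println(h.handle("session-B", null));

        Pool<StatelessHandler> safe = new Pool<>(new StatelessHandler());
        StatelessHandler s = safe.acquire();
        System.out.println(s.handle("session-A", "ACC-1111"));
        safe.release(s);
        s = safe.acquire();                      // same instance, no carry-over
        System.out.println(s.handle("session-B", null));
    }
}
```

The defect to look for in a pooled class is exactly the flow from request-derived data into an instance field that is not cleared before the instance returns to the pool.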
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Berger, B.J., Sohr, K. (2012). An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds) Information Security and Privacy Research. SEC 2012. IFIP Advances in Information and Communication Technology, vol 376. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30436-1_3
DOI: https://doi.org/10.1007/978-3-642-30436-1_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-30435-4
Online ISBN: 978-3-642-30436-1