Abstract
This paper presents a source code analysis of a file reader server socket program (connection-oriented sockets) developed in Java, to illustrate the identification, impact analysis and removal of important software security vulnerabilities which, if left unattended, could severely impact the server running the software and the network hosting the server. The vulnerabilities studied are: (1) Resource Injection, (2) Path Manipulation, (3) System Information Leak, and (4) Denial of Service. We analyze why these vulnerabilities occur in the program, discuss the impact of leaving them unattended, and propose solutions to remove each of them from the program. We also analyze the potential performance tradeoffs (such as increase in code size and loss of features) that could arise when incorporating the proposed solutions into the server program. The proposed solutions are generic in nature and can be suitably modified to correct such vulnerabilities in software developed in any other programming language.
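To make the four vulnerability classes named above concrete, the following is a hardened connection-oriented file reader server written for this page. It is an added example and is not the program analyzed in the paper nor the paper's proposed code. The base directory /srv/files, the port 4444, the one-line file-name request format, the thread-pool size and the size and time limits are all assumptions. The comments mark which vulnerability class each control addresses: a fixed, server-side port and base directory rather than client-chosen resource names (resource injection), canonicalization and base-directory containment of the requested path (path manipulation), generic client-facing errors with detail logged only server-side (system information leak), and bounded workers, read timeouts and file sizes (denial of service).

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

public class HardenedFileReaderServer {
    // All values below are assumptions for this example, not from the paper.
    // Resource injection: the port and base directory are fixed server-side,
    // never taken from client input.
    private static final int PORT = 4444;
    private static final Path BASE_DIR = realBase("/srv/files");
    // Denial of service: bound idle clients, request size, file size and workers.
    private static final int READ_TIMEOUT_MS = 5_000;
    private static final int MAX_NAME_LEN = 255;
    private static final long MAX_FILE_BYTES = 1L << 20;
    private static final int MAX_WORKERS = 16;

    private static Path realBase(String dir) {
        try {
            return Paths.get(dir).toRealPath();   // resolve symlinks once, at startup
        } catch (IOException e) {
            throw new IllegalStateException("base directory unavailable", e);
        }
    }

    public static void main(String[] args) throws IOException {
        ExecutorService pool = Executors.newFixedThreadPool(MAX_WORKERS);
        try (ServerSocket server = new ServerSocket(PORT)) {
            while (true) {
                Socket client = server.accept();
                pool.execute(() -> handle(client));
            }
        }
    }

    static void handle(Socket client) {
        try (client;
             BufferedReader in = new BufferedReader(
                     new InputStreamReader(client.getInputStream(), StandardCharsets.UTF_8));
             PrintWriter out = new PrintWriter(
                     new OutputStreamWriter(client.getOutputStream(), StandardCharsets.UTF_8), true)) {
            client.setSoTimeout(READ_TIMEOUT_MS);      // a silent client cannot hold a worker forever
            String requested = in.readLine();           // request format: one line, the file name
            Path resolved = resolveSafely(requested);
            if (resolved == null) {
                out.println("ERROR: invalid file name"); // same generic answer for every rejection
                return;
            }
            sendFile(resolved, out);
        } catch (IOException e) {
            // System information leak: exception text and paths stay in the server log;
            // the client never receives a stack trace or file-system detail.
            System.err.println("client error: " + e);
        }
    }

    /** Path manipulation: returns the file only if it is a regular file inside BASE_DIR. */
    static Path resolveSafely(String name) {
        if (name == null || name.isEmpty() || name.length() > MAX_NAME_LEN) return null;
        if (name.indexOf('\0') >= 0) return null;
        Path candidate = BASE_DIR.resolve(name).normalize();   // absolute input replaces the base
        if (!candidate.startsWith(BASE_DIR)) return null;      // rejects "../" escapes and absolute paths
        try {
            Path real = candidate.toRealPath();                // follows symlinks inside the tree
            if (!real.startsWith(BASE_DIR) || !Files.isRegularFile(real)) return null;
            return real;
        } catch (IOException e) {
            return null;   // missing or unreadable file: caller sends the same generic error
        }
    }

    static void sendFile(Path file, PrintWriter out) throws IOException {
        if (Files.size(file) > MAX_FILE_BYTES) {
            out.println("ERROR: file too large");
            return;
        }
        try (BufferedReader r = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
            String line;
            while ((line = r.readLine()) != null) out.println(line);
        }
    }
}
```

The containment check is done twice on purpose: `normalize()` catches textual `..` segments before any file-system access, and `toRealPath()` catches symbolic links that would otherwise point outside the base directory after normalization had passed. Both rejections, like a nonexistent file, produce the identical client-facing message, so a client cannot distinguish "outside the tree" from "not found".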
Acknowledgments
The work leading to this paper is funded through the U. S. National Science Foundation CCLI/TUES grant (DUE-0941959) on “Incorporating Systems Security and Software Security in Senior Projects.” The views and conclusions contained in this document are those of the author and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the funding agency.
Copyright information
© 2013 Springer Science+Business Media New York
Cite this paper
Meghanathan, N. (2013). Source Code Analysis of a Connection-Oriented File Reader Server Socket Program in Java and Removal of the Security Vulnerabilities. In: Chaki, N., Meghanathan, N., Nagamalai, D. (eds) Computer Networks & Communications (NetCom). Lecture Notes in Electrical Engineering, vol 131. Springer, New York, NY. https://doi.org/10.1007/978-1-4614-6154-8_61
DOI: https://doi.org/10.1007/978-1-4614-6154-8_61
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4614-6153-1
Online ISBN: 978-1-4614-6154-8
eBook Packages: Engineering, Engineering (R0)