Static vulnerability detection in Java service-oriented components

  • François GoichonEmail author
  • Guillaume Salagnac
  • Pierre Parrend
  • Stéphane Frénot
Original Paper


Extensible component-based platforms allow dynamic discovery, installation and execution of components. Such platforms are service-oriented, as components may directly interact with each other via the services they provide. Even robust languages such as Java were not designed to handle safe code interaction between trusted and untrusted parties. Dynamic installation of code provided by different third parties leads to several security issues. The different security layers adopted by Java or component-based platforms cannot fully address the problem of untrusted components trying to tamper with other components via legitimate interactions. A malicious component might even use vulnerable ones to compromise the whole component-based platform. Our approach identifies vulnerable components in order to prevent them from threatening services security. We use static analysis to remain as exhaustive as possible and to avoid the need for non-standard or intrusive environments. We show that a static analysis through tainted object propagation is well suited to detect vulnerabilities in Java service-oriented components. We present STOP, a Service-oriented Tainted Object Propagation tool, which applies this technique to statically detect those security flaws. Finally, the audit of several trusted Apache Felix bundles shows that nowadays component-based platforms are not prepared for malicious Java interactions.


Service Call Dataflow Analysis Vulnerability Detection Java Component OSGi Framework 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to thank the anonymous reviewers for their detailed discussions, Yvan Royon from Alcatel Lucent for his knowledge and accurate criticism, Cédric Lauradoux for his constructive and complete reviews and the whole Amazones team for providing us a convivial and productive working environment. This article is granted by the LISE (Liability Issues in Software Engineering) project, funded by the ANR (Agence Nationale de la Recherche) under the SeSur 2007 program (ANR-07-SESU-007).


  1. 1.
    Google Mobile Team. An update on Android Market securityGoogle Scholar
  2. 2.
    O.S.G.i. Alliance. OSGi service platform core specificationsGoogle Scholar
  3. 3.
    JSR 118 Expert Group. MIDP 2.0, Sun specification (2002)Google Scholar
  4. 4.
    Herzog, A., Shahmehri, N.: Problems running untrusted services as Java threads. In: Certification and Security in Inter-Organizational E-Services, Vol. 177, pp. 19–32. Springer, Boston (2005)Google Scholar
  5. 5.
    Parrend, P., Frénot, S.: More vulnerabilities in the Java/OSGi platform: a focus on bundle interactions. Research Report RR-6649, INRIA (2008)Google Scholar
  6. 6.
    Goichon, F., Frénot, S.: Exploiting Java code interactions. Technical Report RT-0419, INRIA (2011)Google Scholar
  7. 7.
    Rain Forest Puppy. NT web technology vulnerabilities. Phrack, Vol. 54 (1998)Google Scholar
  8. 8.
    Livshits, V.B., Lam, M.S.: Finding security vulnerabilities in Java applications with static analysis. In: SSYM’05: Proceedings of the 14th Conference on USENIX Security Symposium, pp. 18–18. USENIX Association, Berkeley, CA, USA (2005)Google Scholar
  9. 9.
    Tripp, O., Pistoia, M., Fink, S.J., Sridharan, M., Weisman, O.: TAJ: effective taint analysis of web applications. In: PLDI ’09: Proceedings of the 2009 ACM SIGPLAN Conference on Programming Language Design and Implementation, pp. 87–97. ACM, New York, NY, USA (2009)Google Scholar
  10. 10.
    Yin, L., Ana, M.: Static information flow analysis for Java. Technical Report, Rensselaer Polytechnic Institute (2008)Google Scholar
  11. 11.
    Halfond, W.G.J., Orso, A.: AMNESIA: analysis and monitoring for neutralizing SQL-injection attacks. In: ASE ’05: Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, pp. 174–183. ACM, New York, NY, USA (2005)Google Scholar
  12. 12.
    Sun Microsystems Inc. Java Security Architecture Specifications (2002)Google Scholar
  13. 13.
    Almut, Herzog: Performance of the Java security manager. Comput. Secur. 24(3), 192–207 (2005)Google Scholar
  14. 14.
    Whitehouse, O.: Analysis of GS protections in Microsoft Windows Vista. Technical Report, Symantec Advanced Threat Research (2006)Google Scholar
  15. 15.
    Haldar, V., Chandra, D., Franz, M.: Dynamic taint propagation for Java. In: ACSAC ’05: Proceedings of the 21st Annual Computer Security Applications Conference, pp. 303–311. IEEE Computer Society, Washington, DC, USA, (2005)Google Scholar
  16. 16.
    Pistoia, M., Chandra, S., Fink, S.J., Yahav, E.: A survey of static analysis methods for identifying security vulnerabilities in software systems. IBM Syst. J. 46(2), 265–288 (2007)CrossRefGoogle Scholar
  17. 17.
    Parrend, P.: Enhancing automated detection of vulnerabilities in Java components. In: AReS ’09: Fourth International Conference on Availability, Reliability and Security, Fukuoka, Japan (2009)Google Scholar
  18. 18.
    Marco, Avvenuti, Cinzia, Bernardeschi, Nicoletta, De Francesco: Java bytecode verification for secure information flow. SIGPLAN Not. 38(12), 20–27 (2003)CrossRefGoogle Scholar
  19. 19.
    Lam, M.S., Whaley, J., Livshits, V.B., Martin, M.C., Avots, D., Carbin, M., Unkel, C.: Context-sensitive program analysis as database queries. In: PODS ’05: Proceedings of the Twenty-Fourth ACM SIGMOD-SIGACT-SIGART Symposium on Principles of Database Systems, pp. 1–12. ACM, New York, NY, USA (2005)Google Scholar
  20. 20.
    Lhoták, O., Hendren, L.: Context-sensitive points-to analysis: is it worth it? Technical Report, McGill University, Sable Research, Group (2005)Google Scholar
  21. 21.
    John, Whaley, Martin, Rinard: Compositional pointer and escape analysis for Java programs. SIGPLAN Not. 34(10), 187–206 (1999)CrossRefGoogle Scholar
  22. 22.
    Reps, T., Horwitz, S., Sagiv, M.: Precise interprocedural dataflow analysis via graph reachability. In: POPL ’95: Proceedings of the 22nd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pp. 49–61. ACM, New York, NY, USA (1995)Google Scholar
  23. 23.
    Manu, Sridharan, Rastislav, Bodík: Refinement-based context-sensitive points-to analysis for Java. SIGPLAN Not. 41(6), 387–400 (2006)CrossRefGoogle Scholar
  24. 24.
    John, Whaley, Lam, Monica S.: Cloning-based context-sensitive pointer alias analysis using binary decision diagrams. SIGPLAN Not. 39(6), 131–144 (2004)CrossRefGoogle Scholar
  25. 25.
    Lhoták, O., Hendren, L.: Scaling Java points-to analysis using Spark. In: CC ’03: Proceedings of the 12th International Conference on Compiler Construction, LNCS, Vol. 2622, pp. 153–169, Springer, Warsaw, Poland (2003)Google Scholar
  26. 26.
    Martin, M., Livshits, B., Lam, M.S.: Finding application errors and security flaws using PQL: a program query language. In: OOPSLA ’05: Proceedings of the 20th Annual ACM SIGPLAN Conference on Object-Oriented Programming, Systems, Languages, and Applications, pp. 365–383. ACM, New York, NY, USA (2005)Google Scholar

Copyright information

© Springer-Verlag France 2012

Authors and Affiliations

  • François Goichon
    • 1
    Email author
  • Guillaume Salagnac
    • 1
  • Pierre Parrend
    • 2
  • Stéphane Frénot
    • 1
  1. 1.CITI LaboratoryUniversity of Lyon, INRIA, INSA-LyonVilleurbanneFrance
  2. 2.Université de Strasbourg, ECAM Strasbourg-EuropeSchiltigheimFrance

Personalised recommendations