An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling

  • Bernhard J. Berger
  • Karsten Sohr
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 376)


Security tools based on static code analysis are employed to find common bug classes such as SQL injection and cross-site scripting vulnerabilities. This paper focuses on another bug class, related to the object-pool pattern, which allows objects to be reused over multiple sessions. We show that the pattern is applied in a wide range of Java Enterprise frameworks and describe the problem of inter-session data flows that the pattern brings with it. To demonstrate that the problem is relevant, we analyzed several open-source applications and one proprietary commercial application with the help of a detection approach we introduce. We were able to show that the problem class occurred in these applications and posed a threat to the confidentiality of the closed-source software.
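As an added illustration (not code from the paper), the inter-session data flow the abstract describes: a hypothetical pooled object keeps one request's data in an instance field, so the next session that is handed the same instance from the pool reads it, unless the pool resets the state on release. The class and pool names are invented for this example.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Hypothetical pooled worker: per-session data lives in a field, i.e. as long as the object.
final class ReportWorker {
    String customerName;
    String render() { return "Report for " + customerName; }
}

// Minimal object pool: hands out idle instances and takes them back for reuse.
final class Pool {
    private final Deque<ReportWorker> idle = new ArrayDeque<>();
    private final boolean resetOnReturn;
    Pool(boolean resetOnReturn) { this.resetOnReturn = resetOnReturn; }
    ReportWorker acquire() { return idle.isEmpty() ? new ReportWorker() : idle.pop(); }
    void release(ReportWorker w) {
        if (resetOnReturn) w.customerName = null;   // mitigation: clear session state before reuse
        idle.push(w);
    }
}

public class InterSessionFlowDemo {
    // Session A writes the field; session B never assigns it and reads whatever is left behind.
    static String runTwoSessions(Pool pool) {
        ReportWorker w = pool.acquire();
        w.customerName = "alice";                   // session A's data
        pool.release(w);
        ReportWorker w2 = pool.acquire();           // session B receives the same instance
        String out = w2.render();                   // no assignment in B: A's value flows into B
        pool.release(w2);
        return out;
    }

    public static void main(String[] args) {
        System.out.println(runTwoSessions(new Pool(false))); // Report for alice  (inter-session flow)
        System.out.println(runTwoSessions(new Pool(true)));  // Report for null   (state cleared on release)
    }
}
```

Resetting on release is a containment measure; the more robust design keeps per-session data out of pooled instances altogether, passing it as method arguments instead.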





Copyright information

© IFIP International Federation for Information Processing 2012

Authors and Affiliations

  • Bernhard J. Berger (1)
  • Karsten Sohr (1)
  1. Center for Computing Technologies (TZI), Universität Bremen, Bremen, Germany
