Java-based systems have evolved from stand-alone applications to multi-component applications and on to Service Oriented Programming (SOP) platforms. Each step of this evolution makes a set of Java vulnerabilities directly exploitable by malicious code: access to classes in multi-component platforms, and access to objects in SOP platforms, is granted to such code often with no control at all. This paper defines two taxonomies that characterize vulnerabilities in Java components: the vulnerability categories, and the goals of the attacks that are based on these vulnerabilities. The 'vulnerability category' taxonomy is based on three application types: stand-alone, class sharing, and SOP. Its entries express the absence of proper security features at the places where they are required to build secure component-based systems. The 'goal' taxonomy is based on the distinction between undue access, which encompasses the traditional integrity and confidentiality security properties, and denial-of-service. It provides a matching between the vulnerability categories and their consequences. The exploitability of each vulnerability is validated through the development of a pair of malicious and vulnerable components. Experiments are conducted in the context of the OSGi Platform. Based on the vulnerability taxonomies, recommendations for writing hardened component code are issued.