An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling - Information Security and Privacy Research
Conference Papers, Year: 2012

An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling

Abstract

Static-analysis security tools are used to find common bug classes such as SQL injection and cross-site scripting vulnerabilities. This paper focuses on another bug class, one that arises from the object-pool pattern, which allows objects to be reused across multiple sessions. We show that the pattern is applied in a wide range of Java Enterprise frameworks and describe the problem of inter-session data flows that comes with it: state left in a pooled object by one session can be observed by the next session that is handed the same instance. To demonstrate that the problem is relevant, we analyzed several open-source applications and one proprietary commercial application with the detection approach we introduce. We found that this problem class occurred in these applications and that it posed a threat to the confidentiality of the closed-source software.
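The following is an added illustration of the bug class the abstract describes; it is not code from the paper or from any Java Enterprise framework. The pool, the two handler classes, the account names and the "sessions" are all constructed for this example. The leaky handler keeps per-session data in instance fields that survive being returned to the pool, so the next session that receives the same instance inherits the previous session's account and request history; the hardened variant keeps no session state on the pooled object and resets its scratch buffer before release.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.function.Supplier;

/* Constructed example of inter-session data flow through a pooled object. */
public class PooledHandlerDemo {

    /** A minimal object pool: hand out an instance, take it back for reuse. */
    static final class Pool<T> {
        private final Deque<T> free = new ArrayDeque<>();
        private final Supplier<T> factory;

        Pool(Supplier<T> factory) { this.factory = factory; }

        T acquire() {
            T obj = free.poll();            // reuse a released instance if one exists
            return obj != null ? obj : factory.get();
        }

        void release(T obj) { free.push(obj); }
    }

    /** Vulnerable: per-session data lives in instance fields that survive release(). */
    static final class LeakyHandler {
        private String account;                                // set by an authenticated session
        private final StringBuilder history = new StringBuilder(); // grows across sessions

        String handle(String sessionAccount, String action) {
            if (sessionAccount != null) {
                account = sessionAccount;   // an anonymous request sets nothing and inherits the old value
            }
            history.append(action).append(';');
            return "account=" + account + " history=" + history;
        }
    }

    /** Hardened: no session field on the pooled object, and scratch state is reset before release. */
    static final class ScopedHandler {
        private final StringBuilder history = new StringBuilder();

        String handle(String sessionAccount, String action) {
            history.append(action).append(';');
            return "account=" + sessionAccount + " history=" + history;
        }

        void reset() { history.setLength(0); }  // call before returning the instance to the pool
    }

    public static void main(String[] args) {
        // Session A (authenticated as "alice") uses the pooled handler and returns it.
        Pool<LeakyHandler> leakyPool = new Pool<>(LeakyHandler::new);
        LeakyHandler h1 = leakyPool.acquire();
        System.out.println("A: " + h1.handle("alice", "view-balance"));
        leakyPool.release(h1);

        // Session B (anonymous) receives the same instance and sees A's account and actions.
        LeakyHandler h2 = leakyPool.acquire();
        System.out.println("B: " + h2.handle(null, "transfer"));
        System.out.println("same instance reused: " + (h1 == h2));

        // Hardened variant: reset on release, session data passed in rather than stored.
        Pool<ScopedHandler> safePool = new Pool<>(ScopedHandler::new);
        ScopedHandler s1 = safePool.acquire();
        System.out.println("A: " + s1.handle("alice", "view-balance"));
        s1.reset();
        safePool.release(s1);
        ScopedHandler s2 = safePool.acquire();
        System.out.println("B: " + s2.handle("bob", "transfer"));
    }
}
```

Running the class prints session B's output for the leaky handler with `account=alice` and a history that still contains `view-balance`, which is exactly the inter-session flow a static analysis of the pattern needs to report: a write to a field of a pooled object in one session followed by a read of that field in another. The hardened handler shows the two remedies that remove the flow, passing session data as parameters instead of storing it on the pooled instance, and clearing any remaining scratch state before the instance goes back to the pool.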
Main file: 978-3-642-30436-1_3_Chapter.pdf (193.72 KB)
Origin: files produced by the author(s)

Dates and versions

hal-01518238 , version 1 (04-05-2017)

Cite

Bernhard J. Berger, Karsten Sohr. An Approach to Detecting Inter-Session Data Flow Induced by Object Pooling. 27th Information Security and Privacy Conference (SEC), Jun 2012, Heraklion, Crete, Greece. pp.25-36, ⟨10.1007/978-3-642-30436-1_3⟩. ⟨hal-01518238⟩