Software Vulnerabilities in Java

Long, Fred

doi:10.21236/ada443139

Cited by 11 publications

(6 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Prior studies showed that API misuses caused security vulnerabilities [5], [7], [35], [46]- [50]. For instance, Lazar et al analyzed 369 published cryptographic vulnerabilities in the CVE database, and found that 83% of them were caused by API misuses [48].…”

Section: Related Work a Security Api Misusesmentioning

confidence: 99%

How Reliable is the Crowdsourced Knowledge of Security Implementation?

Chen

Fischer

Meng

et al. 2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

Stack Overflow (SO) is the most popular online Q&A site for developers to share their expertise in solving programming issues. Given multiple answers to certain questions, developers may take the accepted answer, the answer from a person with high reputation, or the one frequently suggested. However, researchers recently observed that SO contains exploitable security vulnerabilities in the suggested code of popular answers, which found their way into security-sensitive highprofile applications that millions of users install every day. This observation inspires us to explore the following questions: How much can we trust the security implementation suggestions on SO? If suggested answers are vulnerable, can developers rely on the community's dynamics to infer the vulnerability and identify a secure counterpart?To answer these highly important questions, we conducted a comprehensive study on security-related SO posts by contrasting secure and insecure advice with the community-given content evaluation. Thereby, we investigated whether SO's gamification approach on incentivizing users is effective in improving security properties of distributed code examples. Moreover, we traced the distribution of duplicated samples over given answers to test whether the community behavior facilitates or prevents propagation of secure and insecure code suggestions within SO.We compiled 953 different groups of similar security-related code examples and labeled their security, identifying 785 secure answer posts and 644 insecure answer posts. Compared with secure suggestions, insecure ones had higher view counts (36,508 vs. 18,713), received a higher score (14 vs. 5), and had significantly more duplicates (3.8 vs. 3.0) on average. 34% of the posts provided by highly reputable so-called trusted users were insecure.Our findings show that based on the distribution of secure and insecure code on SO, users being laymen in security rely on additional advice and guidance. However, the communitygiven feedback does not allow differentiating secure from insecure choices. The reputation mechanism fails in indicating trustworthy users with respect to security questions, ultimately leaving other users wandering around alone in a software security minefield.Index Terms-Stack Overflow, crowdsourced knowledge, social dynamics, security implementation K e y P a i r G e n e r a t o r kpg = K e y P a i r G e n e r a t o r . g e t I n s t a n c e ( " RSA " ) ; kpg . i n i t i a l i z e ( 1 0 2 4 ) ; K e y P a i r kp = kpg . g e n e r a t e K e y P a i r ( ) ; RSAPublicKey pub = ( RSAPublicKey ) kp . g e t P u b l i c ( ) ; RSAPrivateKey p r i v = ( RSAPrivateKey ) kp . g e t P r i v a t e ( ) ;Hash: In the context of password-based key derivation, digital signatures, and authentication/authorization, developers may explicitly invoke broken hash functions. Listing 4 shows an example using MD5.

show abstract

Section: Related Work a Security Api Misusesmentioning

confidence: 99%

How Reliable is the Crowdsourced Knowledge of Security Implementation?

Chen

Fischer

Meng

et al. 2019

2019 IEEE/ACM 41st International Conference on Software Engineering (ICSE)

View full text Add to dashboard Cite

show abstract

“…Prior studies showed that the API misuse of cryptography, SSL, and Java reflection caused many security vulnerabilities [63,86,88,101]. For instance, Long identified several Java features whose misuse or improper implementation can compromise security [88].…”

Section: Analyzing Security Vulnerabilitiesmentioning

confidence: 99%

Secure Coding Practices in Java: Challenges and Vulnerabilities

Meng,

Nagy,

Yao

et al. 2017

Preprint

View full text Add to dashboard Cite

Java platform and third-party libraries provide various security features to facilitate secure coding. However, misusing these features can cost tremendous time and effort of developers or cause security vulnerabilities in software. Prior research was focused on the misuse of cryptography and SSL APIs, but did not explore the key fundamental research question: what are the biggest challenges and vulnerabilities in secure coding practices? In this paper, we conducted a comprehensive empirical study on StackOverflow posts to understand developers' concerns on Java secure coding, their programming obstacles, and potential vulnerabilities in their code.We observed that developers have shifted their effort to the usage of authentication and authorization features provided by Spring security-a third-party framework designed to secure enterprise applications. Multiple programming challenges are related to APIs or libraries, including the complicated cross-language data handling of cryptography APIs, and the complex Java-based or XML-based approaches to configure Spring security. More interestingly, we identified security vulnerabilities in the suggested code of accepted answers. The vulnerabilities included using insecure hash functions such as MD5, breaking SSL/TLS security through bypassing certificate validation, and insecurely disabling the default protection against Cross Site Request Forgery (CSRF) attacks. Our findings reveal the insufficiency of secure coding assistance and education, and the gap between security theory and coding practices.

show abstract

“…Bien que le langage Java ai été conçu pour être sécurisé, il comporte un certain nombre de vulnérabilités recensées dans la litérature (The Last Stage of Delirium. Research Group., 2002, Long, 2005, Lai, 2008. Les applications Java doivent donc être développées de manière à ce que ces vulnérabilités ne soient pas exploitables.…”

Section: Vulnerabilités Des Applications à Composants Javaunclassified

“…En particulier, un certain nombre de mécanismes standards du langage Java et de la JVM peuvent être exploités pour subvertir le système (Long, 2005) :…”

Section: Vulnerabilités Des Applications à Composants Javaunclassified

Vérification automatique pour l'exécution sécurisée de composants Java

Parrend¹,

Frénot²

2008

Objet

View full text Add to dashboard Cite

National audienceLes plates-formes dynamiques de services permettent d'exécuter simultanément plusieurs composants fournis par des tiers. Ceci apporte une grande flexibilité dans leur utilisation, aussi bien en environnements à ressources limitées que dans le cas de serveurs d'applications. Toutefois, les implications pour la sécurité du système sont encore mal connues: quels sont les risques posés par l'exécution de composants tiers pour la plate-forme d'execution ? pour les autres composants ? Comment y remédier ? A partir d'expérimentations réalisées sur la plate-forme Java/OSGi, nous proposons une classification des vulnérabilités des platesformes dynamiques de services. Deux cas sont considérés: les vulnérabilités de la plate-forme elle-même, et les vulnérabilités des composants. Plusieurs solutions sont proposées pour résoudre ces vulnérabilités. Premièrement, le Contrôle d'accès basé Composants (CBAC, pour Component-based Access Control) permet de limiter l'accès à des méthodes dangereuses de la plate-forme ou des composants. La validation est effectuée par analyse statique de code. La configuration est entièrement déclarative, ce qui rend cette approche extensible, et adaptée pour la protection de méthodes fournies par des composants tiers. Deuxièmement, l'Analyse de Composants faibles (WCA, pour Weak Component Analysis) permet d'identifier les vulnérabilités des composants, par analyse statique de code également. CBAC et WCA exploitent la phase d'installation des composants pour réaliser les vérifications nécessaires. Seuls les composants valides sont installés. WCA peut également être utilisé lors du dévelopement pour améliorer la qualité du code

show abstract

Software Vulnerabilities in Java

Cited by 11 publications

References 0 publications

How Reliable is the Crowdsourced Knowledge of Security Implementation?

How Reliable is the Crowdsourced Knowledge of Security Implementation?

Secure Coding Practices in Java: Challenges and Vulnerabilities

Vérification automatique pour l'exécution sécurisée de composants Java

Contact Info

Product

Resources

About