Harden Your Java Components
Dr. Pierre Parrend, FZI Forschungszentrum Informatik
The talk is available for download as a PDF document.
The flexibility of today’s applications relies on two major mechanisms: integration of third-party components and remote access, for instance through Web Services.
Whereas the security issues implied by the latter are being actively addressed by the community, issues originating in the interactions of mutually untrusted components are considered only to a limited extent. This issue is likely to attract more attention from industry, especially in the following use cases: plug-in based systems or complex systems where components from various issuers are integrated, and dynamic applications such as those built on top of frameworks such as the OSGi platform.
We therefore propose two complementary contributions which intend to be of direct use for the industry: a systematic classification of security issues in software components, in particular Java ones, and a tool, VCA (Vulnerable Component Analysis).
The systematic classification of security issues aims at providing developers and architects with an overview of the actual threats which originate in the interaction of components that run in the same execution environment. It should lead them to understand the risks, and to identify the good practices which should be enforced in component code. Code shared between components is particularly exposed, and should consequently be the focus of the development of hardened components.
The VCA tool is intended to automate the identification of such issues in the code of components. Contrary to existing tools such as FindBugs, which aim at enforcing generic coding best practices throughout the whole code, VCA focuses on the code that components share with others and aims at preventing any interaction between the components which could lead to uncontrolled data access or modification. Automation relieves security analysts of the tedious work, and lets them concentrate on more complex threats which actually require human intervention.
To build more trustworthy component-based systems, harden your own Java components!
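As an added illustration (not taken from the talk, its classification or the VCA tool), the Java sketch below shows one way code shared between components can allow uncontrolled data modification, next to a hardened form. The `AccessListService` interface, both implementations and all sample values are hypothetical and constructed for this example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Hypothetical service interface shared between mutually untrusted components.
interface AccessListService {
    List<String> allowedUsers();
    void setAllowedUsers(List<String> users);
}

// Weak form: the service and its callers end up holding the same list object.
class LeakyAccessList implements AccessListService {
    private List<String> users = new ArrayList<>();
    public List<String> allowedUsers() { return users; }
    public void setAllowedUsers(List<String> users) { this.users = users; }
}

// Hardened form: final class, copy-then-validate on input, read-only view on output.
final class HardenedAccessList implements AccessListService {
    private volatile List<String> users = Collections.emptyList();
    public List<String> allowedUsers() { return users; }
    public void setAllowedUsers(List<String> users) {
        List<String> copy = new ArrayList<>(users); // copy first, so validation sees a stable list
        for (String u : copy) {
            if (u == null || u.isEmpty()) throw new IllegalArgumentException("invalid user");
        }
        this.users = Collections.unmodifiableList(copy);
    }
}

public class SharedCodeDemo {
    // Stands in for another component that holds a reference to the shared service.
    static boolean otherComponentCanModify(AccessListService svc) {
        try {
            svc.allowedUsers().add("constructed-extra-entry");
        } catch (UnsupportedOperationException e) {
            return false;
        }
        return svc.allowedUsers().contains("constructed-extra-entry");
    }

    public static void main(String[] args) {
        for (AccessListService svc : new AccessListService[] {new LeakyAccessList(), new HardenedAccessList()}) {
            List<String> input = new ArrayList<>(Arrays.asList("alice", "bob")); // constructed sample data
            svc.setAllowedUsers(input);
            input.add("constructed-late-addition"); // caller mutates its own list after the call
            System.out.println(svc.getClass().getSimpleName()
                + ": aliased on input=" + svc.allowedUsers().contains("constructed-late-addition")
                + ", modifiable on output=" + otherComponentCanModify(svc));
        }
    }
}
```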
Dr. Pierre Parrend has been a research scientist at the FZI (Forschungszentrum Informatik) Karlsruhe since September 2008. He pursues both development activities and research in software security. He holds a PhD on software, completed at the French research institution INRIA, and an engineering degree in Telecommunications from INSA-Lyon, France. He is active in the OWASP (Open Web Application Security Project) and ISSECO (International Secure Software Engineering Council) communities.
