DOI: 10.5555/1348171.1348206
Article

Data-flow based vulnerability analysis and java bytecode

Published: 21 November 2007

Abstract

The security of information systems has become a focus of attention because of network applications. Vulnerability analysis is widely used to evaluate and assure the security of a system. With the help of vulnerability analysis, the security risk of a system can be predicted so that countermeasures can be arranged in advance, which promotes system security effectively. The object of vulnerability analysis is to find the unknown security holes in a system. It also helps to understand the characteristics of security holes and to assess the security risk of a system. Data-flow based analysis shows its strength in vulnerability analysis because vulnerabilities are data-flow dependent. The paper discusses how to use data-flow analysis in vulnerability analysis and presents a way to apply data-flow analysis to the vulnerability analysis of Java bytecode.



Published In

Guide Proceedings
ACS'07: Proceedings of the 7th Conference on 7th WSEAS International Conference on Applied Computer Science - Volume 7
November 2007
435 pages
ISBN: 9789606766183

Publisher

World Scientific and Engineering Academy and Society (WSEAS)

Stevens Point, Wisconsin, United States

Author Tags

  1. data-flow analysis
  2. java bytecode
  3. program analysis
  4. vulnerability

Qualifiers

  • Article

Bibliometrics

  • Total Citations: 0
  • Total Downloads: 18
  • Downloads (Last 12 months): 0
  • Downloads (Last 6 weeks): 0

Reflects downloads up to 14 Nov 2024
