book_parrend.bib

@inbook{parrend2009javasec,
  abstract = {The Java environment is composed of two main parts: the Java language and the Java virtual machine. It is designed with the assumption that no software entity is to be trusted and therefore that each need to be checked. The first success of Java was the inception of Java Applets which enabled fully untrusted code provided by unknown web sites to be executed in a browser. This feature demonstrated the isolation brought by the Java Virtual Machine (JVM) between the applications and the underlying operating system. However, the evolution of Java systems from mono-application to multi-component systems induce new vulnerabilities developers are not aware of. This requires that additional security mechanisms are used to support secure Java environments. This survey presents an overview of the security issues for the Java language and Virtual Machine. The default security model is defined and explained. Its three main components are the Java language itself, the Bytecode validation at load time and modularity supports such as the class loaders and permission domains. Known vulnerabilities are presented. They originate either in the JVM or in the code of applications. Two approaches exist for describing code vulnerabilities: source code and Bytecode. This duality enables to identify them both during development through manual code review and tools, and in an automated manner during code deployment or installation. Security extensions for the Java Execution Environment and tools for writing secure Java code are presented. They are of three types: platform extensions, static analysis approaches and behavior injection. Platform extensions consist in strengthening the isolation between components (beans, etc.) and providing support for resource consumption accounting and control. Static analysis is often performed through generic tools that improve the code quality and thus reduce the number of exploitable bugs in the Java code. Some of these tools, such as FindBugs, encompass security-specific bugs, and some, as JSLint are dedicated to security analysis. Bytecode injection enables to introduce security checks in the core of the code. It can be performed with the developers involved, for instance through aspect-oriented programming, or transparently, through Bytecode injection or meta-programming. An overview of the existing protection mechanisms for Java systems according to the life-cycle moment they are enforced and to the development overhead they imply concludes this work},
  address = {New York},
  author = {Pierre Parrend},
  chapter = {Security for Java Platforms},
  keywords = {Java, Security, Survey},
  publisher = {Nova Publishers},
  timestamp = {2008.09.21},
  title = {Java Software},
  url = {http://www.rzo.free.fr/parrend09javasec.php},
  year = {2009}
}