A FRAMEWORK FOR PROTECTING EJB APPLICATIONS FROM MALICIOUS COMPONENTS

Hieu Dinh Vo, Masato Suzuki

Abstract

Enterprise JavaBeans (EJB) components in an EJB application can be obtained from various sources. These components may be in-house developed or bought from other vendors. In the latter case, the source code of the components is usually not available to application developers. The result is that the application may contain malicious components. We propose a framework called BFSec that protects EJB applications from vicious components. The framework examines bean methods invoked by each thread in applications and compares them with pre-defined business functions to check whether the latest calls of threads are proper. Unexpected calls, which are considered to be made by malicious components, will be blocked.

References

  1. Alur, D., Malks, D., Crupi, J., Booch, G. & Fowler, M. (2003) Core J2EE Patterns (Core Design Series): Best Practices and Design Strategies, Sun Microsystems, Inc.
  2. Clarke, D., Richmond, M. & Noble, J. (2003) Saving the world from bad beans: deployment-time confinement checking. SIGPLAN Not., 38, 374-387.
  3. Evered, M. (2003) Flexible enterprise access control with object-oriented view specification. Proceedings of the Australasian information security workshop conference on ACSW frontiers 2003 - Volume 21. Adelaide, Australia, Australian Computer Society.
  4. Gong, L. (2002) Java 2 Platform Security Architecture [online]. [Accessed Dec. 2007]. Available from WWW: http://java.sun.com/javase/6/docs/technotes/ guides/security/spec/security-spec.doc.html.
  5. Naumovich, G. & Centonze, P. (2004) Static analysis of role-based access control in J2EE applications. SIGSOFT Softw. Eng. Notes, 29, 1-10.
  6. Pistoia, M., Fink, S. J., Flynn, R. J. & Yahav, E. (2007) When Role Models Have Flaws: Static Validation of Enterprise Security Policies. Software Engineering, 2007. ICSE 2007. 29th International Conference on.
  7. Sreedhar, V. C. (2006) Data-centric security: role analysis and role typestates. Proceedings of the eleventh ACM symposium on Access control models and technologies. Lake Tahoe, California, USA, ACM.
  8. Sun (2005) Enterprise JavaBeans version 3.0 [online]. [Accessed: Dec. 2007]. Available from WWW: http://java.sun.com/products/ejb/.
  9. Sun (2006) The J2EE 1.4 Tutorial [online]. [Accessed: Dec. 2007]. Available from WWW: http://java.sun.com/j2ee/1.4/docs/tutorial/doc/.
  10. Vo, H. D. & Suzuki, M. (2007) An Approach for Specifying Access Control Policy in J2EE Applications. 14th Asia-Pacific Software Engineering Conference. Japan, IEEE.
Download


Paper Citation


in Harvard Style

Dinh Vo H. and Suzuki M. (2008). A FRAMEWORK FOR PROTECTING EJB APPLICATIONS FROM MALICIOUS COMPONENTS . In Proceedings of the Tenth International Conference on Enterprise Information Systems - Volume 1: ICEIS, ISBN 978-989-8111-36-4, pages 264-269. DOI: 10.5220/0001704502640269


in Bibtex Style

@conference{iceis08,
author={Hieu Dinh Vo and Masato Suzuki},
title={A FRAMEWORK FOR PROTECTING EJB APPLICATIONS FROM MALICIOUS COMPONENTS},
booktitle={Proceedings of the Tenth International Conference on Enterprise Information Systems - Volume 1: ICEIS,},
year={2008},
pages={264-269},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001704502640269},
isbn={978-989-8111-36-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Tenth International Conference on Enterprise Information Systems - Volume 1: ICEIS,
TI - A FRAMEWORK FOR PROTECTING EJB APPLICATIONS FROM MALICIOUS COMPONENTS
SN - 978-989-8111-36-4
AU - Dinh Vo H.
AU - Suzuki M.
PY - 2008
SP - 264
EP - 269
DO - 10.5220/0001704502640269