Hier finden Sie wissenschaftliche Publikationen aus den Fraunhofer-Instituten.

An in-depth study of more than ten years of Java exploitation

: Holzinger, P.; Triller, S.; Bartel, A.; Bodden, E.


Katzenbeisser, S. ; Association for Computing Machinery -ACM-; Association for Computing Machinery -ACM-, Special Interest Group on Security, Audit and Control -SIGSAC-:
ACM SIGSAC Conference on Computer and Communications Security, CCS 2016. Proceedings : Oktober 24-28, 2016, Vienna, Austria
New York: ACM, 2016
ISBN: 978-1-4503-4139-4
Conference on Computer and Communications Security (CCS) <23, 2016, Vienna>
Conference Paper
Fraunhofer SIT ()

When created, the Java platform was among the first runtimes designed with security in mind. Yet, numerous Java versions were shown to contain far-reaching vulnerabilities, permitting denial-of-service attacks or even worse allowing intruders to bypass the runtime's sandbox mechanisms, opening the host system up to many kinds of further attacks. This paper presents a systematic in-depth study of 87 publicly available Java exploits found in the wild. By collecting, minimizing and categorizing those exploits, we identify their commonalities and root causes, with the goal of determining the weak spots in the Java security architecture and possible countermeasures. Our findings reveal that the exploits heavily rely on a set of nine weaknesses, including unauthorized use of restricted classes and confused deputies in combination with caller-sensitive methods. We further show that all attack vectors implemented by the exploits belong to one of three categories: single-step at tacks, restricted-class attacks, and information hiding attacks. The analysis allows us to propose ideas for improving the security architecture to spawn further research in this area.