Source Code Analysis to Remove Security Vulnerabilities in Java Socket Programs: A Case Study

摘要

This paper presents the source code analysis of a file reader server socketprogram (connection-oriented sockets) developed in Java, to illustrate theidentification, impact analysis and solutions to remove five important softwaresecurity vulnerabilities, which if left unattended could severely impact theserver running the software and also the network hosting the server. The fivevulnerabilities we study in this paper are: (1) Resource Injection, (2) PathManipulation, (3) System Information Leak, (4) Denial of Service and (5)Unreleased Resource vulnerabilities. We analyze the reason why each of thesevulnerabilities occur in the file reader server socket program, discuss theimpact of leaving them unattended in the program, and propose solutions toremove each of these vulnerabilities from the program. We also analyze anypotential performance tradeoffs (such as increase in code size and loss offeatures) that could arise while incorporating the proposed solutions on theserver program. The proposed solutions are very generic in nature, and can besuitably modified to correct any such vulnerabilities in software developed inany other programming language. We use the Fortify Source Code Analyzer toconduct the source code analysis of the file reader server program, implementedon a Windows XP virtual machine with the standard J2SE v.7 development kit.