Vulnerabilities in Java 9 Modules

Status: open

Assigned to: N.N.

Thesis Description:

With the release of version 9, Java introduces a module system declaring modules as first-class constructs.
A major goal of the new module system is the encapsulation of module-internal types.
Therefore, developers explicitly specify which packages of a module are exported and which are internal. Any access to types contained in internal packages is prevented, both at compile time by the compiler and at run time by the JVM.
While the module system encapsulates internal types, several means of interaction between modules exist that can result in vulnerabilities.
For instance, if a custom collection type whose iterator always returns true for a call to its hasNext() method is passed into a module, it may lead to a denial-of-service attack if the module iterates over the elements in the given collection.
To enable the secure development of Java 9 applications, it is necessary to identify such vulnerabilities and ensure proper module isolation.
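The hasNext() case described above, as an added example that is not part of the original thesis description: a constructed collection whose iterator never ends, next to a receiving-side defensive copy with a hard element bound. The class names, the method `snapshot` and the limit `MAX_ELEMENTS` are assumptions chosen for illustration.

```java
import java.util.AbstractCollection;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;

public class BoundedIterationDemo {
    // Constructed hostile input: size() claims one element, but hasNext() is always true.
    static final class EndlessCollection extends AbstractCollection<String> {
        @Override public Iterator<String> iterator() {
            return new Iterator<String>() {
                @Override public boolean hasNext() { return true; }
                @Override public String next() { return "x"; }
            };
        }
        @Override public int size() { return 1; }
    }

    // Hypothetical upper bound; a real module would derive it from its own requirements.
    static final int MAX_ELEMENTS = 10_000;

    // Entry point of the receiving module: copy the caller's collection into a
    // trusted list before using it. size() is not trusted, and new ArrayList<>(untrusted)
    // is avoided because it calls toArray(), which iterates without any bound.
    static List<String> snapshot(Collection<String> untrusted) {
        List<String> copy = new ArrayList<>();
        Iterator<String> it = untrusted.iterator();
        while (it.hasNext()) {
            if (copy.size() >= MAX_ELEMENTS) {
                throw new IllegalArgumentException(
                    "collection exceeds " + MAX_ELEMENTS + " elements");
            }
            copy.add(it.next());
        }
        return copy;
    }

    public static void main(String[] args) {
        // Well-behaved caller: the copy contains exactly the supplied elements.
        System.out.println(snapshot(List.of("a", "b")));
        // Hostile caller: iteration stops at the bound instead of running forever.
        try {
            snapshot(new EndlessCollection());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The bound limits work and memory only; a hasNext() or next() implementation that blocks would still need a timeout or a separate worker thread.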


In this thesis, you will identify vulnerabilities in Java 9 modules.
To this end, you will first examine vulnerabilities studied by Parrend and Frénot [1, 2] in the context of OSGi.

Your task is to extend and adapt the authors’ concepts for Java 9 modules, and to implement the identified vulnerabilities in the form of proof-of-concept examples.
In addition, you will investigate further related work in the context of Rust and OSGi to identify further vulnerability patterns.

Skills required:

  • A solid understanding of Java
  • Preferred: Experience with Java reflection and the Invoke API
  • Optional: Experience with OSGi

Language:

Thesis language is English or German.

Learning Outcomes:

  • Experience in Secure Software Engineering 
  • A solid understanding of Java 9
  • A solid understanding of Java Vulnerabilities
  • Assimilate and apply knowledge from relevant literature

References:

  1. Goichon, F., Salagnac, G., Parrend, P., & Frénot, S. (2013). Static vulnerability detection in Java service-oriented components. Journal of Computer Virology and Hacking Techniques, 9(1), 15–26. doi.org/10.1007/s11416-012-0172-1
  2. Parrend, P., & Frénot, S. (2007). Java Components Vulnerabilities - An Experimental Classification Targeted at the OSGi Platform.

Contact:

Andreas Dann
Phone: +49 05251 60-6559
Room: F1.119
Email: adann@mail.upb.de