An evaluation of Java application containers according to security requirements

14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05) Pub Date : 2005-06-13 DOI:10.1109/WETICE.2005.18

Almut Herzog, N. Shahmehri

{"title":"An evaluation of Java application containers according to security requirements","authors":"Almut Herzog, N. Shahmehri","doi":"10.1109/WETICE.2005.18","DOIUrl":null,"url":null,"abstract":"Web browsers, Web servers, Java application servers and OSGi frameworks are all instances of Java execution environments that tun more or less untrusted Java applications. In all these environments, Java applications can come from different sources. Consequently, application developers rarely know which other applications exist in the target Java execution environment. This paper investigates the requirements that need to be imposed on such a container from a security point of view and how the requirements have been implemented by different Java application containers. More specifically, we show a general risk analysis considering assets, threats and vulnerabilities of a Java container. This risk analysis exposes generic Java security problems and leads to a set of security requirements. These security requirements are then used to evaluate the security architecture of existing Java containers for Java applications, applets, servlets, OSGi bundles, and Enterprise Java Beans. For comparison, the requirements are also examined for a C++ application.","PeriodicalId":128074,"journal":{"name":"14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2005-06-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"10","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/WETICE.2005.18","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 10

Abstract

Web browsers, Web servers, Java application servers and OSGi frameworks are all instances of Java execution environments that tun more or less untrusted Java applications. In all these environments, Java applications can come from different sources. Consequently, application developers rarely know which other applications exist in the target Java execution environment. This paper investigates the requirements that need to be imposed on such a container from a security point of view and how the requirements have been implemented by different Java application containers. More specifically, we show a general risk analysis considering assets, threats and vulnerabilities of a Java container. This risk analysis exposes generic Java security problems and leads to a set of security requirements. These security requirements are then used to evaluate the security architecture of existing Java containers for Java applications, applets, servlets, OSGi bundles, and Enterprise Java Beans. For comparison, the requirements are also examined for a C++ application.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

根据安全需求对Java应用程序容器进行评估

Web浏览器、Web服务器、Java应用程序服务器和OSGi框架都是Java执行环境的实例，它们或多或少地运行不受信任的Java应用程序。在所有这些环境中，Java应用程序可以来自不同的来源。因此，应用程序开发人员很少知道目标Java执行环境中存在哪些其他应用程序。本文从安全性的角度研究了需要强加到这种容器上的需求，以及不同的Java应用程序容器是如何实现这些需求的。更具体地说，我们展示了考虑Java容器的资产、威胁和漏洞的一般风险分析。此风险分析暴露了一般的Java安全性问题，并导致了一组安全性需求。然后使用这些安全需求来评估用于Java应用程序、applet、servlet、OSGi包和Enterprise Java Beans的现有Java容器的安全体系结构。为了进行比较，还对c++应用程序的需求进行了检查。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05)

自引率

0.00%

发文量