Secure use of open-source software: a systematic study and techniques for Java / Andreas Peter Dann; Advisors: Prof. Dr. Eric Bodden, Prof. Dr. Ben Hermann. Paderborn, 2024
Contents
Abstract
Acknowledgments
Contents
1 Introduction
1.1 Research Challenges
1.2 Thesis Contributions
1.3 Generality of Contributions
1.4 Thesis Structure
2 Background
2.1 Terminology & Dependency Management in Java
2.2 Dependency Management in Other Programming Languages
3 Systematic Study on the Usage of Open-Source Software and Challenges for Their Detection
3.1 Strategies for Detecting Vulnerabilities in Open-Source Software
3.2 Study Design
3.2.1 Research Questions
3.2.2 Study Objects & Methodology
3.3 Use of Open-Source Software at SAP
3.3.1 RQ1: What Are Practices for Using Open-Source Software at SAP?
3.3.2 RQ2: What Vulnerabilities Affect the 20 Most-Used Dependencies?
3.3.3 RQ3: How Do Developers Include Open-Source Software?
3.4 Prevalence & Impact of Modified Open-Source Software
3.4.1 RQ4: How Prominent Are the Modifications Outside SAP?
3.4.2 RQ5: What Is the Impact of the Modifications on Vulnerability Scanners?
3.5 Study Summary
3.6 Threats to Validity
3.7 Achilles: Test Suite for Detecting Modified Open-Source Software
3.7.1 Diverse Real-World Applications
3.7.2 Detecting Vulnerable Open-Source Software
3.7.3 Automation and Ease of Use
3.7.4 Organization and Distribution
3.8 SootDiff: An Approach for Identifying Modified Open-Source Software
3.8.1 Dissimilarities Introduced by Java Compilers
3.8.2 Jimple: Intermediate Bytecode Representation
3.8.3 Compare Modified Bytecode
3.8.4 Evaluation
3.9 Related Work
3.9.1 Case Studies: Use of Vulnerable Open-Source Software
3.9.2 Test Suites: Vulnerabilities in Open-Source Software
3.9.3 Code Clone Detection
3.10 Conclusion
4 An Automated Approach for Safely Updating Included Open-Source Software
4.1 Safe Backward Compatible Updates
4.1.1 Dependency Graph Updates
4.1.2 Source and Binary Compatibility
4.1.3 Semantic Compatibility
4.1.4 Blossom Compatibility
4.2 UpCy: Identify Safe Backward Compatible Updates
4.2.1 Algorithm
4.2.2 Graph Database of the Maven Central Repository
4.3 Evaluation
4.3.1 Research Questions
4.3.2 Study Objects & Methodology
4.3.3 Results
4.4 Threats to Validity
4.4.1 Finding Compatible Updates with UpCy
4.4.2 Evaluation
4.5 Related Work
4.5.1 Studies: How Developers Update (Vulnerable) Dependencies
4.5.2 Update Compatibility Analysis
4.5.3 Repository Dependency Graphs
4.6 Conclusion
5 Securely Integrating Open-Source Software with Java's Module System
5.1 Java's Security Architecture & Module System
5.1.1 Java 1.2 Security Model
5.1.2 The Java Platform Module System
5.1.3 Motivating Example of Sensitive Entities Escaping a Module
5.1.4 Excursion: The OSGi Platform
5.2 Precisely Defining a Module's Entry Points
5.2.1 Explicitly vs. Implicitly Reachable Entry Points
5.2.2 Logic-based Specification of the Entry-Point Model
5.2.3 Limitations of the Entry-Point Model
5.3 ModGuard: Identify Confidentiality or Integrity Violations of Modules
5.3.1 Algorithm
5.3.2 Limitations
5.4 Evaluation
5.4.1 Research Questions
5.4.2 Study Objects
5.4.3 Results
5.4.4 Case Study: CVE-2017-5648 in Tomcat (modules)
5.5 Limitations of Modules for the Secure Integration of Open-Source Software
5.6 Related Work
5.6.1 Sandboxes for Native Code
5.6.2 Encapsulation and Isolation of OSGi Bundles
5.6.3 Escape Analysis
5.6.4 Information-Flow Control
5.7 Conclusion
6 Conclusion and Outlook
Implementations and Data
Bibliography
List of Figures
List of Tables
Listings