Source Code Analysis to Remove Security Vulnerabilities in Java Socket Programs: A Case Study

This paper presents the source code analysis of a file reader server socket program (connection-orientedsockets) developed in Java, to illustrate the identification, impact analysis and solutions to remove fiveimportant software security vulnerabilities, which if left unattended could severely impact the serverrunning the software and also the network hosting the server. The five vulnerabilities we study in thispaper are: (1) Resource Injection, (2) Path Manipulation, (3) System Information Leak, (4) Denial ofService and (5) Unreleased Resource vulnerabilities. We analyze the reason why each of thesevulnerabilities occur in the file reader server socket program, discuss the impact of leaving themunattended in the program, and propose solutions to remove each of these vulnerabilities from theprogram. We also analyze any potential performance tradeoffs (such as increase in code size and loss offeatures) that could arise while incorporating the proposed solutions on the server program. Theproposed solutions are very generic in nature, and can be suitably modified to correct any suchvulnerabilities in software developed in any other programming language. We use the Fortify SourceCode Analyzer to conduct the source code analysis of the file reader server program, implemented on aWindows XP virtual machine with the standard J2SE v.7 development kit.