Late 2012 and early 2013 saw several 0-day attacks against the Java SE platform, many in the form of sandbox bypasses that made use of caller-sensitive methods, trusted method chains, deserialisation, reflection and even type confusion. Several patch updates were made available in 2013 to rectify these issues.
The Java Vulnerability Detection project at Oracle Labs Australia, focuses on finding security bugs in the Java SE platform. Several techniques ranging from static to hybrid analyses are being used in this project. In this talk I give a high-level overview of some of the vulnerabilities and focus on our program analyses to detect such vulnerabilities.
This talk reports on work in progress.
Bio: Cristina Cifuentes (http://labs.oracle.com/people/cristina/) is an Architect and the Principal Investigator of the Java Vulnerability Detection project. She also serves as the Research Director for Oracle Labs Australia (http://labs.oracle.com/locations/australia). She used to be the Principal Investigator for the Parfait project, a static bug checker for the C/C++ language. Parfait was transferred to the product organisation in June 2012 and is currently used by thousands of developers at Oracle on a day-to-day basis.
Go to Attendee List