Correlation analysis among Java nano-patterns and software vulnerabilities

Kazi Zakia Sultana, Ajay Deo, Byron J. Williams

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

20 Scopus citations

Abstract

Ensuring software security is essential for developing reliable software. Software can suffer from security problems because of weaknesses in the code constructs used during development. Our goal is to relate software security to particular code constructs so that developers can become aware, early on, of coding weaknesses that might be related to a software vulnerability. In this study, we chose Java nano-patterns as the code constructs: method-level patterns defined on the attributes of Java methods. The study aims to find the correlation between software vulnerability and these method-level structural code constructs. For our first case study, we identified the vulnerable methods in 39 versions across three major releases of Apache Tomcat and extracted nano-patterns from the affected methods of these releases. We also extracted nano-patterns from the non-vulnerable methods of Apache Tomcat, selecting the last version of each of the three major releases (6.0.45 for release 6, 7.0.69 for release 7 and 8.0.33 for release 8) as the non-vulnerable versions. We then compared the nano-pattern distributions in vulnerable versus non-vulnerable methods. In our second case study, we extracted nano-patterns from the affected methods of three vulnerable J2EE web applications: Blueblog 1.0, Personalblog 1.2.6 and Roller 0.9.9, all of which were deliberately made vulnerable for testing purposes. We found that some nano-patterns, such as objCreator, staticFieldReader, typeManipulator, looper, exceptions, localWriter and arrReader, are more prevalent in affected methods, whereas others, such as straightLine, are more common in non-affected methods. We conclude that nano-patterns can be used as an indicator of the vulnerability-proneness of code.
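The comparison the abstract describes, as an added Python illustration that is not code from the paper or its authors: each method body is mapped to the set of nano-patterns it exhibits, and the per-pattern prevalence in a vulnerable group is subtracted from that in a non-vulnerable group. The original nano-pattern catalogue is defined over Java bytecode; the regex detectors below are assumed source-level approximations covering only the patterns the abstract names, and the method bodies are constructed samples, not Tomcat code.

```python
import re
from collections import Counter

# Source-level regex heuristics for the nano-patterns the abstract singles out.
# Assumption: the real nano-pattern definitions work on Java bytecode; these
# approximations operate on method-body source text instead.
PATTERNS = {
    "objCreator":        re.compile(r"\bnew\s+[A-Z]\w*\s*\("),            # instantiates an object
    "arrReader":         re.compile(r"(?<!new\s)\b\w+\s*\[[^\]]+\](?!\s*=[^=])"),  # array index not being assigned to
    "looper":            re.compile(r"\b(for|while|do)\b"),
    "exceptions":        re.compile(r"\b(try|catch|throw)\b"),
    "typeManipulator":   re.compile(r"\binstanceof\b|\(\s*[A-Z]\w*\s*\)\s*\w"),   # instanceof or a cast
    "staticFieldReader": re.compile(r"\b[A-Z]\w*\.[A-Z_][A-Z0-9_]+\b"),       # Class.CONSTANT access
}
CONTROL_FLOW = re.compile(r"\b(if|for|while|do|switch|try|catch)\b")

def nano_patterns(body):
    """Return the set of (approximated) nano-patterns exhibited by one method body."""
    found = {name for name, rx in PATTERNS.items() if rx.search(body)}
    if not CONTROL_FLOW.search(body):
        found.add("straightLine")          # no branching or looping at all
    return found

def prevalence(methods):
    """Fraction of methods in the group that exhibit each pattern."""
    counts = Counter()
    for body in methods:
        counts.update(nano_patterns(body))
    return {p: counts[p] / len(methods) for p in [*PATTERNS, "straightLine"]}

def compare(vulnerable, clean):
    """Patterns ranked by how much more prevalent they are in the vulnerable group."""
    pv, pc = prevalence(vulnerable), prevalence(clean)
    return sorted(((p, pv[p] - pc[p]) for p in pv), key=lambda t: (-t[1], t[0]))

# Constructed sample method bodies (not taken from Tomcat or the paper's data sets).
VULNERABLE = [
    "File f = new File(base, name); try { for (int i = 0; i < parts.length; i++) { use(parts[i]); } } catch (IOException e) { log(e); }",
    "Object o = session.getAttribute(Constants.USER_KEY); if (o instanceof User) { return (User) o; } throw new IllegalStateException();",
    "int[] lens = new int[n]; for (int i = 0; i < n; i++) { lens[i] = src[i] - OFFSET; }",
]
CLEAN = [
    "return name.length() > 0;",
    "this.count = count; this.name = name;",
    "if (value == null) { return Config.DEFAULT_NAME; } return value;",
]

if __name__ == "__main__":
    for pattern, delta in compare(VULNERABLE, CLEAN):
        print(f"{pattern:18s} {delta:+.2f}")   # positive: more prevalent in vulnerable methods
```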

Original language: English
Title of host publication: Proceedings - IEEE 18th International Symposium on High Assurance Systems Engineering, HASE 2017
Publisher: IEEE Computer Society
Pages: 69-76
Number of pages: 8
ISBN (Electronic): 9781509046355
DOIs
State: Published - 25 Apr 2017
Event: 18th IEEE International Symposium on High Assurance Systems Engineering, HASE 2017 - Singapore, Singapore
Duration: 12 Jan 2017 - 14 Jan 2017

Publication series

Name: Proceedings of IEEE International Symposium on High Assurance Systems Engineering
ISSN (Print): 1530-2059

Conference

Conference: 18th IEEE International Symposium on High Assurance Systems Engineering, HASE 2017
Country/Territory: Singapore
City: Singapore
Period: 12/01/17 - 14/01/17

Keywords

  • Nano-Patterns
  • Security Vulnerabilities
  • Software Patterns
  • Static Analysis
