Correlation analysis among Java nano-patterns and software vulnerabilities

Kazi Zakia Sultana, Ajay Deo, Byron J. Williams

Research output: Chapter in Book/Report/Conference proceedingConference contributionResearchpeer-review

5 Citations (Scopus)

Abstract

Ensuring software security is essential for developing a reliable software. A software can suffer from security problems due to the weakness in code constructs during software development. Our goal is to relate software security with different code constructs so that developers can be aware very early of their coding weaknesses that might be related to a software vulnerability. In this study, we chose Java nano-patterns as code constructs that are method-level patterns defined on the attributes of Java methods. This study aims to find out the correlation between software vulnerability and method-level structural code constructs known as nano-patterns. We found the vulnerable methods from 39 versions of three major releases of Apache Tomcat for our first case study. We extracted nano-patterns from the affected methods of these releases. We also extracted nano-patterns from the non-vulnerable methods of Apache Tomcat, and for this, we selected the last version of three major releases (6.0.45 for release 6, 7.0.69 for release 7 and 8.0.33 for release 8) as the non-vulnerable versions. Then, we compared the nano-pattern distributions in vulnerable versus non-vulnerable methods. In our second case study, we extracted nano-patterns from the affected methods of three vulnerable J2EE web applications: Blueblog 1.0, Personalblog 1.2.6 and Roller 0.9.9, all of which were deliberately made vulnerable for testing purpose. We found that some nano-patterns such as objCreator, staticFieldReader, typeManipulator, looper, exceptions, localWriter, arrReader are more prevalent in affected methods whereas some such as straightLine are more vivid in non-Affected methods. We conclude that nano-patterns can be used as the indicator of vulnerability-proneness of code.

Original languageEnglish
Title of host publicationProceedings - IEEE 18th International Symposium on High Assurance Systems Engineering, HASE 2017
PublisherIEEE Computer Society
Pages69-76
Number of pages8
ISBN (Electronic)9781509046355
DOIs
StatePublished - 25 Apr 2017
Event18th IEEE International Symposium on High Assurance Systems Engineering, HASE 2017 - Singapore, Singapore
Duration: 12 Jan 201714 Jan 2017

Publication series

NameProceedings of IEEE International Symposium on High Assurance Systems Engineering
ISSN (Print)1530-2059

Conference

Conference18th IEEE International Symposium on High Assurance Systems Engineering, HASE 2017
CountrySingapore
CitySingapore
Period12/01/1714/01/17

Fingerprint

Software engineering
Testing

Keywords

  • Nano-Patterns
  • Security Vulnerabilities
  • Software Patterns
  • Static Analysis

Cite this

Sultana, K. Z., Deo, A., & Williams, B. J. (2017). Correlation analysis among Java nano-patterns and software vulnerabilities. In Proceedings - IEEE 18th International Symposium on High Assurance Systems Engineering, HASE 2017 (pp. 69-76). [7911873] (Proceedings of IEEE International Symposium on High Assurance Systems Engineering). IEEE Computer Society. https://doi.org/10.1109/HASE.2017.18
Sultana, Kazi Zakia ; Deo, Ajay ; Williams, Byron J. / Correlation analysis among Java nano-patterns and software vulnerabilities. Proceedings - IEEE 18th International Symposium on High Assurance Systems Engineering, HASE 2017. IEEE Computer Society, 2017. pp. 69-76 (Proceedings of IEEE International Symposium on High Assurance Systems Engineering).
@inproceedings{f8a8dda903e3488f8589393bdb6a877f,
title = "Correlation analysis among Java nano-patterns and software vulnerabilities",
abstract = "Ensuring software security is essential for developing a reliable software. A software can suffer from security problems due to the weakness in code constructs during software development. Our goal is to relate software security with different code constructs so that developers can be aware very early of their coding weaknesses that might be related to a software vulnerability. In this study, we chose Java nano-patterns as code constructs that are method-level patterns defined on the attributes of Java methods. This study aims to find out the correlation between software vulnerability and method-level structural code constructs known as nano-patterns. We found the vulnerable methods from 39 versions of three major releases of Apache Tomcat for our first case study. We extracted nano-patterns from the affected methods of these releases. We also extracted nano-patterns from the non-vulnerable methods of Apache Tomcat, and for this, we selected the last version of three major releases (6.0.45 for release 6, 7.0.69 for release 7 and 8.0.33 for release 8) as the non-vulnerable versions. Then, we compared the nano-pattern distributions in vulnerable versus non-vulnerable methods. In our second case study, we extracted nano-patterns from the affected methods of three vulnerable J2EE web applications: Blueblog 1.0, Personalblog 1.2.6 and Roller 0.9.9, all of which were deliberately made vulnerable for testing purpose. We found that some nano-patterns such as objCreator, staticFieldReader, typeManipulator, looper, exceptions, localWriter, arrReader are more prevalent in affected methods whereas some such as straightLine are more vivid in non-Affected methods. We conclude that nano-patterns can be used as the indicator of vulnerability-proneness of code.",
keywords = "Nano-Patterns, Security Vulnerabilities, Software Patterns, Static Analysis",
author = "Sultana, {Kazi Zakia} and Ajay Deo and Williams, {Byron J.}",
year = "2017",
month = "4",
day = "25",
doi = "10.1109/HASE.2017.18",
language = "English",
series = "Proceedings of IEEE International Symposium on High Assurance Systems Engineering",
publisher = "IEEE Computer Society",
pages = "69--76",
booktitle = "Proceedings - IEEE 18th International Symposium on High Assurance Systems Engineering, HASE 2017",

}

Sultana, KZ, Deo, A & Williams, BJ 2017, Correlation analysis among Java nano-patterns and software vulnerabilities. in Proceedings - IEEE 18th International Symposium on High Assurance Systems Engineering, HASE 2017., 7911873, Proceedings of IEEE International Symposium on High Assurance Systems Engineering, IEEE Computer Society, pp. 69-76, 18th IEEE International Symposium on High Assurance Systems Engineering, HASE 2017, Singapore, Singapore, 12/01/17. https://doi.org/10.1109/HASE.2017.18

Correlation analysis among Java nano-patterns and software vulnerabilities. / Sultana, Kazi Zakia; Deo, Ajay; Williams, Byron J.

Proceedings - IEEE 18th International Symposium on High Assurance Systems Engineering, HASE 2017. IEEE Computer Society, 2017. p. 69-76 7911873 (Proceedings of IEEE International Symposium on High Assurance Systems Engineering).

Research output: Chapter in Book/Report/Conference proceedingConference contributionResearchpeer-review

TY - GEN

T1 - Correlation analysis among Java nano-patterns and software vulnerabilities

AU - Sultana, Kazi Zakia

AU - Deo, Ajay

AU - Williams, Byron J.

PY - 2017/4/25

Y1 - 2017/4/25

N2 - Ensuring software security is essential for developing a reliable software. A software can suffer from security problems due to the weakness in code constructs during software development. Our goal is to relate software security with different code constructs so that developers can be aware very early of their coding weaknesses that might be related to a software vulnerability. In this study, we chose Java nano-patterns as code constructs that are method-level patterns defined on the attributes of Java methods. This study aims to find out the correlation between software vulnerability and method-level structural code constructs known as nano-patterns. We found the vulnerable methods from 39 versions of three major releases of Apache Tomcat for our first case study. We extracted nano-patterns from the affected methods of these releases. We also extracted nano-patterns from the non-vulnerable methods of Apache Tomcat, and for this, we selected the last version of three major releases (6.0.45 for release 6, 7.0.69 for release 7 and 8.0.33 for release 8) as the non-vulnerable versions. Then, we compared the nano-pattern distributions in vulnerable versus non-vulnerable methods. In our second case study, we extracted nano-patterns from the affected methods of three vulnerable J2EE web applications: Blueblog 1.0, Personalblog 1.2.6 and Roller 0.9.9, all of which were deliberately made vulnerable for testing purpose. We found that some nano-patterns such as objCreator, staticFieldReader, typeManipulator, looper, exceptions, localWriter, arrReader are more prevalent in affected methods whereas some such as straightLine are more vivid in non-Affected methods. We conclude that nano-patterns can be used as the indicator of vulnerability-proneness of code.

AB - Ensuring software security is essential for developing a reliable software. A software can suffer from security problems due to the weakness in code constructs during software development. Our goal is to relate software security with different code constructs so that developers can be aware very early of their coding weaknesses that might be related to a software vulnerability. In this study, we chose Java nano-patterns as code constructs that are method-level patterns defined on the attributes of Java methods. This study aims to find out the correlation between software vulnerability and method-level structural code constructs known as nano-patterns. We found the vulnerable methods from 39 versions of three major releases of Apache Tomcat for our first case study. We extracted nano-patterns from the affected methods of these releases. We also extracted nano-patterns from the non-vulnerable methods of Apache Tomcat, and for this, we selected the last version of three major releases (6.0.45 for release 6, 7.0.69 for release 7 and 8.0.33 for release 8) as the non-vulnerable versions. Then, we compared the nano-pattern distributions in vulnerable versus non-vulnerable methods. In our second case study, we extracted nano-patterns from the affected methods of three vulnerable J2EE web applications: Blueblog 1.0, Personalblog 1.2.6 and Roller 0.9.9, all of which were deliberately made vulnerable for testing purpose. We found that some nano-patterns such as objCreator, staticFieldReader, typeManipulator, looper, exceptions, localWriter, arrReader are more prevalent in affected methods whereas some such as straightLine are more vivid in non-Affected methods. We conclude that nano-patterns can be used as the indicator of vulnerability-proneness of code.

KW - Nano-Patterns

KW - Security Vulnerabilities

KW - Software Patterns

KW - Static Analysis

UR - http://www.scopus.com/inward/record.url?scp=85019205069&partnerID=8YFLogxK

U2 - 10.1109/HASE.2017.18

DO - 10.1109/HASE.2017.18

M3 - Conference contribution

T3 - Proceedings of IEEE International Symposium on High Assurance Systems Engineering

SP - 69

EP - 76

BT - Proceedings - IEEE 18th International Symposium on High Assurance Systems Engineering, HASE 2017

PB - IEEE Computer Society

ER -

Sultana KZ, Deo A, Williams BJ. Correlation analysis among Java nano-patterns and software vulnerabilities. In Proceedings - IEEE 18th International Symposium on High Assurance Systems Engineering, HASE 2017. IEEE Computer Society. 2017. p. 69-76. 7911873. (Proceedings of IEEE International Symposium on High Assurance Systems Engineering). https://doi.org/10.1109/HASE.2017.18