TY - GEN
T1 - Correlation analysis among Java nano-patterns and software vulnerabilities
AU - Sultana, Kazi Zakia
AU - Deo, Ajay
AU - Williams, Byron J.
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/4/25
Y1 - 2017/4/25
N2 - Ensuring software security is essential for developing reliable software. Software can suffer from security problems due to weaknesses in code constructs introduced during development. Our goal is to relate software security to different code constructs so that developers can become aware very early of coding weaknesses that might be related to a software vulnerability. In this study, we chose Java nano-patterns as code constructs; these are method-level patterns defined on the attributes of Java methods. This study aims to find the correlation between software vulnerability and method-level structural code constructs known as nano-patterns. For our first case study, we identified the vulnerable methods in 39 versions of three major releases of Apache Tomcat. We extracted nano-patterns from the affected methods of these releases. We also extracted nano-patterns from the non-vulnerable methods of Apache Tomcat, and for this we selected the last version of each of the three major releases (6.0.45 for release 6, 7.0.69 for release 7 and 8.0.33 for release 8) as the non-vulnerable versions. Then, we compared the nano-pattern distributions in vulnerable versus non-vulnerable methods. In our second case study, we extracted nano-patterns from the affected methods of three vulnerable J2EE web applications: Blueblog 1.0, Personalblog 1.2.6 and Roller 0.9.9, all of which were deliberately made vulnerable for testing purposes. We found that some nano-patterns, such as objCreator, staticFieldReader, typeManipulator, looper, exceptions, localWriter and arrReader, are more prevalent in affected methods, whereas others, such as straightLine, are more prevalent in non-affected methods. We conclude that nano-patterns can be used as an indicator of the vulnerability-proneness of code.
AB - Ensuring software security is essential for developing reliable software. Software can suffer from security problems due to weaknesses in code constructs introduced during development. Our goal is to relate software security to different code constructs so that developers can become aware very early of coding weaknesses that might be related to a software vulnerability. In this study, we chose Java nano-patterns as code constructs; these are method-level patterns defined on the attributes of Java methods. This study aims to find the correlation between software vulnerability and method-level structural code constructs known as nano-patterns. For our first case study, we identified the vulnerable methods in 39 versions of three major releases of Apache Tomcat. We extracted nano-patterns from the affected methods of these releases. We also extracted nano-patterns from the non-vulnerable methods of Apache Tomcat, and for this we selected the last version of each of the three major releases (6.0.45 for release 6, 7.0.69 for release 7 and 8.0.33 for release 8) as the non-vulnerable versions. Then, we compared the nano-pattern distributions in vulnerable versus non-vulnerable methods. In our second case study, we extracted nano-patterns from the affected methods of three vulnerable J2EE web applications: Blueblog 1.0, Personalblog 1.2.6 and Roller 0.9.9, all of which were deliberately made vulnerable for testing purposes. We found that some nano-patterns, such as objCreator, staticFieldReader, typeManipulator, looper, exceptions, localWriter and arrReader, are more prevalent in affected methods, whereas others, such as straightLine, are more prevalent in non-affected methods. We conclude that nano-patterns can be used as an indicator of the vulnerability-proneness of code.
KW - Nano-Patterns
KW - Security Vulnerabilities
KW - Software Patterns
KW - Static Analysis
UR - http://www.scopus.com/inward/record.url?scp=85019205069&partnerID=8YFLogxK
U2 - 10.1109/HASE.2017.18
DO - 10.1109/HASE.2017.18
M3 - Conference contribution
AN - SCOPUS:85019205069
T3 - Proceedings of IEEE International Symposium on High Assurance Systems Engineering
SP - 69
EP - 76
BT - Proceedings - IEEE 18th International Symposium on High Assurance Systems Engineering, HASE 2017
PB - IEEE Computer Society
T2 - 18th IEEE International Symposium on High Assurance Systems Engineering, HASE 2017
Y2 - 12 January 2017 through 14 January 2017
ER -