Proceedings Article 10.1109/HASE.2017.18
Correlation Analysis among Java Nano-Patterns and Software Vulnerabilities
Kazi Zakia Sultana, Ajay Deo, Byron J. Williams +2 more
- 01 Jan 2017
pp 69-76
TL;DR: Some nano-patterns (objCreator, staticFieldReader, typeManipulator, looper, exceptions, localWriter, arrReader) are more prevalent in vulnerable methods, whereas others such as straightLine are more common in non-vulnerable methods.
Abstract: Ensuring software security is essential for developing reliable software. Software can suffer from security problems due to weaknesses in the code constructs written during development. Our goal is to relate software security to different code constructs so that developers can become aware, early on, of coding weaknesses that might be related to a software vulnerability. In this study, we chose Java nano-patterns as the code constructs: method-level patterns defined on the attributes of Java methods. The study aims to find the correlation between software vulnerabilities and these method-level structural code constructs. For our first case study, we identified the vulnerable methods in 39 versions across three major releases of Apache Tomcat and extracted nano-patterns from the affected methods of these releases. We also extracted nano-patterns from the non-vulnerable methods of Apache Tomcat, selecting the last version of each of the three major releases (6.0.45 for release 6, 7.0.69 for release 7 and 8.0.33 for release 8) as the non-vulnerable versions. We then compared the nano-pattern distributions in vulnerable versus non-vulnerable methods. In our second case study, we extracted nano-patterns from the affected methods of three vulnerable J2EE web applications: Blueblog 1.0, Personalblog 1.2.6 and Roller 0.9.9, all of which were deliberately made vulnerable for testing purposes. We found that some nano-patterns such as objCreator, staticFieldReader, typeManipulator, looper, exceptions, localWriter and arrReader are more prevalent in affected methods, whereas others such as straightLine are more common in non-affected methods. We conclude that nano-patterns can be used as an indicator of the vulnerability-proneness of code.
Citations
Using software metrics for predicting vulnerable classes and methods in Java projects: A machine learning approach
TL;DR: A comparative study of how the selected metrics perform at different granularity levels, which can help developers choose appropriate metrics at the desired level of granularity and provides evidence of their usefulness for vulnerability prediction.
Towards a software vulnerability prediction model using traceable code patterns and software metrics
Kazi Zakia Sultana
- 30 Oct 2017
TL;DR: It is found that patterns have a lower false negative rate and higher recall in detecting vulnerable code than the traditional software metrics, and this is used to build an effective vulnerability prediction model.
A hierarchical model for quantifying software security based on static analysis alerts and software metrics
TL;DR: In this article, a hierarchical security assessment model (SAM) is proposed to assess the internal security level of software products based on low-level indicators, i.e., security-relevant static analysis alerts and software metrics.
Evaluating micro patterns and software metrics in vulnerability prediction
Kazi Zakia Sultana, Byron J. Williams +1 more
- 01 Nov 2017
TL;DR: It is found that micro patterns have higher recall in detecting vulnerable classes than the software metrics, and can be used in developing a vulnerability prediction model to reduce security risks.
Explaining Static Analysis with Rule Graphs
Lisa Nguyen Quang Do, Eric Bodden +1 more
TL;DR: This article introduces the concept of rule graphs, which expose to the developer selected information about the internal rules of data-flow analyses; it implements rule graphs on top of a taint analysis and shows how the graphs can support the above-mentioned tasks.