Published in: Software and Systems Modeling 4/2018

12-09-2016 | Regular Paper

An approach to clone detection in sequence diagrams and its application to security analysis

Authors: Manar H. Alalfi, Elizabeth P. Antony, James R. Cordy

Abstract

Duplication in software systems is an important issue in software quality assurance. While many methods for software clone detection in source code and structural models have been described in the literature, little has been done on similarity in the dynamic behaviour of interactive systems. In this paper, we present an approach to identifying near-miss interaction clones in reverse-engineered UML sequence diagrams. Our goal is to identify patterns of interaction (“conversations”) that can be used to characterize and abstract the run-time behaviour of web applications and other interactive systems. In order to leverage existing robust near-miss code clone technology, our approach is text-based, working on the level of XMI, the standard interchange serialization for UML. Clone detection in UML behavioural models, such as sequence diagrams, presents a number of challenges. First, it is not clear how to break a continuous stream of interaction between lifelines (representing the objects or actors in the system) into meaningful conversational units. Second, unlike programming languages, the XMI text representation for UML is highly non-local, using attributes to reference related elements in the model file remotely. In this work, we use a set of contextualizing source transformations on the XMI text representation to localize related elements, exposing the hidden hierarchical structure of the model and allowing us to granularize behavioural interactions into conversational units. Then we adapt NICAD, a robust near-miss code clone detection tool, to help us identify conversational clones in reverse-engineered behavioural models. These conversational clones are then analysed to find worrisome interactions that may indicate security access violations.
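The pipeline the abstract outlines (localize id references, split into conversational units, compare units for near-miss similarity) can be sketched as follows; this is an added example, not code from the paper or from NICAD. The XMI-like element and attribute names are a constructed simplification, the rule that a unit starts at each message sent by the actor lifeline is an assumption, and Python's `difflib` stands in for NICAD's line-based comparison.

```python
import difflib
import xml.etree.ElementTree as ET
from itertools import combinations

# Constructed, simplified XMI-like model: a message names events by id,
# and each event names the lifeline it covers by id (two hops away).
XMI = """<model>
 <lifeline id="l1" name="Browser"/><lifeline id="l2" name="Server"/><lifeline id="l3" name="DB"/>
 <event id="e1" covered="l1"/><event id="e2" covered="l2"/><event id="e3" covered="l3"/>
 <message name="post" send="e1" recv="e2"/>
 <message name="selectSession" send="e2" recv="e3"/>
 <message name="selectRole" send="e2" recv="e3"/>
 <message name="updateUser" send="e2" recv="e3"/><message name="render" send="e2" recv="e1"/>
 <message name="post" send="e1" recv="e2"/>
 <message name="selectSession" send="e2" recv="e3"/>
 <message name="updateUser" send="e2" recv="e3"/><message name="render" send="e2" recv="e1"/>
 <message name="get" send="e1" recv="e2"/>
 <message name="selectPage" send="e2" recv="e3"/><message name="render" send="e2" recv="e1"/>
</model>"""

def localize(xmi_text):
    """Resolve id references so each message becomes one self-contained line."""
    root = ET.fromstring(xmi_text)
    names = {l.get("id"): l.get("name") for l in root.iter("lifeline")}
    covers = {e.get("id"): names[e.get("covered")] for e in root.iter("event")}
    return [f'{covers[m.get("send")]} -> {covers[m.get("recv")]} : {m.get("name")}'
            for m in root.iter("message")]

def conversations(lines, actor="Browser"):
    """Assumed granularity: a new unit starts at each message sent by the actor."""
    units = []
    for line in lines:
        if line.startswith(actor + " ->") or not units:
            units.append([])
        units[-1].append(line)
    return units

def near_miss_pairs(units, threshold=0.7):
    """Return (i, j, similarity, differing lines) for similar but non-identical units."""
    pairs = []
    for (i, a), (j, b) in combinations(enumerate(units), 2):
        sim = difflib.SequenceMatcher(None, a, b).ratio()
        if threshold <= sim < 1.0:
            diff = [d for d in difflib.ndiff(a, b) if d[0] in "+-"]
            pairs.append((i, j, round(sim, 3), diff))
    return pairs

if __name__ == "__main__":
    print(near_miss_pairs(conversations(localize(XMI))))
```

The single reported pair differs only in the `selectRole` message, which is the kind of near-miss difference an analyst would review as a possible access-control gap.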

Metadata
Title: An approach to clone detection in sequence diagrams and its application to security analysis
Authors: Manar H. Alalfi, Elizabeth P. Antony, James R. Cordy
Publication date: 12-09-2016
Publisher: Springer Berlin Heidelberg
Published in: Software and Systems Modeling / Issue 4/2018
Print ISSN: 1619-1366
Electronic ISSN: 1619-1374
DOI: https://doi.org/10.1007/s10270-016-0557-6
