Published in: Automated Software Engineering 2/2021

01.11.2021

Prioritizing refactorings for security-critical code

Authors: Chaima Abid, Vahid Alizadeh, Marouane Kessentini, Mouna Dhaouadi, Rick Kazman


Abstract

It is vitally important to fix quality issues in security-critical code, as they may become sources of vulnerabilities in the future. These quality issues may increase the attack surface if they are not quickly refactored. In this paper, we use the history of vulnerabilities and security bug reports along with a set of keywords to automatically identify a project’s security-critical files based on its source code, bug reports, pull-request descriptions and commit messages. After identifying these security-related files, we estimate their risk using static analysis to check their coupling with other project components. Then, our approach recommends refactorings that prioritize fixing quality issues in these security-critical files to improve quality attributes and remove identified code smells. To find a trade-off between the quality issues and the security-critical files, we adopted a multi-objective search strategy. We evaluated our approach on six open source projects and one industrial system to check the correctness and relevance of the refactorings targeting security-critical code. The results of our survey with practitioners support our hypothesis that quality and security need to be considered together to provide relevant refactoring recommendations.
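The pipeline the abstract sketches (keyword-based flagging of security-critical files from development artefacts, coupling-weighted risk from static analysis, and a multi-objective trade-off against code smells) as an added toy example; this is not the authors' tool, and the keyword stems, commit messages, bug reports, dependency graph and smell counts are all constructed sample data.

```python
"""Toy version of the prioritization pipeline described in the abstract.
Added example, not the authors' implementation; all inputs are constructed."""
from collections import defaultdict

# Constructed keyword stems; matched as substrings of lower-cased words so
# that "auth" also covers "authentication" and "inject" covers "injection".
SECURITY_KEYWORDS = {"auth", "vulnerab", "inject", "sanitiz", "password",
                     "overflow", "xss", "crypto"}

# Constructed development artefacts: each references the files it touched.
COMMITS = [
    {"text": "Fix authentication bypass in session validation",
     "files": ["auth/Session.java", "auth/Token.java"]},
    {"text": "Refactor report rendering layout", "files": ["ui/Report.java"]},
    {"text": "Sanitize user input before SQL query to stop injection",
     "files": ["db/Query.java"]},
]
BUG_REPORTS = [
    {"text": "Password hash compared with == allows timing attack",
     "files": ["auth/Token.java"]},
    {"text": "Report page shows wrong date format", "files": ["ui/Report.java"]},
]
# Constructed static-analysis output: file -> files it depends on.
DEPENDENCIES = {
    "auth/Session.java": {"auth/Token.java", "db/Query.java"},
    "auth/Token.java": {"util/Hash.java"},
    "db/Query.java": {"util/Hash.java"},
    "ui/Report.java": {"db/Query.java", "auth/Session.java"},
    "util/Hash.java": set(),
}
# Constructed code-smell counts per file (as a smell detector would report).
SMELLS = {"auth/Session.java": 5, "auth/Token.java": 1, "db/Query.java": 3,
          "ui/Report.java": 6, "util/Hash.java": 2}


def security_mentions(text, keywords=SECURITY_KEYWORDS):
    """Return the keyword stems that occur in any word of `text`."""
    words = text.lower().split()
    return {k for k in keywords if any(k in w for w in words)}


def identify_security_critical(artefacts, keywords=SECURITY_KEYWORDS):
    """Map file -> number of security keyword hits across its artefacts."""
    scores = defaultdict(int)
    for a in artefacts:
        hits = security_mentions(a["text"], keywords)
        for f in a["files"]:
            scores[f] += len(hits)
    return {f: s for f, s in scores.items() if s > 0}


def coupling(deps):
    """Fan-in + fan-out for every file in the dependency graph."""
    fan_in = defaultdict(int)
    for f, targets in deps.items():
        for g in targets:
            fan_in[g] += 1
    return {f: len(deps.get(f, ())) + fan_in[f] for f in set(deps) | set(fan_in)}


def risk_scores(security, coupling_scores):
    """Risk grows with both security history and how widely a file is coupled."""
    return {f: s * (1 + coupling_scores.get(f, 0)) for f, s in security.items()}


def pareto_front(candidates):
    """Keep candidates not dominated on (smells, risk), both to be maximised."""
    front = []
    for c in candidates:
        dominated = any(o["smells"] >= c["smells"] and o["risk"] >= c["risk"]
                        and (o["smells"], o["risk"]) != (c["smells"], c["risk"])
                        for o in candidates)
        if not dominated:
            front.append(c)
    return front


def prioritize(commits, bug_reports, deps, smells):
    """Rank refactoring targets: Pareto-optimal files, highest risk first."""
    security = identify_security_critical(commits + bug_reports)
    risk = risk_scores(security, coupling(deps))
    candidates = [{"file": f, "smells": n, "risk": risk.get(f, 0)}
                  for f, n in smells.items()]
    front = sorted(pareto_front(candidates),
                   key=lambda c: (c["risk"], c["smells"]), reverse=True)
    return [c["file"] for c in front]


def rank_by_smells_only(smells):
    """Baseline that ignores security: most smells first."""
    return sorted(smells, key=smells.get, reverse=True)


if __name__ == "__main__":
    print("security-aware:", prioritize(COMMITS, BUG_REPORTS, DEPENDENCIES, SMELLS))
    print("smells only:   ", rank_by_smells_only(SMELLS))
```

On this sample the smell-only baseline would refactor `ui/Report.java` first, while the security-aware ranking moves the heavily coupled, security-flagged `db/Query.java` to the top.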


Metadata
Title
Prioritizing refactorings for security-critical code
Authors
Chaima Abid
Vahid Alizadeh
Marouane Kessentini
Mouna Dhaouadi
Rick Kazman
Publication date
01.11.2021
Publisher
Springer US
Published in
Automated Software Engineering / Issue 2/2021
Print ISSN: 0928-8910
Electronic ISSN: 1573-7535
DOI
https://doi.org/10.1007/s10515-021-00281-2
