Abstract
Security metrics have been proposed to assess the security of software applications based on the principles of “reduce attack surface” and “grant least privilege.” While these metrics can help inform the developer in choosing designs that provide better security, they cannot on their own show exactly how to make an application more secure. Even if they could, the onerous task of updating the software to improve its security is left to the developer. In this paper we present an approach to automated improvement of software security based on search-based refactoring. We use the search-based refactoring platform, Code-Imp, to refactor the code in a fully-automated fashion. The fitness function used to guide the search is based on a number of software security metrics. The purpose is to improve the security of the software immediately prior to its release and deployment. To test the value of this approach we apply it to an industrial banking application that has a strong security dimension, namely Wife. The results show an average improvement of 27.5% in the metrics examined. A more detailed analysis reveals that 15.5% of metric improvement results in real improvement in program security, while the remaining 12% of metric improvement is attributable to hitherto undocumented weaknesses in the security metrics themselves.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Ghaith, S., Ó Cinnéide, M. (2012). Improving Software Security Using Search-Based Refactoring. In: Fraser, G., Teixeira de Souza, J. (eds) Search Based Software Engineering. SSBSE 2012. Lecture Notes in Computer Science, vol 7515. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33119-0_10
DOI: https://doi.org/10.1007/978-3-642-33119-0_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33118-3
Online ISBN: 978-3-642-33119-0
eBook Packages: Computer Science (R0)