Skip to main content
SpringerLink
Log in

Improving Software Security Using Search-Based Refactoring

  • Conference paper
Search Based Software Engineering (SSBSE 2012)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 7515))

Included in the following conference series:

Abstract

Security metrics have been proposed to assess the security of software applications based on the principles of “reduce attack surface” and “grant least privilege.” While these metrics can help inform the developer in choosing designs that provide better security, they cannot on their own show exactly how to make an application more secure. Even if they could, the onerous task of updating the software to improve its security is left to the developer. In this paper we present an approach to automated improvement of software security based on search-based refactoring. We use the search-based refactoring platform, Code-Imp, to refactor the code in a fully-automated fashion. The fitness function used to guide the search is based on a number of software security metrics. The purpose is to improve the security of the software immediately prior to its release and deployment. To test the value of this approach we apply it to an industrial banking application that has a strong security dimension, namely Wife. The results show an average improvement of 27.5% in the metrics examined. A more detailed analysis reveals that 15.5% of metric improvement results in real improvement in program security, while the remaining 12% of metric improvement is attributable to hitherto undocumented weaknesses in the security metrics themselves.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Alshammari, B., Fidge, C., Corney, D.: Security metrics for object-oriented class designs. In: Proceedings of the International Conference on Quality Software, pp. 11–20. IEEE (2009)

    Google Scholar 

  2. Alshammari, B., Fidge, C., Corney, D.: A hierarchical security assessment model for object-oriented programs. In: Proceedings of the International Conference on Quality Software, pp. 218–227. IEEE, Los Alamitos (2011)

    Google Scholar 

  3. Alshammari, B., Fidge, C.J., Corney, D.: Assessing the impact of refactoring on security-critical object-oriented designs. In: Han, J., Thu, T.D. (eds.) Proceedings of the Asia Pacific Software Engineering Conference, pp. 186–195. IEEE Computer Society (2010)

    Google Scholar 

  4. Alshammari, B., Fidge, C.J., Corney, D.: Security metrics for object-oriented designs. In: Nobel, J., Fidge, C.J. (eds.) The 21st Australian Software Engineering Conference, pp. 55–64. IEEE, Hyatt Regency (2010)

    Chapter  Google Scholar 

  5. Bansiya, J., Davis, C.: A hierarchical model for object-oriented design quality assessment. IEEE Transactions on Software Engineering 28, 4–17 (2002)

    Article  Google Scholar 

  6. Bishop, M.A.: The Art and Science of Computer Security. Addison-Wesley Longman Publishing Co., Inc., Boston (2002)

    Google Scholar 

  7. Blackwell, C.: A security architecture to protect against the insider threat from damage, fraud and theft. In: Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research, CSIIRW 2009, pp. 45:1–45:4. ACM, New York (2009)

    Google Scholar 

  8. Chowdhury, I., Chan, B., Zulkernine, M.: Security metrics for source code structures. In: Proceedings of the Fourth International Workshop on Software Engineering for Secure Systems, SESS 2008, pp. 57–64. ACM, New York (2008)

    Chapter  Google Scholar 

  9. Fowler, M.: Refactoring: Improving the Design of Existing Code. Addison-Wesley, Boston (1999)

    Google Scholar 

  10. Harman, M., Tratt, L.: Pareto optimal search based refactoring at the design level. In: Proceedings of the 9th Annual Conference on Genetic and Evolutionary Computation, GECCO 2007, pp. 1106–1113. ACM, New York (2007)

    Chapter  Google Scholar 

  11. Hemati Moghadam, I., Ó Cinnéide, M.: Code-Imp: a tool for automated search-based refactoring. In: Proceedings of the 4th Workshop on Refactoring Tools, WRT 2011, pp. 41–44. ACM, New York (2011)

    Chapter  Google Scholar 

  12. Wife swift application. In: Wife Swift Application. Prowide Open Source SWIFT (2012), http://www.prowidesoftware.com

  13. Jensen, A., Cheng, B.: On the use of genetic programming for automated refactoring and the introduction of design patterns. In: Proceedings of the Conference on Genetic and Evolutionary Computation, pp. 1341–1348. ACM (July 2010)

    Google Scholar 

  14. Kilic, H., Koc, E., Cereci, I.: Search-Based Parallel Refactoring Using Population-Based Direct Approaches. In: Cohen, M.B., Ó Cinnéide, M. (eds.) SSBSE 2011. LNCS, vol. 6956, pp. 271–272. Springer, Heidelberg (2011)

    Chapter  Google Scholar 

  15. McGraw, G.: Software Security: Building Security In. Addison-Wesley Professional (2006)

    Google Scholar 

  16. Hemati Moghadam, I., Ó Cinnéide, M.: Automated refactoring using design differencing. In: Proceedings of the European Conference on Software Maintenance and Reengineering, pp. 43–52. IEEE Computer Society (2012)

    Google Scholar 

  17. Ó Cinnéide, M., Boyle, D., Hemati Moghadam, I.: Automated refactoring for testability. In: Proceedings of the International Conference on Software Testing, Verification and Validation Workshops (March 2011)

    Google Scholar 

  18. O’Keeffe, M., Ó Cinnéide, M.: Automated design improvement by example. In: Proceeding of the Conference on New Trends in Software Methodologies, Tools and Techniques, pp. 315–329 (2007)

    Google Scholar 

  19. O’Keeffe, M., Ó Cinnéide, M.: Search-based refactoring: an empirical study. Journal of Software Maintenance and Evolution 20(5), 345–364 (2008)

    Google Scholar 

  20. O’Keeffe, M., Ó Cinnéide, M.: Search-based refactoring for software maintenance. Journal of Systems and Software 81(4), 502–516 (2008)

    Article  Google Scholar 

  21. Seng, O., Stammel, J., Burkhart, D.: Search-based determination of refactorings for improving the class structure of object-oriented systems. In: GECCO 2012, pp. 1909–1916. ACM, Seattle (2006)

    Google Scholar 

  22. Smith, S.F., Thober, M.: Refactoring programs to secure information flows. In: Proceedings of the Workshop on Programming Languages and Analysis for Security, PLAS 2006, pp. 75–84. ACM, New York (2006)

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. IBM Dublin Software Lab., Ireland

    Shadi Ghaith

  2. School of Computer Science, University College Dublin, Ireland

    Mel Ó Cinnéide

Authors
  1. Shadi Ghaith
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Mel Ó Cinnéide
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Department of Computer Science, The University of Sheffield, Regent Court, 211 Portobello, S1 4DP, Sheffield, UK

    Gordon Fraser

  2. Department of Research and Graduate Studies, State University of Ceara, Av. Parajana 1700, 60714-903, Fortaleza, CE, Brazil

    Jerffeson Teixeira de Souza

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Ghaith, S., Ó Cinnéide, M. (2012). Improving Software Security Using Search-Based Refactoring. In: Fraser, G., Teixeira de Souza, J. (eds) Search Based Software Engineering. SSBSE 2012. Lecture Notes in Computer Science, vol 7515. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33119-0_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-33119-0_10

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-33118-3

  • Online ISBN: 978-3-642-33119-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation