A hierarchical security assessment model for object-oriented programs


Author(s): Alshammari, Bandar; Fidge, Colin J.; Corney, Diane
Contributor(s)

Hierons, Rob

Merayo, Mercedes

Date(s)

01/07/2011

Abstract

We present a hierarchical model for assessing an object-oriented program's security. Security is quantified using structural properties of the program code to identify the ways in which 'classified' data values may be transferred between objects. The model begins with a set of low-level security metrics based on traditional design characteristics of object-oriented classes, such as data encapsulation, cohesion and coupling. These metrics are then used to characterise higher-level properties concerning the overall readability and writability of classified data throughout the program. In turn, these metrics are then mapped to well-known security design principles such as 'assigning the least privilege' and 'reducing the size of the attack surface'. Finally, the entire program's security is summarised as a single security index value. These metrics allow different versions of the same program, or different programs intended to perform the same task, to be compared for their relative security at a number of different abstraction levels. The model is validated via an experiment involving five open source Java programs, using a static analysis tool we have developed to automatically extract the security metrics from compiled Java bytecode.

Format

application/pdf

Identifier

http://eprints.qut.edu.au/41590/

Publisher

IEEE Computer Society

Relation

http://eprints.qut.edu.au/41590/1/PID1821153.pdf

http://antares.sip.ucm.es/qsic2011/

Alshammari, Bandar, Fidge, Colin J., & Corney, Diane (2011) A hierarchical security assessment model for object-oriented programs. In Hierons, Rob & Merayo, Mercedes (Eds.) Proceedings of the 11th International Conference on Quality Software (QSIC 2011), IEEE Computer Society, University Complutense of Madrid, Madrid.

http://purl.org/au-research/grants/ARC/LP0776344

Rights

Copyright 2011 IEEE

Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

Source

Faculty of Science and Technology; Information Security Institute

Keywords #080303 Computer System Security #080309 Software Engineering #Object-orientation #Software Quality #Software Security #Software Metrics #Security Design Principles

Type

Conference Paper