A hierarchical security assessment model for object-oriented programs
Contributor(s) |
Hierons, Rob Merayo, Mercedes |
---|---|
Date(s) |
01/07/2011
|
Abstract |
We present a hierarchical model for assessing an object-oriented program's security. Security is quantified using structural properties of the program code to identify the ways in which 'classified' data values may be transferred between objects. The model begins with a set of low-level security metrics based on traditional design characteristics of object-oriented classes, such as data encapsulation, cohesion and coupling. These metrics are then used to characterise higher-level properties concerning the overall readability and writability of classified data throughout the program. In turn, these metrics are then mapped to well-known security design principles such as 'assigning the least privilege' and 'reducing the size of the attack surface'. Finally, the entire program's security is summarised as a single security index value. These metrics allow different versions of the same program, or different programs intended to perform the same task, to be compared for their relative security at a number of different abstraction levels. The model is validated via an experiment involving five open source Java programs, using a static analysis tool we have developed to automatically extract the security metrics from compiled Java bytecode. |
Format |
application/pdf |
Identifier | |
Publisher |
IEEE Computer Society |
Relation |
http://eprints.qut.edu.au/41590/1/PID1821153.pdf http://antares.sip.ucm.es/qsic2011/ Alshammari, Bandar, Fidge, Colin J., & Corney, Diane (2011) A hierarchical security assessment model for object-oriented programs. In Hierons, Rob & Merayo, Mercedes (Eds.) Proceedings of the 11th International Conference on Quality Software (QSIC 2011), IEEE Computer Society, University Complutense of Madrid, Madrid. http://purl.org/au-research/grants/ARC/LP0776344 |
Rights |
Copyright 2011 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE. |
Source |
Faculty of Science and Technology; Information Security Institute |
Keywords | #080303 Computer System Security #080309 Software Engineering #Object-orientation #Software Quality #Software Security #Software Metrics #Security Design Principles |
Type |
Conference Paper |