89 results for Dudeck, Diane
Abstract:
Refactoring focuses on improving the reusability, maintainability and performance of programs. However, the impact of refactoring on the security of a given program has received little attention. In this work, we focus on the design of object-oriented applications and use metrics to assess the impact of a number of standard refactoring rules on their security by evaluating the metrics before and after refactoring. This assessment tells us which refactoring steps can increase the security level of a given program from the point of view of potential information flow, allowing application designers to improve their system’s security at an early stage.
Abstract:
THE Little Dog Laughed. By Douglas Carter Beane. Queensland Theatre Company. Cremorne Theatre, Brisbane. February 11. DOUGLAS Carter Beane's The Little Dog Laughed is a comedy about truth and its consequences. Set mainly in New York, the story follows film star Mitchell Green's developing relationship with Alex, a rentboy he calls one night while drunk and lonely in a hotel room. Scenes in which Mitchell and Alex test the strength of something they seem to have found together are punctuated by monologues from Mitchell's agent Diane and Alex's ex-girlfriend Ellen. We start to see glimpses of their separate lives, what their shared life might look like and, eventually, a crisis that brings all four characters together in the pursuit of a somewhat conflicted set of ideas about what happiness is and what it takes to be happy.
Abstract:
In this chapter we present a case study set in Beloi, a fishing village located on Ataúro Island, 30 km across the sea from Díli, capital of Timor-Leste (East-Timor). We explore the tension between tourism development, food security and marine conservation in a developing country context. In order to better understand the relationships between the social, ecological and economic issues that arise in tourism planning we use an approach and associated methodology based on storytelling, complexity theory and concept mapping. Through testing scenarios with this methodology we hope to evaluate which trade-offs are acceptable to local people in return for the hoped-for economic boost from increased tourist visitation and associated developments.
Abstract:
Ureaplasma species are the bacteria most frequently isolated from human amniotic fluid in asymptomatic pregnancies and placental infections. Ureaplasma parvum serovars 3 and 6 are the most prevalent serovars isolated from men and women. We hypothesized that the effects on the fetus and chorioamnion of chronic ureaplasma infection in amniotic fluid are dependent on the serovar, dose, and variation of the ureaplasma multiple banded antigen (MBA) and mba gene. We injected high- or low-dose U. parvum serovar 3, serovar 6, or vehicle intra-amniotically into pregnant ewes at 55 days of gestation (term = 150 days) and examined the chorioamnion, amniotic fluid, and fetal lung tissue of animals delivered by cesarean section at 125 days of gestation. Variation of the multiple banded antigen/mba generated by serovar 3 and serovar 6 ureaplasmas in vivo were compared by PCR assay and Western blot. Ureaplasma inoculums demonstrated only one (serovar 3) or two (serovar 6) MBA variants in vitro, but numerous antigenic variants were generated in vivo: serovar 6 passage 1 amniotic fluid cultures contained more MBA size variants than serovar 3 (P = 0.005), and ureaplasma titers were inversely related to the number of variants (P = 0.025). The severity of chorioamnionitis varied between animals. Low numbers of mba size variants (five or fewer) within amniotic fluid were associated with severe inflammation, whereas the chorioamnion from animals with nine or more mba variants showed little or no inflammation. These differences in chorioamnion inflammation may explain why not all women with in utero Ureaplasma spp. experience adverse pregnancy outcomes.
Abstract:
We present a hierarchical model for assessing an object-oriented program's security. Security is quantified using structural properties of the program code to identify the ways in which ‘classified’ data values may be transferred between objects. The model begins with a set of low-level security metrics based on traditional design characteristics of object-oriented classes, such as data encapsulation, cohesion and coupling. These metrics are then used to characterise higher-level properties concerning the overall readability and writability of classified data throughout the program. In turn, these metrics are then mapped to well-known security design principles such as ‘assigning the least privilege’ and ‘reducing the size of the attack surface’. Finally, the entire program's security is summarised as a single security index value. These metrics allow different versions of the same program, or different programs intended to perform the same task, to be compared for their relative security at a number of different abstraction levels. The model is validated via an experiment involving five open source Java programs, using a static analysis tool we have developed to automatically extract the security metrics from compiled Java bytecode.
Abstract:
Causative genetic variants have to date been identified for only a small proportion of familial colorectal cancer (CRC). While conditions such as Familial Adenomatous Polyposis and Lynch syndrome have well defined genetic causes, the search for variants underlying the remainder of familial CRC is plagued by genetic heterogeneity. The recent identification of families with a heritable predisposition to malignancies arising through the serrated pathway (familial serrated neoplasia or Jass syndrome) provides an opportunity to study a subset of familial CRC in which heterogeneity may be greatly reduced. A genome-wide linkage screen was performed on a large family displaying a dominantly-inherited predisposition to serrated neoplasia genotyped using the Affymetrix GeneChip Human Mapping 10 K SNP Array. Parametric and nonparametric analyses were performed and resulting regions of interest, as well as previously reported CRC susceptibility loci at 3q22, 7q31 and 9q22, were followed up by finemapping in 10 serrated neoplasia families. Genome-wide linkage analysis revealed regions of interest at 2p25.2-p25.1, 2q24.3-q37.1 and 8p21.2-q12.1. Finemapping linkage and haplotype analyses identified 2q32.2-q33.3 as the region most likely to harbour linkage, with heterogeneity logarithm of the odds (HLOD) 2.09 and nonparametric linkage (NPL) score 2.36 (P = 0.004). Five primary candidate genes (CFLAR, CASP10, CASP8, FZD7 and BMPR2) were sequenced and no segregating variants identified. There was no evidence of linkage to previously reported loci on chromosomes 3, 7 and 9.
Abstract:
Defence organisations perform information security evaluations to confirm that electronic communications devices are safe to use in security-critical situations. Such evaluations include tracing all possible dataflow paths through the device, but this process is tedious and error-prone, so automated reachability analysis tools are needed to make security evaluations faster and more accurate. Previous research has produced a tool, SIFA, for dataflow analysis of basic digital circuitry, but it cannot analyse dataflow through microprocessors embedded within the circuit since this depends on the software they run. We have developed a static analysis tool that produces SIFA compatible dataflow graphs from embedded microcontroller programs written in C. In this paper we present a case study which shows how this new capability supports combined hardware and software dataflow analyses of a security critical communications device.
Abstract:
Data flow analysis techniques can be used to help assess threats to data confidentiality and integrity in security critical program code. However, a fundamental weakness of static analysis techniques is that they overestimate the ways in which data may propagate at run time. Discounting large numbers of these false-positive data flow paths wastes an information security evaluator's time and effort. Here we show how to automatically eliminate some false-positive data flow paths by precisely modelling how classified data is blocked by certain expressions in embedded C code. We present a library of detailed data flow models of individual expression elements and an algorithm for introducing these components into conventional data flow graphs. The resulting models can be used to accurately trace byte-level or even bit-level data flow through expressions that are normally treated as atomic. This allows us to identify expressions that safely downgrade their classified inputs and thereby eliminate false-positive data flow paths from the security evaluation process. To validate the approach we have implemented and tested it in an existing data flow analysis toolkit.
Abstract:
The existing Collaborative Filtering (CF) technique that has been widely applied by e-commerce sites requires a large amount of ratings data to make meaningful recommendations. It is not directly applicable for recommending products that are not frequently purchased by users, such as cars and houses, as it is difficult to collect rating data for such products from the users. Many of the e-commerce sites for infrequently purchased products are still using basic search-based techniques whereby the products that match with the attributes given in the target user's query are retrieved and recommended to the user. However, search-based recommenders cannot provide personalized recommendations. For different users, the recommendations will be the same if they provide the same query regardless of any difference in their online navigation behaviour. This paper proposes to integrate collaborative filtering and search-based techniques to provide personalized recommendations for infrequently purchased products. Two different techniques are proposed, namely CFRRobin and CFAg Query. Instead of using the target user's query to search for products as normal search based systems do, the CFRRobin technique uses the products in which the target user's neighbours have shown interest as queries to retrieve relevant products, and then recommends to the target user a list of products by merging and ranking the returned products using the Round Robin method. The CFAg Query technique uses the products that the user's neighbours have shown interest in to derive an aggregated query, which is then used to retrieve products to recommend to the target user. Experiments conducted on a real e-commerce dataset show that both the proposed techniques CFRRobin and CFAg Query perform better than the standard Collaborative Filtering (CF) and the Basic Search (BS) approaches, which are widely applied by the current e-commerce applications. 
The CFRRobin and CFAg Query approaches also outperform the existing query expansion (QE) technique that was proposed for recommending infrequently purchased products.
Abstract:
This paper describes in detail our Security-Critical Program Analyser (SCPA). SCPA is used to assess the security of a given program based on its design or source code with regard to data flow-based metrics. Furthermore, it allows software developers to generate a UML-like class diagram of their program and annotate its confidential classes, methods and attributes. SCPA is also capable of producing Java source code for the generated design of a given program. This source code can then be compiled and the resulting Java bytecode program can be used by the tool to assess the program's overall security based on our security metrics.
Abstract:
Refactoring is a common approach to producing better quality software. Its impact on many software quality properties, including reusability, maintainability and performance, has been studied and measured extensively. However, its impact on the information security of programs has received relatively little attention. In this work, we assess the impact of a number of the most common code-level refactoring rules on data security, using security metrics that are capable of measuring security from the viewpoint of potential information flow. The metrics are calculated for a given Java program using a static analysis tool we have developed to automatically analyse compiled Java bytecode. We ran our Java code analyser on various programs which were refactored according to each rule. New values of the metrics for the refactored programs then confirmed that the code changes had a measurable effect on information security.
Abstract:
Environmental issues continue to capture international headlines and remain the subject of intense intellectual, political and public debate. As a result, environmental law is widely recognised as the fastest growing area of international jurisprudence. This, combined with the rapid expansion of environmental agreements and policies, has created a burgeoning landscape of administrative, regulatory and judicial regimes. Emerging from these developments are increases in environmental offences, and more recently environmental crimes. The judicial processing of environmental or ‘green’ crimes is rapidly developing across many jurisdictions. Since 1979, Australia has played a lead role in criminal justice processing of environment offences through the New South Wales Land and Environment Court (NSW LEC). This article draws on case data, observations and interviews with court personnel, to examine the ways in which environmental justice is now administered through the existing court structures, and how it has changed since the Court’s inception.