ABSTRACT
We propose an interactive approach where analysts reason about the security of a system using an abstraction of its runtime structure, as opposed to looking at the code. They interactively refine a hierarchical object graph, set security properties on abstract objects or edges, query the graph, and investigate the results by studying highlighted objects or edges or tracing to the code. Behind the scenes, an inference analysis and an extraction analysis maintain the soundness of the graph with respect to the code.
- M. Abi-Antoun and J. Aldrich. Static Extraction and Conformance Analysis of Hierarchical Runtime Architectural Structure using Annotations. In OOPSLA, 2009. Google ScholarDigital Library
- J. Aldrich and C. Chambers. Ownership Domains: Separating Aliasing Policy from Mechanism. In ECOOP, 2004.Google ScholarCross Ref
- F. Long, D. Mohindra, R. C. Seacord, D. F. Sutherland, and D. Svoboda. The CERT Oracle Secure Coding Standard for Java. Addison-Wesley, 2011. Google ScholarDigital Library
- SEI CERT Oracle Coding Standard for Java, 2016. www.securecoding.cert.org/confluence/display/java/.Google Scholar
- R. Vanciu and M. Abi-Antoun. Finding architectural flaws using constraints. In ASE, 2013.Google ScholarDigital Library
Index Terms
- Abstract runtime structure for reasoning about security: poster
Recommendations
Object-Oriented Structure Refinement -- A Graph Transformational Approach
In UML, the general structure of objects, their attributes and relations are modeled as a class graph, and an instance of a class graph is defined as an object graph. The class graph of a system determines the general properties of objects and how ...
Static extraction and conformance analysis of hierarchical runtime architectural structure using annotations
OOPSLA '09An object diagram makes explicit the object structures that are only implicit in a class diagram. An object diagram may be missing and must extracted from the code. Alternatively, an existing diagram may be inconsistent with the code, and must be ...
Are Object Graphs Extracted Using Abstract Interpretation Significantly Different from the Code?
SCAM '14: Proceedings of the 2014 IEEE 14th International Working Conference on Source Code Analysis and ManipulationTo evolve object-oriented code, one must understand both the code structure in terms of classes, and the runtime structure in terms of abstractions of objects that are being created and relations between those objects. To help with this understanding, ...
Comments