Development of a static analysis tool to find securty vulnerabilities in java applications

Thesis (Master)--Izmir Institute of Technology, Computer Engineering, Izmir, 2010Includes bibliographical references (leaves: 57-60)Text in English Abstract: Turkish and Englishix, 77 leavesThe scope of this thesis is to enhance a static analysis tool in order to find security limitations in java applications. This will contribute to the removal of some of the existing limitations related with the lack of java source codes. The generally used tools for a static analysis are FindBugs, Jlint, PMD, ESC/Java2, Checkstyle. In this study, it is aimed to utilize PMD static analysis tool which already has been developed to find defects Possible bugs (empty try/catch/finally/switch statements), Dead code (unused local variables, parameters and private methods), Suboptimal code (wasteful String/StringBuffer usage), Overcomplicated expressions (unnecessary if statements for loops that could be while loops), Duplicate code (copied/pasted code means copied/pasted bugs). On the other hand, faults possible unexpected exception, length may be less than zero, division by zero, stream not closed on all paths and should be a static inner class cases were not implemented by PMD static analysis tool. PMD performs syntactic checks and dataflow analysis on program source code.In addition to some detection of clearly erroneous code, many of the .bugs. PMD looks for are stylistic conventions whose violation might be suspicious under some circumstances. For example, having a try statement with an empty catch block might indicate that the caught error is incorrectly discarded. Because PMD includes many detectors for bugs that depend on programming style, PMD includes support for selecting which detectors or groups of detectors should be run. While PMD.s main structure was conserved, boundary overflow vulnerability rules have been implemented to PMD

Model-Driven Development of Interactive Multimedia Applications

The development of highly interactive multimedia applications is still a challenging and complex task. In addition to the application logic, multimedia applications typically provide a sophisticated user interface with integrated media objects. As a consequence, the development process involves different experts for software design, user interface design, and media design. There is still a lack of concepts for a systematic development which integrates these aspects. This thesis provides a model-driven development approach addressing this problem. Therefore it introduces the Multimedia Modeling Language (MML), a visual modeling language supporting a design phase in multimedia application development. The language is oriented on well-established software engineering concepts, like UML 2, and integrates concepts from the areas of multimedia development and model-based user interface development. MML allows the generation of code skeletons from the models. Thereby, the core idea is to generate code skeletons which can be directly processed in multimedia authoring tools. In this way, the strengths of both are combined: Authoring tools are used to perform the creative development tasks while models are used to design the overall application structure and to enable a well-coordinated development process. This is demonstrated using the professional authoring tool Adobe Flash. MML is supported by modeling and code generation tools which have been used to validate the approach over several years in various student projects and teaching courses. Additional prototypes have been developed to demonstrate, e.g., the ability to generate code for different target platforms. Finally, it is discussed how models can contribute in general to a better integration of well-structured software development and creative visual design

Building a cognitive gaming platform : User centric gaming experiences with organic movement

The increasing focus on efficiency and optimizing the way people think and work has led to a new area of serious gaming – cognitive games. The rise of modern web rendering technologies has enabled the creation of visually interesting cognitive games on browser based technologies. The goal of this study was to assess the applicability of using modern browser technologies to create a user centric cognitive gaming platform and the use of mathematical formulas in organic rendering. The approach discusses the current market situation and the products and methods of cognitive gaming as well as the technologies involved. The user centric approach is studied through user experience design as well as graphic design and animation aspects. The reference implementation is project CCA; a user centric cognitive gaming platform built on top of Adobe Flash that uses seemingly organic movement rendering. The technical implementation is discussed from the platform client-server aspect as well as an overview of the structure of the front end architecture. The rendering engine methods go through the 2D –based rendering of mathematical formulas, the use of continuous Bezier curves in organic movement and the creative ways of using Perlin noise to generate textures as well as movement. Optimization of complex rendering and platform building is an essential part of the process. The results show the viability of using modern browser based technologies in the creation of a cognitive gaming platform. Through the use of optimization and creative mathematical solutions, as well as tending to user experience needs a successful product is built. The project platform is used in medical trials, as well as the Science Changing the World Exhibition shown in science centers around Europe. This study stands as a testament to the possibilities of cognitive end user training and a guide on the aspects of building a suc-cessful gaming platform.Tehokkuuden optimointi on johtanut muutoksiin ihmisten ajattelu- ja työtavoissa. Kognitiiviset pelit kehittyivät vakavan pelaamisen alalajiksi vastaamaan tehokkuuden asettamiin tarpeisiin. Samaan aikaan nykyaikaiset selainteknologiat ja renderöintitekniikat ovat kehittyneet sille tasolle, että niillä voidaan luoda visuaalisesti näyttäviä kognitiivisia pelejä. Opinnäytetyön kohteena oli arvioida nykyaikaisten selainteknologioiden sopivuutta käyttäjäkeskeisen kognitiopelialustan luomiseen ja matemaattisten kaavojen käyttöä luonnollisen liikkeen ja muodon renderöinnissä. Tutkimuksen lähtökohtana oli nykyinen markkinatilanne kognitiopelaamisen alueella sekä siihen liittyvät tuotteet ja teknologiat. Käyttäjäkeskeistä lähestymistapaa tutkittiin käyttökokemussuunnittelun sekä graafisen suunnittelun ja animaatioiden kautta. Referenssitoteutuksena kehitettiin projekti CCA, käyttäjäkeskeinen kognitiivisen pelaamisen alusta, joka pohjautuu Adobe Flash-teknologiaan. CCA:n renderöintiteknologia perustuu luonnollisen liikkeen optimointiin. Pelialustan tekninen toteutus on modulaarinen palvelinintegroitu ratkaisu, jonka tarkoituksena on olla mahdollisimman muokattava taustajärjestelmän kautta. Renderöinti perustuu matemaattisten kaavojen 2-ulotteiseen ilmaisuun, jatkuvien Bezier-käyrien sekä erilaisten Perlin-kohinoiden luoviin käyttötapauksiin. Optimointi on elintärkeä osa monimutkaisen renderöintialustan rakentamisessa. Opinnäytetyön tulosten mukaan nykyaikaisilla selainteknologioilla voidaan rakentaa onnistunut kognitiivinen pelialusta. Optimoinnin ja luovien matemaattisten ratkaisujen sekä käyttäjälähtöisen suunnittelun ja toteutuksen avulla luodaan onnistunut tuote. Projektin tuote on käytössä kliinisissä kokeissa Suomessa ja Virossa, ja siitä eriytetty moninpeliversio kiertää tiedekeskuksissa ympäri Eurooppaa. Opinnäytetyön lopputulos on esimerkki käyttäjäkeskeisten kognitiopelien mahdollisuuksista ja toimii ohjeena selainpohjaisen pelialustan kehittämiselle

On the Fault-Proneness of Javascript Code Smells

RÉSUMÉ JavaScript est un langage de script qui a gagné beaucoup en popularité cette dernière décennie. Initialement utilisé exclusivement pour le développementWeb côté client, il a évolué pour devenir l’un des langages de programmation les plus populaires. Les développeurs l’utilisent aujourd’hui aussi bien pour le développement Web côté client que côté serveur. Comme pour les applications écrites dans d’autres langages de programmation, le code JavaScript peut contenir des mauvaises odeurs, qui sont des mauvais choix de conception ou d’implémentation pouvant affecter négativement la maintenabilité et la qualité des applications. Dans ce mémoire, nous étudions les mauvaises odeurs de code dans les applications serveurs JavaScript dans le but de comprendre l’impact des mauvaises odeurs de code sur la fiabilité des applications JavaScript. Grâce à des modèles d’analyse de survie, nous examinons le risque d’occurrence de fautes dans les fichiers contenant des mauvaises odeurs de code et les fichiers ne contenant pas de mauvaise odeur de code. Au total, nous avons analysé 12 mauvaises odeurs de code contenues dans 537 versions de cinq bibliothèques JavaScript parmi les plus populaires : express, grunt, bower, less.js et request. Les résultats obtenus montrent qu’en moyenne, le risque d’occurrence de fautes dans les fichiers sans mauvaise odeur de code est 65% inférieur à celui des fichiers contenants des mauvaises odeurs de code. Parmi les mauvaises odeurs étudiées “Variable Reassign” et “Assignment in conditional statements” sont celles qui présentent le plus grand risque d’occurrence de fautes. Afin de comprendre la perception des développeurs vis-à-vis des 12 mauvaises odeurs de code étudiés, nous avons effectué un sondage auprès de 1484 développeurs JavaScript. Les résultats montrent que les développeurs considèrent les mauvaises odeurs de code “Nested Callbacks,” “Variable Re-assign” et “Long Parameter List” comme étant de sérieux problèmes de conception qui entravent la maintenabilité et la fiabilité des applications JavaScript. Une évaluation qui corrobore les résultats de notre analyse quantitative. Globalement, les mauvaises odeurs de code augmentent le risque d’occurrence de fautes dans les applications JavaScript. Nous recommandons aux développeurs de les corriger tôt avant la mise en marché de leurs applications. ----------ABSTRACT JavaScript is a scripting programming language that has gained a lot of popularity this past decade. Initially used exclusively for client-side web development, it has evolved to become one of the most popular programming languages, with developers now using it for both client-side and server-side application development. Similar to pplications written in other programming languages, JavaScript applications contain code smells, which are poor design choices and implementation that can negatively impact maintainability and quality. In this thesis, we investigate code smells in JavaScript applications with the aim to understand how they affect the fault-proneness of software. We detect 12 types of code smells in 537 releases of five popular JavaScript libraries (i.e., express, grunt, bower, less.js, and request) and perform a survival analysis, comparing the time until the occurrence a fault, in files containing code smells and files without code smells. Results show that (1) on average, files without code smells have hazard rates 65% lower than files with code smells, and (2) Among the studied smells, “Variable Re-assign” and “Assignment In Conditional statements” code smells have the highest hazard rates. Additionally, we conduct a survey with 1,484 JavaScript developers to understand the perception of developers towards our studied code smells. We found that developers consider “Nested Callbacks,” “Variable Re-assign,” and “Long Parameter List” code smells to be serious design problems that hinder the intainability and reliability of applications ; assessment in line with the findings of our quantitative analysis. Overall, code smells affect negatively the fault-proneness of JavaScript applications. Therefore, developers should consider tracking and removing them early on before the release of software to the public

Python Programmers Have GPUs Too: Automatic Python Loop Parallelization with Staged Dependence Analysis

Python is a popular language for end-user software development in many application domains. End-users want to harness parallel compute resources effectively, by exploiting commodity manycore technology including GPUs. However, existing approaches to parallelism in Python are esoteric, and generally seem too complex for the typical end-user developer. We argue that implicit, or automatic, parallelization is the best way to deliver the benefits of manycore to end-users, since it avoids domain-specific languages, specialist libraries, complex annotations or restrictive language subsets. Auto-parallelization fits the Python philosophy, provides effective performance, and is convenient for non-expert developers. Despite being a dynamic language, we show that Python is a suitable target for auto-parallelization. In an empirical study of 3000+ open-source Python notebooks, we demonstrate that typical loop behaviour ‘in the wild’ is amenable to auto-parallelization. We show that staging the dependence analysis is an effective way to maximize performance. We apply classical dependence analysis techniques, then leverage the Python runtime’s rich introspection capabilities to resolve additional loop bounds and variable types in a just-in-time manner. The parallel loop nest code is then converted to CUDA kernels for GPU execution. We achieve orders of magnitude speedup over baseline interpreted execution and some speedup (up to 50x, although not consistently) over CPU JIT-compiled execution, across 12 loop-intensive standard benchmarks

Python Programmers Have GPUs Too: Automatic Python Loop Parallelization with Staged Dependence Analysis

Python is a popular language for end-user software development in many application domains. End-users want to harness parallel compute resources effectively, by exploiting commodity manycore technology including GPUs. However, existing approaches to parallelism in Python are esoteric, and generally seem too complex for the typical end-user developer. We argue that implicit, or automatic, parallelization is the best way to deliver the benefits of manycore to end-users, since it avoids domain-specific languages, specialist libraries, complex annotations or restrictive language subsets. Auto-parallelization fits the Python philosophy, provides effective performance, and is convenient for non-expert developers. Despite being a dynamic language, we show that Python is a suitable target for auto-parallelization. In an empirical study of 3000+ open-source Python notebooks, we demonstrate that typical loop behaviour ‘in the wild’ is amenable to auto-parallelization. We show that staging the dependence analysis is an effective way to maximize performance. We apply classical dependence analysis techniques, then leverage the Python runtime’s rich introspection capabilities to resolve additional loop bounds and variable types in a just-in-time manner. The parallel loop nest code is then converted to CUDA kernels for GPU execution. We achieve orders of magnitude speedup over baseline interpreted execution and some speedup (up to 50x, although not consistently) over CPU JIT-compiled execution, across 12 loop-intensive standard benchmarks

Collaborative coding in the cloud : providing a paradigm shift to the way software development is achieved in environments of the future

University of Technology, Sydney. Faculty of Engineering and Information Technology.This research aims to address a number of challenges surrounding traditional software development practices, including the need for team transparency, synergy between project components and developers who are weighed down by desktop based environments. A cloud computing model is discussed, including a hypothesis on the required platform to solve many of these challenges. A number of previous research agendas are raised; including extensions to the JEdit and Eclipse IDEs, purpose built collaborative platforms, and an IDE that operates on a mobile device. Two cases studies around Google Wave and Mozilla Bespin are raised, and how industry leaders are addressing these challenges. Through a qualitative survey, the needs of a developer and perceptions behind cloud computing are raised with a discrete range of industry professionals. A proposed model is provided, which aims at borrowing concepts traditionally found in social networking yet applies them toward a software development context, and highlights a number of recommendations for success. A research subset is then chosen to provide a technical implementation of a Google Wave agent, aimed at assisting distributed teams with cross communication and autonomous up-skill. Finally, the research outcome answers the question of whether an IDE can be deployed within cloud based architectures and be adopted by the software development community. Given the infancy of the platform, the research outcome finds that immediate deployment of the proposed platform cannot be realized, and that researchers are dependent on platform maturity before successful deployment and adoption can be achieved. The overall research provides a number of future research directions, including reassessment of the philosophy proposed throughout this research, implementation of the proposed framework, or improvements focused on the communication and collaboration agent developed. The research fulfills a number of research areas required in the arenas of communication and collaboration among the software engineering community

FROM A RESEARCH PROTOTYPE TO A DEPLOYED SYSTEM: THE CASE OF THE HECHT MUSEUM VISITOR\u27S GUIDE

Cultural heritage, Deployment, Mobile guides, Research prototype