Evaluation Of An Architectural-Level Approach For Finding Security Vulnerabilities

The cost of security vulnerabilities of a software system is high. As a result, many techniques have been developed to find the vulnerabilities at development time. Of particular interest are static analysis techniques that can consider all possible executions of a system. But, static analysis can suffer from a large number of false positives. A recently developed approach, Scoria, is a semi-automated static analysis that requires security architects to annotate the code, typecheck the annotations, extract a hierarchical object graph and write constraints in order to find security vulnerabilities in a system. This thesis evaluates Scoria on three systems (sizes 6 KLOC, 6 KLOC and 25 KLOC) from different application domains (Android and Web) and confirms that Scoria can find security vulnerabilities in those systems without an excessive number of false positives

Apparatuses and Methods for Producing Runtime Architectures of Computer Program Modules

Apparatuses and methods for producing run-time architectures of computer program modules. One embodiment includes creating an abstract graph from the computer program module and from containment information corresponding to the computer program module, wherein the abstract graph has nodes including types and objects, and wherein the abstract graph relates an object to a type, and wherein for a specific object the abstract graph relates the specific object to a type containing the specific object; and creating a runtime graph from the abstract graph, wherein the runtime graph is a representation of the true runtime object graph, wherein the runtime graph represents containment information such that, for a specific object, the runtime graph relates the specific object to another object that contains the specific object

Dynamic Validation of Software Architectural Connectors

In this work we present an approach to dynamically validate the usage of software connectors in the context of software architectures. By employing aspect oriented techniques the system’s execution is monitored in order to obtain an architectural view describing how processes communicate and interact with each other. This output can later be compared to the connectors specified in the architecture document to validate the consistency between the architecture specification and the implementation of the system. A case study is presented showing the potential of the approach. We believe the results are promising enough to consider future extensions including other architectural elements beyond connectors.Sociedad Argentina de Informática e Investigación Operativa (SADIO

Dynamic Validation of Software Architectural Connectors

In this work we present an approach to dynamically validate the usage of software connectors in the context of software architectures. By employing aspect oriented techniques the system’s execution is monitored in order to obtain an architectural view describing how processes communicate and interact with each other. This output can later be compared to the connectors specified in the architecture document to validate the consistency between the architecture specification and the implementation of the system. A case study is presented showing the potential of the approach. We believe the results are promising enough to consider future extensions including other architectural elements beyond connectors.Sociedad Argentina de Informática e Investigación Operativa (SADIO

Automated Refinement Of Hierarchical Object Graphs

Object graphs help explain the runtime structure of a system. To make object graphs convey design intent, one insight is to use abstraction by hierarchy, i.e., to show objects that are implementation details as children of architecturally-relevant objects from the application domain. But additional information is needed to express this object hierarchy, using ownership type qualifiers in the code. Adding qualifiers after the fact involves manual overhead, and requires developers to switch between adding qualifiers in the code and looking at abstract object graphs to understand the object structures that the qualifiers describe. We propose an approach where developers express their design intent by refining an object graph directly, while an inference analysis infers valid qualifiers in the code. We present, formalize and implement the inference analysis. Novel features of the inference analysis compared to closely related work include a larger set of qualifiers to support less restrictive object hierarchy (logical containment) in addition to strict hierarchy (strict encapsulation), as well as object uniqueness and object borrowing. A separate extraction analysis then uses these qualifiers and extracts an updated object graph. We evaluate the approach on two subject systems. One of the subject systems is reproduced from an experiment using related techniques and another ownership type system, which enables a meaningful comparison. For the other subject system, we use its documentation to pick refinements that express design intent. We compute metrics on the refinements (how many attempts on each subject system) and classify them by their type. We also compute metrics on the inferred qualifiers and metrics on the object graphs to enable quantitative comparison. Moreover, we qualitatively compare the hierarchical object graphs with the flat object graphs and with each other, by highlighting how they express design intent. Finally, we confirm that the approach can infer from refinements valid qualifiers such that the extracted object graphs reflect the design intent of the refinements

Dynamic Validation of Software Architectural Connectors

In this work we present an approach to dynamically validate the usage of software connectors in the context of software architectures. By employing aspect oriented techniques the system’s execution is monitored in order to obtain an architectural view describing how processes communicate and interact with each other. This output can later be compared to the connectors specified in the architecture document to validate the consistency between the architecture specification and the implementation of the system. A case study is presented showing the potential of the approach. We believe the results are promising enough to consider future extensions including other architectural elements beyond connectors.Sociedad Argentina de Informática e Investigación Operativa (SADIO

Microservice Architecture Reconstruction and Visualization Techniques: A Review

Microservice system solutions are driving digital transformation; however, fundamental tools and system perspectives are missing to better observe, understand, and manage these systems, their properties, and their dependencies. Microservices architecture leads towards decentralization, which implies many advantages to system operation; it, however, brings challenges to their development. Microservice systems often lack a system-centric perspective that would help engineers better cope with system evolution and quality assessment. In this work, we explored microservice-specific architecture reconstruction based on static analysis. Such reconstruction typically results in system models to visualize selected system-centric perspectives. Conventional models involve 2D methods; however, these methods are limited in utility when services proliferate. We considered various architectural perspectives relevant to microservices and assessed the relevancy of the traditional method, comparing it to alternative data visualization using 3D space. As a representative of the 3D method, we considered a 3D graph model presented in augmented reality. To begin testing the feasibility of deriving such perspectives from microservice systems, we developed and implemented prototype tools for software architecture reconstruction and visualization of compared perspectives. Using these prototypes, we performed a small user study with software practitioners to highlight the potentials and limitations of these innovative visualizations used for common practitioner reasoning and tasks