Improving Software Security Using Search-Based Refactoring

Security metrics have been proposed to assess the security of software applications based on the principles of "reduce attack surface" and "grant least privilege." While these metrics can help inform the developer in choosing designs that provide better security, they cannot on their own show exactly how to make an application more secure. Even if they could, the onerous task of updating the software to improve its security is left to the developer. In this paper we present an approach to automated improvement of software security based on search-based refactoring. We use the search-based refactoring platform, Code-Imp, to refactor the code in a fully-automated fashion. The fitness function used to guide the search is based on a number of software security metrics. The purpose is to improve the security of the software immediately prior to its release and deployment. To test the value of this approach we apply it to an industrial banking application that has a strong security dimension, namely Wife. The results show an average improvement of 27.5% in the metrics examined. A more detailed analysis reveals that 15.5% of metric improvement results in real improvement in program security, while the remaining 12% of metric improvement is attributable to hitherto undocumented weaknesses in the security metrics themselves.
