Static Analysis-Based Approaches for Secure Software Development

Software security is a major concern for software development enterprises that wish to deliver highly secure software products to their customers. Static analysis is considered one of the most effective mechanisms for adding security to software products. The many static analysis tools available produce a large number of raw results that may contain security-relevant information useful for the production of secure software. Several mechanisms that can facilitate the production of both secure and reliable software applications have been proposed over the years. In this paper, two such mechanisms, namely vulnerability prediction models (VPMs) and optimum checkpoint recommendation (OCR) mechanisms, are theoretically examined, and their potential improvement through the use of static analysis is also investigated. In particular, we review the most significant contributions regarding these mechanisms, identify their most important open issues, and propose directions for future research, emphasizing the potential adoption of static analysis for addressing the identified open issues. Hence, this paper can act as a reference for researchers who wish to contribute to these subfields, helping them gain a solid understanding of the existing solutions and of the open issues that require further research.
