A hierarchical security assessment model for object-oriented programs
Alshammari, Bandar, Fidge, Colin J., & Corney, Diane (2011) A hierarchical security assessment model for object-oriented programs. In Hierons, Rob & Merayo, Mercedes (Eds.) Proceedings of the 11th International Conference on Quality Software (QSIC 2011), IEEE Computer Society, University Complutense of Madrid, Madrid.
We present a hierarchical model for assessing an object-oriented program's security. Security is quantified using structural properties of the program code to identify the ways in which
classified' data values may be transferred between objects. The model begins with a set of low-level security metrics based on traditional design characteristics of object-oriented classes, such as data encapsulation, cohesion and coupling. These metrics are then used to characterise higher-level properties concerning the overall readability and writability of classified data throughout the program. In turn, these metrics are then mapped to well-known security design principles such asassigning the least privilege' and `reducing the size of the attack surface'. Finally, the entire program's security is summarised as a single security index value. These metrics allow different versions of the same program, or different programs intended to perform the same task, to be compared for their relative security at a number of different abstraction levels. The model is validated via an experiment involving five open source Java programs, using a static analysis tool we have developed to automatically extract the security metrics from compiled Java bytecode.
Impact and interest:
Citation counts are sourced monthly from and citation databases.
Citations counts from theindexing service can be viewed at the linked Google Scholar™ search.
|Item Type:||Conference Paper|
|Keywords:||Object-orientation, Software Quality, Software Security, Software Metrics, Security Design Principles|
|Subjects:||Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > COMPUTER SOFTWARE (080300) > Computer System Security (080303)
Australian and New Zealand Standard Research Classification > INFORMATION AND COMPUTING SCIENCES (080000) > COMPUTER SOFTWARE (080300) > Software Engineering (080309)
|Divisions:||Past > QUT Faculties & Divisions > Faculty of Science and Technology
Past > Institutes > Information Security Institute
|Copyright Owner:||Copyright 2011 IEEE|
|Copyright Statement:||Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.|
|Deposited On:||09 May 2011 00:50|
|Last Modified:||23 Jul 2014 14:42|
Repository Staff Only: item control page