SECURE REFACTORING - Improving the Security Level of Existing Code

Katsuhisa Maruyama

Abstract

Software security is becoming an increasingly serious issue; nevertheless, a large number of software programs are still defenseless against malicious attacks. This paper proposes a new class of refactoring, called secure refactoring. This refactoring is not intended to improve the maintainability of existing code. Instead, it helps programmers increase the protection level of sensitive information stored in the code without changing its observable behavior. In this paper, four secure refactorings of Java source code and their respective mechanics based on static analysis are presented. All transformations of the proposed refactorings can be designed to be automated on our refactoring browser, which supports the application of traditional refactorings.

Paper Citation


in Harvard Style

Maruyama K. (2007). SECURE REFACTORING - Improving the Security Level of Existing Code. In Proceedings of the Second International Conference on Software and Data Technologies - Volume 2: ICSOFT, ISBN 978-989-8111-06-7, pages 222-229. DOI: 10.5220/0001339102220229


in Bibtex Style

@conference{icsoft07,
author={Katsuhisa Maruyama},
title={SECURE REFACTORING - Improving the Security Level of Existing Code},
booktitle={Proceedings of the Second International Conference on Software and Data Technologies - Volume 2: ICSOFT,},
year={2007},
pages={222-229},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0001339102220229},
isbn={978-989-8111-06-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the Second International Conference on Software and Data Technologies - Volume 2: ICSOFT,
TI - SECURE REFACTORING - Improving the Security Level of Existing Code
SN - 978-989-8111-06-7
AU - Maruyama K.
PY - 2007
SP - 222
EP - 229
DO - 10.5220/0001339102220229