www.rise.com.br
Assessing Security in Software Product Lines: A Maintenance Analysis
Context
Software Product Lines
Software Security
Motivation
Problem Statement
Summary of Proposal
Test Beds
Family of Experiments
Concluding Remarks and Future Work
Software Product Lines
Variability management
Enables a multitude of products to be built/composed that share
a set of artifacts
Shows how the SPL allows for and facilitates the differences
between the products.
Dynamic Link Libraries
Inheritance
Overloading
Properties
Parameterization
Static Libraries
Security
Detect Attacks, Resist Attack, React to Attacks, Recover from Attacks
- Verify message integrity
- Verify storage integrity
- Maintain audit trail
- Identify intrusions (by signature, by behavior)
- Authenticate subject
- Authorize subject
- Manage security policies
- Filter data
- Verify origin of the message
- Establish secure channel
- Hide data (by encryption, by steganography)
- Alert actors
- Audit actions
- Apply institution policies
Legend: Quality Attribute, Security Tactics, Techniques
Aspect-Oriented Programming
Pointcuts and advice
Software Security Techniques
Experiment: Goal
Null Hypotheses:
Alternative Hypotheses:
Hypotheses
Null Hypotheses:
Alternative Hypotheses:
Hypotheses
Alternative Hypotheses:
Experiments Execution and Operation
Three SPLs, 90 Releases
RiSE Event SPL: R1: T1 - CC, R2: T1 - AOP, R30: T15 - AOP
RiSE Store SPL: R1: T1 - CC, R2: T1 - AOP, R30: T15 - AOP
Law Office SPL: R1: T1 - CC, R2: T1 - AOP, R30: T15 - AOP
Data Collection
Metric Tools
Metrics
Ckjm
Data
N of classes,
N of interfaces,
N of methods,
N of static methods,
N of static attributes,
N attributes,
N of parameters.
Analysis Procedure
Size
Separation of Concerns
Lack of Cohesion
- Authorization. There is no significant difference for CC or AOP; thus the null hypothesis H02 was not rejected.
Analysis and Interpretation
Coupling
Metrics selection
Apply well-known metrics that have already been empirically validated.
Metric Tools selection
Cross-check the tools' results.
Small data sample
Randomization Tests combined with Statistical Methods
Biased data analysis
Double-check of analyzed data
Generalization
Used three SPLs developed in different domains.
Related Work
Metric Tool.
Any Questions?