Manifestation of security patterns in code We have collected security patterns that can be used to secure Android applications by mapping them to secure coding guidelines. For the three mostly mentioned security patterns from these guidelines we have distilled implementation variants based on the Android API. We have also depicted how diverse the object configuration among the variants of one security pattern is and described 27 in total. This pattern variant collection can be helpful for developers and analysts to obtain an overview of the several possibilities to implement a certain security feature in an Android application.
Detection of security patterns Only a few analysis tools take the well-known design patterns into account to support program comprehension at that point [503]. However, none of them considers the detection of security patterns. We have split the security-pattern detection in two parts.
In the first part we have used the hierarchical reflexion method implemented in the Bauhaus tool to detect security patterns at the architectural level. This work has highlighted possible issues on using security patterns for an (automatic) detection approach.
The second part presented how security patterns can be detected by their object interaction. This approach uses a low-level program representation to detect patterns with the help of COPGs, which are a further development of the OPG technique. To satisfy the need for detecting the interaction of many different objects that together form security patterns, we have enhanced the OPG concept to handle multiple objects. Our tool can be used for reviewing Android applications at later development stages when the security objectives are identified and a preliminary security scan prior to the software release is performed. It provides support for security audits by automatically detecting source code locations of implemented security features and tracing a security- relevant object’s configuration. Analysts can utilize the abstract representation of connected objects to understand security-object interactions.
The automatic pattern-variant detection has been evaluated in a case study with 25 non-trivial Android applications and shows acceptable results on precision and recall. In addition, this benchmark of benign Android apps can be used by researchers in other projects. Moreover, the automatic detection approach has been discussed with six software security experts from the SAFECode organization.
12.2
Future Research
This section presents and discusses collected items and ideas that are worth future research activities based on the presented topic.
12.2.1
Usage in Industry
By some (rare) studies (e.g., Hafiz et al. [208]) it has been shown that security patterns are used within the software development process. The list of collected software-security patterns in Section 4.4 is still long and some of them are tailored towards specific frameworks or contexts. We expect that not all patterns of this list are used to develop software. Therefore, it would be interesting to determine how many and which security patterns are of special interest for software development in industry. Imaginable are interviews with software security experts and/or conducting an online survey among security experts and industrial software developers.
Expert Interview
Expert interviews could be used to identify and prioritize software security patterns in matters of practical relevance and usage in commercial software systems. The interviewed experts can give insights into their procedure of assessing and analyzing software systems with regard to security. They can help to prioritize software security-patterns for further investigations by highlighting which security problems occur frequently and should be inspected more carefully than others. Moreover, it can be possibly clarified which role knowledge of software-security patterns plays within security audits and whether they are used to design commercial software systems.
Survey among Software Architects and Developers
Based on the previously described expert interview, a survey among software developers and architects in industry is conceivable. Here, developers could be interviewed directly with regard to the topic of security patterns. This could be of interest because many developers are not security experts. They have less knowledge on security, but they have to face the security topic during their work. Such a survey can provide insights into the attitude of a huge mass of developers towards developing secure systems. This survey could be exposed as an online survey to win many developers to participate. The goal of this survey is to identify which security patterns have practical relevance for developers. The frequently mentioned security patterns are of interest for further investigations in the area of designing, implementing, analyzing and reviewing software with regard to security.
12.2.2
Detection Improvement
This section presents several ways to improve the presented security pattern detection technique.
Security Pattern Variants
Section 8.1.2 presents a way to extract the shape of security patterns from API information. To overcome the discussed limitations, the Known Use section in a
12.2 – Future Research
security pattern description can be considered to obtain clues for suitable software systems that implement the security pattern. For example, the Check Point pattern is used at the login screen of Windows and Linux operating systems. Furthermore, software systems that provide the same (secured) functionality or service, e.g., FTP- Servers or mail servers can be inspected according to its security pattern usage. The main problem is here to find a particular security feature in the software. This can be done by reading the documentation (if available) or having an expert that evaluates the tools for implemented security features. Both ways can give clues for finding common used code snippets.
The collected variants can be compared to the API variants and "core" structures can be identified. These "core" structures can be used to implement a fuzzy search for security patterns in different systems and other pattern detection techniques can be used for their detection such as the described approaches in Section 11.2.1.
Behavioral Analysis
Enhancing static analysis with dynamic information is a powerful combination for analyses (see Chapter 11). The extraction of execution traces may be a good extension to the static program information of applications. Therefore, important behavioral aspects of security patterns must be identified, and the static analysis information base must be enhanced with dynamically collected information about the objects under surveillance. This step possibly enables one to additionally detect security patterns which rely more on behavior than object composition (Section 4.5.2). It is also conceivable to enhance techniques such as protocol recovery to distinct correctly from incorrectly implemented security patterns.
Security Anti-Pattern Detection
Besides design and security patterns, anti-patterns exist. They describe bad practices for a common problem [61]. Some prototypes exist which support the detection of anti-patterns in general [216, 253, 363]. They support in each case only special kinds of patterns like JEE or performance anti-patterns. The development of security anti-patterns that can detect wrong object combinations or problematic control-flow sequences within COPGs is conceivable. Therefore, the derived security pattern variants have to be inspected for possible insecure object configurations. The checking of control-flow sequences can be possibly done by enhancing existing protocol-recovery approaches such as the work presented by Quante and Koschke [375].
12.2.3
Visualization
The visualization of COPGs developed within the context of this thesis is quite basic. Thus, this section presents several improvements that can be made in visualizing security patterns to support analysts.
Usability aspects
The implemented COPG visualization could be enhanced. Features such as filtering certain nodes of interest, clustering nodes to groups, or views for certain aspects of the COPG are conceivable. For example, the Figure 10.2b in Section 10.2 displays a relatively small graph, but we have observed that COPGs can become large (up to 900 nodes) and hence quite confusing for an analyst. To use large COPGs effectively for reviews, one could display subviews of the COPGs, e.g., only call nodes could be shown or highlighted. In addition, a search feature for specific nodes or clusters of nodes can be implemented. For example, one can present a view for the encryption key or for the encryption mechanism.
Moreover, it could be beneficial to create different layout algorithms for COPGs whereby large graphs may be easier to browse. All these features may improve the usability of COPGs for program comprehension and should be further investigated by a controlled experiment.
Architectural View
The tool should also be able to create new views, comparable to views provided by the Bauhaus tool based on RFG information. These architectural views can be created containing only elements focusing on special purposes. It is conceivable to provide a view containing elements that are supposed to belong to a single security pattern. If one has identified more than one security pattern and created them on different views, one can create a new view by intersecting or uniting the view to visualize composed or merged security patterns as described by Schumacher [432]. Possibly this process can be automated when the tool has analyzed several security patterns. Presenting such combinations to analysts may facilitate the realization of adequately and inadequately programmed pattern collaborations. For instance, consider the combination of Single Access Point and Check Point pattern [437], where a badly implemented cooperation may raise security leaks.
Moreover, at architectural level security patterns can be marked as potential patterns and can be used to show deficiencies in the software architecture. With an automated check against the real source code, there can be detected architecture violations, such as calling a component not through a Check Point, that can induce security concept violations.
System View
With regard to the Android framework where several application can run aside, it would be nice to have an overview of a whole software system. Therefore, several analyzed applications could be combined in a single view at architectural level. Here, for example, in combination with taint analysis or other security analyses security bounds or layers of interacting applications could be modeled. With such a view data flows across applications and their implemented security provisions could be assessed more easily.
12.3 – Closing Words
Conducting User Studies
The benefit of the developed tool and the aforementioned visualization should be evaluated by conducting controlled experiments. One experiment could answer whether COPGs are useful for program comprehension tasks. Another experiment could probably answer if the previously described visualization extensions are beneficial to understand the security architecture of software systems.
The implemented tool allows one to conduct user studies including think-aloud tests (recording a user’s comments on employing the tool) [398] and controlled experiments (one group with the tool, another one without) [373]. The challenge with controlled experiments is to define a test case that is complex enough such that the security-critical code is scattered across the application. At the same time, not too much training should be necessary to understand the test scenario. Edmundson et al. showed that analysts with more security experience did not necessarily perform better on reviewing applications with regard to security problems [120]. Thus, selecting a proper set of analysts for the experiment is another problem and can implicitly falsify the results.
Integrating the Tool into a Security Development Lifecycle (SDL)
In addition, the developed tool could be evaluated by embedding it in a security audit process such as SDL to point out possible benefits. The tool shall support the security analyst rather than replacing her. In particular, the tool is meant for enterprises who have established a well-defined SDL to support security and development teams. Since our technique connects architectural aspects to the concrete software implementation, the tool can be used in the early implementation phases within an SDL as well as after the implementation has been finished. The former application, however, is preferred because it gives the analyst/architect early or immediate feedback of whether security patterns are adequately used within the implementation.
12.3
Closing Words
The work in this thesis started with the intention to detect security patterns like Gamma’s design patterns. It turned out that the detection was not so easy due to the unique nature of the security patterns. Therefore, an extensive work on the security patterns themselves was conducted. Thereby, problems, opportunities for improvement, and possibilities for further research on them were discovered. Hopefully, this basis will be used to employ more applications to support the program comprehension task of software maintainers and reviewers to improve and ensure security in software systems.
BIBLIOGRAPHY
[1] ACM. ACM Digital Library, 2018. URL http://portal.acm.org/. (Accessed: 01.11.2018). [2] Adobe. Adobe Acrobat Reader app, 2018. URL https://play.google.com/store/apps/
details?id=com.adobe.reader. (Accessed: 25.04.2018).
[3] Adobe. Adobe Sign app, 2018. URL https://play.google.com/store/apps/details?id= com.adobe.echosign. (Accessed: 25.04.2018).
[4] Hira Agrawal, James L. Alberi, Joseph R. Horgan, J. Jenny Li, Saul London, W. Eric Wong, Sudipto Ghosh, and Norman Wilde. Mining system tests to aid software maintenance. Computer, 31:64–73, 07 1998. ISSN 0018-9162.
[5] Ola Ajaj and Eduardo B. Fernandez. A pattern for the ws-trust standard for web services. In Proceedings of the Asian Conference on Pattern Languages of Programs, pages 1–11, 2010.
[6] Ola Ajaj and Eduardo B. Fernandez. A pattern for the ws-policy standard. In Proceedings of the Latin American Conference on Pattern Languages of Programming, 2010.
[7] Ola Ajaj and Eduardo B. Fernandez. A pattern for the ws-secureconversation standard for web services. In Proceedings of the Conference on Pattern Languages of Programs, pages 1–10, 2012.
[8] Mohammed Ghazi Al-Obeidallah, Miltos Petridis, and Stelios Kapetanakis. A survey on design pattern detection approaches. International Journal of Software Engineering (IJSE), 7:41–59, December 2016.
[9] Christopher Alexander. The Timeless Way of Building. Oxford University Press, 1979. ISBN 9780195024029.
[10] Christopher Alexander, Murray Silverstein, Shlomo Angel, Sara Ishikawa, and Denny Abrams. The Oregon Experiment. Oxford University Press, 1975. ISBN 978-0195018240.
[11] Christopher Alexander, Sara Ishikawa, and Murray Silverstein. A pattern language: towns, buildings, construction. Center for Environmental Structure series. Oxford University Press, New York, 1977. ISBN 9780195019193.
[12] Awny Alnusair, Tian Zhao, and Gongjun Yan. Rule-based detection of design patterns in program code. Int. J. Softw. Tools Technol. Transf., 16(3):315–334, June 2014. ISSN 1433- 2779.
[13] Deepak Alur, Dan Malks, and John Crupi. Core J2EE Patterns: Best Practices and Design Strategies. Prentice Hall PTR, Upper Saddle River, NJ, USA, 2001. ISBN 0130648841.
[14] Aleem Khalid Alvi and Mohammad Zulkernine. A natural classification scheme for software security patterns. In Proceedings of the International Conference on Dependable, Autonomic and Secure Computing, pages 113–120, 2011.
[15] Aleem Khalid Alvi and Mohammad Zulkernine. A comparative study of software security pattern classifications. In Proceedings of the International Conference on Availability, Reliability and Security, pages 582–589, 2012.
[16] Aleem Khalid Alvi and Mohammad Zulkernine. Security pattern detection using ordered matrix matching. In International Conference on Software Security and Assurance, pages 38–43, July 2017.
[17] Chris Alvin, Brian Peterson, and Supratik Mukhopadhyay. StaticGen: Static Generation of UML Sequence Diagrams, pages 173–190. Springer Berlin Heidelberg, Berlin, Heidelberg, 2017. ISBN 978-3-662-54494-5.
[18] Amazon Mobile LLC. AmazonShopping app, 2018. URL https://play.google.com/store/ apps/details?id=com.amazon.mShop.android.shopping. (Accessed: 25.04.2018).
[19] Apostolos Ampatzoglou, Sofia Charalampidou, and Ioannis Stamelos. Investigating the use of object-oriented design patterns in open-source software: A case study. In Evaluation of Novel Approaches to Software Engineering, volume 230 of Communications in Computer and Information Science, pages 106–120. Springer Berlin Heidelberg, 2011. ISBN 978-3-642- 23390-6.
[20] Apostolos Ampatzoglou, Sofia Charalampidou, and Ioannis Stamelos. Research state of the art on gof design patterns: A mapping study. Journal of Systems and Software, 86(7):1945– 1964, 2013. ISSN 0164-1212.
[21] Ross J. Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley & Sons, Inc., New York, NY, USA, 1st edition, 2001. ISBN 0471389226.
[22] Donglin Liang andMary Jean Harrold. Slicing objects using system dependence graphs. In Proceedings of the IEEE International Conference on Software Maintenance, Washington, DC, USA, 1998. IEEE Computer Society. ISBN 0-8186-8779-7.
[23] Giuliano Antoniol and Yann-Gaël Guéhéneuc. Feature identification: An epidemiological metaphor. IEEE Transactions on Software Engineering, 32(9):627–641, September 2006. ISSN 0098-5589.
[24] Giuliano Antoniol, Roberto Fiutem, and Luca Cristoforetti. Design pattern recovery in object-oriented software. In Proceedings of the International Workshop on Program Comprehension, page 153, Washington, DC, USA, 1998. IEEE Computer Society. ISBN 0-8186-8560-3.
[25] Erik Arisholm, Lionel C. Briand, Siw Elisabeth Hove, and Yvan Labiche. The impact of uml documentation on software maintenance: an experimental evaluation. IEEE Transactions on Software Engineering, 32(6):365–381, June 2006.
[26] Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation, pages 259–269, New York, NY, USA, 2014. ACM. ISBN 978-1-4503-2784-8.
12.3 – BIBLIOGRAPHY
[27] Fatemeh Asadi, Massimiliano Di Penta, Giuliano Antoniol, and Yann-Gaël Guéhéneuc. A heuristic-based approach to identify concepts in execution traces. In Proceedings of the European Conference on Software Maintenance and Reengineering, pages 31–40, March 2010.
[28] Angel Asencio, Sam Cardman, David Harris, and Ellen Laderman. Relating expectations to automatically recovered design patterns. In Proceedings of the Working Conference on Reverse Engineering, pages 87–96, 2002.
[29] Paul G. Austrem. Runtime mix’n and match design pattern. In Proceedings of the Conference on Pattern Languages of Programs, pages 1–8, New York, NY, USA, 2008. ACM. ISBN 978- 1-60558-151-4.
[30] Zsolt Balanyi and Rudolf Ferenc. Mining design patterns from c++ source code. In Proceedings of the IEEE International Conference on Software Maintenance, Washington, DC, USA, 2003. IEEE Computer Society. ISBN 0-7695-1905-9.
[31] Rebecca Balebako, Abigail Marsh, Jialiu Lin, Jason I. Hong, and Lorrie Faith Cranor. The privacy and security behaviors of smartphone app developers. In Proceeding of the Workshop on Usable Security, 2014.
[32] Davide Balzarotti, Greg Banks, Marco Cova, Viktoria Felmetsger, Richard A. Kemmerer, William Robertson, Fredrik Valeur, and Giovanni Vigna. An experience in testing the security of real-world electronic voting systems. IEEE Transactions on Software Engineering, 36(4): 453–473, 2010. ISSN 0098-5589.
[33] Jagdish Bansiya. Automating design-pattern identification. Dr. Dobbs Journal, 1998. URL http://www.drdobbs.com/184410578. (Accessed: 01.11.2018).
[34] Steffen Bartsch, Karsten Sohr, Michaela Bunke, Oliver Hofrichter, and Bernhard J. Berger. The transitivity of trust problem in the interaction of android applications. CoRR, abs/1204.1458, 2012. URL http://arxiv.org/abs/1204.1458.
[35] Steffen Bartsch, Bernhard J. Berger, Michaela Bunke, and Karsten Sohr. The transitivity- of-trust problem in android application interaction. In Proceedings of the International Conference on Availability, Reliability and Security, pages 291–296, 2013.
[36] Bayrisches Landesamt für Datenschutz/Düsseldorfer Kreis. Orientierungshilfe zu den
datenschutzanforderungen an app-entwickler und app-anbieter, 2014. URL http:
//www.lda.bayern.de/lda/datenschutzaufsicht/lda_daten/Orientierungshilfe_ Apps_2014.pdf. (Accessed: 01.11.2018).
[37] Kent Beck and Ward Cunningham. Using pattern languages for object-oriented programs. Technical Report CR-87-43, Computer Research Laboratory, Tektronix, Inc., September 1987. URL http://c2.com/doc/oopsla87.html.
[38] Kent Beck and Ralph E. Johnson. Patterns generate architectures. In Proceedings of the European Conference on Object-Oriented Programming, pages 139–149, London, UK, 1994. Springer-Verlag. ISBN 3-540-58202-9.
[39] Nels E. Beckman, Kevin Bierhoff, and Jonathan Aldrich. Verifying correct usage of atomic blocks and typestate. SIGPLAN Not., 43(10):227–244, October 2008. ISSN 0362-1340.
[40] Dmitry Bedrin. jtracert, 2015. URL https://code.google.com/p/jtracert/. (Accessed: 10.07.2015).
[41] Dmitry Bedrin. jsonde, 2015. URL https://github.com/bedrin/jsonde. (Accessed:
[42] Mark Belk, Matt Coles, CassioGoldschmidt, Michael Howard, Kyle Randolph, Mikko
Saario, Reeny Sondhi, Izar Tarandach, Antti Vähä-Sipilä, and Yonko Yonchev.
Fundamental practices for secure software development 2nd edition. Technical report,
SAFECode, February 2011. URL https://www.safecode.org/wp-content/uploads/
2014/09/SAFECode_Dev_Practices0211.pdf.
[43] Bernhard J. Berger and Michaela Bunke. Software security comprehension. Softwaretechnik Trends, 31(2):2, 2011.
[44] Bernhard J. Berger, Michaela Bunke, and Karsten Sohr. An android security case study with bauhaus. In Proceedings of the Working Conference on Reverse Engineering, pages 179–183,