-XX:+AggressiveOpts
-Xss2m
-Xmn512m
-Xms512m
-Xmx4096m
I recently finished my master’s degree. Now I am sharing my dissertation so other people can continue the work I started.
Secure programming is the practice of writing programs that are resistant to attacks by malicious people or programs. Programmers of secure software have to be continuously aware of security vulnerabilities when writing their program statements. They also ought to continuously perform actions for preventing or removing vulnerabilities from their programs. In order to support these activities, static analysis techniques have been devised to find vulnerabilities in the source code. However, most of these techniques are built to encourage vulnerability detection a posteriori, only when developers have already fully produced (and compiled) one or more modules of a program. Therefore, this approach, also known as late detection, does not support secure programming but rather encourages posterior security analysis. The lateness of vulnerability detection is also influenced by the high rate of false positives, yielded by pattern matching, the underlying mechanism used by existing static analysis techniques. The goal of this dissertation is twofold. First, we propose to perform continuous detection of security vulnerabilities while the developer is editing each program statement, also known as early detection. Early detection can leverage his knowledge on the context of the code being created, contrary to late detection when developers struggle to recall and fix the intricacies of the vulnerable code they produced from hours to weeks ago. Our continuous vulnerability detector is incorporated into the editor of an integrated software development environment. Second, we explore a technique originally created and commonly used for implementing optimizations on compilers, called data flow analysis, hereinafter referred as DFA. DFA has the ability to follow the path of an object until its origins or to paths where it had its content changed. DFA might be suitable for finding if an object has a vulnerable path. To this end, we have implemented a proof-of-concept Eclipse plugin for continuous vulnerability detection in Java programs. We also performed two empirical studies based on several industry-strength systems to evaluate if the code security can be improved through DFA and early vulnerability detection. Our studies confirmed that: (i) the use of data flow analysis significantly reduces the rate of false positives when compared to existing techniques, without being detrimental to the detector performance, and (ii) early detection improves the awareness among developers and encourages programmers to fix security vulnerabilities promptly.
If you want to read the whole dissertation, you can download it here. I would love to receive your feedback about it.
Keywords
Early detection; security vulnerability; data flow analysis; secure programming.
One thing I noticed when I first started testing security applications, was that each one, had their own understanding of what is a security vulnerability and which methods should be verified and flagged as vulnerable. I later found out this page (https://www.owasp.org/index.php/Searching_for_Code_in_J2EE/Java) on OWASP. It contains some methods that should be sanitized but I believe it is not the full list.
So, I have created my own list from what I found on other applications, blogs and etc and I was wondering if you (my reader) could help me make this list perfect. If we manage to do this, I think it would be great to update OWASP page. What do you think ?
With this list of methods I performed an evaluation on 5 applications (BlueBlog, PersonaBlog, WebGoat, Roller and Pebble) using 4 Eclipse plug-ins (ASIDE, CodePro, Lapse+ and ESVD(my plug-in)). I got some very promising results. I am really excited.
Do you think there are methods missing or some of these methods should be removed from the list ?
My plug-in is still a prototype but I am receiving some very good feedback. You can see more on:
01 – early-vulnerability-detection-supporting-secure-programming
02 – https://marketplace.eclipse.org/content/early-security-vulnerability-detector-esvd/
My list of “Sources“, “Sinks” and “Sanitization” methods:
Continue reading Which methods should be considered “Sources”, “Sinks” or “Sanitization” ?
Dear reader,
I was wondering if you could spend some minutes of your precious time by helping me. As part of my dissertation entitled “Early Vulnerability Detection for Supporting Secure Programming“, I developed an Eclipse plug-in (still just a prototype) that performs security vulnerability detection while the developer is creating/editing the source code.You can install the plug-in as you usually do when working with Eclipse, however, if you have any doubts on “How to Install the plug-in”, there is a How-To in the attached pdf.
The plug-in’s link:
https://marketplace.eclipse.org/content/early-security-vulnerability-detector-esvd/
You can test the plug-in with some of your own projects, however, if you want you can download, import and test a sample project created by me which contains dozens of known security vulnerabilities. More about this project in the attached pdf.
The sample’s link:
https://esvd.thecodemaster.net/plugin/latest/WebDemo.zip
I would really appreciate your feedback on regards to ANYTHING. The images used, the text to inform the vulnerabilities, the options provided by the plug-in, the English words, false positives, false negatives and anything else that comes to your mind.
Supported vulnerabilities:
01 – Command Injection
02 – Cookie Poisoning
03 – Cross-Site Scripting (XSS)
04 – HTTP Response Splitting
05 – LDAP Injection
06 – Log Forging
07 – Path Traversal
08 – Reflection Injection
09 – Security Misconfiguration
10 – SQL Injection
11 – XPath Injection
Tutorials about the plug-in.
How to Install the plug-in / User Interface / WebDemo Project
Thank you in advance,
Luciano Sampaio
Today, we are going to show the implementation of the Merge Sort algorithm, which is the fifth one from our series of tutorials on sorting algorithms. If you haven’t read the first four tutorials on BubbleSort, InsertionSort, SelectionSort and CountingSort, I strongly recommend that you go there and read them, because we will reuse code that was explained there.
The application is really simple, it will just get an instance of a Sortable algorithm, which in this case will be a MergeSort object and pass some Integer and String arrays to it, but any object that implements Comparable can be passed as a parameter as well, then it will print the elements from the sorted arrays.
public class SorterApp {
public static void main(String[] args) {
SorterApp app = new SorterApp();
app.run();
}
private void run() {
sort(new Integer[] { 2, 42, -3, 2, 4 });
sort(new Integer[] { 1, 2, 3, 4, 5 });
sort(new Integer[] { 3, 1, 5, 4, 2 });
sort(new Integer[] { 5, 4, 3, 2, 1 });
System.out.println();
sort(new String[] { "a", "b", "c", "d", "e" });
sort(new String[] { "c", "a", "e", "d", "b" });
sort(new String[] { "e", "d", "c", "b", "a" });
}
private <T> extends Comparable<T> void sort(T[] values) {
Sortable sorter = newSortable(5);
sorter.sortAscending(values);
// sorter.sortDescending(values);
Utils.printArray(values);
}
private Sortable newSortable(int sortableAlgorithm) {
switch (sortableAlgorithm) {
case 1:
return new BubbleSort();
case 2:
return new InsertionSort();
case 3:
return new SelectionSort();
case 4:
return new CountingSort();
case 5:
return new MergeSort();
default:
return new BubbleSort();
}
}
}
Continue reading Merge Sort Algorithm using Generics in Java
Today, we are going to show the implementation of the Merge Sort algorithm, which is the fifth one from our series of tutorials on sorting algorithms. If you haven’t read the first four tutorials on BubbleSort, InsertionSort, SelectionSort and CountingSort, I strongly recommend that you go there and read them, because we will reuse code that was explained there.
The application is really simple, it will just get an instance of a Sortable algorithm, which in this case will be a MergeSort object and pass some Integer and String arrays to it, but any object that implements Comparable can be passed as a parameter as well, then it will print the elements from the sorted arrays.
public class SorterApp {
public static void main(String[] args) {
SorterApp app = new SorterApp();
app.run();
}
private void run() {
sort(new Integer[] { 2, 42, -3, 2, 4 });
sort(new Integer[] { 1, 2, 3, 4, 5 });
sort(new Integer[] { 3, 1, 5, 4, 2 });
sort(new Integer[] { 5, 4, 3, 2, 1 });
System.out.println();
sort(new String[] { "a", "b", "c", "d", "e" });
sort(new String[] { "c", "a", "e", "d", "b" });
sort(new String[] { "e", "d", "c", "b", "a" });
}
private <T> extends Comparable<T> void sort(T[] values) {
Sortable sorter = newSortable(5);
sorter.sortAscending(values);
// sorter.sortDescending(values);
Utils.printArray(values);
}
private Sortable newSortable(int sortableAlgorithm) {
switch (sortableAlgorithm) {
case 1:
return new BubbleSort();
case 2:
return new InsertionSort();
case 3:
return new SelectionSort();
case 4:
return new CountingSort();
case 5:
return new MergeSort();
default:
return new BubbleSort();
}
}
}
Continue reading Merge Sort Algorithm using Generics in Java
Today, we are going to show the implementation of the Counting sort algorithm, which is the forth one from our series of tutorials on sorting algorithms. If you haven’t read the first three tutorials on BubbleSort, InsertionSort and SelectionSort, I strongly recommend that you read them, because we will reuse code that was explained there.
The application is really simple, it will just get an instance of a Sortable algorithm, which in this case will be a CountingSort object and pass some Integer and String arrays to it, but unlike the other three algorithms that are able to sort any object that implements Comparable, this algorithm only works with Integers (positive and negative values), the arrays of String will be ignored. The last part of the code is to print the sorted arrays.
public class SorterApp {
public static void main(String[] args) {
SorterApp app = new SorterApp();
app.run();
}
private void run() {
sort(new Integer[] { 2, 42, -3, 2, 4 });
sort(new Integer[] { 1, 2, 3, 4, 5 });
sort(new Integer[] { 3, 1, 5, 4, 2 });
sort(new Integer[] { 5, 4, 3, 2, 1 });
System.out.println();
sort(new String[] { "a", "b", "c", "d", "e" });
sort(new String[] { "c", "a", "e", "d", "b" });
sort(new String[] { "e", "d", "c", "b", "a" });
}
private <T extends Comparable<T>> void sort(T[] values) {
Sortable sorter = newSortable(4);
sorter.sortAscending(values);
// sorter.sortDescending(values);
Utils.printArray(values);
}
private Sortable newSortable(int sortableAlgorithm) {
switch (sortableAlgorithm) {
case 1:
return new BubbleSort();
case 2:
return new InsertionSort();
case 3:
return new SelectionSort();
case 4:
return new CountingSort();
default:
return new BubbleSort();
}
}
}
Today, we are going to show the implementation of the Selection Sort algorithm, which is the third one from our series of tutorials on sorting algorithms. If you haven’t read the first two tutorials on BubbleSort and InsertionSort, I strongly recommend that you go there and read them, because we will reuse code that was explained there.
The application is really simple, it will just get an instance of a Sortable algorithm, which in this case will be an SelectionSort object and pass some Integer and String arrays to it, but any object that implements Comparable can be passed as a parameter as well, then it will print the elements from the arrays.
public class SorterApp {
public static void main(String[] args) {
SorterApp app = new SorterApp();
app.run();
}
private void run() {
sort(new Integer[] { 1, 2, 3, 4, 5 });
sort(new Integer[] { 3, 1, 5, 4, 2 });
sort(new Integer[] { 5, 4, 3, 2, 1 });
System.out.println();
sort(new String[] { "a", "b", "c", "d", "e" });
sort(new String[] { "c", "a", "e", "d", "b" });
sort(new String[] { "e", "d", "c", "b", "a" });
}
private <T> extends Comparable<T> void sort(T[] values) {
Sortable sorter = newSortable(3);
sorter.sortAscending(values);
// sorter.sortDescending(values);
Utils.printArray(values);
}
private Sortable newSortable(int sortableAlgorithm) {
switch (sortableAlgorithm) {
case 1:
return new BubbleSort();
case 2:
return new InsertionSort();
case 3:
return new SelectionSort();
default:
return new BubbleSort();
}
}
}
You can see on the code below that the sortAscending and sortDescending invoke the same private method sort with the difference of just 2 parameters. This is done because the code to sort in ascending or descending order is pretty much the same; the difference is just one small detail.
Continue reading Selection Sort Algorithm using Generics in JavaToday, we are going to show the implementation of the Insertion Sort, which is the second algorithm of our series of tutorials on sorting algorithms. If you haven’t read the first tutorial on BubbleSort, I strongly recommend that you go there and read it, because we will reuse code that was explained there.
The application is really simple, it will just get an instance of a Sortable algorithm, which in this case will be an InsertionSort object and pass some Integer and String arrays to it, but any object that implements Comparable can be passed as a parameter as well, then it will print the elements from the arrays.
public class SorterApp { public static void main(String[] args) { SorterApp app = new SorterApp(); app.run(); } private void run() { sort(new Integer[] { 1, 2, 3, 4, 5 }); sort(new Integer[] { 3, 1, 5, 4, 2 }); sort(new Integer[] { 5, 4, 3, 2, 1 }); System.out.println(); sort(new String[] { "a", "b", "c", "d", "e" }); sort(new String[] { "c", "a", "e", "d", "b" }); sort(new String[] { "e", "d", "c", "b", "a" }); } private &amp;amp;amp;amp;amp;amp;lt;T extends Comparable&amp;amp;amp;amp;amp;amp;lt;T&amp;amp;amp;amp;amp;amp;gt;&amp;amp;amp;amp;amp;amp;gt; void sort(T[] values) { Sortable sorter = newSortable(2); sorter.sortAscending(values); // sorter.sortDescending(values); Utils.printArray(values); } private Sortable newSortable(int sortableAlgorithm) { switch (sortableAlgorithm) { case 1: return new BubbleSort(); case 2: return new InsertionSort(); default: return new BubbleSort(); } } }Continue reading Insertion Sort Algorithm using Generics in Java
This is our first tutorial about sorting algorithms and we are going to start by showing the Bubble Sort. It gets its name from the way smaller elements “bubble” to the top of the list.
We will create other sorting algorithms, so the first thing we need to do is prepare the structure of classes and packages that we are going to use.
Every sorting algorithm that we are going to create will have at least 2 public methods, which are: sortAscending and sortDescending. To make sure this will always be true, we are going to create an Interface called Sortable.
public interface Sortable {
<T> extends Comparable<T> void sortAscending(T[] values);
<T> extends Comparable<T> void sortDescending(T[] values);
}
Continue reading Bubble Sort Algorithm using Generics in Java If you write Java code and works with Eclipse, you probably know that Eclipse allows you to change many of its default preferences, but once you’ve done that you will not want to do it again and again every time you change a computer or when there is a new teammate on your team, right?
Well, Eclipse allows you to export and import these preferences helping you not waste time.
To export you need to do the following:
Continue reading Sharing Eclipse preferences with your teammates