Vol 2 No.3

Special Issue on Software Optimization and Security

This special issue of the International Journal of Software Engineering (IJSE) presents state-of-the-art research on current practices in Software Engineering (SE). The issue is motivated by the guiding theme of current practices in Software Optimization and Security. The issue presents a collection of invited papers presented by prominent researchers and professionals in the Software Engineering Track of the 2009 International Conference on Information Technology: New Generation (ITNG). These papers were peer reviewed by the track reviewers and the Track Chairs. Extended versions of selected papers were invited for this issue and blind-reviewed by experts in the field.

The quality of the underlying software engineering processes and methods is essential for the success of software development. The ITNG SE Track provided researchers and practitioners a forum to present and discuss their ideas and experiences in current SE practices. The track received a wide range of research papers that address current practices in SE including surveys of methods and techniques, experience reports in application development, and reports on tool development. The presented work aimed to improve SE processes, methods, technologies, and development paradigms, and it covered different research areas in the SE field.

The goal of this issue is to present current research in the area of software optimization and security. The quality and relevance to current issues and challenges in software development make selected papers of interest to SE researchers and practitioners. Through their work, the authors have demonstrated valuable contributions to SE research and practices with emphasis on the development of tools to improve practices in two specific areas: compilation and translation (specifically, agent-oriented source-level debugging, byte code-level cross compilation, and checking design constraints at run-time), and application security (specifically, component-based implementation for network security, security risk assessment in web applications, and software watermarking application). The papers discussed tools and methods to enhance these areas of software development.

We would like to extend our sincere appreciation to the reviewers who contributed to the review process in a timely manner given the tight schedule we had for this issue. The quality of their reviews and feedback is invaluable. We also thank the authors for accepting our invitation and taking the time and effort to revise and prepare their submissions for this issue. We also would like to extend our gratitude to IJSE Editor-in-Chief and the Editorial Office staff for giving us the opportunity to compile this special issue. Their encouragement and support are invaluable.

Papers

  1. ABSTRACT  Design decisions and constraints of a software system can be specified precisely using a formal notation such as the Object Constraint Language (OCL). However, they are not executable, and assuring the conformance of an implementation to its design is hard. The inability of expressing design constraints in an implementation and checking them at runtime invites, among others, the problem of design drift and corrosion. We propose runtime checks as a solution to mitigate this problem. The key idea of our approach is to translate design constraints written in a formal notation such as OCL into aspects that, when applied to a particular implementation, check the constraints at run-time. Our approach enables runtime verification of design-implementation conformance and detects design corrosion. The approach is modular and plug-and-playable; the constraint checking logic is completely separated from the implementation modules which are oblivious of the former. We believe that a significant portion of constraints translation can be automated.

  2. ABSTRACT Model driven approaches raise the level of abstraction during software development, where the focus of the development process is no longer on programming, but instead on the creation of different models. The OMG is addressing this new methodology with their Model Driven Architecture (MDA). The Query/Views/Transformation (QVT) specification is part of the OMG’s MDA framework for combining declarative and imperative transformation languages between models. QVT-R uses a declarative (relational) approach to describe mappings between models, whereas QVT-O uses an imperative (operational) approach. Tools in this domain are still in their infancy and there exists no empirical study to compare QVT-O and QVT-R for complex application domains. In this paper we present a use case to show how both QVT-R and QVT-O can be used to map byte code instructions for Microsoft’s .NET virtual machine to Sun Microsystems’ Java Virtual Machine. We provide an extensive comparison between QVT-O and QVT-R and offer some best practices for using either transformation language.

  3. ABSTRACT As software applications become more complex they require more security, allowing them to reach an appropriate level of quality to manage information, and therefore achieving business objectives. Web applications represent one segment of software industry where security risk assessment is essential. Web engineering must address new challenges to provide new techniques and tools that guarantee high quality application development. This work focuses on asset identification, the initial step in security risk assessment for web applications. Risk assessment helps organizations determine security risks in information management systems. The formal approach to identifying information assets for risk assessment is investigated using the MAGERIT methodology and EBIOS method. This work is carried out at Simón Bolivar University (Venezuela) for its Student Opinion Survey Coordination web-based application. Under this research, a methodological tool for asset identification was developed to help the University achieve security risk assessment. Assets are identified according to their priorities in the organizational environment. This work contributes to Web Engineering in general, and to Information Security Management with emphasis on security risk assessment.

  4. ABSTRACT Dynamic Graph Watermarking (DGW) is vulnerable to attack. We propose the use of a multiple secret sharing scheme to improve the robustness of DGW. We propose using Mignotte Sequences as the way to create the watermark shares needed by the method. The new scheme is suitable for inclusion in the SandMark test program. All necessary algorithms are identified.

  5. ABSTRACT A computer network intrusion detection and prevention system consists of collecting network traffic data, discovering user behavior patterns as intrusion detection rules, and applying these rules to prevent malicious and misuse. Many commercial off-the-shelf (COTS) products have been developed to perform each of these tasks. In this paper, the component-based software engineering approach is exploited to integrate these COTS products as components into a computerized system to automatically detect intrusion rules from network traffic data and set up IPTables to prevent future potential attacks. The component-based software architecture of this kind of system is designed, COTS components are analyzed and selected, adaptor components to connect COTS products are developed, the system implementation is illustrated, and the preliminary system experiment is presented.

  6. ABSTRACT Standard debuggers are usually limited in the amount of analysis that they perform in order to assist with debugging. This paper presents UDB, an agent-oriented source-level debugger for the Unicon programming language with a novel architecture and capabilities. UDB combines classical debugging techniques such as those found in GDB with a growing set of extension agents. UDB demonstrates the feasibility of a source-level debugger built on top of a very high level event-based monitoring framework. The debugger is easily extended with new debugging agents that can employ a wide range of automatic debugging and dynamic analysis techniques.

  7. ABSTRACT In the reverse engineering of a software program, one of the key difficulties is actually to understand the software. While the published techniques work top down or bottom up, our approach works middle-out: before trying to understand the low level code, we first rebuild a hypothetical analysis model from the use cases of the system. This model then represents the target of the understanding task. In fact we try to map the code elements to the analysis objects. For this approach to be useable in large industrial software systems, it must be supported by a powerful tool. This paper presents the Eclipse plug-in we developed to support our methodology, as well as a reverse engineering scenario using this tool. We then discuss the technology we used and the result we obtained.