DOI: 10.1145/1134744.1134756

Empirical relation between coupling and attackability in software systems: a case study on DOS

Published: 10 June 2006

Abstract

Over the last decades, software quality attributes such as maintainability, reliability, and understandability have been widely studied. In contrast, less attention has been paid to the field of software security. Attackability is a concept proposed recently in the research literature to measure the extent to which a software system or service could be the target of successful attacks. Like most external attributes, attackability is to some extent disconnected from the internals of software products. To improve the quality of software products, we need to be able to affect their internal features. So, for attackability measures to be useful for software product enhancement, we need to identify related internal software attributes. In this paper we study the empirical relationship between attackability as an external software quality attribute and coupling as an internal software attribute. Specifically, we use a case study based on denial of service (DOS) attacks conducted against an online medical record keeping system. Through regression analysis, we establish that there is a strong correlation between attackability and coupling.


    Published In

    PLAS '06: Proceedings of the 2006 workshop on Programming languages and analysis for security
    June 2006
    102 pages
    ISBN:1595933743
    DOI:10.1145/1134744

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. attackability
    2. denial of service
    3. security engineering
    4. software metrics
    5. software quality

    Conference

    PLAS06

    Acceptance Rates

    Overall Acceptance Rate 43 of 77 submissions, 56%
