Massey Documents by Type

Permanent URI for this communityhttps://mro.massey.ac.nz/handle/10179/294

Browse

Filters

Settings

Has files: YesSubject: search.filters.subject.Java (Computer program language)

Search Results

Now showing 1 - 8 of 8
  • Thumbnail Image
    Item
    An investigation into the unsoundness of static program analysis : a thesis presented in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Computer Science at Massey University, Palmerston North, New Zealand
    (Massey University, 2021) Sui, Li
    Static program analysis is widely used in many software applications such as in security analysis, compiler optimisation, program verification and code refactoring. In contrast to dynamic analysis, static analysis can perform a full program analysis without the need of running the program under analysis. While it provides full program coverage, one of the main issues with static analysis is imprecision -- i.e., the potential of reporting false positives due to overestimating actual program behaviours. For many years, research in static program analysis has focused on reducing such imprecision while improving scalability. However, static program analysis may also miss some critical parts of the program, resulting in program behaviours not being reported. A typical example of this is the case of dynamic language features, where certain behaviours are hard to model due to their dynamic nature. The term ``unsoundness'' has been used to describe those missed program behaviours. Compared to static analysis, dynamic analysis has the advantage of obtaining precise results, as it only captures what has been executed during run-time. However, dynamic analysis is also limited to the defined program executions. This thesis investigates the unsoundness issue in static program analysis. We first investigate causes of unsoundness in terms of Java dynamic language features and identify potential usage patterns of such features. We then report the results of a number of empirical experiments we conducted in order to identify and categorise the sources of unsoundness in state-of-the-art static analysis frameworks. Finally, we quantify and measure the level of unsoundness in static analysis in the presence of dynamic language features. The models developed in this thesis can be used by static analysis frameworks and tools to boost the soundness in those frameworks and tools.
  • Thumbnail Image
    Item
    Security analyses for detecting deserialisation vulnerabilities : a thesis presented in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Computer Science at Massey University, Palmerston North, New Zealand
    (Massey University, 2021) Rasheed, Shawn
    An important task in software security is to identify potential vulnerabilities. Attackers exploit security vulnerabilities in systems to obtain confidential information, to breach system integrity, and to make systems unavailable to legitimate users. In recent years, particularly 2012, there has been a rise in reported Java vulnerabilities. One type of vulnerability involves (de)serialisation, a commonly used feature to store objects or data structures to an external format and restore them. In 2015, a deserialisation vulnerability was reported involving Apache Commons Collections, a popular Java library, which affected numerous Java applications. Another major deserialisation-related vulnerability that affected 55\% of Android devices was reported in 2015. Both of these vulnerabilities allowed arbitrary code execution on vulnerable systems by malicious users, a serious risk, and this came as a call for the Java community to issue patches to fix serialisation related vulnerabilities in both the Java Development Kit and libraries. Despite attention to coding guidelines and defensive strategies, deserialisation remains a risky feature and a potential weakness in object-oriented applications. In fact, deserialisation related vulnerabilities (both denial-of-service and remote code execution) continue to be reported for Java applications. Further, deserialisation is a case of parsing where external data is parsed from their external representation to a program's internal data structures and hence, potentially similar vulnerabilities can be present in parsers for file formats and serialisation languages. The problem is, given a software package, to detect either injection or denial-of-service vulnerabilities and propose strategies to prevent attacks that exploit them. The research reported in this thesis casts detecting deserialisation related vulnerabilities as a program analysis task. The goal is to automatically discover this class of vulnerabilities using program analysis techniques, and to experimentally evaluate the efficiency and effectiveness of the proposed methods on real-world software. We use multiple techniques to detect reachability to sensitive methods and taint analysis to detect if untrusted user-input can result in security violations. Challenges in using program analysis for detecting deserialisation vulnerabilities include addressing soundness issues in analysing dynamic features in Java (e.g., native code). Another hurdle is that available techniques mostly target the analysis of applications rather than library code. In this thesis, we develop techniques to address soundness issues related to analysing Java code that uses serialisation, and we adapt dynamic techniques such as fuzzing to address precision issues in the results of our analysis. We also use the results from our analysis to study libraries in other languages, and check if they are vulnerable to deserialisation-type attacks. We then provide a discussion on mitigation measures for engineers to protect their software against such vulnerabilities. In our experiments, we show that we can find unreported vulnerabilities in Java code; and how these vulnerabilities are also present in widely-used serialisers for popular languages such as JavaScript, PHP and Rust. In our study, we discovered previously unknown denial-of-service security bugs in applications/libraries that parse external data formats such as YAML, PDF and SVG.
  • Thumbnail Image
    Item
    A study of a Java based framework for telecommunications services : a dissertation submitted in fulfilment of the requirements for the degree of Master of Science in Computer Science, Massey University, New Zealand
    (Massey University, 2000) Ferry, David Ian
    In this report, we study some of the general issues surrounding the area of telecommunications service development including the history of telecommunications services, current service creation techniques and the network used by services. We also discuss the lack of service portability and reasons for it. The JAIN framework – a set of Java APIs for integrated networks – is introduced as an approach that elegantly addresses this. We present a survey of recent work in telecommunications services that relate to JAIN. This includes a discussion of the feature interaction problem, an overview of the Telecommunications Information Networking Architecture, in particular, its relationship with JAIN, and the rapidly advancing field of Internet Telephony. In order to demonstrate the effectiveness of the JAIN approach we present designs for two advanced services that use the JAIN framework. These services are Internet Call Waiting and Click-to-Dial. Finally, areas for future research are introduced.
  • Thumbnail Image
    Item
    A scalable application server on Beowulf clusters : a thesis presented in partial fulfilment of the requirement for the degree of Master of Information Science at Albany, Auckland, Massey University, New Zealand
    (Massey University, 2005) Zhou, Michael Zhiyong
    Application performance and scalability of a large distributed multi-tiered application is a core requirement for most of today's critical business applications. I have investigated the scalability of a J2EE application server using the standard ECperf benchmark application in the Massey Beowulf Clusters namely the Sisters and the Helix. My testing environment consists of Open Source software: The integrated JBoss-Tomcat as the application server and the web server, along with PostgreSQL as the database. My testing programs were run on the clustered application server, which provide replication of the Enterprise Java Bean (EJB) objects. I have completed various centralized and distributed tests using the JBoss Cluster. I concluded that clustering of the application server and web server will effectively increase the performance of the application running on them given sufficient system resources. The application performance will scale to a point where a bottleneck has occurred in the testing system, the bottleneck could be any resources included in the testing environment: the hardware, software, network and the application that is running. Performance tuning for a large-scale J2EE application is a complicated issue, which is related to the resources available. However, by carefully identifying the performance bottleneck in the system with hardware, software, network, operating system and application configuration. I can improve the performance of the J2EE applications running in a Beowulf Cluster. The software bottleneck can be solved by changing the default settings, on the other hand, hardware bottlenecks are harder unless more investment are made to purchase higher speed and capacity hardware.
  • Thumbnail Image
    Item
    The development of a Java image processing framework : a thesis presented in partial fulfillment of the requirements for the degree of Master of Technology in Computer Systems Engineering at Massey University
    (Massey University, 2000) McLaughlin, Jesse Louis
    Practical computer-based teaching methods are often used in conjunction with theory-based lecture sessions and textbooks when teaching image processing. In kind, electronic or on-line image processing courses commonly provide both theoretical and interactive components, however these are often disparate in that the software used to provide each component is independent rather than integrated. It is less common to find electronic instructional resources for image processing that integrate theoretical textual and practical interactive content together into one seamless package. An integrated approach has the advantage that the concepts are more easily conveyed and reinforced when taught 'side-by-side' this way. The World Wide Web offers an attractive medium for delivering an integrated instructional resource on image processing. Applets written in Java may be seamlessly integrated into a hypertext environment. These applets can provide practical demonstrations of image processing concepts along side the relevant hypertext-based theoretical content. One of the major barriers to realising this kind of resource is the development effort required to create the necessary applets. This research demonstrates that the provision of a software framework can significantly reduce the burden of developing these applets. Such a framework provides a common code base that can be drawn upon during applet development, thereby avoiding the need to start from scratch each time a new applet is needed. The framework's design is modelled on a dataflow view of image processing, allowing applets to be built in terms of interconnections between operations. This design is intended to provide the developer with an intuitive and easy-to-use application programming interface (API) for developing applets. The framework also provides APIs for the programmer to implement new operations and data types, thereby extending the capabilities of the framework. Further, the framework's design is general enough to allow it to be used for developing general purpose image processing programs, or other programs that lend themselves to development using a dataflow language. This thesis shows that the proposed framework achieves its aims through an example application of the development of an applet that demonstrates a thresholding operation.
  • Thumbnail Image
    Item
    The development of a Java based GIS viewing tool : a thesis presented in partial fulfilment of the requirements for the degree of Masters of Technology in Information Engineering at Massey University
    (Massey University, 1999) Maguire, James
    Geographic Information Systems (GIS) industry sources quote the ratio of power users to casual users at 1000:1, within New Zealand this figure has been found to be 30:1. The casual user is often under-supported, with slow and cumbersome viewing tools. This project implements a full data download system in Java for use with Genasys (New Zealand) GIS software. Three components were developed; a vector data handler, an image download system, and a database client. These components were integrated to form a powerful client that offered a significant performance increase over the "server based" client. The image download system outperformed the "server based" client by over 400%. The vector data handler outperformed the "server based" client by over 50%, while the database client was over 250% quicker. GIS users rated all components to be of significant benefit, offering improved performance over their current GIS viewing tools. The work completed in this thesis provides Genasys (New Zealand) a useful tool to enable powerful, fast and stable Java based GIS viewing clients. Keywords: GIS, Java, computer graphics, image pyramid.
  • Thumbnail Image
    Item
    The hand drawn web editor : a thesis presented in partial fulfilment of the requirements for the degree of Master of Science in Computer Science at Massey University
    (Massey University, 1999) Cui, Meihua
    The Web is increasingly the most important part of the Internet for many users. Millions of new Web pages are being posted in the Internet everyday. The Internet has also become a mass-medium for lecturers distributing the lecture notes. Most of the Web editors currently available in the market can not provide the users, especially the lecturers, with a convenient way to handle special scientific symbols or characters that are not on the keyboard directly. It always takes several steps to insert or edit those special characters. It slows down the data input dramatically. Hand Drawn Web Editor (HDWE) is a stand-alone electronic publishing application. It is designed to provide the user with the integrated environment to edit and browse Html documents. It can also provide a user with a Hand Drawn Panel (HDP) so that he or she can input and edit special scientific symbols and characters freely upon the request. The development environment, frameworks, tools have been discussed in detail. The full development life cycle has been documented using Rational Rose. Some problems have been encountered and their solutions have been described.
  • Thumbnail Image
    Item
    On the classification of cyclic dependencies in Java programs : a thesis presented in partial fulfilment of the requirements for the degree of Master of Science in Computer Science at Massey University, Manawatū, New Zealand
    (Massey University, 2013) Al-Mutawa, Hussain Abdullah A
    Software engineering guidelines and rules discourage cyclic dependencies between modules, yet empirical studies have shown that many software systems are burdened with them. This might indicate that not all cycles are as detrimental to software quality as previously thought. Clearly, a better understanding of the types of cyclic dependencies and their effect on software quality is required. As a first step in this direction, we look closely at the shapes formed by software dependency graphs containing cyclic dependencies. Such cyclic dependencies correspond to the concept of strongly connected components in graph theory. We propose an approach to classify strongly connected components according to their topologies. This allows us to distinguish between dense and sparse, symmetric and asymmetric structures. We extend on previous studies and investigate the relationship between cyclic dependencies and the package containment tree. We validate our approach with experiments based on a corpus of 103 open–source Java systems. We find that cyclic dependencies tend to form in branches of the package containment tree around parent packages that are not critical according to some researchers.