Massey Documents by Type

Permanent URI for this community: https://mro.massey.ac.nz/handle/10179/294

Search Results

Now showing 1 - 5 of 5
  • Item
    Security analyses for detecting deserialisation vulnerabilities : a thesis presented in partial fulfilment of the requirements for the degree of Doctor of Philosophy in Computer Science at Massey University, Palmerston North, New Zealand
    (Massey University, 2021) Rasheed, Shawn
    An important task in software security is to identify potential vulnerabilities. Attackers exploit security vulnerabilities in systems to obtain confidential information, to breach system integrity, and to make systems unavailable to legitimate users. In recent years, particularly 2012, there has been a rise in reported Java vulnerabilities. One type of vulnerability involves (de)serialisation, a commonly used feature to store objects or data structures to an external format and restore them. In 2015, a deserialisation vulnerability was reported involving Apache Commons Collections, a popular Java library, which affected numerous Java applications. Another major deserialisation-related vulnerability that affected 55% of Android devices was reported in 2015. Both of these vulnerabilities allowed arbitrary code execution on vulnerable systems by malicious users, a serious risk, and this came as a call for the Java community to issue patches to fix serialisation related vulnerabilities in both the Java Development Kit and libraries. Despite attention to coding guidelines and defensive strategies, deserialisation remains a risky feature and a potential weakness in object-oriented applications. In fact, deserialisation related vulnerabilities (both denial-of-service and remote code execution) continue to be reported for Java applications. Further, deserialisation is a case of parsing where external data is parsed from their external representation to a program's internal data structures and hence, potentially similar vulnerabilities can be present in parsers for file formats and serialisation languages. The problem is, given a software package, to detect either injection or denial-of-service vulnerabilities and propose strategies to prevent attacks that exploit them. The research reported in this thesis casts detecting deserialisation related vulnerabilities as a program analysis task. 
The goal is to automatically discover this class of vulnerabilities using program analysis techniques, and to experimentally evaluate the efficiency and effectiveness of the proposed methods on real-world software. We use multiple techniques to detect reachability to sensitive methods and taint analysis to detect if untrusted user-input can result in security violations. Challenges in using program analysis for detecting deserialisation vulnerabilities include addressing soundness issues in analysing dynamic features in Java (e.g., native code). Another hurdle is that available techniques mostly target the analysis of applications rather than library code. In this thesis, we develop techniques to address soundness issues related to analysing Java code that uses serialisation, and we adapt dynamic techniques such as fuzzing to address precision issues in the results of our analysis. We also use the results from our analysis to study libraries in other languages, and check if they are vulnerable to deserialisation-type attacks. We then provide a discussion on mitigation measures for engineers to protect their software against such vulnerabilities. In our experiments, we show that we can find unreported vulnerabilities in Java code; and how these vulnerabilities are also present in widely-used serialisers for popular languages such as JavaScript, PHP and Rust. In our study, we discovered previously unknown denial-of-service security bugs in applications/libraries that parse external data formats such as YAML, PDF and SVG.
  • Item
    OOPS-Algol : an extension to PS-Algol to support object-orientated programming : a thesis presented in partial fulfilment of the requirements for the degree of Master of Science at Massey University
    (Massey University, 1989) Ryder, William Dennis
    Object-oriented programming is becoming a widely accepted paradigm to promote software reuse and data abstraction. Many languages are having object oriented capabilities added to them. PS-Algol is a language which supports procedures as first class data, and supports orthogonality of persistence. OOPS-Algol extends the PS-Algol language to support object-oriented programming. OOPS-Algol is different from most other object-oriented languages in that it explicitly separates the implementation of a class's protocol from the description of that protocol. The class hierarchy is used solely for defining the conceptual relationships between classes. The inheritance hierarchy is used to promote code sharing, without being constrained by the class hierarchy. This capability furthers progress towards the goal of separating the conceptual design of a system from its implementation.
  • Item
    Real world evaluation of aspect-oriented software development : a thesis submitted in partial fulfilment of the requirements for the degree of Master of Science in Computer Science at Massey University, Palmerston North, New Zealand
    (Massey University, 2006) Elgar, Christopher Mark
    Software development has improved over the past decade with the rise in the popularity of the Object-Oriented (OO) development approach. However, software projects continue to grow in complexity and continue to have alarmingly low rates of success. Aspect-Oriented Programming (AOP) is touted to be one solution to this software development problem. It shows promise of reducing programming complexity, making software more flexible and more amenable to change. The central concept introduced by AOP is the aspect. An aspect is used to modularise crosscutting concerns in a similar fashion to the way classes modularise business concerns. A crosscutting concern cannot be modularised in approaches such as OO because the code to realise the concern must be spread throughout the module (e.g. a tracing concern is implemented by adding code to every method in a system). AOP also introduces join points, pointcuts, and advice which are used with aspects to capture crosscutting concerns so they can be localised in a modular unit. OO took approximately 20 years to become a mainstream development approach. AOP was only invented in 1997. This project considers whether AOP is ready for commercial adoption. This requires analysis of the AOP implementations available, tool support, design processes, testing tools, standards, and support infrastructure. Only when AOP is evaluated across all these criteria can it be established whether it is ready to be used in commercial projects. Moreover, if companies are to invest time and money into adopting AOP, they must be aware of the benefits and risks associated with its adoption. This project attempts to quantify the potential benefits in adopting AOP, as well as identifying areas of risk. SolNet Solutions Ltd, an Information Technology (IT) company in Wellington, New Zealand, is used in this study as a target environment for integration of aspects into a commercial development process. 
SolNet is in the business of delivering large scale enterprise Java applications. To assist in this process they have developed a Common Services Architecture (CSA) containing components that can be reused to reduce risk and cost to clients. However, the CSA is complicated and SolNet have identified aspects as a potential solution to decrease the complexity. Aspects were found to bring substantial improvement to the Service Layer of SolNet applications, including substantial reductions in complexity and size. This reduces the cost and time of development, as well as the risk associated with the projects. Moreover, the CSA was used in a more consistent fashion making the system easier to understand and maintain, and several crosscutting concerns were modularised as part of a reusable aspect library which could eventually form part of their CSA. It was found that AOP is approaching commercial readiness. However, more work is needed on defining standards for aspect languages and modelling of design elements. The current solutions in this area are commercially viable, but would greatly benefit from a standardised approach. Aspect systems can be difficult to test and the effect of the weaving process on Java serialisation requires further investigation.
  • Item
    An object-oriented database methodology for application development with extended relational or object-oriented DBMS : a thesis presented in partial fulfilment of the requirements for the degree of Master of Science in Computer Science at Massey University
    (Massey University, 1992) Liew, Benny
    Recently development methodologies have been proposed which describe themselves as "Object Oriented". While all of them offer approaches to extended data and behavioural modelling, none of them seem fully adequate to address the total concept of object-oriented development. They often do not provide constructs which lead to the use of databases, nor do they always recognise the shift from sequential to prototyping style which is inherent in much object-oriented technology. The objective of this thesis is to lay a framework for an object-oriented methodology suitable for OODBMS. Details of conventional methods for developing database applications, and of the recent OO methods, have been examined and compared in order to propose a coherent set of tasks and deliverables. Account has also been taken of designing for re-use, which has been one of the main selling points of the OO approach. The proposed methodology attempts to address related side issues, with particular focus on object concurrency, which seems particularly thinly covered in many of the current proposals. Many other side issues are also mentioned, but due to time constraints, they are not given any further discussion. The topic is an extremely multidisciplinary one, and a very wide range of expertise would be necessary to do justice to all these aspects. Mapping of the new methodology has been tried on two case study examples using Postgres and Ontos. Postgres is an extended relational DBMS developed as a research prototype at University of California, Berkeley. Ontos is the commercial object-oriented DBMS marketed by Ontos Incorporated, Burlington, Massachusetts. Some details of these implementation examples are included.
  • Item
    Managing user interface pattern collections : a thesis presented in partial fulfilment of the requirements for the degree of Master of Science in Computer Science at Massey University, Palmerston North, New Zealand
    (Massey University, 2006) Deng, Junhua
    The research presented in this thesis describes the development of a comprehensive UI pattern management tool, MUIP, to support researchers and UI designers manipulate and explore a repository of UI pattern collections. The concept of patterns originated from Alexander's pattern language for the architecture domain. Later, the software development and HCI communities adopted the pattern concept. Many disparate UI pattern collections have been developed and published using various media, such as books, internet, etc. Various pattern formats were used in these collections. In 2003, to cope with this problem, a group of HCI researchers developed a standardised pattern form, called PLML. Researchers have authored patterns, investigated the characteristics of pattern collections and also identified many of the functions required to manage pattern collections. A framework for MUIP has been developed in the light of the analysis of the relevant literature and a survey of existing pattern tools. The framework supports the following features: pattern authoring, manipulating forces, browsing patterns, searching patterns, versioning and customising patterns, relating patterns, manipulating collections and importing or exporting patterns. Patterns are described using the standard pattern form (PLML). An enhanced version of PLML, called PLML v1.2, has been developed so that pattern contents can be organised more effectively. Based on this framework, a specification of a comprehensive pattern management system for manipulating pattern collections was developed and a prototype implemented accordingly. A formal evaluation confirmed the usefulness of the prototype.