Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Software Ingredients:

Published byAbraham Wood Modified over 8 years ago

Similar presentations

Presentation on theme: "Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Software Ingredients:"— Presentation transcript:

1 Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Software Ingredients: Detection of Third-party Component Reuse in Java Software Release Takashi Ishio †, Raula Gaikovina Kula †, Tetsuya Kanda †, Daniel M. German ‡, Katsuro Inoue † MSR2016 † Osaka University, Japan ‡ University of Victoria, Canada

2 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Motivation: Software Reuse In Java, many binary components are reused in a product binary. 1 Google Web Toolkit 2.7.0 All-in-one package for WebApp development Apache Ant Apache Commons Codec Apache Commons Collections Apache HttpClient Apache XalanHTMLUnit … is-made-of

3 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Is it safe? 2 Google Web Toolkit 2.7.0 Security Advisories #2014-002 Xalan-Java insufficient secure processing http://www.ocert.org/advisories/ocert-2014-002.html arbitrary code can be executed if … [Affected versions: before 2.7.2] All-in-one package for WebApp development Relevant? Product Documentation A partial list of components No version numbers

4 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Detection of Software Components 3 Google Web Toolkit 2.7.0 Apache Ant 1.6.5 Apache Commons Codec 1.8 Apache Commons Collections 3.2.1 Apache HttpClient 4.3.1 Apache Xalan 2.7.1 HtmlUnit 2.13 Vulnerability Note VU#576313 Apache Commons Collections library insecurely deserializes data. [Affected versions: 3.2.1, 4.0] https://www.kb.cert.org/vuls/id/576313 #2014-002 Xalan-Java insufficient secure processing http://www.ocert.org/advisories/ocert-2014-002.html arbitrary code can be executed if … [Affected versions: before 2.7.2] Our tool detects component names and their version numbers in a given jar file. is-made-of

5 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Actions based on Detection Result Upgrade the whole product if available Upgrade vulnerable components if available Use the product in a safe environment if upgrade is impossible Accept a risk (Continue to use the product) if vulnerability conditions are unsatisfiable 4

6 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University A How to Detect Components 5 Input: a jar file gwt-dev-2.7.0.jar ant-1.6.4.jar ant-1.6.5.jar ant-1.7.0.jar collections-3.2.0.jar collections-3.2.1.jar collections-3.2.2.jar Component Database (e.g. Maven.org) includes? ant-1.6.5.jar collections-3.2.1.jar Output: jar files that are the most likely included in the input file

7 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University A previous work: Software Bertillonage 6 [target.jar] Class Signature A7fabc... Bff1dc... C07a21... E920b4... F6b9a3... Ga18e0... [X-1.0.jar] Class Signature A7fabc... Bff1dc... C07a21... [X-1.1.jar] Class Signature A7fabc... C07a21... D35e23... [Y-0.1.jar] Class Signature E920b4... [Z-0.2.jar] Class Signature E920b4... F6b9a3... Database Input: Component Likely Included? X-1.0.jar0.5 ✔ X-1.1.jar0.286 Y-0.1.jar0.167 ✔ Z-0.2.jar0.333 ✔ A user has to manually identify original components using the information.

8 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University The key difference: Greedy search Strategy: –Select the largest, entirely copied jar file 7 [target.jar] Class Signature A7fabc... Bff1dc... C07a21... E920b4... F6b9a3... Ga18e0... [X-1.0.jar] Class Signature A7fabc... Bff1dc... C07a21... [X-1.1.jar] Class Signature A7fabc... C07a21... D35e23... [Y-0.1.jar] Class Signature E920b4... [Z-0.2.jar] Class Signature E920b4... F6b9a3... Input: Database

9 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University The key difference: Greedy search Strategy: –Select the largest, entirely copied jar file Greedy Search in this example: 1.Select X-1.0 because it provides 3 of 6 classes. 8 [target.jar] Class Signature A7fabc... Bff1dc... C07a21... E920b4... F6b9a3... Ga18e0... [X-1.0.jar] Class Signature A7fabc... Bff1dc... C07a21... [X-1.1.jar] Class Signature A7fabc... C07a21... D35e23... [Y-0.1.jar] Class Signature E920b4... [Z-0.2.jar] Class Signature E920b4... F6b9a3... Database Input: 3 classes

10 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University The key difference: Greedy search Strategy: –Select the largest, entirely copied jar file Greedy Search in this example: 1.Select X-1.0 because it provides 3 of 6 classes. 2.Select Z-0.2 because it provides 2 of 3 remaining classes. 9 [target.jar] Class Signature A7fabc... Bff1dc... C07a21... E920b4... F6b9a3... Ga18e0... [X-1.0.jar] Class Signature A7fabc... Bff1dc... C07a21... [X-1.1.jar] Class Signature A7fabc... C07a21... D35e23... [Y-0.1.jar] Class Signature E920b4... [Z-0.2.jar] Class Signature E920b4... F6b9a3... Database Input: 2 classes

11 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University The key difference: Greedy search Strategy: –Select the largest, entirely copied jar file Greedy Search in this example: 1.Select X-1.0 because it provides 3 of 6 classes. 2.Select Z-0.2 because it provides 2 of 3 remaining classes. 3.X-1.1 and Y-0.1 are not selected because they do not cover the remaining class G. 10 [target.jar] Class Signature A7fabc... Bff1dc... C07a21... E920b4... F6b9a3... Ga18e0... [X-1.0.jar] Class Signature A7fabc... Bff1dc... C07a21... [X-1.1.jar] Class Signature A7fabc... C07a21... D35e23... [Y-0.1.jar] Class Signature E920b4... [Z-0.2.jar] Class Signature E920b4... F6b9a3... Database Input:

12 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University The key difference: Greedy search 11 [target.jar] Class Signature A7fabc... Bff1dc... C07a21... E920b4... F6b9a3... Ga18e0... [X-1.0.jar] Class Signature A7fabc... Bff1dc... C07a21... [X-1.1.jar] Class Signature A7fabc... C07a21... D35e23... [Y-0.1.jar] Class Signature E920b4... [Z-0.2.jar] Class Signature E920b4... F6b9a3... Database Input: is-made-of Strategy: –Select the largest, entirely copied jar file Greedy Search in this example: 1.Select X-1.0 because it provides 3 of 6 classes. 2.Select Z-0.2 because it provides 2 of 3 remaining classes. 3.X-1.1 and Y-0.1 are not selected because they do not cover the remaining class G.

13 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University ant-1.6.5.jar commons- codec-1.8.jar collections- 3.2.1.jar Experiment to evaluate accuracy Comparison with the previous work –Component database: Sourcerer Dataset (172,232 jar files) A snapshot of Maven repository on August, 2012. –1,000 artificial products: We randomly selected 10—1,000 components and repackaged them into a single jar file. 12 ant-1.6.5.jar commons- codec-1.8.jar collections- 3.2.1.jar An artificially mixed jar file Our method and the previous work Copy classes ant-1.6.5.jar commons- codec-1.8.jar collections- 3.2.1.jar Verify the result (Compute precision and recall) Randomly selected components Reported components

14 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Result: Precision and Recall 13 The previous work Our method Precision:0.357  0.998 Improved! Recall:0.993  0.997

15 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Conclusion Our method detects components in a Java binary file. –Compare a binary with all the components in a database –Introduced a greedy search to select reused components Precision:0.357  0.998 Recall:0.993  0.997 –Our simple implementation (< 2.5KLOC) is available on GitHub http://www.github.com/takashi-ishio/JIngredients/ Future Work –Component detection in source code –Empirical studies on inter-project code reuse 14

16 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University 15

17 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Limitation The experiment is performed on an ideal situation: The database included all the reused components. –In reality, it is not so easy to keep all the components. Our method and the previous work use identifiers (e.g. package names, class names) to compare classes. –Our method is applicable to release engineering activities and open source projects. –Our method is inapplicable to obfuscated code. We need a technique to identify similar classes in obfuscated code. 16

18 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Q. Component dependencies are managed by a tool such as Maven -- Is it insufficient? A.Insufficient. Because some components have an internal copy of their dependent components. For example, GWT re-packages all the dependent components to simplify dependencies. The dependent components, e.g. Ant and Xalan, do not appear in pom files of GWT users. 17

19 Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Q. Why don’t you use a MD5 file hash to compare classes? A file hash (e.g. SHA-1, MD5) cannot compare classes, because different compilers generate different binary files. –JDK version and debug information also affects binary files. Davies et al. reported that 48% of jar files in Debian GNU/Linux have no class files that were identical to any classes in the Maven Central Repository. 18

Download ppt "Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Software Ingredients:"

Similar presentations

Assieme: Finding and Leveraging Implicit References in a Web Search Interface for Programmers I am Raphael Hoffmann and this is joint work with James Fogarty.

Assieme: Finding and Leveraging Implicit References in a Web Search Interface for Programmers I am Raphael Hoffmann and this is joint work with James Fogarty.
Configuration management

Configuration management
Introduction to Maven 2.0 An open source build tool for Enterprise Java projects Mahen Goonewardene.

Introduction to Maven 2.0 An open source build tool for Enterprise Java projects Mahen Goonewardene.
Web Toolkit Julie George & Ronald Lopez 1. Requirements  Java SDK version 1.5 or later  Apache Ant is also necessary to run command line arguments 

Web Toolkit Julie George & Ronald Lopez 1. Requirements  Java SDK version 1.5 or later  Apache Ant is also necessary to run command line arguments 
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Identifying Source.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Identifying Source.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Extraction of.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Extraction of.
What is a Programming Language? The computer operates using binary numbers. The computer only knows about 1’s and 0’s. Humans can also use 1’s and 0’s,

What is a Programming Language? The computer operates using binary numbers. The computer only knows about 1’s and 0’s. Humans can also use 1’s and 0’s,
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Extracting Code.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Extracting Code.
SWE Introduction to Software Engineering

SWE Introduction to Software Engineering
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University A Prototype of.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University A Prototype of.
CS 5150 1 CS 5150 Software Engineering Lecture 13 System Architecture and Design 1.

CS CS 5150 Software Engineering Lecture 13 System Architecture and Design 1.
Swami NatarajanJuly 14, 2015 RIT Software Engineering Reliability: Introduction.

Swami NatarajanJuly 14, 2015 RIT Software Engineering Reliability: Introduction.
Stimulating reuse with an automated active code search tool Júlio Lins – André Santos (Advisor) –

Stimulating reuse with an automated active code search tool Júlio Lins – André Santos (Advisor) –
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Measuring Copying.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Measuring Copying.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Industrial Application.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Industrial Application.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Where Does This.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University Where Does This.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University ICSE 2003 Java.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University ICSE 2003 Java.
Yuki Manabe*, Daniel M. German†,‡ and Katsuro Inoue†

Yuki Manabe*, Daniel M. German†,‡ and Katsuro Inoue†
Detecting software clones in binaries Zaharije Radivojević, Saša Stojanović, Miloš Cvetanović School of Electrical Engineering, Belgrade University 14th.

Detecting software clones in binaries Zaharije Radivojević, Saša Stojanović, Miloš Cvetanović School of Electrical Engineering, Belgrade University 14th.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University What Kinds of.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University What Kinds of.

Similar presentations

Ads by Google