Submitted Proposals

DEI - FCTUC
Generated on 2024-05-02 04:30:29 (Europe/Lisbon).

Internship Title

Can Code Smells be Indicators of Software Security Vulnerabilities?

Areas of Specialisation

Software Engineering

Internship Location

DEI

Background

Building software without security vulnerabilities, despite the huge advances in software development processes, is still very difficult, if not impossible. A promising approach to dealing with software security problems is to eliminate software flaws and bugs in the early phases of software development, when corrections are easier and less costly.

Software development and maintenance are continuous activities with a never-ending cycle. While developers implement new functionalities or commit changes to a software system to fix bugs, they sometimes introduce "code smells", which are early symptoms of poor design or implementation choices. It is consensual that code smells negatively influence software quality, but can they also be indicators of security problems in software? To answer this question, we aim to perform an exploratory study of code smells and their relationship with security vulnerabilities.

Objective

The goal of this work is to identify correlations between code smells and security vulnerabilities in software systems. To do so, we are going to use a dataset that includes reported security vulnerabilities for functions, classes, and files of several versions of five widely used projects implemented in C/C++. The selected student will need to: 1) select a representative list of code smell detection tools (e.g., inFusion, JDeodorant, PMD, and JSpIRIT); 2) apply the selected tools to several versions of the above projects; 3) insert the detected code smells into the dataset; 4) identify and calculate correlations between code smells and the security vulnerabilities.
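As an added illustration of steps 3 and 4 (example code written for this page, not part of the proposal or of the advisor's dataset), the following Python joins tool-style smell detections with a vulnerability table keyed by (project, version, function) and measures, per smell, the phi coefficient and the odds ratio against the "vulnerable" label. The project, function and smell names and all records are constructed sample values.

```python
from collections import defaultdict
from math import sqrt

# Constructed sample rows from a vulnerability dataset: (project, version, function, vulnerable).
VULN_DATASET = [
    ("projA", "1.0", "parse_header", True),
    ("projA", "1.0", "copy_buf", True),
    ("projA", "1.0", "log_msg", False),
    ("projA", "1.0", "init_cfg", False),
    ("projA", "1.1", "parse_header", False),
    ("projA", "1.1", "copy_buf", True),
    ("projA", "1.1", "log_msg", False),
    ("projA", "1.1", "init_cfg", False),
]
# Constructed smell detections as a detection tool would report them, keyed the same way.
SMELL_DETECTIONS = [
    ("projA", "1.0", "parse_header", "Long Method"),
    ("projA", "1.0", "copy_buf", "Long Method"),
    ("projA", "1.0", "copy_buf", "Duplicated Code"),
    ("projA", "1.0", "log_msg", "Duplicated Code"),
    ("projA", "1.1", "parse_header", "Long Method"),
    ("projA", "1.1", "copy_buf", "Long Method"),
    ("projA", "1.1", "init_cfg", "Duplicated Code"),
]

def contingency(dataset, detections):
    """Per smell, [a, b, c, d]: a=smell&vuln, b=smell&clean, c=no smell&vuln, d=no smell&clean."""
    smells_of = defaultdict(set)          # (project, version, function) -> smells found there
    for proj, ver, func, smell in detections:
        smells_of[(proj, ver, func)].add(smell)
    tables = {smell: [0, 0, 0, 0] for *_, smell in detections}
    for proj, ver, func, vulnerable in dataset:   # every dataset function counts once per smell
        present = smells_of.get((proj, ver, func), set())
        for smell, cell in tables.items():
            cell[(0 if smell in present else 2) + (0 if vulnerable else 1)] += 1
    return tables

def phi(a, b, c, d):
    """Phi coefficient: Pearson correlation between two binary variables (smell present, vulnerable)."""
    denom = sqrt((a + b) * (c + d) * (a + c) * (b + d))
    return (a * d - b * c) / denom if denom else 0.0

def odds_ratio(a, b, c, d):
    """Odds of being vulnerable with the smell vs. without; 0.5 is added to each cell to avoid zero cells."""
    return ((a + 0.5) * (d + 0.5)) / ((b + 0.5) * (c + 0.5))

def correlate(dataset=VULN_DATASET, detections=SMELL_DETECTIONS):
    """Return {smell: (phi, odds_ratio)}: the association of each smell with the vulnerable label."""
    return {s: (phi(*t), odds_ratio(*t)) for s, t in contingency(dataset, detections).items()}
```

On real data the same tables feed a significance test (e.g. Fisher's exact test) and should be computed per project and per version as well as pooled, since smell prevalence differs across code bases.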

Work Plan - Semester 1

[Some tasks might overlap; M=Month]

T1 (M1-M2): Knowledge transfer and state-of-the-art analysis (i.e., study the concepts behind code smells and security vulnerabilities).

T2 (M3): Studying the dataset and preparing all materials required for the work (including the code smell detection tools and the source code of the projects).

T3 (M4): Applying the code smell detection tools to the source code of the projects.

T4 (M5): Writing the Intermediate Report.

Work Plan - Semester 2

[Some tasks might overlap; M=Month]

T1 (M6): Integrating the comments from the intermediate defense into the work and the report.

T2 (M6): Inserting the detected code smells into the dataset.

T3 (M7): Identifying and calculating the correlation between the code smells and security vulnerabilities.

T4 (M8-M9): Writing a paper and submitting it to a related international conference.

T5 (M10): Writing the thesis.

Conditions

The selected student will be integrated into the Software and Systems Engineering (SSE) group of CISUC, and the work will be carried out in the facilities of the Department of Informatics Engineering at the University of Coimbra (CISUC - Software and Systems Engineering Group), where a workplace and the necessary computer resources will be provided.

Remarks

Please contact the advisors with any questions or requests for clarification. There is the possibility of offering a BIC scholarship to the student.

Advisor

Naghmeh Ivaki
naghmeh@dei.uc.pt