160 likes | 475 Views
Design/Architecture Pattern Detection. A look at methods of detecting the presence of patterns within a program’s source code – with a possible goal to verify the correct use of security patterns. Dr. Michael VanHilst 1 September 2007. Task of Pattern Detection. Given a set of patterns, P
E N D
Design/Architecture Pattern Detection A look at methods of detecting the presence of patterns within a program’s source code – with a possible goal to verify the correct use of security patterns. Dr. Michael VanHilst 1 September 2007
Task of Pattern Detection • Given a set of patterns, P • Given a program, X • Identify the presence of all patterns p in X, where p is an element of P Our potential objective • Given sets of security patterns for specific security concerns • Confirm use of a known security pattern for each concern
Not “Pattern Mining” • Given a set of successful applications • Identify recurring patterns that solve interesting problems • This is not matching Robert Martin, Discovering patterns in existing applications, Pattern Languages of Program Design, 1995
Structural Pattern Matching Candidate matches to structural patterns • Graph matching (pattern = microarchitecture) • Nodes are classes • Arcs are relationships • Inheritance, aggregation, association • Add delegation/call relation • Extracted from class & sequence diagram • creational & behavioral patterns harder
Variations on Structure Matching • Various parsing strategies to generate class and call graphs from code • Different matching criteria • Different search algorithms • The fact that classes in a pattern have direct relationships to each other greatly reduces state explosions in many search algorithms
Structure Matching Papers • Rudolf K. Keller , Reinhard Schauer , Sébastien Robitaille , Patrick Pagé, Pattern-based reverse-engineering of design components, Proceedings of the 21st international conference on Software engineering, p.226-235, May 16-22, 1999, Los Angeles, California, United States • Jochen Seemann , Jürgen Wolff von Gudenberg, Pattern-based design recovery of Java software, ACM SIGSOFT Software Engineering Notes, v.23 n.6, p.10-16, Nov. 1998 • G. Antoniol , R. Fiutem , L. Cristoforetti, Design Pattern Recovery in Object-Oriented Software, Proceedings of the 6th International Workshop on Program Comprehension, p.153, June 24-26, 1998 (most cited paper) • Istituto per la Ricerca Scientifica e Tecnologica Povo (Trento), Italy • J. Bansiya. Automating design-pattern identication - DP++ is a tool for C++ programs. Dr. Dobbs Journal, 1998. • Brown, K. (1997). Design reverse-engineering and automated design pattern detection in Smalltalk. thesis • Christian Kramer , Lutz Prechelt, Design Recovery by Automated Search for Structural Design Patterns in Object-Oriented Software, Proceedings of the 3rd Working Conference on Reverse Engineering (WCRE '96), p.208, November 08-10, 1996 (delegation check was manual) • Uni Karlsruhe
Pattern Ambiguity Client Abstraction VirtualImplementor action() Operation() Virtual OperationImp() Bridge ConcreteImplementor Concrete OperationImp() Client Invoker VirtualCommand command() Operation() Virtual Execute() Command Receiver ConcreteCommand action() Concrete Execute()
MAISA • General structure recognition tool using constraint satisfaction • Add more constraints to improve accuracy • Parse code to intermediate UML models • Define constraints on model properties • (works for select structure patterns, not behavior) J. Gustafsson, L. Nenonen, and J. Paakki, University of Helsinki, 2000 – many papers
Pattern Fingerprints • Extend property characterizations to prune candidate classes in a pattern • Booleans for large/small class, deep/shallow inheritance, mostly class/instance variables, etc. • Train pattern recognizer on tagged corpus • Claim greater accuracy (80% vs. 40%) Y.G. Gueheneuc, H. Sahraoui, F. Zaidi, Fingerprinting design patterns, 11th Working Conference on Reverse Engineering (WCRE’04), pp. 172–181. (University of Montreal, many papers)
Behavior Matching • Query by Logic Meta Programming • Founded in Abstract Interpretation • Queries can have abstract/fuzzy values • Keeps structure models and properties • Adds execution trace • Recognizes Visitor based on its visit-then-execute trace Coen De Roover, Kris Gybels, Theo D'Hondt: Towards Abstract Interpretation for Recovering Design Information. Electr. Notes Theor. Comput. Sci. 131: 15-25 (2005) (Free University, Brussels)
Formal Content Analysis • Concepts have complete partial orders that form lattices • Concept lattices allow variations • not all mammals have legs • all legless mammals share other properties • Properties are still class relations and characteristics • Similar patterns form neighborhoods Frank Buchli, Detecting Software Patterns Using Formal Concept Analysis, thesis, University of Bern, 2003 (advisor Oscar Nierstrasz).
Detecting Patterns in Comments • “To identify the application of a pattern we search the log messages for the pattern name co-occurring with keywords taken from the pattern’s intend (italic words in the appendix) or the word ‘pattern.’” • Michael Hasler, “A Quantitative Study of the Application of Design Patterns in Java”, Working Papers on Information Processing and Information Management Nr. 01/2003, Institute of Information Processing and Information Management
Theorem Prover • Uses sigma calculus denotational semantics • Theorem prover based on reduction rules • Reduction rules make it easier to express equivalence variations (reduce this to that) • Reduction rules scale to patterns of patterns • Richer property and relationship semantics J. M. Smith and D. Stotts. SPQR: flexible automated design pattern extraction from source code. In Proc. Of the 18th IEEE International Conference on Automated Software Engineering, pages 215-224, October 2003. (UNC, results?)
Basic Pattern Components Client Objectifier action() Virtual Operation() Objectifier ConcreteObjectifier Concrete Operation() Initiator Handler makeRequest() handleRequest() Object Recursion Terminator Recursor handleRequest() handleRequest()
Task of Pattern Detection • Given a set of patterns, P • Given a program, X • Identify the presence of all patterns p in X, where p is an element of P Our potential objective • Given sets of security patterns for specific security concerns • Confirm use of a known security pattern for each concern
Security Pattern Verification? • Probabilistic matching doesn’t give much assurance (bad) • SPQR is formal and gives proof (good) • SPQR requires writing denotational semantics (bad) • Most work demonstrate only simple examples • Security patterns are large, perhaps less prone to ambiguity • We know what we seek (small search space)