Skip to content
GitLab

dependability toolbox usage · Changes

Page history
Update dependability toolbox usage authored by Miltos's avatar Miltos
Hide whitespace changes
Inline Side-by-side
dependability-toolbox-usage.md
View page @ 83265423
......@@ -268,6 +268,219 @@ As can be seen from the fragment above, the JSON report consists of four main el
- **security_index:** An object that contains the Security Index of the analyzed software.
### Vulnerability Prediction
The *Vulnerability Prediction* service is responsible for identifying security hotspots, i.e., source code files that are likely to contain vulnerabilities. It is based on Deep Learning Models that receive as input the tokens (i.e., keywords) retrieved directly from the source code of the selected software project (written either in Java, C, or C++ programming language) and provide an indication of how likely its software files contain vulnerabilities. This is achieved through a dedicated API exposed by the RESTful web server, which is, in fact, a simple HTTP GET request. Several inputs need to be provided as parameters to this request. These parameters are listed below:
| Parameter | Description | Required | Valid Inputs |
|:------------:|:---------------------------------------------------------------:|:--------:|:-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|
| project | The URL of the software project that should be analyzed. | Yes | Any valid URL that points to an existing online Git repository (e.g., GitHub, GitLab, Bitbucket, etc.). |
| language | The programming language of the software project that needs to be analyzed. | Yes | One of the following string values: : <br/>·“java” if the selected software project is written in Java programming language. <br/> ·“cpp” if the selected software project is written in C/C++ programming language. <br/> Default value is "java". |
It should be noted that cases when the selected software project is private (i.e., proprietary), the credentials of the user need to be provided to the submitted request in the form of a Basic Authentication header. In order to ensure confidentiality, HTTPS is used for such private projects.
The output of the *Vulnerability Prediction* web service is a JSON file with the vulnerability report, which actually contains:
- the names of the analyzed source code files of the application
- their vulnerability status as produced by the applied model (i.e., 1 if they are potentially vulnerable and 0 if they are potentially clean), and
- the probability of containing vulnerabilities
For better understanding, an example is presented in the following demonstrating how the *Vulnerability Prediction* web service can be invoked through a curl command for assessing the security of a software project. In the given example, a simple [HelloWorldCompiled]() Java Project that it is available on GitHub is used.
In brief, we want to analyze the HelloWorldCompiled project, with the purpose to identify potential security hotspots that it may contain. Hence, in the parameters we set the following:
- **project:** https://github.com/siavvasm/HelloWorldJavaCompiled (the GitHub URL of the project)
- **language:** java (because it is a Java project)
Hence, the following HTTP GET Request needs to be submitted:
```
http://160.40.52.130:8087/DependabilityToolbox/VulnerabilityPrediction?project=https://github.com/siavvasm/HelloWorldJavaCompiled&lang=java
```
After submitting the request, the *Vulnerability Prediction* service in invoked and the selected project is analyzed. In brief, the service selects the most suitable Deep Learning Model for the selected software project, and perform text mining in order to produce vectors with tokens (i.e., keywords) for each one of the source code files of the project. Subsequently, these vectors are passed as input to the selected Deep Learning Model, which computes the likelihood of vulnerability and classifies the corresponding file as potentially vulnerble or benign. (for more information about the *Security Assessment Model* we refer the reader to the materials that are listed in the References section of the [Dependability Toolbox Description](dependability-toolbox-description) wiki page). After the successful execution of the analysis, a JSON report with the results is produced and sent as a response to the user. The produced JSON for the *HelloWorldCompiled* project is presented below:
```
{
"project_name": "HelloWorldJavaCompiled_285206122_1588846649600",
"date": "2020-05-07__10:17:31",
"commit": "50ae163281564f0b96325ccc4915e74587cd4dc3",
"results": [
{
"class_name": "AppTest.java",
"path": "/opt/apache-tomcat-8.0.53/bin/gitRepo/HelloWorldJavaCompiled_285206122_1588846649600/src/test/java/miltos/diploma",
"package": "/src/test/java/miltos/diploma",
"is_vulnerable": 0,
"sigmoid": 0.05907478556036949,
"confidence": "92.6157 %"
},
{
"class_name": "App.java",
"path": "/opt/apache-tomcat-8.0.53/bin/gitRepo/HelloWorldJavaCompiled_285206122_1588846649600/src/main/java/miltos/diploma",
"package": "/src/main/java/miltos/diploma",
"is_vulnerable": 0,
"sigmoid": 0.12370146811008453,
"confidence": "84.5373 %"
}
]
}
```
As can be seen from the above fragment, the JSON report comprises an array named “results”, which contains several JSON Objects. Each one of these JSON Objects contains relevant information for each source code file of the analyzed application. More specifically, it contains the following entries:
- **class_name:** The name of the source code file to which this JSON Object refers.
- **path:** The exact path of the source code file to which this JSON Object refers.
- **is_vulnerable:** The vulnerability status of the corresponding source code file. It takes two possible values, i.e., 0 if the model decides that the source code file is potentially clean, and 1 if the model decides that the source code file is potentially vulnerable.
- **sigmoid:** The actual output of the multi-layer perceptron. It corresponds to the probability of the source code file to be vulnerable. This value is actually used by the model in order to define the vulnerability status of the corresponding source code file (i.e., the value of the “is_vulnerable” entry of the corresponding JSON Object).
## Optimum Checkpoint Interval Recommendation
This web service is responsible for calculating the checkpoint interval of long loops, i.e., the checkpoint interval that strikes a satisfactory balance between reliability, performance, and energy consumption. It is actually an impelemntation of the novel mathematical model that was introduced as part of the SDK4ED Project. The calculation of the Optimum Checkpoint intervals is achieved through a dedicated API exposed by the RESTful web server, which is, in fact, a simple HTTP POST request. Several inputs need to be provided as parameters to this request. These parameters are listed below:
The body of the POST request is a JSON file that contains a set of parameters that are necessary for the execution of the mathematical model. These parameters, along with a short description, are listed below:
* **CalcType **– Sets the type of calculation of Optimal Checkpoints. For now we may calculate sequential program and program with long loop.
* **g** – Failure probability of single instruction
* **B0e** – constant cost in time of starting the program
* **B0c** – constant cost in time of starting the program
* **L**– length of single long loop
* **ce**– cost of a single instruction in relative energy consumption unit
* **cc**– cost of single instruction in relative execution time unit
* **b0c** – constant execution time cost after failure occurs
* **b1c**– execution time cost related to executed instructions
* **b0e**– constant energy consumption cost after failure occurs
* **b1e**– energy consumption cost related to executed instructions
* **N** – number of checkpoints
* **alfa**– value representing how calculations relate to Energy consumption
* **beta**– values representing how calculations relate to Execution Time
* **B1e**– energy consumption cost before failure occurs related to single instruction
* **B1c** – execution time cost before failure occurs related to single instruction
* **Y**– Total fixed number of instructions
After server receives request it calculates data and responds with JSON. In this message there are data needed to present graphs and data on the webpage. JSON data sent from the server consist of 5 JSON objects:
* **energyConsumptionOverNumberOfInstructions**: provides data needed to present graph of energy consumption when checkpoints are used.
* **executionTimeOverNumberOfInstruction**: provides data to present graph of execution time when checkpoints are used.
* **energyConsumptionTable**: provides data to present table of energy consumption which we can get when checkpoints are set every given number of instructions
* **executionTimeTable**: provides data to present table of execution time which we can get when checkpoints are set every given number of instructions
* **calculationSummary**: provides data to present minimum execution Time and energy Consumption. It consists of 4 JSON Objects
* **nPlusIndex**: stores index of best energy consumption result
* **nPlusValue**: stores value of best energy consumption result
* **nStarIndex**: stores index of best execution time result
* **nStarValue**: stores value of best execution time result
For better understanding, an example is presented in the following demonstrating how the *Optimum Checkpoint Interval Recommendation* web service can be invoked for calculating the optimum checkpoint interval of a given loop.
Hence, the following HTTP POST Request needs to be submitted:
```
http://160.40.52.130:8087/DependabilityToolbox/OptimalCheckpoint
```
Having the following JSON Body:
```
{
"ProgramType":"FiniteRuntime",
"g":0.000005,
"Be":500.0,
"L":100.0,
"ce":0.00001,
"b0e":100.0,
"b1e":10.0,
"N":10000.0,
"g":0.000005,
"B":100000.0,
"L":100.0,
"c":1.0,
"b0":100.0,
"b1":10.0
}
```
This leads to the following JSON Response:
```
{
"energyConsumptionTable": {
"columns": [
{
"field": "y",
"label": "Energy Consumption"
},
{
"field": "x",
"label": "Number of Instructions"
}
]
},
"calculationSummary": {
"nPlusIndex": 42,
"nStarValue": 2.0402034010454506E7,
"nStarIndex": 1999,
"nPlusValue": 225200.35453072865
},
"executionTimeOverNumberOfInstructions": [
{
"mode": "line",
"margin": {
"r": 20,
"b": 50,
"t": 50,
"l": 20
},
"marker": {
"color": "red"
},
"type": "scatter",
"autosize": "true"
}
],
"executionTimeTable": {
"columns": [
{
"field": "y",
"label": "Execution Time"
},
{
"field": "x",
"label": "Number of Instructions"
}
]
},
"energyConsumptionOverNumberOfInstructions": [
{
"mode": "line",
"margin": {
"r": 20,
"b": 50,
"t": 50,
"l": 20
},
"marker": {
"color": "red"
},
"type": "scatter",
"autosize": "true"
}
]
}
```