... | ... | @@ -39,7 +39,7 @@ In the following, a more detailed description of how these services can be used |
### Quantitative Security Assessment Service
The Quantitative Security Assessment web service allows the user to evaluate the internal security level of software applications written in Java, C, and C++ programming languages. This is achieved through a dedicated API exposed by the RESTful web server, which is, in fact, a simple HTTP GET request. Several inputs need to be provided as parameters to this request. These parameters are listed below:
The *Quantitative Security Assessment (QSA)* web service allows the user to evaluate the internal security level of software applications written in Java, C, and C++ programming languages. This is achieved through a dedicated API exposed by the RESTful web server, which is, in fact, a simple HTTP GET request. Several inputs need to be provided as parameters to this request. These parameters are listed below:
| Parameter | Description | Required | Valid Inputs |
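Review bot: the new line defines the abbreviation *QSA* but nothing else in this hunk or the following ones uses it; the later paragraphs still spell out "Quantitative Security Assessment web service" in full. Either carry the abbreviation through ("The output of the QSA web service is a JSON file ...") or leave it out. Since a later paragraph says the `inspection` parameter takes "yes" or "no", make sure the Valid Inputs column of this table lists exactly those literals so readers do not have to infer them from prose.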
... | ... | @@ -52,7 +52,7 @@ It should be noted that in case that the selected software project is private (i |
The output of the Quantitative Security Assessment web service is a JSON file containing the security assessment report, which includes the security index, the security scores of the model properties and characteristics, and the detailed static analysis results (provided that the user selected “yes” in the “inspection” parameter). The inspection parameter is very useful as it allows the selection of the level of detail of the produced security assessment report based on the user needs. The produced reports are usually very long especially for very large projects, since they contain the raw results, which are long lists of static analysis alerts. By setting the value of this parameter to ”no”, only the security index and the scores of the properties and the characteristics of the model are presented, leading to the production of much more lightweight security assessment reports.
For better understanding, an example is presented in the following demonstrating how the Quantitative Security Assessment web service can be invoked through a curl command for assessing the security of a software project. In the given example, a simple [HelloWorld]() Java Project that it is available on GitHub is used.
For better understanding, an example is presented in the following demonstrating how the Quantitative Security Assessment web service can be invoked through a curl command for assessing the security of a software project. In the given example, a simple [HelloWorldJavaCompiled](https://github.com/siavvasm/HelloWorldJavaCompiled) Java Project that it is available on GitHub is used.
In brief, we want to analyze the security level of the HelloWorldCompiled project. Hence, in the parameters we set the following:
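Review bot: the link now points at the HelloWorldJavaCompiled repository, but the next sentence still calls the project "HelloWorldCompiled"; use the repository name consistently so the curl example and the prose refer to the same project. The same sentence has a stray pronoun: "a simple ... Java Project that it is available on GitHub" should read "that is available on GitHub". In the preceding paragraph the quotes around the inspection values are mismatched (“yes” but ”no”); use one pair of quotation marks for both.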
... | ... | @@ -314,7 +314,7 @@ Hence, the following HTTP GET Request needs to be submitted: |
http://160.40.52.130:8087/DependabilityToolbox/VulnerabilityPrediction?project=https://github.com/siavvasm/HelloWorldJavaCompiled&lang=java
```
After submitting the request, the *Vulnerability Prediction* service in invoked and the selected project is analyzed. In brief, the service selects the most suitable Deep Learning Model for the selected software project, and perform text mining in order to produce vectors with tokens (i.e., keywords) for each one of the source code files of the project. Subsequently, these vectors are passed as input to the selected Deep Learning Model, which computes the likelihood of vulnerability and classifies the corresponding file as potentially vulnerble or benign. (for more information about the *Security Assessment Model* we refer the reader to the materials that are listed in the References section of the [Dependability Toolbox Description](dependability-toolbox-description) wiki page). After the successful execution of the analysis, a JSON report with the results is produced and sent as a response to the user. The produced JSON for the *HelloWorldCompiled* project is presented below:
After submitting the request, the *Vulnerability Prediction* service in invoked and the selected project is analyzed. In brief, the service selects the most suitable Deep Learning Model for the selected software project, and perform text mining in order to produce vectors with tokens (i.e., keywords) for each one of the source code files of the project. Subsequently, these vectors are passed as input to the selected Deep Learning Model, which computes the likelihood of vulnerability and classifies the corresponding file as potentially vulnerble or benign (for more information about the *Security Assessment Model* we refer the reader to the materials that are listed in the References section of the [Dependability Toolbox Description](dependability-toolbox-description) wiki page). After the successful execution of the analysis, a JSON report with the results is produced and sent as a response to the user. The produced JSON for the *HelloWorldCompiled* project is presented below:
```
{
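Review bot: the edit only moves the full stop in front of the parenthetical; three typos on the same line survive it: "in invoked" should be "is invoked", "perform text mining" should be "performs text mining", and "vulnerble" should be "vulnerable". The parenthetical also sends the reader to the *Security Assessment Model* references although this section describes the *Vulnerability Prediction* service; confirm the cross-reference names the model this service actually uses. The project is again called *HelloWorldCompiled* here while the request URL uses HelloWorldJavaCompiled. Finally, the example request is a plain-http URL to a hard-coded IP and port; label it as an example deployment address (or use the service hostname) so readers do not copy an internal endpoint into their own tooling.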
... | ... | @@ -356,9 +356,7 @@ As can be seen from the above fragment, the JSON report comprises an array named |
This web service is responsible for calculating the checkpoint interval of long loops, i.e., the checkpoint interval that strikes a satisfactory balance between reliability, performance, and energy consumption. It is actually an impelemntation of the novel mathematical model that was introduced as part of the SDK4ED Project. The calculation of the Optimum Checkpoint intervals is achieved through a dedicated API exposed by the RESTful web server, which is, in fact, a simple HTTP POST request. Several inputs need to be provided as parameters to this request. These parameters are listed below:
The body of the POST request is a JSON file that contains a set of parameters that are necessary for the execution of the mathematical model. These parameters, along with a short description, are listed below:
* **CalcType **– Sets the type of calculation of Optimal Checkpoints. For now we may calculate sequential program and program with long loop.
* **CalcType**– Sets the type of calculation of Optimal Checkpoints. For now we may calculate sequential program and program with long loop.
* **g** – Failure probability of single instruction
* **B0e** – constant cost in time of starting the program
* **B0c** – constant cost in time of starting the program
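Review bot: the fix removes the space inside the bold marker, but "**CalcType**– Sets" still lacks the space before the dash that the other bullets have ("**g** – Failure ..."); write "**CalcType** – Sets ...". The CalcType bullet should also list the literal values the parameter accepts rather than only saying "sequential program and program with long loop", since the request body is JSON and the caller has to type an exact value. Further up in the hunk, "impelemntation" should be "implementation", and the paragraph ends with "These parameters are listed below:" immediately before a second paragraph that says the same thing; keep one of the two. The B0e and B0c bullets carry the identical description "constant cost in time of starting the program", which looks like a copy-paste slip; give each parameter its own description so a caller can tell them apart.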