Vassilios Karakoidas

Evaluating the Quality of Open Source Software

Traditionally, research on quality attributes was either kept under wraps within the organization that performed it, or carried out by outsiders using narrow, black-box techniques. The emergence of open source software has changed this picture allowing us to evaluate both software products and the processes that yield them. Thus, the software source code and the associated data stored in the version control system, the bug tracking databases, the mailing lists, and the wikis allow us to evaluate quality in a transparent way. Even better, the large number of (often competing) open source projects makes it possible to contrast the quality of comparable systems serving the same domain. Furthermore, by combining historical source code snapshots with significant events, such as bug discoveries and fixes, we can further dig into the causes and effects of problems. Here we present motivating examples, tools, and techniques that can be used to evaluate the quality of open source (and by extension also proprietary) software.

The bug catalog of the maven ecosystem

Examining software ecosystems can provide the research community with data regarding artifacts, processes, and communities. We present a dataset obtained from the Maven central repository ecosystem (approximately 265GB of data) by statically analyzing the repository to detect potential software bugs. For our analysis we used FindBugs, a tool that examines Java bytecode to detect numerous types of bugs. The dataset contains the metrics results that FindBugs reports for every project version (a JAR) included in the ecosystem. For every version we also stored specific metadata such as the JARs size, its dependencies and others. Our dataset can be used to produce interesting research results, as we show in specific examples.

Self-Configuring and Optimizing Mobile Ad Hoc Networks

We present he design and implementation of a working system that enables self-configuration and self-optimization in mobile ad hoc networks (MANETs) by exploiting context awareness and cross-layer design principles, combined with simple network management policies and network programmability. We propose the collaborative management of the MANET through a proactively constructed body of nodes in order to overcome the inherently dynamic nature of MANETs

Countering code injection attacks: a unified approach

Purpose – The purpose of this paper is to propose a generic approach that prevents a specific class of code injection attacks (CIAs) in a novel way.Design/methodology/approach – To defend against CIAs this approach involves detecting attacks by using location‐specific signatures to validate code statements. The signatures are unique identifiers that represent specific characteristics of a statements execution. The key property that differentiates the scheme presented in this paper is that these characteristics do not depend entirely on the code statement, but also take into account elements from its execution context.Findings – The approach was applied successfully to defend against attacks targeting structured query language (SQL), XML Path Language and JavaScript with positive results.Originality/value – Despite many countermeasures that have been proposed the number of CIAs has been increasing. Malicious users seem to find new ways to introduce compromised embedded executable code to applications by u...

A type-safe embedding of SQL into Java using the extensible compiler framework J%

Abstract J% is an extension of the Java programming language that efficiently supports the integration of domain-specific languages. In particular, J% allows the embedding of domain-specific language code into Java programs in a syntax-checked and type-safe manner. This paper presents J%׳s support for the sql language. J% checks the syntax and semantics of sql statements at compile-time. It supports query validation against a database schema or through execution to a live database server. The J% compiler generates code that uses standard jdbc api calls, enhancing runtime efficiency and security against sql injection attacks.

On domain-specific languages usage (why DLSs really matter)

Many years ago (I will not reveal my age!), I began working on my Ph.D. thesis concerning the area of Domain-Specific Languages (DSLs). Research was booming at the time and many research articles stated DSLs were very useful and could increase productivity, by reducing lines of code etc. All these claims seemed logical to me, but I always considered them something like urban legends. We all know they are correct, but cannot easily prove it. Keeping that on the back of my mind, I searched for a way to bring the “legend” down to measurable facts that would provide solid motivation for the importance DSLs in every day programming. I decided to do a simple experiment measuring DSL usage in open source programs. My attack vector was simple; I narrowed down my data set to Java programs and measured package usage of application libraries that implemented DSLs (see Table 1). I selected Java for two reasons; first, it was easier to find and mine open source projects semi-automatically with a little scripting (python) by using the maven repository and second, the Java Standard Development Kit includes many application libraries that enable DSL support. Initially, a snapshot (January 2012) of the Maven repository was downloaded locally. The repository contained various projects and their versions, which usually indicates a major release. All versions were filtered out and only the most recent was kept. The final project count included 12,959 projects, and more than 110 million Apart from military use, drones help to film movies, tend crops, research wildlife, inspect pipelines, and deliver pizza.

J%: Integrating Domain-Specific Languages with Java

J% (J-mod), is a Java language extension that supports integration with Domain-Specific Languages (DSLs). The integration is realized through an architecture that permits external modules to support DSLs. The DSL statements can be syntactically checked at compile-time. An additional facility allows the static type checking of Java variables that appear within DSL code. To support this process each DSL module comes as a library that is used both at compile time and during program execution.

Generating the blueprints of the Java ecosystem

Examining a large number of software artifacts can provide the research community with data regarding quality and design. We present a dataset obtained by statically analyzing 22730 jar files taken from the Maven central archive, which is the de-facto application library repository for the Java ecosystem. For our analysis we used three popular static analysis tools that calculate metrics regarding object-oriented design, program size, and package design. The dataset contains the metrics results that every tool reports for every selected jar of the ecosystem. Our dataset can be used to produce interesting research results, such as measure the domain-specific language usage.

Comparative language fuzz testing: programming languages vs. fat fingers

We explore how programs written in ten popular programming languages are affected by small changes of their source code. This allows us to analyze the extend to which these languages allow the detection of simple errors at compile or at run time. Our study is based on a diverse corpus of programs written in several programming languages systematically perturbed using a mutation-based fuzz generator. The results we obtained prove that languages with weak type systems are significantly likelier than languages that enforce strong typing to let fuzzed programs compile and run, and, in the end, produce erroneous results. More importantly, our study also demonstrates the potential of comparative language fuzz testing for evaluating programming language designs.

Blueprints for a Large-Scale Early Warning System

Modern aggressive types of malcode demonstrate that existing security applications are not able to neutralise them efficiently. We present a Large-Scale Early Warning System named PROTOS, which is able to gather intelligence from a large number of personal computers, acting as sensors, utilising their default security mechanisms and applications, to collect and analyse locally intercepted malicious network traffic and generate an estimation of the global malware activity.