3. The problem
What happens when I press the Search button?
Two subsidiary questions:
• Why do I care?
• Why is that complicated?
APSEC 2018 2
5. Why is that complicated?
Modern and recent legacy applications are:
• Multi-tier
• Multi-language
• Complex late-bound control mechanisms
• Configuration files
• Run-time data-driven
• Reflection capabilities
• Rely on frameworks and containers for various services
16. Configuration files
• Assign property values
• Link intensions to extensions
• Link interfaces to implementations
• Etc.
[Diagram: client code references an Interface; Class A, Class B and Class C implement it; which class is bound to the interface is specified in configuration files]
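As an added example (not code from the paper or from its tooling), the following Python script shows what "link interfaces to implementations" looks like to a static analyzer: the client code references only the Home/Remote interfaces, and the concrete bean class behind them is recovered from a deployment descriptor. The ejb-jar.xml fragment, the client-reference list and every class name in it are constructed for this example.

```python
"""Resolve interface-to-implementation bindings from an EJB deployment descriptor.

Added example (not code from the APSEC 2018 paper): client code references a
Home/Remote interface, so a parser of the source alone sees no edge to the bean
class. Reading the descriptor that binds interface to ejb-class adds that edge.
"""
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml fragment; bean, interface and class names are hypothetical.
EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>SearchBean</ejb-name>
      <home>com.example.search.SearchHome</home>
      <remote>com.example.search.Search</remote>
      <ejb-class>com.example.search.SearchBean</ejb-class>
      <session-type>Stateless</session-type>
    </session>
    <entity>
      <ejb-name>CatalogBean</ejb-name>
      <home>com.example.catalog.CatalogHome</home>
      <remote>com.example.catalog.Catalog</remote>
      <ejb-class>com.example.catalog.CatalogBean</ejb-class>
    </entity>
  </enterprise-beans>
</ejb-jar>
"""

# Descriptor elements that name an interface a client may reference.
INTERFACE_TAGS = ("home", "remote", "local-home", "local")


def parse_bindings(xml_text):
    """Return {interface FQN: implementing ejb-class FQN} read from the descriptor."""
    root = ET.fromstring(xml_text)
    bindings = {}
    beans = root.find("enterprise-beans")
    if beans is None:
        return bindings
    for bean in beans:  # <session>, <entity>, <message-driven> entries
        impl = bean.findtext("ejb-class")
        if not impl:
            continue  # malformed entry: nothing to bind the interfaces to
        for tag in INTERFACE_TAGS:
            iface = bean.findtext(tag)
            if iface:
                bindings[iface.strip()] = impl.strip()
    return bindings


# Constructed "client code references type" edges, as a source parser would emit them.
CLIENT_REFERENCES = [
    ("com.example.web.SearchServlet", "com.example.search.SearchHome"),
    ("com.example.web.SearchServlet", "com.example.search.Search"),
    ("com.example.web.CatalogServlet", "com.example.catalog.Catalog"),
    ("com.example.web.CatalogServlet", "java.util.List"),
]


def resolve_references(references, bindings):
    """For each client reference to a bound interface, add an edge to the concrete class.

    Returns (sorted resolved (client, implementation) edges, references left unresolved).
    Unresolved references are plain type uses with no descriptor binding.
    """
    resolved, unresolved = set(), []
    for client, ref in references:
        impl = bindings.get(ref)
        if impl is None:
            unresolved.append((client, ref))
        else:
            resolved.add((client, impl))
    return sorted(resolved), unresolved


if __name__ == "__main__":
    bindings = parse_bindings(EJB_JAR_XML)
    edges, leftovers = resolve_references(CLIENT_REFERENCES, bindings)
    for client, impl in edges:
        print(f"{client} -> {impl}  (via descriptor binding)")
    for client, ref in leftovers:
        print(f"{client} -> {ref}  (no binding; plain type reference)")
```

The two references SearchServlet makes (to the home and to the remote interface) collapse into a single edge to SearchBean, while the reference to java.util.List stays unresolved because no descriptor binds it; that is exactly the distinction the slide's diagram draws between "references" and "binding specified in configuration files".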
18. Containers and frameworks
• Relieve developers from the burden of invoking infrastructure services
• Connect different pieces of user code using “hidden” mechanisms
• Don’t call us, we will call you
• Static code analysis won’t allow you to know when we will call you
21. Why do we care?
• Debugging
  • Help connect client-side with server-side traces!
• Change impact analysis
  • Help propagate or anticipate changes to different parts of the application
• Maintenance
  • Understand the program to modify it
• Reengineering
  • Migrating an application from a source style to a destination style
  • Use program “dependency structures” as inputs to identify potential components in the target architecture
28. Plan
• Context
• A general approach to deriving program “dependency structures” for J2EE applications
• Codifying container dependencies
• Evaluation
• Discussion
31. General approach
Modern and recent legacy applications are (left) → what the approach does about it (right):
• Multi-tier → Analyze the various tiers together within the same “namespace”
• Multi-language → Use a language independent representation of software artefacts (OMG’s KDM); parse the various artefacts into that representation
• Complex late-bound control mechanisms; configuration files → Analyze configuration files
• Run-time data-driven; reflection capabilities → Perform limited scope data flow analysis to circumscribe possibilities
• Rely on frameworks and containers for various services → Explicit codification of container services dependencies
44. Codifying container dependencies
Preparation phase:
• Study the container / technology at hand
• Codify its dependencies as:
  • if <code pattern> then <add relationship>
Usage phase:
• Analyze the input applications to generate KDM model
• Execute the dependency rules on KDM model to add container call dependencies
[Diagram: Technology specs --codify--> Dependency rules; Application to be analyzed --Modisco discoverers--> KDM model --Rule engine (applying the dependency rules)--> augmented KDM model]
49. Example: if call to Home.create(...) → add call to BeanClass.ejbCreate(…)
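The rule on this slide, worked through as an added example in Python (it is not the paper's rule engine, nor Modisco or KDM code): a constructed dict of "calls" edges stands in for the KDM model, a rule function encodes "if call to Home.create(...) then add call to BeanClass.ejbCreate(...)", and a change impact query run before and after the rules shows the caller that source-only analysis would miss, which is the use case the "Why do we care?" slide lists under change impact analysis. A second rule for business-method delegation through the remote interface is an assumption of this example, not a rule from the paper. The call graph, the interface-to-bean bindings and all class and method names are constructed.

```python
"""Container dependency rules applied to a call graph, and their effect on change impact.

Added example, not the paper's rule engine or its Modisco/KDM tooling. The call
graph below is a constructed dict of 'calls' edges standing in for the KDM model;
class and method names are hypothetical.
"""
from collections import deque

# Constructed call graph: caller method -> set of callee methods, i.e. the "calls"
# relationships a source discoverer would find. Note that nothing in the source
# calls ejbCreate: the container does, after Home.create().
CALL_GRAPH = {
    "web.SearchServlet.doGet": {"search.SearchHome.create", "search.Search.find"},
    "web.CatalogServlet.doGet": {"catalog.CatalogHome.create", "catalog.Catalog.list"},
    "search.SearchBean.ejbCreate": {"search.SearchBean.openIndex"},
    "search.SearchBean.openIndex": set(),
    "search.SearchBean.find": set(),
    "catalog.CatalogBean.ejbCreate": set(),
    "catalog.CatalogBean.list": set(),
}

# Interface -> bean class bindings, as read from the deployment descriptor (constructed here).
HOME_TO_BEAN = {"search.SearchHome": "search.SearchBean",
                "catalog.CatalogHome": "catalog.CatalogBean"}
REMOTE_TO_BEAN = {"search.Search": "search.SearchBean",
                  "catalog.Catalog": "catalog.CatalogBean"}


def split_call(callee):
    """'pkg.Type.method' -> ('pkg.Type', 'method')."""
    type_name, _, method = callee.rpartition(".")
    return type_name, method


# A rule is "if <code pattern> then <add relationship>": it inspects a callee and
# returns the container-side method that will actually run, or None if no match.
def rule_home_create(callee):
    """if call to Home.create(...) -> add call to BeanClass.ejbCreate(...)"""
    type_name, method = split_call(callee)
    if method == "create" and type_name in HOME_TO_BEAN:
        return HOME_TO_BEAN[type_name] + ".ejbCreate"
    return None


def rule_remote_business(callee):
    """Assumed rule: if call to Remote.m(...) -> add call to BeanClass.m(...)"""
    type_name, method = split_call(callee)
    if type_name in REMOTE_TO_BEAN:
        return REMOTE_TO_BEAN[type_name] + "." + method
    return None


RULES = [rule_home_create, rule_remote_business]


def apply_rules(graph, rules):
    """Return a copy of the graph augmented with container call dependencies."""
    augmented = {caller: set(callees) for caller, callees in graph.items()}
    for caller, callees in graph.items():
        for callee in callees:
            for rule in rules:
                target = rule(callee)
                if target is not None:
                    augmented[caller].add(target)
                    augmented.setdefault(target, set())
    return augmented


def impacted_by(graph, changed):
    """Change impact analysis: every method that transitively calls `changed`."""
    callers = {}
    for caller, callees in graph.items():
        for callee in callees:
            callers.setdefault(callee, set()).add(caller)
    seen, queue = set(), deque([changed])
    while queue:
        node = queue.popleft()
        for caller in callers.get(node, ()):
            if caller not in seen:
                seen.add(caller)
                queue.append(caller)
    return seen


if __name__ == "__main__":
    augmented = apply_rules(CALL_GRAPH, RULES)
    target = "search.SearchBean.openIndex"
    print("impact (source only):", sorted(impacted_by(CALL_GRAPH, target)))
    print("impact (with rules): ", sorted(impacted_by(augmented, target)))
```

Changing openIndex looks like a bean-internal edit in the source-only graph (only ejbCreate calls it), but once the rule adds the doGet → ejbCreate edge the servlet shows up as impacted, which is the kind of difference the Evaluation slide measures under "effect of added dependencies on change impact analysis tasks".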
54. Evaluation
• Ideally:
  • How useful are the new dependencies to the task at hand
  • Component identification within the context of architectural migration?
• Instead
  • “Technical” validation:
    • Are the rules correct?
    • Prevalence of container (hidden) dependencies in call relationships in practice
    • Effect of added dependencies on change impact analysis tasks