Arif Ali Khan, Muhammad Azeem Akbar, Valtteri Lahtinen, Marko Paavola, Mahmood Niazi, Mohammed Naif Alatawi, Shoayee Dlaim Alotaibi
{"title":"Agile meets quantum: a novel genetic algorithm model for predicting the success of quantum software development project","authors":"Arif Ali Khan, Muhammad Azeem Akbar, Valtteri Lahtinen, Marko Paavola, Mahmood Niazi, Mohammed Naif Alatawi, Shoayee Dlaim Alotaibi","doi":"10.1007/s10515-024-00434-z","DOIUrl":"10.1007/s10515-024-00434-z","url":null,"abstract":"<div><p>Quantum software systems represent a new realm in software engineering, utilizing quantum bits (Qubits) and quantum gates (Qgates) to solve complex problems more efficiently than classical counterparts. Agile software development approaches are considered to address many inherent challenges in quantum software development, but their effective integration remains unexplored. This study investigates key causes of challenges that could hinder the adoption of traditional agile approaches in quantum software projects and develops an Agile-Quantum Software Project Success Prediction Model (AQSSPM). Firstly, we identified 19 causes of challenging factors discussed in our previous study, which are potentially impacting agile-quantum project success. Secondly, a survey was conducted to collect expert opinions on these causes and applied Genetic Algorithm (GA) with Naive Bayes Classifier (NBC) and Logistic Regression (LR) to develop the AQSSPM. Utilizing GA with NBC, project success probability improved from 53.17 to 99.68%, with cost reductions from 0.463 to 0.403%. Similarly, GA with LR increased success rates from 55.52 to 98.99%, and costs decreased from 0.496 to 0.409% after 100 iterations. The results of both methods showed a strong positive correlation (rs = 0.955) in causes ranking, with no significant difference between them (<i>t</i> = 1.195, <i>p</i> = 0.240 > 0.05). 
The AQSSPM highlights critical focus areas for efficiently and successfully implementing agile-quantum projects considering the cost factor of a particular project.</p></div>","PeriodicalId":55414,"journal":{"name":"Automated Software Engineering","volume":"31 1","pages":""},"PeriodicalIF":2.0,"publicationDate":"2024-04-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://link.springer.com/content/pdf/10.1007/s10515-024-00434-z.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140598071","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jian Shen, Zhong Li, Yifei Lu, Minxue Pan, Xuandong Li
{"title":"Mitigating the impact of mislabeled data on deep predictive models: an empirical study of learning with noise approaches in software engineering tasks","authors":"Jian Shen, Zhong Li, Yifei Lu, Minxue Pan, Xuandong Li","doi":"10.1007/s10515-024-00435-y","DOIUrl":"10.1007/s10515-024-00435-y","url":null,"abstract":"<div><p>Deep predictive models have been widely employed in software engineering (SE) tasks due to their remarkable success in artificial intelligence (AI). Most of these models are trained in a supervised manner, and their performance heavily relies on the quality of training data. Unfortunately, mislabeling or label noise is a common issue in SE datasets, which can significantly affect the validity of models trained on such datasets. Although learning with noise approaches based on deep learning (DL) have been proposed to address the issue of mislabeling in AI datasets, the distinct characteristics of SE datasets in terms of size and data quality raise questions about the effectiveness of these approaches within the SE context. In this paper, we conduct a comprehensive study to understand how mislabeled samples exist in SE datasets, how they impact deep predictive models, and how well existing learning with noise approaches perform on SE datasets. Through an empirical evaluation on two representative datasets for the Bug Report Classification and Software Defect Prediction tasks, our study reveals that learning with noise approaches have the potential to handle mislabeled samples in SE tasks, but their effectiveness is not always consistent. Our research shows that it is crucial to address mislabeled samples in SE tasks. To achieve this, it is essential to take into account the specific properties of the dataset to develop effective solutions. We also highlight the importance of addressing potential class distribution changes caused by mislabeled samples and present the limitations of existing approaches for addressing mislabeled samples. 
Therefore, we urge the development of more advanced techniques to improve the effectiveness and reliability of deep predictive models in SE tasks.</p></div>","PeriodicalId":55414,"journal":{"name":"Automated Software Engineering","volume":"31 1","pages":""},"PeriodicalIF":2.0,"publicationDate":"2024-04-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140598068","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"WalletRadar: towards automating the detection of vulnerabilities in browser-based cryptocurrency wallets","authors":"Pengcheng Xia, Yanhui Guo, Zhaowen Lin, Jun Wu, Pengbo Duan, Ningyu He, Kailong Wang, Tianming Liu, Yinliang Yue, Guoai Xu, Haoyu Wang","doi":"10.1007/s10515-024-00430-3","DOIUrl":"10.1007/s10515-024-00430-3","url":null,"abstract":"<div><p>Cryptocurrency wallets, acting as fundamental infrastructure to the blockchain ecosystem, have seen significant user growth, particularly among browser-based wallets (i.e., browser extensions). However, this expansion accompanies security challenges, making these wallets prime targets for malicious activities. Despite a substantial user base, there is not only a significant gap in comprehensive security analysis but also a pressing need for specialized tools that can aid developers in reducing vulnerabilities during the development process. To fill the void, we present a comprehensive security analysis of browser-based wallets in this paper, along with the development of an automated tool designed for this purpose. We first compile a taxonomy of security vulnerabilities resident in cryptocurrency wallets by harvesting historical security reports. Based on this, we design <span>WalletRadar</span>, an automated detection framework that can accurately identify security issues based on static and dynamic analysis. Evaluation of 96 popular browser-based wallets shows <span>WalletRadar</span>’s effectiveness, by successfully automating the detection process in 90% of these wallets with high precision. This evaluation has led to the discovery of 116 security vulnerabilities corresponding to 70 wallets. By the time of this paper, we have received confirmations of 10 vulnerabilities from 8 wallet developers, with over $2,000 bug bounties. Further, we observed that 12 wallet developers have silently fixed 16 vulnerabilities after our disclosure. 
<span>WalletRadar</span> can effectively automate the identification of security risks in cryptocurrency wallets, thereby enhancing software development quality and safety in the blockchain ecosystem.</p></div>","PeriodicalId":55414,"journal":{"name":"Automated Software Engineering","volume":"31 1","pages":""},"PeriodicalIF":2.0,"publicationDate":"2024-03-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140360349","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Muhammad Azeem Akbar, Arif Ali Khan, Sami Hyrynsalmi, Javed Ali Khan
{"title":"6G secure quantum communication: a success probability prediction model","authors":"Muhammad Azeem Akbar, Arif Ali Khan, Sami Hyrynsalmi, Javed Ali Khan","doi":"10.1007/s10515-024-00427-y","DOIUrl":"10.1007/s10515-024-00427-y","url":null,"abstract":"<div><p>The emergence of 6G networks initiates significant transformations in the communication technology landscape. Yet, the melding of quantum computing (QC) with 6G networks although promising an array of benefits, particularly in secure communication. Adapting QC into 6G requires a rigorous focus on numerous critical variables. This study aims to identify key variables in secure quantum communication (SQC) in 6G and develop a model for predicting the success probability of 6G-SQC projects. We identified key 6G-SQC variables from existing literature to achieve these objectives and collected training data by conducting a questionnaire survey. We then analyzed these variables using an optimization model, i.e., Genetic Algorithm (GA), with two different prediction methods the Naïve Bayes Classifier (NBC) and Logistic Regression (LR). The results of success probability prediction models indicate that as the 6G-SQC matures, project success probability significantly increases, and costs are notably reduced. Furthermore, the best fitness rankings for each 6G-SQC project variable determined using NBC and LR indicated a strong positive correlation (rs = 0.895). The t-test results (t = 0.752, <i>p</i> = 0.502 > 0.05) show no significant differences between the rankings calculated using both prediction models (NBC and LR). 
The results reveal that the developed success probability prediction model, based on 15 identified 6G-SQC project variables, highlights the areas where practitioners need to focus more to facilitate the cost-effective and successful implementation of 6G-SQC projects.</p></div>","PeriodicalId":55414,"journal":{"name":"Automated Software Engineering","volume":"31 1","pages":""},"PeriodicalIF":2.0,"publicationDate":"2024-03-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://link.springer.com/content/pdf/10.1007/s10515-024-00427-y.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140367888","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Bash comment generation via data augmentation and semantic-aware CodeBERT","authors":"Yiheng Shen, Xiaolin Ju, Xiang Chen, Guang Yang","doi":"10.1007/s10515-024-00431-2","DOIUrl":"10.1007/s10515-024-00431-2","url":null,"abstract":"<div><p>Understanding Bash code is challenging for developers due to its syntax flexibility and unique features. Bash lacks sufficient training data compared to comment generation tasks in popular programming languages. Furthermore, collecting more real Bash code and corresponding comments is time-consuming and labor-intensive. In this study, we propose a two-module method named Bash2Com for Bash code comments generation. The first module, NP-GD, is a gradient-based automatic data augmentation component that enhances normalization stability when generating adversarial examples. The second module, MASA, leverages CodeBERT to learn the rich semantics of Bash code. Specifically, MASA considers the representations learned at each layer of CodeBERT as a set of semantic information that captures recursive relationships within the code. To generate comments for different Bash snippets, MASA employs LSTM and attention mechanisms to dynamically concentrate on relevant representational information. Then, we utilize the Transformer decoder and beam search algorithm to generate code comments. To evaluate the effectiveness of Bash2Com, we consider a corpus of 10,592 Bash code and corresponding comments. Compared with the state-of-the-art baselines, our experimental results show that Bash2Com can outperform all baselines by at least 10.19%, 11.81%, 2.61%, and 6.13% in terms of the performance measures BLEU-3/4, METEOR, and ROUGE-L. Moreover, the rationality of NP-GD and MASA in Bash2Com are verified by ablation studies. 
Finally, we conduct a human evaluation to illustrate the effectiveness of Bash2Com from practitioners’ perspectives.</p></div>","PeriodicalId":55414,"journal":{"name":"Automated Software Engineering","volume":"31 1","pages":""},"PeriodicalIF":2.0,"publicationDate":"2024-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140298480","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Automated detection of class diagram smells using self-supervised learning","authors":"Amal Alazba, Hamoud Aljamaan, Mohammad Alshayeb","doi":"10.1007/s10515-024-00429-w","DOIUrl":"10.1007/s10515-024-00429-w","url":null,"abstract":"<div><p>Design smells are symptoms of poorly designed solutions that may result in several maintenance issues. While various approaches, including traditional machine learning methods, have been proposed and shown to be effective in detecting design smells, they require extensive manually labeled data, which is expensive and challenging to scale. To leverage the vast amount of data that is now accessible, unsupervised semantic feature learning, or learning without requiring manual annotation labor, is essential. The goal of this paper is to propose a design smell detection method that is based on self-supervised learning. We propose Model Representation with Transformers (MoRT) to learn the UML class diagram features by training Transformers to recognize masked keywords. We empirically show how effective the defined proxy task is at learning semantic and structural properties. We thoroughly assess MoRT using four model smells: the Blob, Functional Decomposition, Spaghetti Code, and Swiss Army Knife. Furthermore, we compare our findings with supervised learning and feature-based methods. Finally, we ran a cross-project experiment to assess the generalizability of our approach. 
Results show that MoRT is highly effective in detecting design smells.</p></div>","PeriodicalId":55414,"journal":{"name":"Automated Software Engineering","volume":"31 1","pages":""},"PeriodicalIF":2.0,"publicationDate":"2024-03-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140201622","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Comparing apples and oranges? Investigating the consistency of CPU and memory profiler results across multiple java versions","authors":"Myles Watkinson, Alexander E. I. Brownlee","doi":"10.1007/s10515-024-00423-2","DOIUrl":"10.1007/s10515-024-00423-2","url":null,"abstract":"<div><p>Profiling is an important tool in the software developer’s box, used to identify <i>hot</i> methods where most computational resources are used, to focus efforts at improving efficiency. Profilers are also important in the context of Genetic improvement (GI) of software. GI applies search-based optimisation to existing software with many examples of success in a variety of contexts. GI generates variants of the original program, testing each for functionality and properties such as run time or memory footprint, and profiling can be used to target the code variations to increase the search efficiency. We report on an experimental study comparing two profilers included with different versions of the Java Development Kit (JDK), HPROF (JDK 8) and Java Flight Recorder (JFR) (JDK 8, 9, and 17), within the GI toolbox Gin on six open-source applications, for both run time and memory use. We find that a core set of methods are labelled <i>hot</i> in most runs, with a long tail appearing rarely. We suggest five repeats enough to overcome this noise. Perhaps unsurprisingly, changing the profiler and JDK dramatically change the <i>hot</i> methods identified, so profiling must be rerun for new JDKs. We also show that using profiling for test case subset selection is unwise, often missing relevant members of the test suite. 
Similar general patterns are seen for memory profiling as for run time but the identified <i>hot</i> methods are often quite different.</p></div>","PeriodicalId":55414,"journal":{"name":"Automated Software Engineering","volume":"31 1","pages":""},"PeriodicalIF":2.0,"publicationDate":"2024-03-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://link.springer.com/content/pdf/10.1007/s10515-024-00423-2.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140201528","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Yong Wang, Linjun Chen, Cuiyun Gao, Yingtao Fang, Yong Li
{"title":"Prompt enhance API recommendation: visualize the user’s real intention behind this query","authors":"Yong Wang, Linjun Chen, Cuiyun Gao, Yingtao Fang, Yong Li","doi":"10.1007/s10515-024-00425-0","DOIUrl":"10.1007/s10515-024-00425-0","url":null,"abstract":"<div><p>Developers frequently rely on APIs in their daily programming tasks, as APIs have become an indispensable tool for program development. However, with a vast number of open-source libraries available, selecting the appropriate API quickly can be a common challenge for programmers. Previous research on API recommendation primarily focused on designing better approaches to interpret user input. However, in practical applications, it is often difficult for users, especially novice programmers, to express their real intentions due to the limitations of language expression and programming capabilities. To address this issue, this paper introduces PTAPI, an approach that visualizes the user’s real intentions based on their query to enhance recommendation performance. Firstly, PTAPI identifies the prompt template from Stack Overflow (SO) posts based on the user’s input. Secondly, the obtained prompt template is combined with the user’s input to generate a new question. Finally, the newly generated question leverages dual information sources from SO posts and API official documentation to provide recommendations. To evaluate the effectiveness of PTAPI, we conducted experiments at both the class-level and method-level. 
The experimental results demonstrate the effectiveness of the proposed approach, with a significant improvement in the success rate.</p></div>","PeriodicalId":55414,"journal":{"name":"Automated Software Engineering","volume":"31 1","pages":""},"PeriodicalIF":2.0,"publicationDate":"2024-03-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140114753","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Jaakko Sauvola, Sasu Tarkoma, Mika Klemettinen, Jukka Riekki, David Doermann
{"title":"Future of software development with generative AI","authors":"Jaakko Sauvola, Sasu Tarkoma, Mika Klemettinen, Jukka Riekki, David Doermann","doi":"10.1007/s10515-024-00426-z","DOIUrl":"10.1007/s10515-024-00426-z","url":null,"abstract":"<div><p>Generative AI is regarded as a major disruption to software development. Platforms, repositories, clouds, and the automation of tools and processes have been proven to improve productivity, cost, and quality. Generative AI, with its rapidly expanding capabilities, is a major step forward in this field. As a new key enabling technology, it can be used for many purposes, from creative dimensions to replacing repetitive and manual tasks. The number of opportunities increases with the capabilities of large-language models (LLMs). This has raised concerns about ethics, education, regulation, intellectual property, and even criminal activities. We analyzed the potential of generative AI and LLM technologies for future software development paths. We propose four primary scenarios, model trajectories for transitions between them, and reflect against relevant software development operations. 
The motivation for this research is clear: the software development industry needs new tools to understand the potential, limitations, and risks of generative AI, as well as guidelines for using it.</p></div>","PeriodicalId":55414,"journal":{"name":"Automated Software Engineering","volume":"31 1","pages":""},"PeriodicalIF":2.0,"publicationDate":"2024-03-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://link.springer.com/content/pdf/10.1007/s10515-024-00426-z.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140098778","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Test-suite-guided discovery of least privilege for cloud infrastructure as code","authors":"Ryo Shimizu, Yuna Nunomura, Hideyuki Kanuka","doi":"10.1007/s10515-024-00420-5","DOIUrl":"10.1007/s10515-024-00420-5","url":null,"abstract":"<div><p>Infrastructure as code (IaC) for the cloud, which automatically configures a system’s cloud environment from source code, is an important practice thanks to its efficient, reproducible provisioning. On a cloud IaC definition (template), developers must carefully manage permission settings to minimize the risk of cyber-attacks. To this end, least privilege on IaC templates, i.e., the assignment of a necessary and sufficient set of permissions, is widely regarded as a best practice. However, the discovery of least privilege can be an error-prone, burdensome task for developers. This is partially because the execution of an action on the cloud sometimes implicitly requires permissions of other services, and since these are difficult to recognize without actual execution, developers are forced to manually iterate the execution of an action and the modification of permissions. In this work, we present an approach to automatically discover least privilege. Our approach utilizes a test suite, which represents what a system should achieve on the cloud, as an indicator of least privilege, and it iterates testing on the cloud and (re)configuration of permissions on the basis of the test results. We also propose a stepwise filtering technique that utilizes the co-occurrences of cloud services/actions and clustering-based pruning to efficiently rule out unnecessary permissions. Our experiments demonstrate that this filtering reduces the number of iterations compared to naive approaches, which directly affects the time and cost to discover least privilege. 
Moreover, three case studies show that our approach can identify least privilege on Amazon Web Services within a practical time.</p></div>","PeriodicalId":55414,"journal":{"name":"Automated Software Engineering","volume":"31 1","pages":""},"PeriodicalIF":2.0,"publicationDate":"2024-03-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"140035686","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}