A fine-grained framework for quantifying secure management of state in object-oriented programs

    Research output: Contribution to journalArticlepeer-review


    Mismanagement of programs’ run-time state can lead to serious security vulnerabilities, and in object-oriented languages, the program state can be particularly difficult to reason about. In this paper, we outline a framework for assessing the extent to which mutable state is used in object-oriented programs, with a longer term aim of measuring the degree to which it is correlated with reported security vulnerabilities. The notion of method purity is used to characterize uses of mutable state. In previous work, several different and conflicting schemes for identifying pure methods in statically typed object-oriented languages have been proposed. Most existing tools measure only the presence or absence of a particular type of purity. This paper introduces a finer-grained classification of purity in object-oriented languages, in which five broad levels are extended with details of which additional effects (such as reading of mutable state and use of system I/O) are performed by a method. A portion of real-world code is analyzed to identify the way in which particular programming idioms make use of state. We confirm that a variety of different levels of purity occur in the analyzed packages, sometimes occurring in combination with additional computational effects (such as logging, system input, or reading from non-local, mutable state). Analysis of 46 methods from 6 classes found that 50% exhibited some level of purity, including 32% with strict purity (complete prohibition on mutation of variables). © 2016 Informa UK Limited, trading as Taylor & Francis Group
    Original languageEnglish
    Pages (from-to)9-16
    Number of pages8
    JournalInternational Journal of Computers and Applications
    Issue number1
    Publication statusPublished - 2017


    Dive into the research topics of 'A fine-grained framework for quantifying secure management of state in object-oriented programs'. Together they form a unique fingerprint.

    Cite this