Abstract
The system titled Secure Coding Assistant was developed to automate early detection of a subset of the Java secure coding rules specified by SEI CERT at Carnegie Mellon University. It can help Java programmers significantly reduce the security vulnerabilities in their code that are caused by violations of secure coding rules. Since other software defects can also lead to security vulnerabilities, efforts have been made to extend Secure Coding Assistant so that programmers can detect, locate and remove code errors during coding time. This paper presents an enhancement to Secure Coding Assistant through a combination of Design by Contract and programming logic. Java programmers using the system are advised to provide their design contracts, i.e., logic assertions, for the program structures of methods, if-then-else statements and while-loop statements. The design contracts defined by programmers are checked automatically when the program executes. To further facilitate the detection and location of code errors, the system uses the programmer-defined design contracts to generate sub-design contracts automatically, based on the inference rules for the if-then-else statement and the while-loop statement in programming logic. The sub-design contracts generated by the system are likewise checked automatically at run time. In addition, based on the assignment axiom and the inference rule for the sequence statement in programming logic, the weakest pre-conditions of certain assignment sequences can be generated automatically from the post-conditions of those sequences, enabling programmers to statically analyze the correctness of the corresponding design contracts they specify. With this enhancement, Secure Coding Assistant can assist programmers with the early detection not only of secure coding rule violations but also of errors in code.
These early detections are performed in unison with the coding process to pursue software security.
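The programming-logic rules the abstract relies on, as an added illustration that is not the paper's tool (which targets Java): the assignment axiom and sequence rule compute a weakest pre-condition backwards over an assignment sequence, the if-then-else and while rules split a contract into sub-contracts, and a small brute-force check evaluates a triple on concrete states. The sample program, the string-based contract encoding and the state space are constructed for this example.

```python
import re

# Assignment axiom: wp(x := e, Q) = Q[e/x]. Contracts are Python boolean
# expressions over program variables, kept as strings so we can substitute.
def wp_assign(var, expr, post):
    return re.sub(rf"\b{re.escape(var)}\b", f"({expr})", post)

# Sequence rule: wp(S1; S2, Q) = wp(S1, wp(S2, Q)), i.e. substitute backwards.
def wp_sequence(assignments, post):
    pre = post
    for var, expr in reversed(assignments):
        pre = wp_assign(var, expr, pre)
    return pre

# If-then-else rule: {P} if B then S1 else S2 {Q} yields the sub-contracts
# {P and B} S1 {Q} and {P and not B} S2 {Q}.
def if_sub_contracts(pre, cond, post):
    return [(f"({pre}) and ({cond})", "then", post),
            (f"({pre}) and not ({cond})", "else", post)]

# While rule with invariant I: {I and B} S {I}, plus the exit obligation
# (I and not B) -> Q, returned as a second sub-contract on the exit state.
def while_sub_contracts(invariant, cond, post):
    return [(f"({invariant}) and ({cond})", "body", invariant),
            (f"({invariant}) and not ({cond})", "exit", post)]

# Dynamic check of one contract on a concrete state (eval is applied only to
# the contract strings built in this example, with builtins disabled).
def holds(contract, state):
    return bool(eval(contract, {"__builtins__": {}}, dict(state)))

# Execute an assignment sequence on a concrete state.
def run(assignments, state):
    state = dict(state)
    for var, expr in assignments:
        state[var] = eval(expr, {"__builtins__": {}}, dict(state))
    return state

# {pre} S {post} holds on the sampled states if every state satisfying pre
# satisfies post after S has run.
def check_triple(pre, assignments, post, states):
    return all(holds(post, run(assignments, s))
               for s in states if holds(pre, s))

if __name__ == "__main__":
    prog = [("x", "x + 1"), ("y", "x * 2")]   # constructed sample program
    pre = wp_sequence(prog, "y > 4")          # "((x + 1) * 2) > 4"
    states = [{"x": x, "y": 0} for x in range(-3, 4)]
    print(pre, check_triple(pre, prog, "y > 4", states))
    print(check_triple("x > 0", prog, "y > 4", states))  # x = 1 gives y = 4
```

The last check shows why the generated weakest pre-condition matters: the hand-written contract `x > 0` is too weak for the sequence, and the dynamic check exposes the counterexample.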