Aspect Security - RaviShekhar Gopalan - Prof. Lieberherr Software Security (CSG379)

Slides:

Advertisements

Similar presentations

AspectWerkz 2 - and the road to AspectJ 5 Jonas Bonér Senior Software Engineer BEA Systems.

Advertisements

Aspect Oriented Programming. AOP Contents 1 Overview 2 Terminology 3 The Problem 4 The Solution 4 Join point models 5 Implementation 6 Terminology Review.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 32 Slide 1 Aspect-oriented Software Development.

AndroidCompiler. Layout Motivation Literature Review AndroidCompiler Future Works.

Introduction To System Analysis and Design

1 Introducing Collaboration to Single User Applications A Survey and Analysis of Recent Work by Brian Cornell For Collaborative Systems Fall 2006.

1/18 CS 693/793 Lecture 09 Special Topics in Domain Specific Languages CS 693/793-1C Spring 2004 Mo, We, Fr 10:10 – 11:00 CH 430.

Aalborg Media Lab 21-Jun-15 Software Design Lecture 1 “ Introduction to Java and OOP”

16/22/2015 2:54 PM6/22/2015 2:54 PM6/22/2015 2:54 PMObject-Oriented Development Concept originated with simulating objects and their interactions. Adapted.

1 CMSC 132: Object-Oriented Programming II Software Development III Department of Computer Science University of Maryland, College Park.

CSCI-383 Object-Oriented Programming & Design Lecture 15.

Operating Systems Protection & Security.

C++ Object Oriented 1. Class and Object The main purpose of C++ programming is to add object orientation to the C programming language and classes are.

GENERAL CONCEPTS OF OOPS INTRODUCTION With rapidly changing world and highly competitive and versatile nature of industry, the operations are becoming.

CISC6795: Spring Object-Oriented Programming: Polymorphism.

COP4020 Programming Languages

Introduction to Aspect Oriented Programming Presented By: Kotaiah Choudary. Ravipati M.Tech IInd Year. School of Info. Tech.

Aspect Oriented Programming Razieh Asadi University of Science & Technology Mazandran Babol Aspect Component Based Software Engineering (ACBSE)

Supporting Heterogeneous Users in Collaborative Virtual Environments using AOP CoopIS 2001 September 5-7, Trento, Italy M. Pinto, M. Amor, L. Fuentes,

Abc Compiler Zak Fry. Who and Where Programming Tools Group at Oxford University, UK – Oege de Moor Sable Research Group at McGill University, Quebec.

Change Impact Analysis for AspectJ Programs Sai Zhang, Zhongxian Gu, Yu Lin and Jianjun Zhao Shanghai Jiao Tong University.

Aspect Oriented Programming Scott Nykl CSSE 411 Senior Seminar.

Plug-in System for the Xylia Extensible XML Editor Student: Jonathan Milley Supervisor: Dr. T. S. Norvell.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 32 Slide 1 Aspect-oriented Software Development 1.

Testing Grammars For Top Down Parsers By Asma M Paracha, Frantisek F. Franek Dept. of Computing & Software McMaster University Hamilton, Ont.

CSCI-383 Object-Oriented Programming & Design Lecture 13.

Aspect Oriented Programming Sumathie Sundaresan CS590 :: Summer 2007 June 30, 2007.

Aspect-Oriented Refactoring of the Apache Cocoon Shared-Object Resource Allocation System Jeff Dalton February 28th, 2003 Advisor: David G. Hannay Client:

Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition, Chapter 14: Protection.

Aspect Oriented Programming Gülşah KARADUMAN.

Copyright © 2012 Pearson Education, Inc. Chapter 13: Introduction to Classes.

Methodology: The AOP Refactoring Process Aspect-Oriented Refactoring of the Apache Cocoon Shared-Object Resource Allocation System Jeff Dalton Advisor:

AOP-1 Aspect Oriented Programming. AOP-2 Aspects of AOP and Related Tools Limitation of OO Separation of Concerns Aspect Oriented programming AspectJ.

CCC: An Aspect-Oriented Intermediate Language on.Net Platform Yingfei Xiong and Feng Wan University of Electronic Science and Technology of China, China.

Silberschatz, Galvin and Gagne  Operating System Concepts Chapter 18: Protection Goals of Protection Objects and Domains Access Matrix Implementation.

CSSE501 Object-Oriented Development. Chapter 4: Classes and Methods  Chapters 4 and 5 present two sides of OOP: Chapter 4 discusses the static, compile.

1 An Aspect-Oriented Implementation Method Sérgio Soares CIn – UFPE Orientador: Paulo Borba.

Dale Roberts Object Oriented Programming using Java - Introduction Dale Roberts, Lecturer Computer Science, IUPUI Department.

A Component Platform for Experimenting with Autonomic Composition A component framework for supporting composition of autonomic services and bio-inspired.

Inter-Type Declarations in AspectJ Awais Rashid Steffen Zschaler © Awais Rashid, Steffen Zschaler 2009.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor.

PRESENTER PRIYANKA GUPTA.  Testing the complete system with respect to requirements.  In System testing, the functionalities of the system are tested.

Object Oriented Programming

1 ECE 750 Topic 8 Meta-programming languages, systems, and applications Evolving Object-Oriented Designs with Refactorings – Lance Tokuda and Don Batory.

SSQSA present and future Gordana Rakić, Zoran Budimac Department of Mathematics and Informatics Faculty of Sciences University of Novi Sad

Fall 2015CISC/CMPE320 - Prof. McLeod1 CISC/CMPE320 Lecture Videos will no longer be posted. Assignment 3 is due Sunday, the 8 th, 7pm. Today: –System Design,

Interfaces F What is an Interface? F Creating an Interface F Implementing an Interface F What is Marker Interface?

Privilege Escalation Two case studies. Privilege Escalation To better understand how privilege escalation can work, we will look at two relatively recent.

Advanced Software Development Karl Lieberherr CSG 260 Fall Semester

AOSD'04, Lancaster, UK 1 Remote Pointcut - A Language Construct for Distributed AOP Muga Nishizawa (Tokyo Tech) Shigeru Chiba (Tokyo Tech) Michiaki Tatsubori.

Applying Aspect-Orientation in Designing Security Systems Shu Gao Florida International University Center for Advanced Distributed Systems Engineering.

Presented by Ted Higgins, SQL Server DBA An Introduction to Object – Oriented Programming.

5 Copyright © 2008, Oracle. All rights reserved. Testing and Validating a Repository.

CSCI 383 Object-Oriented Programming & Design Lecture 15 Martin van Bommel.

Software Engineering Lecture 7

The architecture of the P416 compiler

Chapter 14: System Protection

Types for Programs and Proofs

Aspect-Oriented Programming with the Eclipse AspectJ plug-in

Object-Oriented Programming & Design Lecture 14 Martin van Bommel

ADO.NET Entity Framework Marcus Tillett

The Object-Oriented Thought Process Chapter 05

JAsCo an Aspect-Oriented approach tailored for

Structuring Adaptive Applications using AspectJ and AOM

Chapter 14: Protection.

CISC/CMPE320 - Prof. McLeod

Parsing with IRONY Roman Ivantsov, MCSD

AspectAda Aspect-Oriented Programming for Ada95

C++ Object Oriented 1.

Presentation transcript:

Aspect Security - RaviShekhar Gopalan - Prof. Lieberherr Software Security (CSG379)

Topics Covered

Topics  Short Security Overview  Motivation for this project  What is this project?  Implementation  Future Work  References

Security Overview

Security in Software Engineering A non-functional requirement Applied as a patch at the end of SDLC Not a design-consideration Preference for non-invasive techniques Not a prime focus during development Leads to a disconnection between development and “security” cycle

Types of Security Domain Level Security Is dependent on an application Is dependent on an application Similar to Business Rules Similar to Business Rules Security policies, ACLs – Non-invasive Store them as rules in config files Store them as rules in config files E.g. xml files in J2EE E.g. xml files in J2EE Provided by language Not the focus anywhere Not the focus anywhere This project is about improvements to the security features provided by the language

Security provided by the language Language should provide features for security Similar to “public”, “private” there should be some “const” keyword similar to C++ Every method should declare its behavior For e.g. we might have a new set of keywords Immutable Immutable Inspector Inspector Mutator Mutator

Motivation

Enter AOP! Security loopholes may not be intentional Bug fixes may introduce security bugs More so with AOP (compartmentalization) Right time to correct in AOP whatever was not done in OOP Since AOP still in infancy, security focus can be imbibed

Aspect Security Aspects are powerful. Aspects are powerful. Need a controlled & safe way of aspect oriented development Need a controlled & safe way of aspect oriented development Need a stronger safety net than normal languages Need a stronger safety net than normal languages

Simple Demo !!

What is this project?

Ideally, …. Ideally, language should provide features for security Ideally, language should provide features for security Every method should declare its behavior Every method should declare its behavior If not, metadata will have to be used. If not, metadata will have to be used.

Requirements?? At the least, compiler should At the least, compiler should Warn if it can determine whether a possible security breach exists Warn if it can determine whether a possible security breach exists There exists possible loop-holes which can be exploited in future There exists possible loop-holes which can be exploited in future Guard against these by putting dynamic checks in place Guard against these by putting dynamic checks in place This is a bit ambitious, but not too much. This is a bit ambitious, but not too much.

What is a Secure Aspect? A secure aspect is an aspect which is secure A secure aspect is an aspect which is secure For object-oriented programs, an aspect should not For object-oriented programs, an aspect should not interfere with the OO part of the system interfere with the OO part of the system modify behavior of the object which it is trying to influence. modify behavior of the object which it is trying to influence. modify data of the object which it is trying to influence. modify data of the object which it is trying to influence.

What should a secure aspect do? A secure aspect should A secure aspect should Add behavior at a join point Add behavior at a join point Add checks for certain conditions Add checks for certain conditions Basically be an inspector Basically be an inspector

What a secure aspect should not do? A secure aspect should not A secure aspect should not Modify an object’s behavior at any join point Modify an object’s behavior at any join point Modify an object’s data at any join point Modify an object’s data at any join point Should not change an object’s hierarchy if the object is not open to change (……) Should not change an object’s hierarchy if the object is not open to change (……)

Implementation

How to do it? In order to determine the security aspects statically, step in at compile time influence the compiler with our security rules Security Rules can be hard-coded or in some XML file Rules in an XML file require development of a separate language syntax and its validation

Aspect Bench Compiler abc compiler from Oxford University Chosen because it is open-source Open and easy to extend Gives extension-writers the AST in objects which are easier to manipulate

abc Architecture

abc Modification Point

Proposed Change Compiler Front End Aspect Checker Static Weaving

Proof of Concept Aspect Checker checks aspects before weaving For this PoC, I am checking whether an aspect calls a setter method of the main class

Aspect Checker MainBankAccount::initialize() Set Account Id to 0 Aspect

Design of Aspect Checker GlobalAspectChecker BankAccountCheckerBankChecker AspectInfo abc Compiler AccountChecker Individual Checkers

Demo of Aspect Checker

Future Work

 Handle inter-type declarations  Handle weaving of aspect-checking code  Finalize design of AspectChecker

References

References   Building the abc AspectJ compiler with Polyglot and Soot – –abc Technical Report No. abc   abc : An extensible AspectJ compiler – –abc Technical Report No. abc   The abc scanner and parser, including an LALR(1) grammar for AspectJ

Thank You!!