Presentation is loading. Please wait.

Presentation is loading. Please wait.

Aspect Oriented Security Tim Hollebeek, Ph.D.

Published byBrittney Hicks Modified over 8 years ago

Similar presentations

Presentation on theme: "Aspect Oriented Security Tim Hollebeek, Ph.D."— Presentation transcript:

1 Aspect Oriented Security www.cigital.com Tim Hollebeek, Ph.D. tim@cigital.com

2 Overview Background and Motivation Aspect Oriented Programming Aspect Oriented Security Strategy and Progress

3 State of the World Then (1980’s): Network applications vulnerable to compromise due to well known software flaws Now: Network applications vulnerable to compromise due to well known software flaws Why don’t we have secure software? Many subtleties Too much to know Programming is hard Popular languages are not designed with security in mind What we know isn’t being applied to real software!

4 Nature of Software Security Security expertise is rare, and expensive to produce Software is large and complex Auditing is often impractical Yet: only as secure as “weakest link” Ability to apply security concerns uniformly throughout code would be useful

5 Aspect Oriented Programming Developer Source Code Source Code Application ? Developer Source code organized in terms of concerns instead of in terms of objects

6 Aspect Oriented Security Developers Security Expert Source Code Security Expertise Secure Application ? Developer is not a security expert

7 Aspect Oriented Security Developers Security Expert Source Code Security Aspect Secure Application Weaver Developer is not a security expert Security expertise is application independent

8 Aspect Oriented Security Programmers should not have to be security experts! Security experts should not have to know what application every programmer is building! Abstract security concerns away and deal with them separately Build technology to weave in the appropriate constructs Write once, apply everywhere Goal: Aspect language for static transformations that express security fixes and preventative measures Need: Portability of concerns, as well as separation

9 Architecture

10 Scope Language: C Traditional applications Many security problems –Buffer overflows, race conditions, unsafe library calls, TOCTOU, unchecked error codes, audit logging, critical sections (and others!) Problems are well known and well understood Many insecure programs could immediately benefit from working tool Results can be easily applied to new languages

11 Theory Aspects must be able to make moderately complex transformations to existing code Aspects must be portable, must integrate cleanly with other aspects without prior knowledge Merging multiple aspects –Based on the idea that semantics of original program are preserved Theory and experience from AOP community is helpful here

12 Key issues Security experts need sufficiently powerful primitives for expressing interesting transformations Tool must place little or no burden on users Filman and Friedman: “Aspect Oriented Programming is Quantification and Obliviousness” OOPSLA 2000

13 Progress to Date Build Integration –weaving integrates seamlessly into development environment Designed and implemented infrastructure for future weavers Prototype aspect language and weaver –syntax and semantics similar to AspectJ –explored what can be expressed –evaluated requirements/design considerations for further improvements

14 Future Work Aspect collision Reusable aspects –Aspect inheritance –Aspect extension (e.g., error recovery) Aspect language improvements –Extensibility –Expressiveness Configuration and build issues –Usability –Aspect configuration Integration –Linker, library issues –Other tools Design and implement security aspects, distribute tool

15 Conclusion Aspect Oriented Security  provides uniform framework for building secure software automatically C source Other languages  Separation of concerns Developer does not require security expertise Security expert does not require knowledge of program  Security aspects are reusable and extensible Automatic Integrated with normal build process

Download ppt "Aspect Oriented Security Tim Hollebeek, Ph.D."

Similar presentations

Scenarios for applying crosscutting concerns. Aspects should be visible throughout the full lifecycle of a software product. While most AOP-efforts currently.

Scenarios for applying crosscutting concerns. Aspects should be visible throughout the full lifecycle of a software product. While most AOP-efforts currently.
Achieve Benefit from IT Projects. Aim This presentation is prepared to support and give a general overview of the ‘How to Achieve Benefits from IT Projects’

Achieve Benefit from IT Projects. Aim This presentation is prepared to support and give a general overview of the ‘How to Achieve Benefits from IT Projects’
The Top 10 Reasons Why Federated Can’t Succeed And Why it Will Anyway.

The Top 10 Reasons Why Federated Can’t Succeed And Why it Will Anyway.
Aspect Oriented Programming. AOP Contents 1 Overview 2 Terminology 3 The Problem 4 The Solution 4 Join point models 5 Implementation 6 Terminology Review.

Aspect Oriented Programming. AOP Contents 1 Overview 2 Terminology 3 The Problem 4 The Solution 4 Join point models 5 Implementation 6 Terminology Review.
Chapter 3 Process Models

Chapter 3 Process Models
ASTA Aspect Software Testing Assistant Juha Gustafsson, Juha Taina, Jukka Viljamaa University of Helsinki.

ASTA Aspect Software Testing Assistant Juha Gustafsson, Juha Taina, Jukka Viljamaa University of Helsinki.
1 JAC : Aspect Oriented Programming in Java An article review by Yuval Nir and Limor Lahiani.

1 JAC : Aspect Oriented Programming in Java An article review by Yuval Nir and Limor Lahiani.
Framework is l Reusable Code, often domain specific (GUI, Net, Web, etc) l expressed as l a set of classes and l the way objects in those classes collaborate.

Framework is l Reusable Code, often domain specific (GUI, Net, Web, etc) l expressed as l a set of classes and l the way objects in those classes collaborate.
Presented by: Thabet Kacem Spring 2010. Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.

Presented by: Thabet Kacem Spring Outline Contributions Introduction Proposed Approach Related Work Reconception of ADLs XTEAM Tool Chain Discussion.
Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.

Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.
Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.

Formal Methods in Software Engineering Credit Hours: 3+0 By: Qaisar Javaid Assistant Professor Formal Methods in Software Engineering1.
The Knowledge Industry Survival Strategy (KISS) Tony Clark, Thames Valley University, London, UK Jorn Bettin, Sofismo, Switzerland.

The Knowledge Industry Survival Strategy (KISS) Tony Clark, Thames Valley University, London, UK Jorn Bettin, Sofismo, Switzerland.
ASPECT ORIENTED SOFTWARE DEVELOPMENT Prepared By: Ebru Doğan.

ASPECT ORIENTED SOFTWARE DEVELOPMENT Prepared By: Ebru Doğan.
Software Services for Social Network tools implementation Aleksandar Dimov, PhD Sofia University

Software Services for Social Network tools implementation Aleksandar Dimov, PhD Sofia University
Rigorous Fault Tolerance Using Aspects and Formal Methods Shmuel Katz Computer Science Department The Technion Haifa, Israel

Rigorous Fault Tolerance Using Aspects and Formal Methods Shmuel Katz Computer Science Department The Technion Haifa, Israel
On the horizon Chapter twenty-five of: Szyperski, Clemens et al. Component Software - Beyond Object-Oriented Programming. Second Edition.

On the horizon Chapter twenty-five of: Szyperski, Clemens et al. Component Software - Beyond Object-Oriented Programming. Second Edition.
Software Issues Derived from Dr. Fawcett’s Slides Phil Pratt-Szeliga Fall 2009.

Software Issues Derived from Dr. Fawcett’s Slides Phil Pratt-Szeliga Fall 2009.
1 FM Overview of Adaptation. 2 FM RAPIDware: Component-Based Design of Adaptive and Dependable Middleware Project Investigators: Philip McKinley, Kurt.

1 FM Overview of Adaptation. 2 FM RAPIDware: Component-Based Design of Adaptive and Dependable Middleware Project Investigators: Philip McKinley, Kurt.
Object-Oriented Methods: Database Technology An introduction.

Object-Oriented Methods: Database Technology An introduction.
1 An introduction to design patterns Based on material produced by John Vlissides and Douglas C. Schmidt.

1 An introduction to design patterns Based on material produced by John Vlissides and Douglas C. Schmidt.

Similar presentations

Ads by Google