Aspect Security - RaviShekhar Gopalan - Prof. Lieberherr Software Security (CSG379)

1 Aspect Security - RaviShekhar Gopalan - Prof. Lieberherr Software Security (CSG379)

2 Topics Covered

3 Topics  Short Security Overview  Motivation for this project  What is this project?  Implementation  Future Work  References

4 Security Overview

5 Security in Software Engineering
- A non-functional requirement
- Applied as a patch at the end of SDLC
- Not a design consideration
- Preference for non-invasive techniques
- Not a prime focus during development
- Leads to a disconnection between development and the "security" cycle

6 Types of Security
- Domain Level Security
  - Is dependent on an application
  - Similar to Business Rules
  - Security policies, ACLs – Non-invasive
    - Store them as rules in config files
    - E.g. xml files in J2EE
- Provided by language
  - Not the focus anywhere
- This project is about improvements to the security features provided by the language

7 Security provided by the language
- Language should provide features for security
- Similar to "public" and "private", there should be some "const" keyword similar to C++
- Every method should declare its behavior
- For example, we might have a new set of keywords:
  - Immutable
  - Inspector
  - Mutator

8 Motivation

9 Enter AOP!
- Security loopholes may not be intentional
- Bug fixes may introduce security bugs
- More so with AOP (compartmentalization)
- Right time to correct in AOP whatever was not done in OOP
- Since AOP is still in its infancy, a security focus can be built in

10 Aspect Security
- Aspects are powerful.
- Need a controlled & safe way of aspect oriented development
- Need a stronger safety net than normal languages

11 Simple Demo !!

12 What is this project?

13 Ideally, ….
- Ideally, language should provide features for security
- Every method should declare its behavior
- If not, metadata will have to be used.

14 Requirements??
- At the least, the compiler should
  - Warn if it can determine that a possible security breach exists
  - Warn if there exist possible loopholes which can be exploited in future
  - Guard against these by putting dynamic checks in place
- This is a bit ambitious, but not too much.

15 What is a Secure Aspect?
- A secure aspect is an aspect which is secure
- For object-oriented programs, an aspect should not
  - interfere with the OO part of the system
  - modify behavior of the object which it is trying to influence.
  - modify data of the object which it is trying to influence.

16 What should a secure aspect do?
- A secure aspect should
  - Add behavior at a join point
  - Add checks for certain conditions
  - Basically be an inspector

17 What should a secure aspect not do?
- A secure aspect should not
  - Modify an object's behavior at any join point
  - Modify an object's data at any join point
  - Change an object's hierarchy if the object is not open to change (……)

18 Implementation

19 How to do it?
- In order to determine the security aspects statically,
  - step in at compile time
  - influence the compiler with our security rules
- Security rules can be hard-coded or in some XML file
- Rules in an XML file require development of a separate language syntax and its validation

20 Aspect Bench Compiler
- abc compiler from Oxford University
- Chosen because it is open-source
- Open and easy to extend
- Gives extension-writers the AST in objects which are easier to manipulate

21 abc Architecture

22 abc Modification Point

23 Proposed Change
(diagram: Compiler Front End → Aspect Checker → Static Weaving)

24 Proof of Concept
- Aspect Checker checks aspects before weaving
- For this PoC, I am checking whether an aspect calls a setter method of the main class

25 Aspect Checker
(diagram labels: MainBankAccount::initialize(); Set Account Id to 0; Aspect)
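
The inspector/mutator distinction from slides 15 to 17 and the setter call targeted by the proof of concept, as an added AspectJ example that is not code from the presentation. `BankAccount`, its methods, `Main` and both aspect names are constructed for illustration, loosely following the labels on slide 25.

```aspectj
// Constructed example; every class, method and aspect name here is an assumption.
public class BankAccount {
    private static int nextId = 1000;
    private int accountId;
    private double balance;

    public void initialize() { accountId = nextId++; }
    public int getAccountId() { return accountId; }
    public void setAccountId(int id) { accountId = id; }
    public double getBalance() { return balance; }
    public void deposit(double amount) { balance += amount; }
}

// Inspector: adds a check at a join point and only reads state via getters.
// A checker following slides 15-17 should accept it.
aspect DepositAudit {
    before(BankAccount acct, double amount):
        call(void BankAccount.deposit(double)) && target(acct) && args(amount) {
        if (amount <= 0) {
            System.err.println("suspicious deposit of " + amount
                + " on account " + acct.getAccountId());
        }
    }
}

// Mutator: advice that calls a setter of the advised class, overwriting
// the id assigned by initialize(). This is the pattern the slide-24
// proof of concept looks for before weaving.
aspect ResetAccountId {
    after(BankAccount acct) returning:
        execution(void BankAccount.initialize()) && target(acct) {
        acct.setAccountId(0);
    }
}

class Main {
    public static void main(String[] args) {
        BankAccount acct = new BankAccount();
        acct.initialize();
        acct.deposit(-5.0);   // triggers the DepositAudit check
        // With ResetAccountId woven in, the id set by initialize() is gone.
        System.out.println("account id: " + acct.getAccountId());
    }
}
```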

26 Design of Aspect Checker
(diagram labels: GlobalAspectChecker; BankAccountChecker; BankChecker; AspectInfo; abc Compiler; AccountChecker; Individual Checkers)

27 Demo of Aspect Checker

28 Future Work

29
- Handle inter-type declarations
- Handle weaving of aspect-checking code
- Finalize design of AspectChecker

30 References

31 References   Building the abc AspectJ compiler with Polyglot and Soot – –abc Technical Report No. abc-2004-2   abc : An extensible AspectJ compiler – –abc Technical Report No. abc-2004-1   The abc scanner and parser, including an LALR(1) grammar for AspectJ

32 Thank You!!

