A Taxonomy Of Aspect-Oriented Security

Aspect-Oriented Programming is gaining prominence,  particularly in the area of security. There are however no taxonomies available, that classify the proliferation of research done in the area of Aspect-Oriented Security. This paper attempts to categorize research outputs conducted in this area, and evaluate the usability of the aspect-oriented paradigm in terms of software security

AProSec: an Aspect for Programming Secure Web Applications

International audienceAdding security functions in existing Web application servers is now vital for the IS of companies and organizations. Writing crosscutting functions in complex software should take advantage of the modularity offered by new software development approaches. With Aspect-Oriented Programming (AOP), separating concerns when designing an application fosters reuse, parameterization and maintenance. In this paper, we design a security aspect called AProSec for detecting SQL injection and Cross Scripting Site (XSS) that are common attacks in web servers. We experiment this aspect with the AspectJ language and the JBoss AOP framework. With this experimentation, we show the advantage of runtime platforms such as JBoss AOP for changing security policies at runtime. Finally, we describe related work on security and AOP

FOAL 2004 Proceedings: Foundations of Aspect-Oriented Languages Workshop at AOSD 2004

Aspect-oriented programming is a paradigm in software engineering and FOAL logos courtesy of Luca Cardelli programming languages that promises better support for separation of concerns. The third Foundations of Aspect-Oriented Languages (FOAL) workshop was held at the Third International Conference on Aspect-Oriented Software Development in Lancaster, UK, on March 23, 2004. This workshop was designed to be a forum for research in formal foundations of aspect-oriented programming languages. The call for papers announced the areas of interest for FOAL as including, but not limited to: semantics of aspect-oriented languages, specification and verification for such languages, type systems, static analysis, theory of testing, theory of aspect composition, and theory of aspect translation (compilation) and rewriting. The call for papers welcomed all theoretical and foundational studies of foundations of aspect-oriented languages. The goals of this FOAL workshop were to: � Make progress on the foundations of aspect-oriented programming languages. � Exchange ideas about semantics and formal methods for aspect-oriented programming languages. � Foster interest within the programming language theory and types communities in aspect-oriented programming languages. � Foster interest within the formal methods community in aspect-oriented programming and the problems of reasoning about aspect-oriented programs. The papers at the workshop, which are included in the proceedings, were selected frompapers submitted by researchers worldwide. Due to time limitations at the workshop, not all of the submitted papers were selected for presentation. FOAL also welcomed an invited talk by James Riely (DePaul University), the abstract of which is included below. The workshop was organized by Gary T. Leavens (Iowa State University), Ralf L?ammel (CWI and Vrije Universiteit, Amsterdam), and Curtis Clifton (Iowa State University). The program committee was chaired by L?ammel and included L?ammel, Leavens, Clifton, Lodewijk Bergmans (University of Twente), John Tang Boyland (University of Wisconsin, Milwaukee), William R. Cook (University of Texas at Austin), Tzilla Elrad (Illinois Institute of Technology), Kathleen Fisher (AT&T Labs�Research), Radha Jagadeesan (DePaul University), Shmuel Katz (Technion�Israel Institute of Technology), Shriram Krishnamurthi (Brown University), Mira Mezini (Darmstadt University of Technology), Todd Millstein (University of California, Los Angeles), Benjamin C. Pierce (University of Pennsylvania), Henny Sipma (Stanford University), Mario S?udholt ( ?Ecole des Mines de Nantes), and David Walker (Princeton University). We thank the organizers of AOSD 2004 for hosting the workshop

An aspect oriented approach for security hardening : semantic foundations

Computer security is nowadays a very important field in computer science and security hardening of applications becomes of paramount importance. Aspect oriented programming (AOP) is a relatively new technology that allows separation of concerns such as security, synchronization, logging, etc. This increases the readability, understandability, maintainability, and security of software systems. Furthermore, AOP allows automatic injection of the crosscutting concerns into the application code using a weaving mechanism. This thesis comes to provide theoretical study of using AOP for security hardening of applications. The main contributions of this thesis are the following. We propose a comparative study of AOP approaches from a security perspective. We establish a security appropriateness analysis of AspectJ and we propose new security constructs for this language. Since aspects in AspectJ are weaved (combined) with the Java Virtual Machine Language (JVML) application code, we develop a formal semantics for the JVML. We propose also a semantics for AspectJ that formalizes the advice weaving. We develop a new AOP calculus, n_SAOP, based on lambda calculus extended with security pointcuts. Finally, we implement three new constructs in AspectJ, namely getLocal , setLocal , and dflow , for local variable accesses and data flow analysis. In conclusion, this thesis demonstrates the relevance, importance, and appropriateness of using the AOP programming paradigm in hardening the security of application

A Statically Typed Logic Context Query Language With Parametric Polymorphism and Subtyping

The objective of this thesis is programming language support for context-sensitive program adaptations. Driven by the requirements for context-aware adaptation languages, a statically typed Object-oriented logic Context Query Language  (OCQL) was developed, which is suitable for integration with adaptation languages based on the Java type system. The ambient information considered in context-aware applications often originates from several, potentially distributed sources. OCQL employs the Semantic Web-language RDF Schema to structure and combine distributed context information. OCQL offers parametric polymorphism, subtyping, and a fixed set of meta-predicates. Its type system is based on mode analysis and a subset of Java Generics. For this reason a mode-inference approach for normal logic programs that considers variable aliasing and sharing was extended to cover all-solution predicates. OCQL is complemented by a service-oriented context-management infrastructure that supports the integration of OCQL with runtime adaptation approaches. The applicability of the language and its infrastructure were demonstrated with the context-aware aspect language CSLogicAJ. CSLogicAJ aspects encapsulate context-aware behavior and define in which contextual situation and program execution state the behavior is woven into the running program. The thesis concludes with a case study analyzing how runtime adaptation of mobile applications can be supported by pure object-, service- and context-aware aspect-orientation. Our study has shown that CSLogicAJ can improve the modularization of context-aware applications and reduce anticipation of runtime adaptations when compared to other approaches

A verification approach for crosscutting features based on extension join points

Recently, one arguing question in the context of product line development is how to improve the modularization and composition of crosscutting features. However, little attention has been paid to the closely related issue of testing the crosscutting features. This paper proposes a verification approach for the crosscutting features of a product line based on the use of a previously proposed concept called Extension Join Points

An aspect-oriented model to monitor misuse

The efficacy of the aspect-oriented paradigm has been well established within several areas of software security as aspect-orientation facilitates the abstraction of these security-related tasks to reduce code complexity. The aim of this paper is to demonstrate that aspect-orientation may be used to monitor the information flows between objects in a system for the purposes of misuse detection. Misuse detection involves identifying behavior that is close to some previously defined pattern signature of a known intrusion