18 research outputs found

    Model-Driven Aspect-Oriented Software Security Hardening

    Security is of paramount importance in software engineering. Nevertheless, security solutions are generally fitted into existing software as an afterthought phase of the development process. However, given the complexity and the pervasiveness of today's software systems, adding security as an afterthought leads to huge cost in retrofitting security into the software and further can introduce additional vulnerabilities. Furthermore, security is a crosscutting concern that pervades the entire software. Consequently, the manual addition of security solutions may result in the scattering and the tangling of security features throughout the entire software design. Additionally, adding security manually is tedious and generally may lead to other security flaws. In this context, the need for a systematic approach to integrate security practices into the early phases of the software development process becomes crucial. In this thesis, we elaborate an aspect-oriented modeling framework for software security hardening at the UML design level. More precisely, the main contributions of our research are the following: (i) We define a UML profile for the specification of security hardening mechanisms as aspects. (ii) We design and implement a weaving framework for the systematic injection of security aspects into UML design models. (iii) We explore the theoretical foundations for aspect matching and weaving. (iv) We conduct real-life case studies to demonstrate the viability and the scalability of the proposed framework.

    A comparative analysis of cyberbullying and cyberstalking laws in the UAE, US, UK and Canada

    © 2019 IEEE. Bullying and stalking through cyberspace have become serious phenomena in the Internet era, impacting mainly young users and teenagers. Many tragic incidents have occurred, especially in the West, including self-harm and suicide due to these problems. To protect the victims, many countries such as the United Arab Emirates (UAE), the United States (US), the United Kingdom (UK) and Canada have codified laws dealing with cyber-crimes, including cyber-harassment. To determine the adequacy of such laws in addressing these issues, we present in this paper a legal analysis of the existing anti-bullying and stalking laws in the UAE, US, UK, and Canada. The purpose is to gain perspective on the characteristics of the laws and their ability to protect society from various forms of crimes associated with cyberbullying and cyberstalking. The paper also presents recommendations to help combat cyberbullying and cyberstalking and protect our youth from these issues.

    Graph-theoretic characterization of cyber-threat infrastructures

    In this paper, we investigate cyber-threats and the underlying infrastructures. More precisely, we detect and analyze cyber-threat infrastructures for the purpose of unveiling key players (owners, domains, IPs, organizations, malware families, etc.) and the relationships between these players. To this end, we propose metrics to measure the badness of different infrastructure elements using graph-theoretic concepts such as centrality concepts and Google PageRank. In addition, we quantify the sharing of infrastructure elements among different malware samples and families to unveil potential groups that are behind specific attacks. Moreover, we study the evolution of cyber-threat infrastructures over time to infer patterns of cyber-criminal activities. The proposed study provides the capability to derive insights and intelligence about cyber-threat infrastructures. Using a one-year dataset, we generate notable results regarding emerging threats and campaigns, important players behind threats, linkages between cyber-threat infrastructure elements, patterns of cyber-crimes, etc.

    Remote Data Acquisition Using Raspberry Pi3

    © 2018 IEEE. In the current age of digitalization, the increasing rate of cybercrimes has become a great matter to the public and private sectors. To mitigate these issues, governments and companies began a journey of building technological solutions and training individuals in the digital forensic field. This has sprouted a growth of digital forensic tools, sold by vendors to detect and analyze cybercrimes, and report the findings to the forensic investigator. However, most of these tools are quite expensive, to a point where medium- and small-size businesses would struggle to afford them. To overcome this issue, we propose, in this paper, an easy-to-use and inexpensive solution based on a miniature pocket-size computer, namely Raspberry Pi, running an image of Kali Linux on the mini SD card. This Raspberry Pi is configured to conduct acquisition of various storage media via physical and remote (network) access.

    Dynamic Matching and Weaving Semantics in λ-Calculus

    In this chapter, we present a denotational semantics for aspect matching and weaving in lambda-calculus. The proposed semantics is based on the so-called Continuation-Passing Style (CPS) since this style of semantics provides a precise, accurate, and elegant description of aspect-oriented mechanisms. We first formalize semantics for a core language based on lambda-calculus. Afterwards, we extend the semantics by considering flow-based pointcuts, such as control flow and data flow, that are important from a security perspective.

    Dynamic Matching and Weaving Semantics in Executable UML

    In this chapter, we elaborate a denotational semantics for aspect matching and weaving in Executable UML (xUML). More precisely, we specify xUML models using the standard Action Language for Foundational UML (Alf). As we did in the previous chapter, we start by formalizing the matching and the weaving processes for basic pointcuts. Then, we elaborate the semantics for the dataflow pointcut, which is relevant from a security perspective.

    Aspect-oriented security hardening of UML design models

    © Springer International Publishing Switzerland 2015. This book comprehensively presents a novel approach to the systematic security hardening of software design models expressed in the standard UML language. It combines model-driven engineering and the aspect-oriented paradigm to integrate security practices into the early phases of the software development process. To this end, a UML profile has been developed for the specification of security hardening aspects on UML diagrams. In addition, a weaving framework, with the underlying theoretical foundations, has been designed for the systematic injection of security aspects into UML models. The work is organized as follows: chapter 1 presents an introduction to software security, model-driven engineering, UML and aspect-oriented technologies. Chapters 2 and 3 provide an overview of the UML language and the main concepts of aspect-oriented modeling (AOM), respectively. Chapter 4 explores the area of model-driven architecture with a focus on model transformations. The main approaches that are adopted in the literature for security specification and hardening are presented in chapter 5. After these more general presentations, chapter 6 introduces the AOM profile for security aspects specification. Afterwards, chapter 7 details the design and the implementation of the security weaving framework, including several real-life case studies to illustrate its applicability. Chapter 8 elaborates an operational semantics for the matching/weaving processes in activity diagrams, while chapters 9 and 10 present a denotational semantics for aspect matching and weaving in executable models following a continuation-passing style. Finally, a summary and evaluation of the work presented are provided in chapter 11. The book will benefit researchers in academia and industry as well as students interested in learning about recent research advances in the field of software security engineering.

    Security Aspect Weaving

    In this chapter, we present the design and implementation of the proposed security weaving framework. We start by providing a high-level overview that summarizes the main steps and the technologies that are followed to implement the weaving framework. Afterwards, we present the details of each weaving step. The proposed weaver is implemented as a model-to-model (M2M) transformation using the OMG standard Query/View/Transformation (QVT) language. In addition, it covers all the diagrams that are supported by our approach, i.e., class diagrams, state machine diagrams, activity diagrams, and sequence diagrams. For each diagram, we provide algorithms that implement its corresponding weaving adaptations. Moreover, we present the transformation rules that implement each aspect adaptation rule.

    Security Aspect Specification

    In this chapter, we present the AOM profile proposed for the specification of security aspects on UML design models. The proposed profile covers the main UML diagrams that are used in software design, i.e., class diagrams, state machine diagrams, sequence diagrams, and activity diagrams. In addition, it covers the most common AOP adaptations, i.e., adding new elements before, after, or around specific points, and removing existing elements. Moreover, we present a high-level and user-friendly pointcut language proposed to designate the locations where aspect adaptations should be injected into base models.