Control Flow Based Pointcuts for Security Hardening Concerns
In this paper, we present two new control flow based point-cuts to Aspect-Oriented Programming (AOP) languages that are needed for systematic hardening of security concerns. They allow to identify particular join points in a program’s control flow graph (CFG). The first proposed primitive is the GAFlow, the closest guaranteed ancestor, which returns the closest ancestor join point to the pointcuts of interest that is on all their runtime paths. The second proposed primitive is the GDFlow, the closest guaranteed descendant, which returns the closest child join point that can be reached by all paths starting from the pointcuts of interest. We find these pointcuts to be necessary because they are needed to perform many security hardening practices and, to the best of our knowledge, none of the existing pointcuts can provide their functionalities. Moreover, we show the viability and correctness of our proposed pointcuts by elaborating and implementing their algorithms and presenting the results of a testing case study.
KeywordsCritical Section Execution Path Control Flow Graph Security Hardening Library Initialization
- 2.Matt Bishop. How Attackers Break Programs, and How to Write More Secure Programs, http://nob.cs.ucdavis.edu/~bishop/secprog/sans2002/index.html (accessed 2007/04/19).
- 3.Ron Bodkin. Enterprise security aspects, 2004. http://citeseer.ist.psu.edu/ 702193.html (accessed 2007/04/19).
- 4.J. Bonér. Semantics for a synchronized block join point, 2005. http://jonasboner.com/2005/07/18/ semantics-for-a-synchronized-block-joint-point/ (accessed 2007/04/19).
- 5.B. De Win. Engineering Application Level Security through Aspect Oriented Software Development. PhD thesis, Katholieke Universiteit Leuven, 2004.Google Scholar
- 6.Ernesto Gomez. Cs624-notes on control flow graph. http://www.csci.csusb. edu/egomez/cs624/cfg.pdf.
- 7.B. harbulot and J.R. Gurd. A join point for loops in Aspect J. In Proceedings of the 4th workshop on Foundations of Aspect-Oriented Languages (FOAL 2005), March, 2005.Google Scholar
- 8.Michael Howard and David E. Leblanc. Writing Secure Code. Microsoft Press, Redmond, WA, USA, 2002.Google Scholar
- 9.M. Huang, C. Wang, and L. Zhang. Toward a reusable and generic security aspect library. In AOSD:AOSDSEC 04: AOSD Technology for Application level Security, March, 2004.Google Scholar
- 10.G. Kiczales. The fun has just begun, keynote talk at AOSD 2003, 2003. http://www.cs.ubc.ca/~gregor/papers/kiczales-aosd-2003.ppt (accessed 2007/04/19).
- 11.H. Masuhara and K. Kawauchi. Dataflow pointcut in aspect-oriented programming. In Proceedings of The First Asian Symposium on Programming Languages and Systems (APLAS’03), pages 105–121, 2003.Google Scholar
- 12.A. Mourad, M-A. Laverdière, and M. Debbabi. Security hardening of open source software. In Proceedings of the 2006 International Conference on Privacy, Security and Trust (PST 2006). ACM, 2006.Google Scholar
- 13.A. Mourad, M-A. Laverdière, and M. Debbabi. Towards an aspect oriented approach for the security hardening of code. In To appear in the Proceedings of the 3rd IEEE International Symposium on Security in Networks and Distributed Systems. IEEE Press, 2007.Google Scholar
- 14.Andrew C. Myers. JFlow: Practical mostly-static information flow control. In Symposium on Principles of Programming Languages, pages 228–241, 1999.Google Scholar
- 15.R. Seacord. Secure Coding in C and C++. SEI Series. Addison-Wesley, 2005.Google Scholar
- 16.Viren Shah. An aspect-oriented security assurance solution. Technical Report AFRL-IF-RS-TR-2003-254, Cigital Labs, 2003.Google Scholar
- 17.Pawel Slowikowski and Krzysztof Zielinski. Comparison study of aspect-oriented and container managed security. In Proceedings of the ECCOP workshop on Analysis of Aspect-Oriented Software, 2003.Google Scholar
- 18.D. Wheeler. Secure Programming for Linux and Unix HOWTO —Creating Secure Software v3.010. 2003. http://www.dwheeler.com/secure-programs/ (accessed 2007/04/19).