Control Flow Based Pointcuts for Security Hardening Concerns

  • Marc-André Laverdière
  • Azzam Mourad
  • Andrei Soeanu
  • Mourad Debbabi
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 238)


In this paper, we present two new control flow based point-cuts to Aspect-Oriented Programming (AOP) languages that are needed for systematic hardening of security concerns. They allow to identify particular join points in a program’s control flow graph (CFG). The first proposed primitive is the GAFlow, the closest guaranteed ancestor, which returns the closest ancestor join point to the pointcuts of interest that is on all their runtime paths. The second proposed primitive is the GDFlow, the closest guaranteed descendant, which returns the closest child join point that can be reached by all paths starting from the pointcuts of interest. We find these pointcuts to be necessary because they are needed to perform many security hardening practices and, to the best of our knowledge, none of the existing pointcuts can provide their functionalities. Moreover, we show the viability and correctness of our proposed pointcuts by elaborating and implementing their algorithms and presenting the results of a testing case study.


Critical Section Execution Path Control Flow Graph Security Hardening Library Initialization 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Hassan Ait-Kaci, Robert S. Boyer, Patrick Lincoln, and Roger Nasr. Efficient implementation of lattice operations. Programming Languages and Systems, 11(1):115–146, 1989.CrossRefGoogle Scholar
  2. 2.
    Matt Bishop. How Attackers Break Programs, and How to Write More Secure Programs, (accessed 2007/04/19).
  3. 3.
    Ron Bodkin. Enterprise security aspects, 2004. 702193.html (accessed 2007/04/19).
  4. 4.
    J. Bonér. Semantics for a synchronized block join point, 2005. semantics-for-a-synchronized-block-joint-point/ (accessed 2007/04/19).
  5. 5.
    B. De Win. Engineering Application Level Security through Aspect Oriented Software Development. PhD thesis, Katholieke Universiteit Leuven, 2004.Google Scholar
  6. 6.
    Ernesto Gomez. Cs624-notes on control flow graph. http://www.csci.csusb. edu/egomez/cs624/cfg.pdf.
  7. 7.
    B. harbulot and J.R. Gurd. A join point for loops in Aspect J. In Proceedings of the 4th workshop on Foundations of Aspect-Oriented Languages (FOAL 2005), March, 2005.Google Scholar
  8. 8.
    Michael Howard and David E. Leblanc. Writing Secure Code. Microsoft Press, Redmond, WA, USA, 2002.Google Scholar
  9. 9.
    M. Huang, C. Wang, and L. Zhang. Toward a reusable and generic security aspect library. In AOSD:AOSDSEC 04: AOSD Technology for Application level Security, March, 2004.Google Scholar
  10. 10.
    G. Kiczales. The fun has just begun, keynote talk at AOSD 2003, 2003. (accessed 2007/04/19).
  11. 11.
    H. Masuhara and K. Kawauchi. Dataflow pointcut in aspect-oriented programming. In Proceedings of The First Asian Symposium on Programming Languages and Systems (APLAS’03), pages 105–121, 2003.Google Scholar
  12. 12.
    A. Mourad, M-A. Laverdière, and M. Debbabi. Security hardening of open source software. In Proceedings of the 2006 International Conference on Privacy, Security and Trust (PST 2006). ACM, 2006.Google Scholar
  13. 13.
    A. Mourad, M-A. Laverdière, and M. Debbabi. Towards an aspect oriented approach for the security hardening of code. In To appear in the Proceedings of the 3rd IEEE International Symposium on Security in Networks and Distributed Systems. IEEE Press, 2007.Google Scholar
  14. 14.
    Andrew C. Myers. JFlow: Practical mostly-static information flow control. In Symposium on Principles of Programming Languages, pages 228–241, 1999.Google Scholar
  15. 15.
    R. Seacord. Secure Coding in C and C++. SEI Series. Addison-Wesley, 2005.Google Scholar
  16. 16.
    Viren Shah. An aspect-oriented security assurance solution. Technical Report AFRL-IF-RS-TR-2003-254, Cigital Labs, 2003.Google Scholar
  17. 17.
    Pawel Slowikowski and Krzysztof Zielinski. Comparison study of aspect-oriented and container managed security. In Proceedings of the ECCOP workshop on Analysis of Aspect-Oriented Software, 2003.Google Scholar
  18. 18.
    D. Wheeler. Secure Programming for Linux and Unix HOWTO —Creating Secure Software v3.010. 2003. (accessed 2007/04/19).

Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Marc-André Laverdière
    • 1
  • Azzam Mourad
    • 1
  • Andrei Soeanu
    • 1
  • Mourad Debbabi
    • 1
  1. 1.Computer Security Laboratory, Concordia Institute for Information Systems EngineeringConcordia UniversityMontreal (QC)Canada

Personalised recommendations