Aspect Security - RaviShekhar Gopalan - Prof. Lieberherr - Software Security (CSG379)


Page 1: Aspect Security

Aspect Security

- RaviShekhar Gopalan

- Prof. Lieberherr

Software Security (CSG379)

Page 2: Aspect Security

Topics Covered

Page 3: Aspect Security

Topics

- Short Security Overview
- Motivation for this project
- What is this project?
- Implementation
- Future Work
- References

Page 4: Aspect Security

Security Overview

Page 5: Aspect Security

Security in Software Engineering

A non-functional requirement

Applied as a patch at the end of SDLC

Not a design-consideration

Preference for non-invasive techniques

Not a prime focus during development

Leads to a disconnection between development and “security” cycle

Page 6: Aspect Security

Types of Security

Domain Level Security
- Is dependent on an application
- Similar to Business Rules
- Security policies, ACLs – Non-invasive
- Store them as rules in config files
- E.g. xml files in J2EE

Provided by language
- Not the focus anywhere

This project is about improvements to the security features provided by the language

Page 7: Aspect Security

Security provided by the language

Language should provide features for security

Similar to “public”, “private” there should be some “const” keyword similar to C++

Every method should declare its behavior

For e.g. we might have a new set of keywords
- Immutable
- Inspector
- Mutator

Page 8: Aspect Security

Motivation

Page 9: Aspect Security

Enter AOP!

Security loopholes may not be intentional

Bug fixes may introduce security bugs

More so with AOP (compartmentalization)

Right time to correct in AOP whatever was not done in OOP

Since AOP still in infancy, security focus can be imbibed

Page 10: Aspect Security

Aspect Security

Aspects are powerful.

Need a controlled & safe way of aspect oriented development

Need a stronger safety net than normal languages

Page 11: Aspect Security

Simple Demo !!

Page 12: Aspect Security

What is this project?

Page 13: Aspect Security

Ideally, ….

Ideally, language should provide features for security

Every method should declare its behavior
- If not, metadata will have to be used.

Page 14: Aspect Security

Requirements??

At the least, compiler should

Warn if it can determine whether a possible security breach exists

There exist possible loopholes which can be exploited in future

Guard against these by putting dynamic checks in place

This is a bit ambitious, but not too much.

Page 15: Aspect Security

What is a Secure Aspect?

A secure aspect is an aspect which is secure

For object-oriented programs, an aspect should not
- interfere with the OO part of the system
- modify behavior of the object which it is trying to influence.
- modify data of the object which it is trying to influence.

Page 16: Aspect Security

What should a secure aspect do?

A secure aspect should
- Add behavior at a join point
- Add checks for certain conditions
- Basically be an inspector

Page 17: Aspect Security

What a secure aspect should not do?

A secure aspect should not
- Modify an object’s behavior at any join point
- Modify an object’s data at any join point
- Should not change an object’s hierarchy if the object is not open to change (……)

Page 18: Aspect Security

Implementation

Page 19: Aspect Security

How to do it?

In order to determine the security aspects statically, step in at compile time and influence the compiler with our security rules

Security Rules can be hard-coded or in some XML file

Rules in an XML file require development of a separate language syntax and its validation

Page 20: Aspect Security

Aspect Bench Compiler

abc compiler from Oxford University
- Chosen because it is open-source
- Open and easy to extend
- Gives extension-writers the AST in objects which are easier to manipulate

Page 21: Aspect Security

abc Architecture

Page 22: Aspect Security

abc Modification Point

Page 23: Aspect Security

Proposed Change

Compiler Front End

Aspect Checker

Static Weaving

Page 24: Aspect Security

Proof of Concept

Aspect Checker checks aspects before weaving

For this PoC, I am checking whether an aspect calls a setter method of the main class

Page 25: Aspect Security

Aspect Checker

[Diagram labels: Main BankAccount::initialize(); Set Account Id to 0; Aspect]

Page 26: Aspect Security

Design of Aspect Checker

[Diagram labels: abc Compiler, AspectInfo, GlobalAspectChecker, IndividualCheckers, BankAccountChecker, BankChecker, AccountChecker]
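
The proof-of-concept check described above (does an aspect call a setter of the main class?), sketched as an added example that is not the author's abc extension. `AspectInfo` here is a simplified stand-in holding the method names an advice body calls; the `@Mutator` annotation (the metadata idea from the "Ideally" slide), the `BankAccount` methods and the aspect names are assumptions made for illustration.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;

public class AspectCheckerDemo {
    // Hypothetical metadata: marks a method that changes object state.
    @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
    @interface Mutator {}

    // Constructed stand-in for the main class named on the slides.
    static class BankAccount {
        private int accountId;
        public void setAccountId(int id) { accountId = id; }
        public int getAccountId() { return accountId; }
        @Mutator public void initialize() { accountId = 0; }
    }

    // Simplified AspectInfo: advice name plus the target methods its body calls.
    record AspectInfo(String advice, List<String> calledMethods) {}

    // Reports every call from the advice to a setter (by name) or a @Mutator method.
    static List<String> check(Class<?> target, AspectInfo aspect) {
        Set<String> mutators = new HashSet<>();
        for (Method m : target.getDeclaredMethods()) {
            if (m.getName().startsWith("set") || m.isAnnotationPresent(Mutator.class)) {
                mutators.add(m.getName());
            }
        }
        List<String> violations = new ArrayList<>();
        for (String call : aspect.calledMethods()) {
            if (mutators.contains(call)) {
                violations.add(aspect.advice() + " calls "
                        + target.getSimpleName() + "." + call + "()");
            }
        }
        return violations;
    }

    public static void main(String[] args) {
        // Constructed sample aspects: one inspector, one that sets the account id.
        AspectInfo logging = new AspectInfo("LoggingAspect.before", List.of("getAccountId"));
        AspectInfo reset = new AspectInfo("ResetAspect.after", List.of("getAccountId", "setAccountId"));
        for (AspectInfo a : List.of(logging, reset)) {
            List<String> v = check(BankAccount.class, a);
            System.out.println(a.advice() + ": " + (v.isEmpty() ? "OK (inspector only)" : "REJECTED " + v));
        }
    }
}
```

A checker inside the compiler would take the called-method list from the AST before static weaving rather than from a hand-built list.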

Page 27: Aspect Security

Demo of Aspect Checker

Page 28: Aspect Security

Future Work

Page 29: Aspect Security

Future Work

Handle inter-type declarations

Handle weaving of aspect-checking code

Finalize design of AspectChecker

Page 30: Aspect Security

References

Page 31: Aspect Security

References

Building the abc AspectJ compiler with Polyglot and Soot – abc Technical Report No. abc-2004-2

abc: An extensible AspectJ compiler – abc Technical Report No. abc-2004-1

The abc scanner and parser, including an LALR(1) grammar for AspectJ

Page 32: Aspect Security

Thank You!!