[aosd-discuss] Security Question

Bart De Win bart.dewin at cs.kuleuven.be
Wed May 9 03:40:04 EDT 2007


Hi,

some other pointers (as already communicated to Andrew as well) to papers that 
elaborate on the problems in this context and/or propose suggestions on how 
to address this:
- Bart De Win, Frank Piessens and Wouter Joosen, "How secure is AOP and what 
can we do about it?," in proceedings of the second workshop on Software 
Engineering for Secure Systems (SESS06), Shanghai, 2006.
- Daniel S. Dantas and David Walker, "Aspects, Information Hiding and 
Modularity," in ACM SIGPLAN Conference on Programming Language and Design 
(PLDI2004), 2004.
- Daniel S. Dantas and David Walker, "Harmless Advice," in ACM SIGPLAN-SIGACT 
Symposium on Principles of Programming languages (PoPL2006), January 2006. 

Other AOP language extensions/restrictions have been proposed that address 
(some of) these problems as well (incl. open modules, joinpoint 
encapsulation, and so forth). 

Kind regards,
Bart.


On Tuesday 08 May 2007 19:18, Gefei Zhang wrote:
> Hi,
>
> Another tip would be, as I already answered Andrew in a private mail,
>
> Kung Chen and Ju-Bing Chen, "On Instrumenting Obfuscated Java Bytecode
> with Aspects", Software Engineering for Secure Systems (SESS06), May
> 2006, Shanghai, PRC.
>
> http://portal.acm.org/citation.cfm?id=1137627.1137632&coll=&dl=ACM&type=series&idx=1137627&part=Proceedings&WantType=Proceedings&title=International%20Conference%20on%20Software%20Engineering&CFID=15151515&CFTOKEN=6184618
>
> best,
> Gefei
>
> Donisthorpe C (AT) wrote:
> > Hi,
> >
> > I think this is a tough one.
> >
> > You need to come up with a mechanism for deliberately introducing
> > security flaws in the first place.
> >
> > One way of doing this might be to intentionally introduce crosscut
> > effects which have the desired 'hacking' effect as a part of the design.
> > Other people might also be able to look at the code and identify crosscut
> > weaknesses which could be exploited to modify the behaviour in an
> > application.
> >
> > I think a major problem with these scenarios would be trying to
> > unravel complex behaviours between existing system aspects with enough
> > clarity to understand how it might be possible to introduce a security
> > flaw into the design.  If you managed to find a way to introduce a
> > flaw then you'd probably be able to defend against it.
> >
> > However, if you think this is worth pursuing then a good paper would
> > be "Deriving security requirements from crosscutting threat
> > descriptions" (Haley et al., 2004).
> >
> > Regards
> > Charles
> >
> >
> > ------------------------------------------------------------------------
> > *From:* discuss-bounces at aosd.net on behalf of Andrew Camilleri
> > *Sent:* Thu 03/05/2007 10:32
> > *To:* discuss at aosd.net
> > *Subject:* [aosd-discuss] Security Question
> >
> > Hi All,
> >
> > I am looking for papers that deal with how aspects can be used to
> > maliciously modify an application. Most of the papers that deal with
> > security and aspects are concerned with how aspects can implement access
> > control or security in general. I am interested in how a weaver can be
> > used to numb software maliciously or introduce security flaws. I would be
> > glad if you could send me references that deal with this issue. Thanks!
> >
> > regards,
> >
> > Andrew
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > discuss mailing list    -    discuss at aosd.net
> >
> > To unsubscribe and change options, go to:
> > http://aosd.net/mailman/listinfo/discuss_aosd.net
> >
> > Check out the AOSD.net Wiki: http://aosd.net/wiki