[aosd-discuss] Dataflow Pointcut
Hridesh Rajan
hridesh at cs.iastate.edu
Mon Feb 18 13:05:58 EST 2008
Dear Dima,
Yes, that could theoretically be done. They could also manually edit
all such calls to check for the desired attack, without using any
pointcut-advice languages. The question really is, does the data flow
pointcut enable a succinct, elegant, declarative representation of
such idioms? In my humble opinion, it does, and thus the cross-site
scripting attack serves as a good use case for such pointcuts.
Furthermore, such a declarative representation also communicates much
more information about the intent of the programmer to the primary
consumer of source code, the compiler, which can then perform
optimizations that would not have been possible on the idioms
themselves.
--
Hridesh Rajan
Assistant Professor of Computer Science
Iowa State University
Voice: +1-515-294-6168
http://www.cs.iastate.edu/~hridesh
http://www.cs.iastate.edu/~design
What makes me excited:
Ptolemy [Quantified, Typed Events]: http://www.cs.iastate.edu/~ptolemy
Nu [AO Intermediate Languages]: http://www.cs.iastate.edu/~nu
Eos [Unified AO Languages]: http://www.cs.iastate.edu/~eos
On Feb 18, 2008 11:53 AM, <dm_alhad at alcor.concordia.ca> wrote:
> Hi,
> I want to ask about the importance of the dataflow pointcut. It was
> defined as a way to detect cross-site scripting attacks in web
> applications.
> In the paper
> "Dataflow Pointcut in Aspect-Oriented Programming", they can detect such
> attacks using this pointcut.
> My question is why they don't search for just the call for the method
> getParameter using the call pointcut and filter the input for malicious
> code without the use of the dataflow pointcut.
> Thanks
> Dima