Security experts generally believe that "security cannot be added on, it must be designed from the beginning."
This dissertation shows that retrofitting security does not need to be a massive reengineering effort, nor does it need to be ad hoc. Security solutions can be added through systematic, general-purpose security-oriented program transformations. We describe a catalog of security-oriented program transformations; so far the catalog contains thirty-seven transformations. These security-oriented program transformations improve the traditional approaches of security engineering and keep software secure in the face of new security threats. Security-oriented program transformations are not silver bullets; using them requires skill and knowledge of the program being transformed. They are instead power tools that make it easier to add security to existing systems, replacing the point solution of a typical patch with a more systematic removal of a vulnerability. When appropriate tools are built and the program transformations are easy enough to apply, they will allow a software developer to add 'security on demand'.
Cited By
- Hafiz M, Overbey J, Behrang F and Hall J. OpenRefactory/C. Proceedings of the 2013 ACM workshop on Workshop on refactoring tools, (1-4)
- Coker Z and Hafiz M. Program transformations to fix C integers. Proceedings of the 2013 International Conference on Software Engineering, (792-801)
- Hafiz M and Overbey J. OpenRefactory/C. Proceedings of the 3rd annual conference on Systems, programming, and applications: software for humanity, (27-28)
- Hafiz M. An 'explicit type enforcement' program transformation tool for preventing integer vulnerabilities. Proceedings of the ACM international conference companion on Object oriented programming systems languages and applications companion, (21-22)