Article

How secure is AOP and what can we do about it?

Authors:

Bart De Win,

Frank Piessens,

Wouter JoosenAuthors Info & Claims

SESS '06: Proceedings of the 2006 international workshop on Software engineering for secure systems

Pages 27 - 34

https://doi.org/10.1145/1137627.1137633

Published: 20 May 2006 Publication History

Get Access

Abstract

From a software engineering perspective, using Aspect-Oriented Programming (AOP) to build secure software has clear advantages. Until recently, the security perspective of this approach has been given less attention, however. This paper analyses the security risks in using AOP to develop secure software and discusses one particular solution to some of the identified risks, an aspect permission system. This permission system is one part of an overall AOP-based development platform for secure software.

References

[1]

J. Aldrich. Open modules: Modular reasoning about advice. In A. P. Black, editor, ECOOP 2005 - Object-Oriented Programming, 19th European Conference, volume 3586 of Lecture Notes in Computer Science, pages 144--168, July 2005.

Digital Library

Google Scholar

[2]

B. De Win. Engineering application-level security through aspect-oriented software development. Phd, Department of Computer Science, K. U. Leuven, Leuven, Belgium, Mar. 2004.

Google Scholar

[3]

B. De Win, V. Shah, W. Joosen, and R. Bodkin. Report of the AOSD 2004 workshop on AOSD technology for application-level security (AOSDSEC). Report CW 387, Department of Computer Science, K. U. Leuven, Leuven, Belgium, June 2005.

Google Scholar

[4]

P. Devanbu and S. Stubblebine. Software Engineering for Security: a Roadmap. In The Future of Software Engineering (ICSE2000), pages 227--239, Limerick, Ireland, June 2000. ACM.

Digital Library

Google Scholar

[5]

S. Gudmundson and G. Kiczales. Addressing practical software development issues in aspectj with a pointcut interface. In ECOOP 2001 Workshop on Advanced Separation of Concerns, pages 1--6, 2001.

Google Scholar

[6]

D. Larochelle, K. Scheidt, and K. Sullivan. Join point encapsulation. In AOSD03 Workshop on Software Engineering Properties of Languages and Aspect Technologies (SPLAT03), pages 1--6, 2003.

Google Scholar

[7]

M. Mezini and K. Ostermann. Conquering aspects with caesar. In Proceedings of the 2nd International Conference on Aspect-Oriented Software Development (AOSD03), pages 90--99. ACM, March 2003.

Digital Library

Google Scholar

[8]

N. Ongkingco, P. Avgustinov, J. Tibble, L. Hendren, O. de Moor, and G. Sittampalam. Adding open modules to aspectj. Technical Report abc-2005-2, Aspectbench.org, September 30 2005.

Google Scholar

[9]

V. Shah and F. Hill. Using Aspect-Oriented Programming for Addressing Security Concerns. In International Symposium on Software Reliability Engineering (ISSRE), pages 115--119, Annapolis, MD, USA, October 2002.

Google Scholar

Cited By

View all

Horcas JPinto MFuentes LMallouli Wde Oca E(2015)Dynamic Deployment and Monitoring of Security PoliciesTrust, Privacy and Security in Digital Business10.1007/978-3-319-22906-5_14(180-192)Online publication date: 5-Aug-2015
https://doi.org/10.1007/978-3-319-22906-5_14
Marchand de Kerchove FNoyé JSüdholt MHaupt MBockisch CNicolay J(2013)Aspectizing JavaScript securityProceedings of the 3rd workshop on Modularity in systems software10.1145/2451613.2451616(7-12)Online publication date: 25-Mar-2013
https://dl.acm.org/doi/10.1145/2451613.2451616
Hussein SMeredith PRoşlu GMaffeis SRezk T(2012)Security-policy monitoring and enforcement with JavaMOPProceedings of the 7th Workshop on Programming Languages and Analysis for Security10.1145/2336717.2336720(1-11)Online publication date: 15-Jun-2012
https://dl.acm.org/doi/10.1145/2336717.2336720
Show More Cited By

Index Terms

How secure is AOP and what can we do about it?

Recommendations

Pluggable AOP: designing aspect mechanisms for third-party composition
Proceedings of the 20th annual ACM SIGPLAN conference on Object oriented programming systems languages and applications

Studies of Aspect-Oriented Programming (AOP) usually focus on a language in which a specific aspect extension is integrated with a base language. Languages specified in this manner have a fixed, non-extensible AOP functionality. This paper argues the ...
Pluggable AOP: designing aspect mechanisms for third-party composition
OOPSLA '05: Proceedings of the 20th annual ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications

Studies of Aspect-Oriented Programming (AOP) usually focus on a language in which a specific aspect extension is integrated with a base language. Languages specified in this manner have a fixed, non-extensible AOP functionality. This paper argues the ...
A permission system for secure AOP
AOSD '10: Proceedings of the 9th International Conference on Aspect-Oriented Software Development

The integration of third-party aspects into applications creates security challenges. Due to the intrusive impact of aspects, one cannot guarantee that the dynamic composition of aspects does not lead to misbehavior. The newly composed aspect typically ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

SESS '06: Proceedings of the 2006 international workshop on Software engineering for secure systems

May 2006

74 pages

ISBN:1595934111

DOI:10.1145/1137627

Conference Chairs:
Danilo Bruschi
Università degli Studi di Milano, Italy
,
Bart De Win
Katholieke Universiteit Leuven, Belgium
,
Mattia Monga
Università degli Studi di Milano, Italy

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 20 May 2006

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

ICSE06

Sponsor:

ICSE06: International Conference on Software Engineering

May 20 - 21, 2006

Shanghai, China

Acceptance Rates

Overall Acceptance Rate 8 of 11 submissions, 73%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

10
Total Citations
View Citations
557
Total Downloads

Downloads (Last 12 months)1
Downloads (Last 6 weeks)0

Reflects downloads up to 30 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Horcas JPinto MFuentes LMallouli Wde Oca E(2015)Dynamic Deployment and Monitoring of Security PoliciesTrust, Privacy and Security in Digital Business10.1007/978-3-319-22906-5_14(180-192)Online publication date: 5-Aug-2015
https://doi.org/10.1007/978-3-319-22906-5_14
Marchand de Kerchove FNoyé JSüdholt MHaupt MBockisch CNicolay J(2013)Aspectizing JavaScript securityProceedings of the 3rd workshop on Modularity in systems software10.1145/2451613.2451616(7-12)Online publication date: 25-Mar-2013
https://dl.acm.org/doi/10.1145/2451613.2451616
Hussein SMeredith PRoşlu GMaffeis SRezk T(2012)Security-policy monitoring and enforcement with JavaMOPProceedings of the 7th Workshop on Programming Languages and Analysis for Security10.1145/2336717.2336720(1-11)Online publication date: 15-Jun-2012
https://dl.acm.org/doi/10.1145/2336717.2336720
Safonov V(2011)Aspect-Oriented Programming and Aspect.NET as Security and Privacy Tool for Web and 3D Web ProgrammingSecurity in Virtual Worlds, 3D Webs, and Immersive Environments10.4018/978-1-61520-891-3.ch011(221-262)Online publication date: 2011
https://doi.org/10.4018/978-1-61520-891-3.ch011
De Borger WDe Win BLagaisse BJoosen WJezequel JSudholt M(2010)A permission system for secure AOPProceedings of the 9th International Conference on Aspect-Oriented Software Development10.1145/1739230.1739254(205-216)Online publication date: 15-Mar-2010
https://dl.acm.org/doi/10.1145/1739230.1739254
Kumar NSosale DKonuganti SRathi ASullivan KGray JMoreira ASchwanninger CBaillargeon RGrechanik M(2009)Enabling the adoption of aspects - testing aspectsProceedings of the 8th ACM international conference on Aspect-oriented software development10.1145/1509239.1509266(197-206)Online publication date: 2-Mar-2009
https://dl.acm.org/doi/10.1145/1509239.1509266
Hazaa MGhani AMamat AIbrahim H(2009)Aspect oriented approach to improvement role based access control systems2009 First Asian Himalayas International Conference on Internet10.1109/AHICI.2009.5340258(1-15)Online publication date: Nov-2009
https://doi.org/10.1109/AHICI.2009.5340258
Camilleri ACoulson GBlair L(2009)CIF: A Framework for Managing Integrity in Aspect-Oriented CompositionObjects, Components, Models and Patterns10.1007/978-3-642-02571-6_3(18-36)Online publication date: 2009
https://doi.org/10.1007/978-3-642-02571-6_3
Sewe ABockisch CMezini MRajan H(2008)Aspects and class-based securityProceedings of the 2nd Workshop on Virtual Machines and Intermediate Languages for emerging modularization mechanisms10.1145/1507504.1507507(1-7)Online publication date: 21-Oct-2008
https://dl.acm.org/doi/10.1145/1507504.1507507
Bruschi DDe Win BMonga MBruschi DDe Win BMonga M(2006)Introduction to software engineering for secure systemsProceedings of the 2006 international workshop on Software engineering for secure systems10.1145/1137627.1137628(1-2)Online publication date: 20-May-2006
https://dl.acm.org/doi/10.1145/1137627.1137628

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

Pluggable AOP: designing aspect mechanisms for third-party composition

Pluggable AOP: designing aspect mechanisms for third-party composition

A permission system for secure AOP