Modularization of security software engineering in distributed systems (original French title: Modularisation de la sécurité informatique dans les systèmes distribués)

Addressing security in the software development lifecycle is still an open issue today, especially in distributed software. Security concerns require specific know-how, so security experts must collaborate with application programmers to develop secure software. Object-oriented and component-based development is commonly used to support such collaborative development and to improve scalability and maintainability in software engineering. Unfortunately, these programming styles do not lend themselves well to collaborative development in this context, because security is a cross-cutting concern that cuts across object and component boundaries: the same checks must be repeated in many modules, and a check omitted from any one of them is a vulnerability. In this thesis we investigate several modularization techniques that address these issues. We first introduce the use of aspect-oriented programming to support secure programming in a more automated fashion and to minimize the number of vulnerabilities introduced during the development phase. Our approach focuses in particular on the injection of security checks that protect against input-manipulation vulnerabilities (for example, injection attacks). We then discuss how to enforce security policies programmatically and modularly. We first focus on access control policies in web services, enforced by instrumenting the orchestration mechanism. We then address the enforcement of privacy protection policies through the expert-assisted weaving of privacy filters into software. We finally propose a new type of aspect-oriented pointcut that captures the information flow in distributed software, unifying the implementation of our different security modularization techniques.
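The following is an added example, not code from the thesis, showing the modularization idea the abstract describes in plain Python rather than AspectJ: a tiny weaver wraps "join points" (public methods) that match a "pointcut" (a glob over Class.method) with "before-advice" supplied by security aspects. The business class contains no security logic of its own; an allow-list input-validation aspect and a role-based access-control aspect are woven onto it afterwards, so a method cannot forget the check. All names (Aspect, weave, UserRepository, CURRENT_PRINCIPAL, ROLES) and the sample data are constructed for this example.

```python
# Added example (not from the thesis): a minimal aspect weaver in plain Python that
# illustrates woven security checks. All names and data here are hypothetical.
import contextvars
import fnmatch
import functools
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List


class SecurityViolation(Exception):
    """Raised by security advice; the business method is never entered."""


# Caller identity for access-control advice (constructed stand-in for a request context).
CURRENT_PRINCIPAL = contextvars.ContextVar("principal", default=None)


@dataclass
class Aspect:
    """A pointcut (glob over 'Class.method') plus before-advice run on the call's arguments."""
    pointcut: str
    advice: Callable[[str, tuple, dict], None]

    def matches(self, joinpoint: str) -> bool:
        return fnmatch.fnmatchcase(joinpoint, self.pointcut)


def _advise(method, joinpoint, aspects):
    @functools.wraps(method)
    def woven(self, *args, **kwargs):
        for aspect in aspects:          # before-advice: raise to block, else fall through
            aspect.advice(joinpoint, args, kwargs)
        return method(self, *args, **kwargs)
    return woven


def weave(cls: type, aspects: List[Aspect]) -> type:
    """Wrap each public method of cls with the advice of every aspect whose pointcut matches.
    Business code is left untouched; the checks live only in the aspects."""
    for name, member in list(vars(cls).items()):
        if name.startswith("_") or not callable(member):
            continue
        joinpoint = f"{cls.__name__}.{name}"
        applicable = [a for a in aspects if a.matches(joinpoint)]
        if applicable:
            setattr(cls, name, _advise(member, joinpoint, applicable))
    return cls


# --- Security aspects: the cross-cutting concern, kept out of the business classes ---
IDENTIFIER = re.compile(r"[A-Za-z0-9_]{1,32}")


def validate_inputs(joinpoint, args, kwargs):
    """Positive (allow-list) validation of every string argument reaching the join point."""
    for value in (*args, *kwargs.values()):
        if isinstance(value, str) and not IDENTIFIER.fullmatch(value):
            raise SecurityViolation(f"{joinpoint}: rejected argument {value!r}")


ROLES = {"alice": "admin", "bob": "user"}   # constructed role table


def require_admin(joinpoint, args, kwargs):
    """Access-control advice: only a principal with the admin role may reach the join point."""
    principal = CURRENT_PRINCIPAL.get()
    if principal is None or ROLES.get(principal) != "admin":
        raise SecurityViolation(f"{joinpoint}: principal {principal!r} is not admin")


# --- Business code with no security logic of its own ---
class UserRepository:
    def __init__(self):
        self.rows: Dict[str, Dict[str, Any]] = {"alice": {"role": "admin"}, "bob": {"role": "user"}}
        self.executed: List[str] = []   # constructed stand-in for a SQL execution log

    def find_by_name(self, name: str):
        # String-built query on purpose: the woven aspect, not this method, guards `name`.
        sql = f"SELECT * FROM users WHERE name = '{name}'"
        self.executed.append(sql)
        return self.rows.get(name)

    def delete_user(self, name: str) -> bool:
        return self.rows.pop(name, None) is not None


SECURITY_ASPECTS = [
    Aspect("UserRepository.*", validate_inputs),        # every repository method
    Aspect("UserRepository.delete_*", require_admin),   # only the destructive ones
]
weave(UserRepository, SECURITY_ASPECTS)


def demo():
    """Exercise the woven class; returns (found, injection_blocked, denied, deleted)."""
    repo = UserRepository()
    found = repo.find_by_name("alice") is not None
    try:
        repo.find_by_name("' OR '1'='1")
        injection_blocked = False
    except SecurityViolation:
        injection_blocked = len(repo.executed) == 1    # the hostile query never ran
    CURRENT_PRINCIPAL.set("bob")
    try:
        repo.delete_user("alice")
        denied = False
    except SecurityViolation:
        denied = True
    CURRENT_PRINCIPAL.set("alice")
    deleted = repo.delete_user("bob")
    return found, injection_blocked, denied, deleted
```

Two caveats a practitioner should keep in mind even in this toy: the pointcut is a name pattern, so a renamed or newly added method silently falls outside the policy (the "fragile pointcut" problem), and advice only sees the join point's arguments, which is why the abstract's later chapters move towards pointcuts over information flow rather than over method names.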
