Using Aspect Programming to Secure Web Applications

As the number of Internet users grows, protecting web servers from malicious users has become a priority for many organizations and companies. Crosscutting functions in complex software should take advantage of the modularity offered by newer software development approaches. With Aspect-Oriented Programming (AOP), separating concerns when designing an application fosters reuse, parameterization and maintenance. In this paper, we design a security aspect called AProSec for detecting SQL injection and Cross-Site Scripting (XSS), two common attacks on web servers. We implemented this aspect in the AspectJ language and in JBoss AOP. Through this experiment, we show the advantage of runtime platforms such as JBoss AOP for changing security policies at runtime. Finally, we describe related work on security and AOP.
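The abstract describes AProSec only at the level of its goals. The AspectJ aspect below is an added illustration of the shape such an aspect takes, not the paper's own AProSec code: it assumes an AspectJ compiler or load-time weaver, JDBC and the javax.servlet API on the classpath, uses an invented set of injection signatures in place of the paper's (unspecified) detection rules, and approximates the runtime policy switching that JBoss AOP provides natively with a volatile flag, since AspectJ weaves advice statically.

```java
// Added illustration for this page, not the AProSec code from the paper.
// Assumed environment: AspectJ compiler (ajc) or load-time weaver, JDBC and the
// javax.servlet API on the classpath. Detection rules are illustrative only.
import java.sql.Statement;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.servlet.ServletRequest;

public aspect AProSecDemo {
    private static final Logger LOG = Logger.getLogger("AProSec");

    // Policy switch. AspectJ weaves advice statically, so a volatile flag stands in
    // for what JBoss AOP offers natively: (un)deploying interceptors at runtime.
    // true = block the call (throw), false = detect and log only.
    public static volatile boolean blockOnDetect = true;

    // Join point 1: every call to Statement.execute/executeQuery/executeUpdate
    // whose first argument is the SQL text; 'sql' is bound to that argument.
    pointcut sqlExecution(String sql):
        call(* Statement.execute*(String, ..)) && args(sql, ..);

    // Join point 2: every read of an HTTP parameter through the servlet API.
    pointcut parameterRead():
        call(String ServletRequest.getParameter(String));

    // Illustrative SQL injection signatures (assumed, not the paper's rule set).
    private static final Pattern[] SQLI_PATTERNS = {
        Pattern.compile("(?i)'\\s*or\\s+'?(\\w+)'?\\s*=\\s*'?\\1"),      // tautology: ' OR '1'='1
        Pattern.compile("--|/\\*|#"),                                      // comment terminators
        Pattern.compile("(?i);\\s*(drop|delete|insert|update|exec)\\b"),   // stacked statements
        Pattern.compile("(?i)\\bunion\\s+(all\\s+)?select\\b")             // union-based
    };

    static boolean looksLikeSqlInjection(String sql) {
        for (Pattern p : SQLI_PATTERNS) {
            if (p.matcher(sql).find()) return true;
        }
        return false;
    }

    // Runs before the JDBC call; the application code is not modified at all.
    before(String sql): sqlExecution(sql) {
        if (!looksLikeSqlInjection(sql)) return;
        if (blockOnDetect) {
            throw new SecurityException("AProSec blocked suspicious SQL: " + sql);
        }
        LOG.warning("AProSec (detect-only): suspicious SQL allowed: " + sql);
    }

    // Minimal HTML escaping of the five characters that matter for XSS.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Around advice replaces the parameter value the application receives.
    String around(): parameterRead() {
        String raw = proceed();
        if (raw == null) return null;
        String safe = htmlEscape(raw);
        if (!safe.equals(raw)) {
            LOG.warning("AProSec escaped HTML metacharacters in a request parameter");
        }
        return safe;
    }
}
```

Weaving this aspect into a web application with ajc (or the load-time weaver) adds the checks to every JDBC execution and parameter read without touching application code, which is the modularity argument of the abstract; setting `AProSecDemo.blockOnDetect = false` moves the whole application from blocking to detect-only mode without a redeploy. Two caveats a practitioner should keep in mind: the `before` advice sees only the assembled query, so it cannot tell attacker input from the programmer's SQL and a signature list will miss encodings it does not know, which is why parameterized queries stay the primary SQL injection defense and an aspect like this is a detection layer on top; and escaping at input time mangles legitimate values (a name like O'Brien) and is wrong for non-HTML sinks, so in production the encoding belongs at the output, chosen per context, where an aspect around the response writer could apply it instead.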
