AspectJ Assessment from a Security Perspective

Dima Alhadidi, Nadia Belblidia, Mourad Debbabi
Concordia Institute for Information Systems Engineering
Concordia University, Montreal, Quebec, Canada
Email: dmalhad@cs.concordia.ca
Email: nabel@ciise.concordia.ca
Email: debbabi@ciise.concordia.ca

Abstract¹—AspectJ is a useful and expressive aspect-oriented programming extension to the Java programming language. This paper addresses the evaluation of AspectJ from a security perspective. More accurately, we present an assessment of AspectJ primitives in order to cope with security hardening of Java applications. Moreover, we propose new constructs and show their relevance and importance in hardening the security of Java programs.

I. MOTIVATIONS AND BACKGROUND

Computer security is a science concerned with the control of risks related to computer use. The accelerating trends of interconnectedness, extensibility, and complexity are increasing the threat of such a risk [1]. Application security hardening becomes a priority and one of the fastest growing fields in the IT market today. The main goal of application security hardening is to reinforce the application security and therefore to minimize the likelihood of violating security properties. A legitimate question that one could ask is: "What is the most appropriate computation style or programming paradigm for security hardening?" A natural answer is to resort to an aspect-oriented language. This answer is justified by the fact that aspect-oriented languages have been created to deal with the separation of concerns. This is exactly what a security engineer needs when hardening an application. He would like to inject and strengthen security without digging in the logic of the application/middleware.

Aspect-oriented programming (AOP) [2] has been proposed as a way to improve modularity of software systems by allowing encapsulation of crosscutting concerns. Crosscutting concerns generally refer to non-functional properties of a software such as security, synchronization, logging, etc. When programmed, these crosscutting concerns result in tangled and scattered code. In this paper, we address the security hardening of Java applications. The most prominent AOP extension to Java is definitely AspectJ [3]. The beautiful technical design is behind the success and the wide use of AspectJ in the AOP community. AspectJ comes with new concepts and constructs such as: join points, pointcuts, and advices. A join point is a point in the control flow graph of an application such as method call, object construction, or field access. A pointcut is a concept that classifies join points in the same way a type classifies values. Accordingly, AspectJ defines various pointcut constructors to designate various join points. An advice is a code fragment executed when join points satisfying its pointcut are reached. This execution can be done before, after, or around a specific join point.

In this paper, we present an assessment of AspectJ from a security hardening perspective. This amounts to answering the following questions:

- Are AspectJ primitives expressive enough to formulate all the common security hardening practices?
- In case the answer is negative, what are the new AOP language constructs that need to be proposed?

The remainder of this paper is structured in the following way. The appropriateness of AspectJ for security hardening is discussed in Section II. Sections III, IV, and V are devoted to the description of dataflow pointcut, predicated control flow pointcut, and loop pointcut respectively and their usefulness from a security point of view. In Section VI, we suggest a new wildcard for pattern matching. Section VII discusses the need for using modifier pattern such as public in type pattern syntax. Section VIII presents the need for a pointcut to pick out join points associated with setting and getting local variables inside local methods. Section IX discusses the need for synchronized block pointcut. Section X introduces the most relevant related works. Finally, a few remarks and a discussion of future research are ultimately sketched as a conclusion in Section XI.

¹ This research is funded by NSERC (Natural Sciences and Engineering Research Council of Canada) DND (Department of National Defence) grant in collaboration with Bell Canada and DRDC (Defence Research and Development Canada) at Valcartier.

II. ASPECTJ AND SECURITY

This section assesses AspectJ from a security standpoint. AspectJ is a general aspect-oriented language that has not been engineered with security in mind. In spite of this, the current constructs in AspectJ are of great use in security hardening. Because of the space limitation, we cannot exhibit practical examples that corroborate the usefulness of AspectJ constructs.

AspectJ offers three kinds of advices to describe where aspects are to be applied: before, after, or around. All of them are important from a security hardening point of view:

- A before-advice can be used to inject some security code, such as authentication, before a critical operation.
- An after-advice is meant to inject some security code after some locations in the program. For instance, one can add some integrity checking code.
- An around-advice can be used to replace a non-secure method by a more secure one at particular points in the program.

AspectJ has a comprehensive and expressive pointcut specification language that allows one to specify particular points in the control flow of the program where advices are to be applied. All of them are important from a security standpoint. Table I shows the usefulness of the AspectJ pointcuts according to the security target.

Although AspectJ supports those efficient and useful pointcut designators for security hardening, they are not enough to express all the security hardening practices. Indeed, we identified the following possible extensions to AspectJ:

- Dataflow pointcut.
- Predicted control flow pointcut.
- Loop pointcut.
- Wildcard for pattern matching.
- Modifiers in type pattern syntax.
- Pointcuts for getting and setting local variables.
- Synchronized block join points.

These suggested extensions will be discussed in detail in the following sections.

III. DATAFLOW POINTCUT

Masuhara and Kawauchi [6] have defined a dataflow pointcut for security purposes but this pointcut has not been implemented yet. The pointcut identifies join points based on the origins of values. The cross-site scripting (XSS) problem in web applications is an example they present to clarify the need for such a pointcut. A website, such as a search engine or a shopping site, might be vulnerable to XSS attacks if it reflects input back to the user. Cross-site scripting (XSS) is described in Figure 1. They define a dflow pointcut to solve this problem. The pointcut intercepts any join point that prints an unauthorized string to a client. An unauthorized string is a string that is created from one of the client's input parameters. Sanitizing is used to replace characters that come from untrusted principals with quoted characters. Through this pointcut, the flow of data can be traced and actions can be taken accordingly.

Here is another example, inspired from [7], that clarifies the need for such a pointcut. If a program opens a confidential file, reads data from this file, and then sends data over the net, this will be considered dangerous from a security point of view. A data-flow analysis using dflow pointcut can tell whether the data sent over the net actually depends on the information read from the confidential file. No warning is needed if the data sent do not depend on the data extracted from the confidential file. Table II clarifies our example.

IV. PREDICTED CONTROL FLOW POINTCUT

Kiczales [4] has proposed the predicted control flow pointcut pcflow but this pointcut has not been implemented yet. A pointcut pcflow(p) matches at a join point if there may exist a path to another join point where p matches. Kiczales has discussed this new pointcut with his known drawing example. In his example, which appears in Table III, he has used predicted control flow pointcut to select points in the execution that modify variables previously read within the control flow of the method FigureElement+.draw(). We can benefit from this example by using the same idea in a different situation to harden the security of applications.

[Fig. 1. Cross-site Scripting Attack]

In [5], the authors spoke about detecting intruders with visual data analysis. Based on this idea, we can draw some charts for security-important parameters such as file activity (opening, reading, and writing files), registry activity (creating, reading, and writing registry keys), or network traffic. These charts can be analyzed to discover if something wrong happens. It is possible to use the same concept in Kiczales's example combined with the idea of detecting intruders with visual data analysis as follows. Any change in security charts caused by setting specific parameters in one way or another will not only be reflected in the display; some necessary steps must also be taken in response to such changes to protect the system and application. So Kiczales's example can be rewritten to serve our purposes as in Table IV.

V. LOOP POINTCUT

Harbulot and Gurd present in [8] a loop join point model which demonstrates the need for a more complex join point in AspectJ. Their approach to recognize loops is based on a control-flow analysis at the bytecode level. They restricted their study to loops iterating over an Iterator or a range of integers. This research lacks the analysis of infinite loops and loops that contain boolean conditions. Through pointcuts that pick out such loops, excessive security problems can be solved easily.

TABLE I: ASPECTJ POINTCUTS AND SECURITY

    Security Hardening Target                                                         Pointcut
    --------------------------------------------------------------------------------  -----------------------------------------------------
    Method call/execution or a constructor call/execution.                            call, execution
    Field read/write.                                                                 get, set
    Setting security environment during the initialization of a class or an object.   initialization, staticinitialization, preinitialization
    Execution context.                                                                args, this, target
    Executing security hardening code depends on a particular condition.              if
    Within a particular class or method.                                              within, withincode
    In the control flow of other particular points.                                   cflow, pcflow
    Log exceptions related to security.                                               handler

TABLE II: SECURITY DFLOW POINTCUT

    OpenFile
    // Actions other than OpenFile, ReadFile, or Send.
    ReadFile
    // Actions other than OpenFile, ReadFile, or Send.
    // Before-Advice using a dataflow pointcut to test if the
    // data that will be sent depends on the information read
    // from the file.
    Send

TABLE III: KICZALES'S DRAWING EXAMPLE

    pointcut* displayState():
        pcflow(execution(void FigureElement+.draw()))
        && get(* FigureElement+.*);
    after set( update(); }

TABLE IV: SECURITY VERSION OF KICZALES'S EXAMPLE

    pointcut* displayState():
        pcflow(execution(void SecurityElement+.draw()))
        && get(* SecurityElement+.*);
    after set( update();
        // Take an action according to the type of the change
    }

An infinite loop is a set of instructions that is executed repeatedly. This is considered a desired behavior in some situations, as in database servers. Database servers loop forever waiting for a request to process. On the other hand, an infinite loop is considered a bug which is made by programmers unintentionally. Malicious code is a set of instructions that make your system do something that an attacker wants to do. Malicious-code writers exploit infinite loops to do their nefarious jobs by launching denial-of-service attacks. Denial-of-service attacks consume system resources until the application or the entire system becomes unusable. Halting a web browser is an example of a denial-of-service attack, done by running code that opens a dialog window an infinite number of times. This attack requires the reboot of the workstation. As another example, the code below can lock the status line at the bottom of the HotJava browser, preventing it from loading any more pages.

    String s = "net.www.html.MeteredStream";
    Object o = Class.forName(s);
    synchronized (o) {
        while (true) Thread.sleep(10000);
    }

There is no general method to specify whether a code will ever halt or run forever, but AspectJ must include mechanisms to predict the existence of such infinite loops and then ask the user if she wants to continue with this work or not. As a suggestion, it is possible to add a pointcut that is associated with the loop body. Through an after-advice with such a pointcut, we can increment a counter every time this body is executed. If the counter value becomes more than a threshold specified according to the type of the application, an alert is popped up giving the user the option to abort the execution. The urgent need for pointcuts that are related to loops must push the research in this area.

VI. PATTERN MATCHING WILDCARD

There is a need for a new wildcard in AspectJ to perform pattern matching. Although pattern matching can be done by plain AspectJ, it is better to do it in a declarative manner to simplify the code. We illustrate this point with an example related to security. Viruses always inject themselves inside executable files by opening and writing to such files. So, it is essential to control opening and writing files that have an "exe" extension. For example, let us write a pointcut that picks out all constructor call join points of the form FileWriter(x, y) where the parameter x is a string whose value ends with the word "exe". Using plain AspectJ, the pointcut will have the following form:

    pointcut p: call(FileWriter.new(String, String)) && args(x, *) && if(isExtension(x));

where isExtension is a boolean method with one argument, defined inside the aspect, that tests if its argument value ends with the word "exe". Although we were able to write the pointcut using plain AspectJ, this has been done with a heavy syntax and extra methods like isExtension. We suggest another way that uses the same notations used in SQL, such as the like keyword and the "%" character, to ease the burden on the user and simplify the code. The previous pointcut definition can be rewritten according to our suggestion as:

    pointcut p: call(FileWriter.new(String like "%exe%", String));

Obviously, using such wildcards states directly the programmer's intent without the need to encode the essential idea. Besides, it makes the program clear and crisp.
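
The plain-AspectJ form from this section written out as a complete aspect (an added example, not code from the paper). It goes beyond the two-argument form in the text by matching every java.io.FileWriter constructor whose first argument is a String path; the aspect name, the case-insensitive ".exe" test and the choice to throw SecurityException are assumptions.

```aspectj
import java.io.File;
import java.io.FileWriter;
import java.util.Locale;

// Added example: refuses FileWriter construction on paths ending in ".exe".
public aspect ExeWriteGuard {

    // Named after the paper's isExtension helper. It is static because an
    // if() pointcut may only use static members and exposed context.
    static boolean isExtension(String path) {
        return path != null
            && path.toLowerCase(Locale.ROOT).endsWith(".exe");
    }

    // The pointcut must declare the parameter that args() binds.
    // "String, .." covers FileWriter(String), FileWriter(String, boolean), etc.
    pointcut exeWriter(String path):
        call(FileWriter.new(String, ..))
        && args(path, ..)
        && if(isExtension(path));

    // Runs at the call site, before the constructor opens the file.
    before(String path): exeWriter(path) {
        throw new SecurityException("write to executable refused: " + path
            + " at " + thisJoinPointStaticPart.getSourceLocation());
    }
}

// Small driver with constructed paths in the temp directory.
class ExeWriteGuardDemo {
    public static void main(String[] args) throws Exception {
        String dir = System.getProperty("java.io.tmpdir") + File.separator;

        // Not matched by the pointcut: the file is created as usual.
        new FileWriter(dir + "notes.txt").close();

        try {
            // Matched: the advice throws before the file is opened.
            new FileWriter(dir + "Tool.EXE", true).close();
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

A call() pointcut only takes effect at call sites that the AspectJ compiler weaves, and this one only covers FileWriter. Writes made through other APIs such as FileOutputStream or java.nio.file.Files need their own pointcuts.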

VII. TYPE PATTERN MODIFIERS

AspectJ uses (as described in AspectJ quick reference on the eclipse site [9]) four kinds of patterns in the pointcut syntax: method pattern, constructor pattern, field pattern, and type pattern. Patterns are used inside primitive pointcut designators to match signatures and consequently to determine the required join points. The syntax of all patterns contains the modifiers keyword except the type pattern syntax. This section discusses the need for such a keyword in the type pattern syntax to enrich the matching process.

A Java class declaration may include the following modifier patterns: public, abstract, or final. A public class is a class that can be accessed from other packages. An abstract class is a class that has at least one abstract method that is not implemented. A class that is declared as final may not be extended by subclasses. Any class, method, object, or variable that is not private is a potential entry point for an attack. Hence, using modifiers in the type pattern syntax should be very useful from a security point of view. The example in Table V describes a case where the public method f() inside the public class Sensitive delivers sensitive information. In this case, it is essential to add a security mechanism that authenticates the clients of such public classes that are exposed by the application to the outside world. Hence, we would like to be able to use a public modifier pattern in type pattern syntax to pick out public classes only. This technique can be also used to detect non-final classes that are dangerous since they can often be extended in unseen ways.

VIII. LOCAL VARIABLES SET AND GET

AspectJ allows picking out join points where attributes are referenced or assigned through get and set designators, but it does not provide similar pointcuts for local variables defined inside methods. AspectJ does not allow local variables of a method to be exposed to the advice code. A technique that does such a thing will be helpful and will increase the efficiency of AspectJ, especially from a security point of view. For example, security debuggers may need to track the values of local variables inside methods. With such new pointcuts, it will be easy to write advices before or after the use of these variables to expose their values. Confidential data can be protected using these kinds of pointcuts by preventing them from being used improperly.

The problem of protecting secret or confidential information in computer systems is a well known problem. The proposed solutions to solve this problem are to encrypt data sent on the internet and to use access control techniques to protect files. However, these solutions are not enough to prevent the propagation of information. A promising approach for protecting privacy and integrity of sensitive data is to statically check information flow within programs that manipulate that data. This approach is discussed in [10]. Instead of doing static analysis, we will use AOP to perform code instrumentation by inserting checks before or after getting or setting fields or local variables. The following example in Table VI clarifies the idea. We can see that the sensitive information stored in the private field sensitiveInfo has been exposed by transferring its value to the local variable localstr defined inside the method f(). Then the value of localstr is stored inside the public field publicInfo, which made the information accessible from outside the class. Using pointcuts that track fields as well as local variables can help us to find such a case and prevent it.

TABLE V: TYPE PATTERN MODIFIERS

    import java.io.*;
    public class Sensitive {
        private String sensitiveInfo;
        public void f() {
            // ....
            System.out.println(sensitiveInfo);
            // ....
        }
    }

TABLE VI: LOCAL VARIABLES GET AND SET

    import java.io.*;
    class Test {
        private String sensitiveInfo;
        public String publicInfo;
        private void f() {
            String localstr;
            sensitiveInfo = /* Some Calculation */
            localstr = sensitiveInfo;
            // ....
            // ...
            publicInfo = localstr;
        }
    }
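
What AspectJ's existing get and set pointcuts can and cannot observe in the Table VI scenario, as an added example that is not code from the paper. The Test class is re-created with a constructed secret value and a main method, the aspect name is hypothetical, and the flow is tracked by object identity: it follows the same reference through localstr, but loses track as soon as the value is copied or transformed, which is the gap the section describes.

```aspectj
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;

// Re-creation of the class in Table VI; the secret value is constructed.
class Test {
    private String sensitiveInfo;
    public String publicInfo;

    private void f() {
        String localstr;
        // new String(..) gives a distinct object, so identity tracking is
        // not confused by interned string literals.
        sensitiveInfo = new String("constructed-secret");
        localstr = sensitiveInfo;   // field get: a join point exists
        publicInfo = localstr;      // local read: no join point; field set: join point
    }

    public static void main(String[] args) {
        try {
            new Test().f();
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}

public aspect FieldLeakMonitor {

    // References handed out by reads of the private field, compared with ==.
    // Held strongly for simplicity, so the set grows for the life of the JVM.
    private final Set<Object> readFromSensitive = Collections.synchronizedSet(
        Collections.newSetFromMap(new IdentityHashMap<Object, Boolean>()));

    // Field patterns match private fields; no privileged aspect is needed
    // because the advice never touches the field directly.
    pointcut readSensitive(): get(private String Test.sensitiveInfo);

    pointcut writePublic(String value):
        set(public String Test.publicInfo) && args(value);

    // For a field-get join point, the "returned" value is the value read.
    after() returning(String value): readSensitive() {
        if (value != null) {
            readFromSensitive.add(value);
        }
    }

    // Refuse to store a recorded reference in the public field.
    before(String value): writePublic(value) {
        if (value != null && readFromSensitive.contains(value)) {
            throw new SecurityException(
                "value read from Test.sensitiveInfo assigned to Test.publicInfo at "
                + thisJoinPointStaticPart.getSourceLocation());
        }
    }
}
```

If f() instead wrote `publicInfo = localstr + ""`, a new String object would reach the set join point and this check would pass it, because nothing between the field read and the field write is visible to the aspect.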

IX. SYNCHRONIZED BLOCK JOIN POINT

The synchronized block has not been treated yet in AspectJ or in any other AOP framework. There are no join points associated with such a block until now. The current implementation of AspectJ allows picking out calls to synchronized methods but does not allow picking out synchronized blocks. The importance of the join points for synchronized code has been already discussed for thread management. Borner [11] has presented an article on these issues and has discussed the usefulness of capturing synchronized blocks, such as calculating the time acquired by a lock. It has also been pointed out that pointcuts for capturing synchronized blocks have not been prototyped yet in AspectJ because of the weaving. According to the discussion, the weaving is done statically in AspectJ so it will be very difficult and possibly impossible to handle these pointcuts at compile-time.

In this paper, we don't care about the implementation but we do care about the importance of such pointcuts for security issues. The next example will discuss this importance. Suppose we have a synchronized block that launches a denial-of-service attack by containing code that eats the CPU cycles, like the code that implements the Ackermann function in [12]. The Ackermann function is a function of two parameters whose value grows very fast. It is essential to have a join point at the beginning of the synchronized block. Through this join point, we can write a before-advice that limits the CPU usage or limits the number of instructions that can run. This limitation will make the attack fail.

Let us take another example that is shown in Table VII. We need to insert advices before synchronized blocks because the same thread can acquire the lock twice. In this case, we say that the code is reentrant. This behavior can cause a denial-of-service attack. To clarify more, if the thread that owns the lock manipulates files, this will block users from accessing files to which they have access. A before-advice can use Java assertions to check that you have not got a lock before entering a synchronized block.

X. RELATED WORK

The most relevant related works are those that discuss the use of AOP to enforce security. However, the research efforts spent on this subject do not match its importance. Among the attempts is the DARPA-funded project of Cigital Labs [13], [14], [15] that applies AOP to enforce security in software systems. The main outcome of this project is a security dedicated aspect extension of C called CSAW [13] and a weaving tool. CSAW addresses small-sized problems such as buffer overflow and data logging. De Win et al. [16], [17], [18], [19], [20], [21] explored the use of AOP to integrate security aspects within applications and applied AspectJ to enforce access control. Huang, Wang, and Zhang have implemented a reusable and generic aspect library JSAL [22] that provides security functions. This aspect library is based on AspectJ and common Java security packages. In order to enrich the expressiveness of pointcuts to enforce security issues, Masuhara and Kawauchi [6] present a new pointcut called dataflow pointcut. It expresses easily some security concerns that are sensitive to flow of information in a program execution. Bodkin [23] reports a survey in common security crosscutting concerns for web applications written in Java. He analyzes the relevant join points that can be used in AOP systems to express such crosscutting concerns. He cited the need for the predicated control flow and the dataflow pointcuts in AspectJ-like languages. This contribution is very close to what we have done.

TABLE VII: SYNCHRONIZED BLOCK

    public class A {
        ...
        public void f() {
            // Before-Advice: assert !Thread.holdsLock(this);
            synchronized (this) {
                ... /* access files */ ...
            }
        }
    }

However, none of these previous works examined and discussed the completeness of AspectJ from a security perspective in a comprehensive and extensive way as we did. Our work evaluates the effectiveness of AspectJ support for security hardening in Java applications and exposes areas (especially in pointcut definitions) for further investigation.

XI. CONCLUSION AND FUTURE WORK

This paper discusses the needs in AspectJ to enforce security issues successfully. We have shown that security aspects must get benefit from new concepts related to pointcut definitions in order to express some security hardening practices. Hence, a description of dataflow pointcut and predicated control flow pointcut and their usefulness from a security point of view are presented. Besides, the importance of loop pointcut to prevent malicious attacks is exposed. A new wildcard for pattern matching is suggested. In addition, we have discussed the need for using modifier pattern like public keyword in type pattern syntax. The need for a pointcut to pick out join points associated with setting and getting local variables inside local methods is also discussed as well as new join points for synchronized blocks. In the future, we plan to give implementation solutions to all the above suggestions and come up with a comprehensive AOP security language.

REFERENCES

[1] G. McGraw and G. Morrisett. Attacking Malicious Code: A Report to the Infosec Research Council. IEEE Software, 17(5):33–41, 2000.
[2] G. Kiczales, J. Lamping, A. Mendhekar, C. Maeda, C. Lopes, J. M. Loingtier, and J. Irwin. Aspect-oriented programming. In Mehmet Aksit and Satoshi Matsuoka, editors, Proceedings European Conference on Object-Oriented Programming, volume 1241, pages 220–242. Springer-Verlag, Berlin, Heidelberg, and New York, 1997.
[3] G. Kiczales, E. Hilsdale, Jim Hugunin, Mik Kersten, Jeffrey Palm, and William Griswold. An Overview of AspectJ. Budapest, 2001. Springer Verlag.
[4] G. Kiczales. The Fun has Just Begun, Keynote talk at AOSD 2003. http://www.cs.ubc.ca/gregor/, 2003.
[5] S. T. Teoh, T. J. Jankun-Kelly, K. L. Ma, and F. S. Wu. Visual data analysis for detecting flaws and intruders in computer network systems. IEEE Computer Graphics and Applications, special issue on Visual Analytics, 2004.
[6] H. Masuhara and K. Kawauchi. Dataflow Pointcut in Aspect-Oriented Programming. In APLAS, pages 105–121, 2003.
[7] J. Bergeron, M. Debbabi, J. Desharnais, M. M. Erhioui, Y. Lavoie, and N. Tawbi. Static Detection of Malicious Code in Executable Programs. In Symposium on Requirements Engineering for Information Security (SREIS'01), Indianapolis, Indiana, USA, 2001. Springer Verlag.
[8] B. Harbulot and J. R. Gurd. A Join Point for Loops in AspectJ. In Proceedings of the 4th workshop on Foundations of Aspect-Oriented Languages (FOAL 2005), March 2005.
[9] AspectJ Quick Reference. http://www.eclipse.org/aspectj/doc/released/quickA4.pdf.
[10] A. C. Myers. JFlow: Practical Mostly-Static Information Flow Control. In Symposium on Principles of Programming Languages, pages 228–241, 1999.
[11] J. Borner. Semantics for a Synchronized Block Join Point. http://jonasboner.com/2005/07/18/semantics-for-a-synchronized-block-join-point/, July 2005.
[12] G. McGraw and E. Felten. Securing Java: Getting Down to Business with Mobile Code. John Wiley & Sons, 1999.
[13] Cigital Labs. An Aspect-Oriented Security Assurance Solution. Technical Report AFRL-IF-RS-TR-2003-254, Cigital Labs, Dulles, Virginia, USA, 2003.
[14] V. Shah and F. Hill. Using Aspect-Oriented Programming for Addressing Security Concerns. In ISSRE 2002, pages 115–119, 2002.
[15] J. Viega, J. T. Bloch, and C. Pravir. Applying Aspect-Oriented Programming to Security. Cutter IT Journal, 14(2):31–39, 2001.
[16] B. De Win. AOSD is an Enabler for Good Enough Security. http://citeseer.ist.psu.edu/728786.html, 2003.
[17] B. De Win, F. Piessens, W. Joosen, and T. Verhanneman. On the Importance of the Separation-of-Concerns Principle in Secure Software Engineering. Workshop on the Application of Engineering Principles to System Security Design, Boston, MA, USA, November 6–8, 2002, Applied Computer Security Associates (ACSA), 2002.
[18] B. De Win, B. Vanhaute, and B. De Decker. How Aspect-Oriented Programming Can Help to Build Secure Software. Informatica, 26(2):141–149, 2002.
[19] B. Vanhaute and B. De Win. AOP, Security and Genericity. 1st Belgian AOSD Workshop, Vrije Universiteit Brussels, Belgium, November 8, 2001, 2001.
[20] B. Vanhaute, B. De Win, and Bart B. De Decker. Building Frameworks in AspectJ. Workshop on Advanced Separation of Concerns, ECOOP 2001.
[21] B. De Win, B. Vanhaute, and B. De Decker. Security Through Aspect-Oriented Programming. In B. De Decker, F. Piessens, J. Smits, and Van Herreweghen, editors, Advances in Network and Distributed Systems Security, pages 125–138, 2001.
[22] M. Huang, C. Wang, and L. Zhang. Toward a Reusable and Generic Security Aspect Library. In AOSD Technology for Application-level Security, March 2004.
[23] R. Bodkin. Enterprise Security Aspects. In AOSD 2004 Workshop, Lancaster, UK, 2004.