research-article

Enforcing security for desktop clients using authority aspects

Authors:
Brett Cannon

University of British Columbia, Vancouver, BC, Canada

University of British Columbia, Vancouver, BC, Canada
View Profile

,
Eric Wohlstadter

University of British Columbia, Vancouver, BC, Canada

University of British Columbia, Vancouver, BC, Canada
View Profile

AOSD '09: Proceedings of the 8th ACM international conference on Aspect-oriented software developmentMarch 2009Pages 255–266https://doi.org/10.1145/1509239.1509275

Published:02 March 2009Publication History

AOSD '09: Proceedings of the 8th ACM international conference on Aspect-oriented software development

Pages 255–266

ABSTRACT

Desktop client applications interact with both local and remote resources. This is both a benefit in terms of the rich features desktop clients can provide, but also a security risk. Due to their high connectivity, desktop clients can leave a user's machine vulnerable to viruses, malicious plug-ins, and scripts. Aspect-Oriented Software Development can be used to address security concerns in software in a modular fashion. However, most existing research focuses on the protection of server-side resources. In this paper we introduce an aspect-oriented mechanism, Authority Aspects, to enforce the Principle of Least Privilege on desktop clients. This helps to ensure that legitimate resource access is allowed and illegitimate access is blocked. We present a case study applying our approach on two desktop applications: an RSS feed aggregator and a Web browser.

References

Anonymous. The Lobo Pro ject. http://www.lobobrowser.org/.Google Scholar
Anonymous. Sans top-20 2007 security risks. http://www.sans.org/top20/, The SANS Institute, 2007.Google Scholar
Anonymous. Java International FAQ. http://java.sun.com/javase/technologies/core/ basic/intl/faq.jsp, 09 2008.Google Scholar
A. Charfi and M. Mezini. Using aspects for security engineering of web service compositions. In Proceedings of the IEEE International Conference on Web Services, pages 59--66, Washington, DC, USA, 2005. IEEE Computer Society. Google ScholarDigital Library
R. Elz and R. Bush. Clarifications to the DNS Specification. http://www.ietf.org/rfc/rfc2181.txt, 07 1997. Google ScholarDigital Library
S. Gao, Y. Deng, H. Yu, X. He, K. Beznosov, and K. Cooper. Applying Aspect-Orientation in Designing Security Systems: A Case Study. In The Sixteenth International Conference on Software Engineering and Knowledge Engineering, 2004.Google Scholar
C. B. Haley, R. C. Laney, and B. Nuseibeh. Deriving security requirements from crosscutting threat descriptions. In Proceedings of the 3rd international conference on Aspect-oriented software development, pages 112--121, New York, NY, USA, 2004. ACM. Google ScholarDigital Library
C. Hawblitzel, C.-C. Chang, G. Czajkowski, D. Hu, and T. von Eicken. Implementing Multiple Protection Domains in Java. In Proceedings of the 1998 USENIX Annual Technical Conference, 1998. Google ScholarDigital Library
M. Huang, C. Wang, and L. Zhang. Toward a Reusable and Generic Security Aspect Library. In AOSD Technology for Application-Level Security Workshop, 2004.Google Scholar
A. H. Karp. POLA Today Keeps the Virus at Bay. Technical Report HPL-2003-191, HP Laboratories Palo Alto, 2003.Google Scholar
G. Kiczales, E. Hilsdale, J. Hugunin, M. Kersten, J. Palm, and W. G. Griswold. An Overview of AspectJ. In Proceedings of the 15th European Conference on Object-Oriented Programming, 2001. Google ScholarDigital Library
L. Koved, M. Pistoia, and A. Kershenbaum. Access 2002.Google Scholar
L. C. Lam and T. cker Chiueh. A general dynamic information flow tracking framework for security applications. In Proceedings of the 22nd Annual Computer Security Applications Conference, 2006. Google ScholarDigital Library
A. Mettler and D. Wagner. The Joe-E Language Specification (draft). University of California, June 2006.Google Scholar
M. S. Miller and J. S. Shapiro. Paradigm Regained: Abstraction Mechanisms for Access Control. In Asian Computing Conference, 2003.Google Scholar
A. Mourad, M.-A. Laverdiére, and M. Debbabi. A High-level Aspect-oriented-based Framework for Software Security Hardening. Information Security Journal: A Global Perspective, 17(2):56--74, 2008. Google ScholarDigital Library
K. Padayachee and J. Elo. Innovations and Advanced Techniques in Computer and Information Sciences and Engineering, chapter An Aspect-Oriented Model to Monitor Misuse, pages 273--278. Springer Netherlands, 09 2007.Google Scholar
B. Pasero. RSSOwl. http://www.rssowl.org/.Google Scholar
N. Provos, M. Friedl, and P. Honeyman. Preventing privilege escalation. In Proceedings of the 12th conference on USENIX Security Symposium, 2003. Google ScholarDigital Library
A. Prunicki and T. Elrad. Aclamate: An aosd security framework for access control. In Proceedings of the 2nd IEEE International Symposium on Dependable, Autonomic and Secure Computing, pages 293--300, Washington, DC, USA, 2006. IEEE Computer Society. Google ScholarDigital Library
J. H. Saltzer and M. D. Schroeder. The Protection of Information in Computer Systems. In Communications of the ACM, volume 17, 7, 1974.Google ScholarDigital Library
M. Stiegler, A. H. Karp, K.-P. Yee, and M. S. Miller. Polaris: Virus Safe Computing for Windows XP. Technical Report HP:-2004-221, HP Laboratories Palo Alto, 2004.Google Scholar
D. Wagner. Ob ject Capabilities for Security. Invited Talk, PLAS 2006, June 2006. Google ScholarDigital Library
R. J. Walker and K. Viggers. Implementing protocols via declarative event patterns. In SIGSOFT FSE, pages 159--169, 2004. Google ScholarDigital Library
B. D. Win, V. Shah, W. Joosen, and R. Bodkin. Report of the AOSD2004 workshop on AOSD technology for application-level security. Technical report, Department of Computer Science, K.U.Leuven, Leuven, Belgium, 2005.Google Scholar
B. D. Win, B. Vanhaute, and B. D. Decker. Security Through Aspect-Oriented Programming. In Network Security, 2001. Google ScholarDigital Library
K. Yee. User Interaction Design for Secure Systems. In International Conference on Information and Computer Security, 2002. Google ScholarDigital Library
Z. J. Zhu and M. Zulkernine. Towards an Aspect-Oriented Intrusion Detection Framework. In COMPSAC '07: Proceedings of the 31st Annual International Computer Software and Applications Conference -- Vol. 1, pages 637--638. IEEE Computer Society, 2007. Google ScholarDigital Library

Index Terms

Enforcing security for desktop clients using authority aspects

Recommendations

A function-based user authority delegation model

User authority delegation is granting or withdrawing access to computer-based information by entities that own and/or control that information. These entities must consider who should be granted access to specific information in the organization and ...
Read More
Composing aspects with aspects
AOSD '10: Proceedings of the 9th International Conference on Aspect-Oriented Software Development

Aspect-oriented programming languages modularize crosscutting concerns by separating the concerns from a base program in aspects. What they do not modularize well is the code needed to manage interactions between the aspects themselves. Therefore ...
Read More
Program refactoring using functional aspects
GPCE '08: Proceedings of the 7th international conference on Generative programming and component engineering

A functional aspect is an aspect that has the semantics of a transformation; it is a function that maps a program to an advised program. Functional aspects are composed by function composition. In this paper, we explore functional aspects in the context ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
AOSD '09: Proceedings of the 8th ACM international conference on Aspect-oriented software development
March 2009
278 pages
ISBN:9781605584423
DOI:10.1145/1509239
General Chair:
Kevin Sullivan
University of Virginia, USA
,
Organizing Chair:
Jeff Gray
Univ. of Alabama at Birmingham, USA
,
Program Chairs:
Ana Moreira
Universidade Nova de Lisboa, Portugal
,
Christa Schwanninger
Siemens AG, Germany
,
Robert Baillargeon
Panasonic Automotive Systems, USA
,
Mark Grechanik
Accenture, USA
Copyright © 2009 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 2 March 2009
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
authority aspect
authorizing context
Qualifiers
- research-article
Conference

Acceptance Rates
Overall Acceptance Rate41of139submissions,29%
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 8
  Total Citations
  View Citations
- 443
  Total Downloads
- Downloads (Last 12 months)2
- Downloads (Last 6 weeks)0
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Enforcing security for desktop clients using authority aspects

AOSD '09: Proceedings of the 8th ACM international conference on Aspect-oriented software development

ABSTRACT

References

Cited By

Index Terms

Recommendations

A function-based user authority delegation model

Composing aspects with aspects

Program refactoring using functional aspects