Enforcing security for desktop clients using authority aspects
Source
Aspect-oriented software development archive
Proceedings of the 8th ACM international conference on Aspect-oriented software development
Charlottesville, Virginia, USA
SESSION: DSAL and applications
Pages 255-266
Year of Publication: 2009
ISBN: 978-1-60558-442-3
Authors
Brett Cannon  University of British Columbia, Vancouver, BC, Canada
Eric Wohlstadter  University of British Columbia, Vancouver, BC, Canada
Sponsors
SIGSOFT: ACM Special Interest Group on Software Engineering
SIGPLAN: ACM Special Interest Group on Programming Languages
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 25,   Downloads (12 Months): 146,   Citation Count: 0
DOI: http://doi.acm.org/10.1145/1509239.1509275

ABSTRACT

Desktop client applications interact with both local and remote resources. This is a benefit in terms of the rich features desktop clients can provide, but also a security risk. Due to their high connectivity, desktop clients can leave a user's machine vulnerable to viruses, malicious plug-ins, and scripts. Aspect-Oriented Software Development can be used to address security concerns in software in a modular fashion. However, most existing research focuses on the protection of server-side resources. In this paper we introduce an aspect-oriented mechanism, Authority Aspects, to enforce the Principle of Least Privilege on desktop clients. This helps to ensure that legitimate resource access is allowed and illegitimate access is blocked. We present a case study applying our approach on two desktop applications: an RSS feed aggregator and a Web browser.

