Aspect-Oriented Security Hardening of Design Models

设计模型面向方面的安全强化

• 批准号: 183938-2012
• 负责人: Debbabi, Mourad
• 金额: $ 2.48万
• 依托单位: Concordia University
• 依托单位国家: 加拿大
• 项目类别: Discovery Grants Program - Individual
• 财政年份: 2015
• 资助国家: 加拿大
• 起止时间: 2015-01-01 至 2016-12-31
• 项目状态: 已结题
• 来源: https://www.nserc-crsng.gc.ca/ase-oro/Details-Detailles_eng.asp?id=569671
• 关键词: Aspect; Oriented; Security; Hardening; Design

Software security becomes increasingly important. Nevertheless, it is very often considered as an afterthought phase of the development life cycle. However, given the complexity and pervasiveness of modern software systems, addressing security later in the development process leads to huge cost in retrofitting security into the software and further can introduce additional vulnerabilities. Therefore, security must be considered early during the engineering process. To this end, a promising approach is to adopt the emerging Model Driven Architecture (MDA) paradigm and the prominent modeling languages, such as the Unified Modeling Language (UML) and the Systems Modeling Language (SysML), in order to address security throughout the development life cycle. Furthermore, security is a crosscutting concern that pervades the entire software. The manual addition of security features into design models, especially for large scale software, often leads to scattered security features tangled in the main functionality. Additionally, adding security manually is tedious and generally may lead to other security flaws. A promising approach is to consider Aspect-Oriented Modeling (AOM) as a mechanism for security specification and injection at the software design phase. In recent years, AOM has become the focus of many research initiatives. However, the majority of these proposals are presented from a practical perspective. In addition, very few proposals leveraged AOM to address security. As such, our proposal aims to elaborate a practical and a formal framework for the security hardening of design models. In particular, the targeted objectives are the following: (1) Design an algebra of pointcut/advice primitives to specify security concerns on design models, (2) devise an AOM security profile that leverages the aforementioned algebra, (3) elaborate semantic definitions for matching and weaving for the profile constructs, (4) derive, from the semantic definitions, matching and weaving algorithms that will be used to design and implement an environment for the specification and injection of security aspects within design models, (5) conduct real-life case studies to validate the importance, relevance and practicality of the proposed framework.

软件安全变得越来越重要。然而，它经常被认为是开发生命周期的一个事后考虑阶段。然而，考虑到现代软件系统的复杂性和普遍性，在开发过程的后期处理安全性会导致在将安全性改造到软件中时花费巨大的成本，并且进一步可能引入额外的漏洞。因此，在工程过程中必须尽早考虑安全性。为此，一个有希望的方法是采用新兴的模型驱动体系结构（MDA）范例和突出的建模语言，例如统一建模语言（UML）和系统建模语言（SysML），以便在整个开发生命周期中解决安全性问题。此外，安全性是贯穿整个软件的横切关注点。手工将安全特性添加到设计模型中，特别是对于大型软件，往往会导致分散的安全特性纠缠在主要功能中。此外，手动添加安全性是乏味的，通常可能导致其他安全性缺陷。一种很有前途的方法是将面向方面的建模（AOM）视为软件设计阶段的安全规范和注入机制。近年来，AOM已成为许多研究的焦点。然而，这些建议大多是从实际的角度提出的。此外，很少有提案利用AOM来解决安全性问题。因此，我们的建议旨在为设计模型的安全加固精心设计一个实用的和正式的框架。具体而言，目标如下：(1)设计切入点/通知原语的代数，以指定设计模型上的安全关注点；(2)设计利用上述代数的AOM安全概要文件；(3)为概要文件构造的匹配和编织精心设计语义定义；(4)从语义定义中派生匹配和编织算法，这些算法将用于设计和实现设计模型中安全方面的规范和注入的环境。(5)进行现实案例研究，以验证所提出框架的重要性、相关性和实用性。