FlowR: Aspect oriented programming for information flow control in ruby

MODULARITY 2014 - Proceedings of the 13th International Conference on Modularity (Formerly AOSD)

Volumn , Issue , 2014, Pages 37-48

  Pasquier, Thomas F J M ^a   Bacon, Jean ^a   Shand, Brian ^b  

^a UNIVERSITY OF CAMBRIDGE   (United Kingdom)

^b PUBLIC HEALTH ENGLAND   (United Kingdom)

Author keywords

Aspect Oriented Programming; Information Flow Control; Security

Indexed keywords

FLOW CONTROL; OBJECT ORIENTED PROGRAMMING; PLATFORM AS A SERVICE (PAAS); RUBY;

ASPECT-ORIENTED PROGRAMMING (AOP); CLOUD INFRASTRUCTURES; IMPLEMENTATION LANGUAGES; INFORMATION FLOW CONTROL; OBJECT-ORIENTED PROGRAM; OPEN-SOURCE LIBRARIES; SECURITY; SECURITY CONSTRAINT;

ASPECT ORIENTED PROGRAMMING;

EID: 84900037333     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2577080.2577090     Document Type: Conference Paper

References (59)

1. S. Akai, S. Chiba, and M. Nishizawa. Region pointcut for AspectJ. In Proceedings, 8th workshop on Aspects, components, and patterns for infrastructure software, ACP4IS '09, pages 43-48. ACM, 2009.
2. T. Austin and C. Flanagan. Efficient purely-dynamic information flow analysis. In Programming Languages and Analysis for Security (PLAS), Dublin, Ireland, 2009. ACM.
3. J. Bacon, D. Eyers, T. F. Pasquier, J. Singh, I. Papagiannis, and P. Pietzuch. Information Flow Control for secure cloud computing. submitted to: IEEE Transactions on Network and Service Manage-ment, Special Issue on Management of Cloud Services, 2014.
4. D. Bell. The Bell-LaPadula model. Journal of computer security, 4 (2):3, 1996.
5. K. Benitez and B. Malin. Evaluating re-identification risks with respect to the HIPAA privacy rule. Journal of the American Medical Informatics Association, 17(2):169-177, 2010.
6. K. J. Biba. Integrity considerations for secure computer systems. Technical report, DTIC Document, 1977.
7. W. Cheng, D. R. Ports, D. Schultz, V. Popic, A. Blankstein, J. Cowling, D. Curtis, L. Shrira, and B. Liskov. Abstractions for usable information flow control in Aeolus. In Proceedings, USENIX Annual Technical Conference (Usenix ATC '12), 2012.
8. D. Denning. Secure Information Flow in Computer Systems, 1975. Dissertations Publishing 1975.
9. D. E. Denning. A lattice model of secure information flow. Commun. ACM, 19(5):236-243, May 1976.
10. D. E. Denning and P. J. Denning. Certification of programs for secure information flow. Commun. ACM, 20(7):504-513, July 1977.
11. B. DeWin, B. DeVanhaute, and B. DeDecker. Security Through Aspect-Oriented Programming. In Advances in Network and Distributed Systems Security, Volume 78 of IFIP, pages 125-138. Springer US, 2002.
12. C. Disenfeld and S. Katz. A closer look at aspect interference and cooperation. In Proceedings of the 11th annual international conference on Aspect-oriented Software Development, AOSD'12, pages 107-118, New York, NY, USA, 2012. ACM.
13. P. Efstathopoulos, M. Krohn, S. VanDeBogart, C. Frey, D. Ziegler, E. Kohler, D. Mazières, F. Kaashoek, and R. Morris. Labels and event processes in the Asbestos operating system. In Proceedings, 20th ACM Symposium on Operating Systems Principles, SOSP '05, pages 17-30. ACM, 2005.
14. E. Figueiredo, N. Cacho, C. Sant'Anna, M. Monteiro, U. Kulesza, A. Garcia, S. Soares, F. Ferrari, S. Khan, F. Filho, and F. Dantas. Evolving software product lines with Aspects. In Software Engineering, 2008. ICSE '08. ACM/IEEE 30th International Conference on, pages 261-270, 2008.
15. M. Gyung, S. McCamant, P. Poosankam, and D. Song. DTA++: Dynamic Taint Analysis with Targeted Control-Flow Propagation. In Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2011. Internet Society.
16. B. Harbulot and J. R. Gurd. A join point for loops in AspectJ. In Proceedings, 5th international conference on Aspect-oriented software development, AOSD '06, pages 63-74. ACM, 2006.
17. P. Hosek, M. Migliavacca, I. Papagiannis, D. Eyers, D. Evans, B. Shand, J. Bacon, and P. Pietzuch. SafeWeb: A middleware for securing Ruby-based web applications. In Middleware, pages 491-512, 2011.
18. S. Jajodia and B. Kogan. Integrating an object-oriented data model with multilevel security. In Proceedings, IEEE Symposium on Security and Privacy, pages 76-85, 1990.
19. S. Jajodia, B. Kogan, and R. Sandhu. A multilevel-secure object-oriented data model. Abrams et al. [AJP95], 1995.
20. V. Kashyap, B. Wiedermann, and B. Hardekopf. Timing- and termination-sensitive secure information flow: exploring a new aproach. In Symposium on Security and Privacy, Berkeley, CA, 2011. IEEE.
21. C. Kastner, S. Apel, and D. Batory. A case study implementing features using AspectJ. In Software Product Line Conference, 2007. SPLC 2007. 11th International, pages 223-232, 2007.
22. G. Kiczales, J. Lamping, A. Mendhekar, C. Maeda, C. Lopes, J.-M. Loingtier, and J. Irwin. Aspect-Oriented Programming. Springer, 1997.
23. G. Kiczales, E. Hilsdale, J. Hugunin, M. Kersten, J. Palm, and W. G. Griswold. An overview of AspectJ. In J. L. Knudsen, editor, ECOOP 2001 âǍŤ Object-Oriented Programming, Volume 2072 of Lecture Notes in Computer Science, pages 327-354. Springer, 2001.
24. M. Krohn, A. Yip, M. Brodsky, N. Cliffer, M. F. Kaashoek, E. Kohler, and R. Morris. Information Flow Control for standard OS abstractions. SIGOPS Oper. Syst. Rev., 41(6):321-334, Oct 2007.
25. L. C. Lam and Tcker Chiueh. A general dynamic information flow tracking framework for security applications. In Computer Security Applications Conference, 2006. ACSAC '06. 22nd Annual, pages 463-472, 2006.
26. B. W. Lampson. A note on the confinement problem. Commun. ACM, 16(10):613-615, Oct. 1973.
27. S. B. Lipner. A comment on the confinement problem. SIGOPS Oper. Syst. Rev., 9(5):192-196, Nov. 1975.
28. M. Lippert and C. Lopes. A study on exception detection and handling using Aspect-Oriented Programming. In Software Engineering, 2000. Proceedings of the 2000 International Conference on, pages 418-427, 2000.
29. F. Marchand de Kerchove, J. Noyé, and M. Südholt. Aspectizing javascript security. In Proceedings of the 3rd Workshop on Modularity in Systems Software, MISS'13, pages 7-12, New York, NY, USA, 2013. ACM.
30. H. Masuhara and K. Kawauchi. Dataflow pointcut in Aspect-Oriented Programming. In Proceedings, First Asian Symposium on Programming Languages and Systems, APLAS, pages 105-121. Springer, 2003.
31. M. Migliavacca, I. Papagiannis, D. M. Eyers, B. Shand, J. Bacon, and P. Pietzuch. DEFCon: High-performance event processing with information security. USENIX Annual Technical Conference, June 2010.
32. A. Mourad, M.-A. Laverdière, and M. Debbabi. An aspect-oriented approach for the systematic security hardening of code. Computers & Security, 27(3):101-114, 2008.
33. A. C. Myers. JFlow: practical mostly-static information flow control. In Proceedings, 26th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL '99, pages 228-241. ACM, 1999.
34. K. Padayachee, J. Eloff, and J. Bishop. Aspect-oriented information flow control, unpublished.
35. T. Pasquier, B. Shand, and J. Bacon. Information Flow Control for a Medical Web Portal. In e-Society 2013. IADIS, March 2013.
36. R. Pawlak, L. Duchien, and L. Seinturier. Compar: Ensuring safe around advice composition. In Formal Methods for Open Object-Based Distributed Systems, pages 163-178. Springer, 2005.
37. R. Ramachandran, D. J. Pearce, and I. Welch. AspectJ for multilevel security. ACP4IS '06, 20:13-17, March 2006.
38. D. E. Robling Denning. Cryptography and data security. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 1982.
39. A. Russo, K. Claessen, and J. Hughes. A library for lightweight information-flow security in Haskell. SIGPLAN Notices, 44(2):13-24, Sept. 2008.
40. A. Sabelfeld and A. Myers. Language-based information-flow security. IEEE Journal on Selected Areas in Communications (JSAC), 21 (1):5-19, 2003.
41. A. Sabelfeld and A. Russo. From dynamic to static and back: Riding the roller coaster of information-flow control research. In Andrei Er-shov International Conference on Perspectives of System Informatics, Akademgorodok, Novosibirsk, Russia, 2009.
42. J. Saltzer and M. D. Schroeder. The protection of information in computer systems. Proc. IEEE, 63(9):1278-1308, 1975.
43. V. Shah and F. Hill. An aspect-oriented security framework. In DARPA Information Survivability Conference and Exposition, 2003. Proceedings, Volume 2, pages 143-145 Vol. 2, 2003.
44. O. Spinczyk, A. Gal, and W. Schröder-Preikschat. AspectC++: an aspect-oriented extension to the C++ programming language. In Proceedings, 40th International Conference on Technology of Object-Oriented Languages and Systems (TOOLS Pacific 2002), Volume 10 of CRPIT '02, pages 53-60. Australian Computer Society, Inc., 2002.
45. F. Steimann. The paradoxical success of aspect-oriented programming. SIGPLAN Not., 41(10):481-497, Oct. 2006.
46. G. E. Suh, J. W. Lee, D. Zhang, and S. Devadas. Secure program execution via dynamic information flow tracking. SIGOPS Oper. Syst. Rev., 38(5):85-96, Oct. 2004.
47. R. Toledo and E. Tanter. Secure and modular access control with Aspects. In Proceedings of the 12th annual international conference on Aspect-oriented software development, AOSD'13, pages 157-170, New York, NY, USA, 2013. ACM.
48. T. Tourwé, J. Brichau, and K. Gybels. On the existence of the AOSD-evolution paradox. SPLAT: Software engineering Properties of Languages for Aspect Technologies, 2003.
49. N. Vachharajani, M. Bridges, J. Chang, R. Rangan, G. Ottoni, J. Blome, G. Reis, M. Vachharajani, and D. August. Rifle: An architectural framework for user-centric information-flow security. In Microarchitecture, 2004. MICRO-37 2004. 37th International Symposium on, pages 243-254, 2004.
50. J. Viega and J. Vuas. Can Aspect-Oriented Programming lead to more reliable software? Software, IEEE, 17(6):19-21, 2000.
51. J. Viega, J. Bloch, and P. Chandra. Applying Aspect-Oriented Programming to security. Cutter IT Journal, 14(2):31-39, 2001.
52. P. Vogt, F. Nentwich, N. Jovanovic, E. Kirda, C. Kruegel, and G. Vigna. Cross site scripting prevention with dynamic data tainting and static analysis. In Network and Distributed System Security Symposium (NDSS), San Diego, CA, 2007. Internet Society.
53. D. Volpano and G. Smith. Eliminating covert flows with minimum typings. In Computer Security Foundations Workshop, 1997. Proceedings., 10th, pages 156-168, jun 1997.
54. D. Wampler. Aquarium: AOP in Ruby. In Proceedings, Aspect Oriented Software Development (AOSD), Volume 4, 2008.
55. H. Washizaki, A. Kubo, T. Mizumachi, K. Eguchi, Y. Fukazawa, N. Yoshioka, H. Kanuka, T. Kodaka, N. Sugimoto, Y. Nagai, and R. Yamamoto. AOJS: An Aspect-Oriented Javascript programming framework for web development. In Proceedings, 8th workshop on Aspects, Components, and Patterns for Infrastructure Software, ACP4IS, pages 31-36. ACM, 2009.
56. A. Yip, X. Wang, N. Zeldovich, and M. F. Kaashoek. Improving application security with data flow assertions. In Proceedings of the ACM SIGOPS 22nd symposium on Operating systems principles, SOSP'09, pages 291-304, New York, NY, USA, 2009. ACM.
57. A. Zambrano, A. Alvarez, J. Fabry, and S. Gordillo. Aspect Coordination for Web Applications in Java/AspectJ and Ruby/Aquarium. Proceedings, 28th International Conference of Chilean Computer Society, Nov. 2009.
58. S. Zdancewic. Challenges for information-flow security. In Proceedings of the 1st International Workshop on Programming Language Interference and Dependence (PLIDâǍŹ04), 2004.
59. N. Zeldovich, S. Boyd-Wickizer, and D. Mazieres. Securing distributed systems with information flow control. In Networked Systems Design and Implementation (NSDI), pages 293-308. Usenix, April 2008.