AOP Technology And Its Applications In Software Security

With the rapid development of software industry and the gradual spread of Internet, more and more attention has been made on software security problem. To analysis and design good approach is very instructive to improve the security of software production.Code attack and protection are two aspects on software security problem. Due to the characteristics of themselves, some source codes such as Java bytecode are difficult to resist reverse engineering attack; on the other hand, study on code attack is also important to accelerate the development of software security technology in the reverse point of view.Because of the complexity and openness of modern software, it has become more and more difficult to implement the security related requirement. In fact, a majority of existed security holes are not caused by lacking the knowledge and experience of security domain, but caused by adopting traditional development procedure. Therefore, finding one good method to implement security requirement is also very important.Using the principles and techniques of aspect-oriented programming (AOP), this dissertation explores and analyzes in-depth three important issues in software security area. They are code attack, code protection and secure software engineering respectively. And the following research achievements have been got.1. A practical attack approach for obfuscated code is proposed. Code obfuscation which makes the decompiled code is hard to be understood is one of widely used technologies to protect existing applications. However, using the powerful mechanisms provided by AspectJ, our attack could be executed on the byte code level for example Java applications without acquiring its source code from decompilation, which means that our attack makes all efforts to protect the application through code obfuscation is not useful any more. And as experiment shown, this novel attack approach is very straightforward and simple to be implemented. At the same time, several suggestions are also proposed to resist this new attack.2. Two problems are discovered while protecting J2EE applications using encryption technology, namely, the compilation failure problem and the server detection problem. Compiling one class refers to another encrypted class will be broken down, this phenomenon is called compilation failure problem; what server detection problem is can be described as following: one ore more exceptions will be thrown when server check the byte code format before it load that byte code file.3. This dissertation proposes one approach to solve both the compilation failure problem and the server detection problem after these two problems are given. They are both due to the format invalidation of byte code file caused by encryption, which could be solved by our solution through constructing valid bytecode ciphertext file.4. An aspect-oriented security framework model is proposed. Taking access control mechanism as example, we discover one approach to separate of business logic and security logic. After this separation, through three specified generations, namely, generation of security domain model, generation of deployment and generation of security mechanism, one framework model is derived finally to solve all the requirements of security domain.5. A new best practice scheme of software engineering is proposed when using the security framework mentioned above. We also discuss the responsibilities that security expert and developer should take according to this best practice. In this way, security domain requirement can be implemented by security experts, while business logic requirement can be implemented by common developers. And the two parts of implementations will be bind through AOP related technology finally. Thus applying this best practice in real software project development is helpful to control the more and more complexity in software development and to reduce its risks and costs.