Please use this identifier to cite or link to this item: http://hdl.handle.net/10603/12246
Title: AN ASPECT ORIENTED MODEL DRIVEN DEVELOPMENT APPROACH TO SECURE WEB APPLICATIONS
Researcher: Dhanya Pramod
Guide(s): Vaidya, Vinay G
Keywords: Model driven web applications,
Upload Date: 24-Oct-2013
University: Symbiosis International University
Completed Date: 10/01/2010
Abstract: Computers enable us to perform enormously complex tasks in amazingly short times. The internet and web-based applications allow groups of users in different locations to harness this massive computing power collaboratively for the benefit of humanity. In this era of collaborative computing and networked and shared web applications, ensuring the safety and privacy of data stored in computers and transmitted over the internet has become critically important.

Both the at-large attacks on computers and targeted attacks on specific computer networks have become so sophisticated that general-purpose IDS (Intrusion Detection System) mechanisms like signature-based antivirus packages have been rendered inadequate. The mutating and polymorphic varieties of viruses can defeat purpose-built IPS (Intrusion Protection System) mechanisms and with hackers developing the ability to launch zero-day attacks using easily available exploit frameworks, the time has come to confront the security problems by improving the immunity of the target software itself.

It can be assumed that the Operating System (OS) and Network Protocol-level software is relatively secured. However, the same cannot be said about application software. If we split application software into end-user and web-based, it is easy to see that while security breaches in end-user applications can cause corruption of data on the computers where the applications are installed, security breaches in web-based applications have the potential of affecting large swathes of networked computers alarmingly quickly over the internet. Cross-site scripting, parameter tampering, buffer overflows, SQL injection are some common causes that result in authentication and authorization breaches in web-based applications.

This Thesis concentrates on the problem of securing web-based applications (called web applications henceforth). It is proposed to treat security as an aspect that is to be incorporated at the design stage of development of the web application.

This approach to secure web applications can be applied to existing applications also. These security concerns are to be integrated throughout the software and thus Aspect Oriented Modeling is a better way to do this. In this approach we designed the security model separately and then weaved to the base model. It is further proposed to use a model-driven development approach for this purpose.

Model driven engineering has become the prime focus of researchers in recent years. It eases the development effort by automatic conversion of models into platform specific application software. Hence we also define a UML profile to model the counter measures of mentioned attacks and thus make web applications self defendable.

In order to solve the addressed problem we have carried out various experiments on vulnerable software. Software was exposed to all possible attack patterns and vulnerabilities were identified. To resist the attacks a security package has been developed and injected to candidate application using aspect oriented approach. Experiments were carried out after injecting the security aspect and found that the application is capable of self defense.
URI: http://hdl.handle.net/10603/12246
Appears in Departments: Faculty of Computer Studies

Files in This Item:
File | Description | Size | Format
chapter-1.pdf | Attached File | 81.26 kB | Adobe PDF
chapter-iii.pdf | | 1.65 MB | Adobe PDF
chapter-ii.pdf | | 51.12 kB | Adobe PDF
chapter-iv.pdf | | 53.95 kB | Adobe PDF
chapter vii -appendix.pdf | | 7.93 MB | Adobe PDF
chapter -vi.pdf | | 20.16 kB | Adobe PDF
chapter-v.pdf | | 18.58 kB | Adobe PDF
table of contents.pdf | | 9.64 kB | Adobe PDF


Items in Shodhganga are licensed under Creative Commons Licence Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0).
