WebLang: A Prototype Modelling Language for Web Applications : A Meta Attack Language based Domain Specific Language for web applications / WebLang: Ett Prototypmodelleringsspråk för Web Applikationer : Ett Meta Attack Language baserat Domän Specifikt Språk för Web Applikationer

af Rolén, Mille, Rahmani, Niloofar

January 2023

This project explores how a Meta Attack Language based Domain Specific Language for web applications can be used to threat model web applications in order to evaluate and improve web application security. Organizations and individuals are targeted by cyberattacks every day where malicious actors could gain access to sensitive information. These malicious actors are also developing new and innovative ways to exploit the many different components of web applications. Web applications are becoming more and more complex and the increasingly complex architecture gives malicious actors more components to target with exploits. In order to develop a secure web application, developers have to know the ins and outs of web application components and web application security. The Meta Attack Language, a framework for developing domain specific languages, was recently developed and has been used to create languages for domains such as Amazon Web Services and smart cars but no language previously existed for web applications. This project presents a prototype web application language delimited to the first vulnerability in the top ten list provided by Open Worldwide Application Security Project (OWASP), which is broken access control, and tests it against the OWASP juice shop, which is an insecure web application developed by OWASP to test new tools. Based on the results it is concluded that the prototype can be used to model web application vulnerabilities but more work needs to be done in order for the language to work on any given web application and vulnerability. / Detta projekt utforskar hur ett Meta Attack Language baserat Domän Specifikt Språk för webbapplikationer kan användas för att hotmodellera samt undersöka och förbättra webbapplikationssäkerhet. Organisationer och individer utsätts dagligen för cyberattacker där en hackare kan få tillgång till känslig information. Dessa hackare utverklar nya och innovativa sätt att utnyttja dem många olika komponenterna som finns i webbapplikationer. Webbapplikationer blir mer och mer komplexa och denna ökande komplexa arkitekturen leder till att det finns mer mål för en hackare att utnyttja. För att utveckla en säker webbapplikation måste utvecklare veta allt som finns om webbapplikations komponenter och webbapplikations säkerhet. Meta Attack Language är ett ramverk för att utveckla nya språk för domäner som till exempel Amazon Web Services och smarta fordon men innan detta existerade inget språk för webbapplikationer. Detta projekt presenterar en webbapplikations språk prototyp som är avgränsad till den första sårbarheten i top tio listan av Open Worldwide Application Security Project (OWASP) vilket är broken access control, och testar den mot OWASP juice shop, vilket är en sårbar webapplikation som utveckalts av OWASP för att testa nya verktyg. Baserat på resultaten dras slutsatsen att prototypen kan användas för att modellera webbapplikations sårbarheter men att det behövs mer arbete för att språket ska fungera på vilken webbapplikation och sårbarhet som helst.

Meta Attack Language

Domain Specific Language

OWASP

Attack Simulations

Cyber Attacks

Threat Modelling

OWASP Juice Shop

Broken Access Control

Meta Attack Language

Domän Specifikt Språk

OWASP

Attack Simuleringar

Cyber Attacker

Hotmodellering

OWASP Juice Shop

Broken Access Control

Computer and Information Sciences

Data- och informationsvetenskap

An Investigation of High School Teachers’ Epistemic Beliefs in an Urban District

Montgomery, Richard Thomas, II

January 2014

No description available.

Education

Education Philosophy

Education Policy

Educational Evaluation

Educational Leadership

Educational Psychology

Educational Theory

Epistemology

Pedagogy

Secondary Education

Teacher Education

Teaching

Malleability, obliviousness and aspects for broadcast service attachment

Harrison, William

January 2010

An important characteristic of Service-Oriented Architectures is that clients do not depend on the service implementation's internal assignment of methods to objects. It is perhaps the most important technical characteristic that differentiates them from more common object-oriented solutions. This characteristic makes clients and services malleable, allowing them to be rearranged at run-time as circumstances change. That improvement in malleability is impaired by requiring clients to direct service requests to particular services. Ideally, the clients are totally oblivious to the service structure, as they are to aspect structure in aspect-oriented software. Removing knowledge of a method implementation's location, whether in object or service, requires re-defining the boundary line between programming language and middleware, making clearer specification of dependence on protocols, and bringing the transaction-like concept of failure scopes into language semantics as well. This paper explores consequences and advantages of a transition from object-request brokering to service-request brokering, including the potential to improve our ability to write more parallel software.

service-oriented

aspect-oriented

programming language

middleware

concurrency

Data processing Computer science

Software Architectures (NEW)

Data abstraction (NEW)

Domain-specific architectures (NEW)

Information hiding (NEW)

Language Constructs and Features (E.2)

Abstract data types

Classes and objects (NEW)

Concurrent programming structures

Constraints (NEW)

Control structures

Coroutines

Data types and structures

Dynamic storage management

Frameworks (NEW)

Inheritance (NEW)

Input/output

Modules, packages

Patterns (NEW)

Polymorphism (NEW)

Procedures, functions, and subroutines

Recursion

Well-Formed and Scalable Invasive Software Composition / Wohlgeformte und Skalierbare Invasive Softwarekomposition

Karol, Sven

26 June 2015

Software components provide essential means to structure and organize software effectively. However, frequently, required component abstractions are not available in a programming language or system, or are not adequately combinable with each other. Invasive software composition (ISC) is a general approach to software composition that unifies component-like abstractions such as templates, aspects and macros. ISC is based on fragment composition, and composes programs and other software artifacts at the level of syntax trees. Therefore, a unifying fragment component model is related to the context-free grammar of a language to identify extension and variation points in syntax trees as well as valid component types. By doing so, fragment components can be composed by transformations at respective extension and variation points so that always valid composition results regarding the underlying context-free grammar are yielded. However, given a language’s context-free grammar, the composition result may still be incorrect. Context-sensitive constraints such as type constraints may be violated so that the program cannot be compiled and/or interpreted correctly. While a compiler can detect such errors after composition, it is difficult to relate them back to the original transformation step in the composition system, especially in the case of complex compositions with several hundreds of such steps. To tackle this problem, this thesis proposes well-formed ISC—an extension to ISC that uses reference attribute grammars (RAGs) to specify fragment component models and fragment contracts to guard compositions with context-sensitive constraints. Additionally, well-formed ISC provides composition strategies as a means to configure composition algorithms and handle interferences between composition steps. Developing ISC systems for complex languages such as programming languages is a complex undertaking. Composition-system developers need to supply or develop adequate language and parser specifications that can be processed by an ISC composition engine. Moreover, the specifications may need to be extended with rules for the intended composition abstractions. Current approaches to ISC require complete grammars to be able to compose fragments in the respective languages. Hence, the specifications need to be developed exhaustively before any component model can be supplied. To tackle this problem, this thesis introduces scalable ISC—a variant of ISC that uses island component models as a means to define component models for partially specified languages while still the whole language is supported. Additionally, a scalable workflow for agile composition-system development is proposed which supports a development of ISC systems in small increments using modular extensions. All theoretical concepts introduced in this thesis are implemented in the Skeletons and Application Templates framework SkAT. It supports “classic”, well-formed and scalable ISC by leveraging RAGs as its main specification and implementation language. Moreover, several composition systems based on SkAT are discussed, e.g., a well-formed composition system for Java and a C preprocessor-like macro language. In turn, those composition systems are used as composers in several example applications such as a library of parallel algorithmic skeletons.

Software

Komposition

invasiv

templates

Meta-Programmierung

Schnittstellen

Code-Generierung

generative Softwareentwicklung

Java

Syntaxbaum

Parser

Attributgrammariken

Referenzattributgrammatiken

CPP

C-Preprocessor

Aspektorientierte Programmierung

Wohlgeformtheit

abstrakter Syntaxgraph

macros

Expansion

Kompilierer

Programme

statische Semantik

BPMN

Programmiersprachen

domänenspezifische Sprachen

Sprachkomposition

C

C++

invasive software composition

component

aspects

weaving

correct weaving

well-formedness

attribute grammars

island grammars

SkAT

skeletons

generative programming

metaprogramming

metamodeling

Reuseware

C

C++

Java

JastAdd

JastAddJ

Compilers

RAG

preprocessor

macros

decomposition

code

syntax tree

graphs

templates

grammars

context-sensitive

context-free

COMPOST

EMFText

JastEMF

parsing expression grammars

domain-specific languages

BPMN

embedded languages

language composition

ddc:004

rvk:ST 233

Well-Formed and Scalable Invasive Software Composition

Karol, Sven

18 May 2015

Software components provide essential means to structure and organize software effectively. However, frequently, required component abstractions are not available in a programming language or system, or are not adequately combinable with each other. Invasive software composition (ISC) is a general approach to software composition that unifies component-like abstractions such as templates, aspects and macros. ISC is based on fragment composition, and composes programs and other software artifacts at the level of syntax trees. Therefore, a unifying fragment component model is related to the context-free grammar of a language to identify extension and variation points in syntax trees as well as valid component types. By doing so, fragment components can be composed by transformations at respective extension and variation points so that always valid composition results regarding the underlying context-free grammar are yielded. However, given a language’s context-free grammar, the composition result may still be incorrect. Context-sensitive constraints such as type constraints may be violated so that the program cannot be compiled and/or interpreted correctly. While a compiler can detect such errors after composition, it is difficult to relate them back to the original transformation step in the composition system, especially in the case of complex compositions with several hundreds of such steps. To tackle this problem, this thesis proposes well-formed ISC—an extension to ISC that uses reference attribute grammars (RAGs) to specify fragment component models and fragment contracts to guard compositions with context-sensitive constraints. Additionally, well-formed ISC provides composition strategies as a means to configure composition algorithms and handle interferences between composition steps. Developing ISC systems for complex languages such as programming languages is a complex undertaking. Composition-system developers need to supply or develop adequate language and parser specifications that can be processed by an ISC composition engine. Moreover, the specifications may need to be extended with rules for the intended composition abstractions. Current approaches to ISC require complete grammars to be able to compose fragments in the respective languages. Hence, the specifications need to be developed exhaustively before any component model can be supplied. To tackle this problem, this thesis introduces scalable ISC—a variant of ISC that uses island component models as a means to define component models for partially specified languages while still the whole language is supported. Additionally, a scalable workflow for agile composition-system development is proposed which supports a development of ISC systems in small increments using modular extensions. All theoretical concepts introduced in this thesis are implemented in the Skeletons and Application Templates framework SkAT. It supports “classic”, well-formed and scalable ISC by leveraging RAGs as its main specification and implementation language. Moreover, several composition systems based on SkAT are discussed, e.g., a well-formed composition system for Java and a C preprocessor-like macro language. In turn, those composition systems are used as composers in several example applications such as a library of parallel algorithmic skeletons.

info:eu-repo/classification/ddc/004

ddc:004