Common weaving approach in mainstream languages for software security hardening

•Aspect-oriented approach based on GIMPLE for the systemization of application security hardening is presented.•Semantics and algorithms for matching and weaving in GIMPLE are formalized.•Correctness and completeness of GIMPLE weaving are explored from two different views.•Implementation strategies of the proposed approach together with case studies are introduced.

In this paper, we propose a novel aspect-oriented approach based on GIMPLE, a language-independent and a tree-based representation generated by the GNU Compiler Collection (GCC), for the systemization of application security hardening. The security solutions are woven into GIMPLE representations in a systematic way, eliminating the need for manual hardening that might generate a considerable number of errors. To achieve this goal, we present a formal specification for GIMPLE weaving and the implementation strategies of the proposed weaving semantics. Syntax for a common aspect-oriented language that is abstract and multi-language support together with syntax for a core set for GIMPLE constructs are presented to express the weaving semantics. GIMPLE weaving accompanied by a common aspect-oriented language (1) allows security experts providing security solutions using this common language, (2) lets developers focus on the main functionality of programs by relieving them from the burden of security issues, (3) unifies the matching and the weaving processes for mainstream languages, and (4) facilitates introducing new security features in AOP languages. We handle the correctness and the completeness of GIMPLE weaving in two different ways. In the first approach, we prove them according to the rules and algorithms provided in this paper. In the second approach, we accommodate Kniesel's discipline that ensures that security solutions specified by our approach are applied at all and only the required points in source code, taking into consideration weaving interactions and interferences. Finally, we explore the viability and the relevance of our propositions by applying the defined approach for systematic security hardening to develop case studies.