20120709 cyber patterns2012

Extending AOP Principles for the Description of Network Security Patterns
David Llewellyn-Jones, Qi Shi, Madjid Merabti
Cyberpatterns 2012, Abingdon, Oxfordshire, UK, 10th July 2012
PROTECT Research Centre for Critical Infrastructure Computer Technology and Protection
School of Computing and Mathematical Sciences
Liverpool John Moores University, Byrom Street, Liverpool L3 3AF, UK
Email: D.Llewellyn-Jones@ljmu.ac.uk
Web: http://www.ljmu.ac.uk/cmp/

Upload: aniketos-eu-fp7-project

Post on 19-Jun-2015


Page 1: 20120709 cyber patterns2012

Extending AOP Principles for the Description of Network Security Patterns

David Llewellyn-Jones, Qi Shi, Madjid Merabti
Cyberpatterns 2012, Abingdon, Oxfordshire, UK, 10th July 2012

PROTECT Research Centre for Critical Infrastructure Computer Technology and Protection
School of Computing and Mathematical Sciences
Liverpool John Moores University, Byrom Street, Liverpool L3 3AF, UK
Email: D.Llewellyn-Jones@ljmu.ac.uk
Web: http://www.ljmu.ac.uk/cmp/

Page 2: 20120709 cyber patterns2012

Overview

• Aspect Oriented Programming
• Security concerns
• Specifying network security point-cuts
  – Requirements
  – Examples
  – Language
• Application Example
• Conclusion

Page 3: 20120709 cyber patterns2012

• Ensuring Trustworthiness and Security in Service Composition

• http://www.aniketos.eu/

• The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant no 257930 (Aniketos)

Page 4: 20120709 cyber patterns2012

• Monitoring; trust and security analysis; recomposition and adaptation

Page 5: 20120709 cyber patterns2012

Aspect Oriented Programming

• Programming or development paradigm
• Object Oriented Programming
  – Encapsulates related data and functionality all in one place
  – Hierarchical classes
    • Inheritance
    • Generalisation
    • Class attribute
  – Hard to capture cross-cutting concerns

Page 6: 20120709 cyber patterns2012

Cross-Cutting Concerns

Page 7: 20120709 cyber patterns2012

Aspect Oriented Programming

• Orthogonal to Object Oriented Programming

• Cross-Cutting Concerns
  – Similar functionality
  – Multiple places throughout
• Example
  – Data logging

Page 8: 20120709 cyber patterns2012

Security Concerns

• Security
  – Classic cross-cutting concern
  – Apply in many places throughout code
  – Requires consistent approach
• Examples
  – Authorisation
  – Access control
  – Data tagging

Page 9: 20120709 cyber patterns2012

AOP Glossary

• Aspect
  – The feature to be added
• Join-Point
  – Potential
• Point-Cut
  – Actual
• Advice
  – Code to be injected
• Aspect weaving
  – The process of adding advice to code

Page 10: 20120709 cyber patterns2012

Join-Points

• Join-points
  – Method calls
  – Initialisation
  – Get/set
• Application
  – Before
  – After
  – Around
• Dictates power of AOP technique

Page 11: 20120709 cyber patterns2012

Join-Point Example

<pointcut_definition id="c1">
  <time>after</time>
  <joinpoint_type>
    <constructorcall>
      <constructor_signature>
        <qualified_class_name>
          <namespace><type_name>*</type_name></namespace>
          <class><identifier_name>FormCipher</identifier_name></class>
        </qualified_class_name>
      </constructor_signature>
    </constructorcall>
  </joinpoint_type>
</pointcut_definition>

<advice_definition idAdvice="DandelionAspectAddClient" idTypeOfInjection="StaticInjection">
  <assembly>Gryffindor.Aspect.Dandelion.dll</assembly>
  <type>Gryffindor.Aspect.Dandelion.DandelionAspect</type>
  <behaviour>AddEncrypter</behaviour>
  <priority>1</priority>
  <pointcut_definitionRef idRef="c1"/>
</advice_definition>

Page 12: 20120709 cyber patterns2012

Reflection

• Aspects can be inserted at compile time
  – Static aspect weaving
• Introspection
  – Allow analysis of code at runtime
• Intercession
  – Allow code to be altered at runtime
  – Insert new code, redefine language
• Allows aspects inserted at runtime
  – Dynamic aspect weaving

Page 13: 20120709 cyber patterns2012

Network Security

• Ideal, in theory
  – Apply aspects to services at runtime
  – Improve security based on dynamic composition and policy
• Problematic, in practice
  – Point-cuts apply to single codebase
  – Applied universally
  – Distributed systems need different but related techniques in different places

Page 14: 20120709 cyber patterns2012

Encryption Aspects

• Often need to apply to multiple systems
  – Different related aspects
  – Not naturally covered by existing join-point definition languages
• Need language to define this

[Diagram labels: Encrypt, Decrypt, Communication]

Page 15: 20120709 cyber patterns2012

Join-Point Language Requirements

1. Capture sequences of more than two systems

2. Match multiple sets of networked systems

3. Be determinate

4. Based on code and relationship between systems

5. Aspect code related to join-point and existing code

Page 16: 20120709 cyber patterns2012

Secure Data Forwarding

[Diagram: nodes labelled H and L]

Page 17: 20120709 cyber patterns2012

End-to-End Security

[Diagram: nodes labelled A and B]

Page 18: 20120709 cyber patterns2012

Separation of Duty

[Diagram: nodes labelled A and B]

Page 19: 20120709 cyber patterns2012

Patterns

• We aim to define a language for defining patterns

• Combine with existing in-code join-point definitions

• Allow complex relationships between networked systems to be defined

• Both global and distributed application

Page 20: 20120709 cyber patterns2012

Multiple Join-Point Definition

• Notation

services

property descriptions

aspects

states

sets of properties

sets of property, action pairs

Page 21: 20120709 cyber patterns2012

Patterns

• Single template

• Pattern of templates

$(a, x_I, x_O, x_I, x_O) \in A \times 2^P \times A \times 2^P \times A \times 2^P \times 2^P = T$

$f : P \times S \longrightarrow 2^T \times S$

Page 22: 20120709 cyber patterns2012

Secure Data Forwarding

[Diagram: nodes labelled H and L]

Page 23: 20120709 cyber patterns2012

End-to-End Security

[Diagram: nodes labelled A and B]

where and

Page 24: 20120709 cyber patterns2012

Separation of Duty

[Diagram: nodes labelled A and B]

where

Page 25: 20120709 cyber patterns2012

AOP Applied to Security

• Client-Server chat application
  – Cleartext communication
• Encryption/Decryption service
• Aspects re-route data flow
  – Different aspects for client and server

Miguel García, David Llewellyn-Jones, Francisco Ortin, Madjid Merabti, "Applying dynamic separation of aspects to distributed systems security: a case study", IET Software, Volume 6, Issue 3, pp. 165-282, June 2012.

[Diagram label: Communication]
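The chat example above, sketched as an added illustration (not code from the slides or the cited paper): a point-cut pattern is matched against chains of linked services and a different but related aspect is woven into each position at runtime. The `Service` class, the `chat-client`/`chat-server` property names, the list-of-templates pattern form and `toy_cipher` are all hypothetical simplifications, not the talk's formal language.

```python
import hashlib
KEY = b"constructed-demo-key"  # constructed sample value

def toy_cipher(data: bytes) -> bytes:
    """Toy XOR keystream (self-inverse); a stand-in for a real cipher, not for real use."""
    stream = b"".join(hashlib.sha256(KEY + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Service:  # hypothetical networked service: name, property descriptions, outgoing links
    def __init__(self, name, props):
        self.name, self.props, self.links, self.wire = name, set(props), [], []
    def send(self, peer, data):
        peer.wire.append(data)  # what an observer on the network sees
        return peer.receive(data)
    def receive(self, data):
        return data

def weave_before(service, method, advice):
    """Dynamic weaving: wrap one join-point on one service instance with 'before' advice."""
    original = getattr(service, method)
    setattr(service, method, lambda *args: original(*advice(*args)))

# One (required properties, advice) template per position in a chain of linked services.
PATTERN = [
    ({"chat-client"}, lambda s: weave_before(s, "send", lambda peer, d: (peer, toy_cipher(d)))),
    ({"chat-server"}, lambda s: weave_before(s, "receive", lambda d: (toy_cipher(d),))),
]

def match(services, pattern, chain=()):
    """All chains of linked services satisfying the pattern, in determinate (sorted) order."""
    if len(chain) == len(pattern):
        return [chain]
    candidates = sorted(chain[-1].links if chain else services, key=lambda s: s.name)
    return [m for s in candidates if pattern[len(chain)][0] <= s.props and s not in chain
            for m in match(services, pattern, chain + (s,))]

def apply_pattern(services, pattern):
    """Weave each position's advice once per service, however many chains contain it."""
    matches = match(services, pattern)
    for pos, (_, advise) in enumerate(pattern):
        for svc in {chain[pos] for chain in matches}:
            advise(svc)
    return [[s.name for s in chain] for chain in matches]

def demo():
    c1, c2 = Service("client1", ["chat-client"]), Service("client2", ["chat-client"])
    srv = Service("server", ["chat-server"])
    c1.links, c2.links = [srv], [srv]
    matched = apply_pattern([c1, c2, srv], PATTERN)
    return matched, c1.send(srv, b"hello"), srv.wire[-1]
```

The server appears in both matched chains but its decrypt advice is woven only once; weaving it per match would decrypt twice and corrupt every message.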

Page 26: 20120709 cyber patterns2012

AOP Applied to Security

[Diagram label: Communication]

Page 27: 20120709 cyber patterns2012

Discussion

• Why choose this method?
  – Flexibility
  – Aim for all computable sets of networks
  – Distributed or centralised
• Practical application
  – Definition and aspects still to be combined
• Challenges
  – Difficult to define
  – Aspects are specialised, not generalised

Page 28: 20120709 cyber patterns2012

Future Work

• Practical
  – Restatement in XML format
  – Integrate with join-point definition language
  – Reason and apply to real code
• Theoretical
  – Measure expressivity of the language
  – Formalise currently unspecified aspects
  – Define security patterns

Page 29: 20120709 cyber patterns2012

Conclusion

• Security is a cross-cutting concern
• Existing AOP point-cuts are not designed for networked systems
• A way of relating aspects to distributed systems is needed for security
• Propose initial method for defining point-cut patterns