Extending AOP Principles for the Description of Network Security Patterns
David Llewellyn-Jones, Qi Shi, Madjid Merabti
Cyberpatterns 2012, Abingdon, Oxfordshire, UK, 10th July 2012
PROTECT
Research Centre for Critical Infrastructure Computer Technology and Protection
School of Computing and Mathematical Sciences
Liverpool John Moores University, Byrom Street, Liverpool L3 3AF, UK
Email: [email protected]
http://www.ljmu.ac.uk/cmp/
Overview
• Aspect Oriented Programming
• Security concerns
• Specifying network security point-cuts
  – Requirements
  – Examples
  – Language
• Application Example
• Conclusion
• Ensuring Trustworthiness and Security in Service Composition
• http://www.aniketos.eu/
• The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant no 257930 (Aniketos)
• Monitoring; trust and security analysis; recomposition and adaptation
Aspect Oriented Programming
• Programming or development paradigm
• Object Oriented Programming
  – Encapsulates related data and functionality all in one place
  – Hierarchical classes
    • Inheritance
    • Generalisation
    • Class attribute
  – Hard to capture cross-cutting concerns
Cross-Cutting Concerns
Aspect Oriented Programming
• Orthogonal to Object Oriented Programming
• Cross-Cutting Concerns
  – Similar functionality
  – Multiple places throughout
• Example
  – Data logging
Security Concerns
• Security
  – Classic cross-cutting concern
  – Apply in many places throughout code
  – Requires consistent approach
• Examples
  – Authorisation
  – Access control
  – Data tagging
AOP Glossary
• Aspect
  – The feature to be added
• Join-Point
  – Potential
• Point-Cut
  – Actual
• Advice
  – Code to be injected
• Aspect weaving
  – The process of adding advice to code
Join-Points
• Join-points
  – Method calls
  – Initialisation
  – Get/set
• Application
  – Before
  – After
  – Around
• Dictates power of AOP technique
Join-Point Example
<pointcut_definition id="c1">
  <time>after</time>
  <joinpoint_type>
    <constructorcall>
      <constructor_signature>
        <qualified_class_name>
          <namespace><type_name>*</type_name></namespace>
          <class><identifier_name>FormCipher</identifier_name></class>
        </qualified_class_name>
      </constructor_signature>
    </constructorcall>
  </joinpoint_type>
</pointcut_definition>
<advice_definition idAdvice="DandelionAspectAddClient" idTypeOfInjection="StaticInjection">
  <assembly>Gryffindor.Aspect.Dandelion.dll</assembly>
  <type>Gryffindor.Aspect.Dandelion.DandelionAspect</type>
  <behaviour>AddEncrypter</behaviour>
  <priority>1</priority>
  <pointcut_definitionRef idRef="c1"/>
</advice_definition>
Reflection
• Aspects can be inserted at compile time
  – Static aspect weaving
• Introspection
  – Allow analysis of code at runtime
• Intercession
  – Allow code to be altered at runtime
  – Insert new code, redefine language
• Allows aspects inserted at runtime
  – Dynamic aspect weaving
Network Security
• Ideal, in theory
  – Apply aspects to services at runtime
  – Improve security based on dynamic composition and policy
• Problematic, in practice
  – Point-cuts apply to single codebase
  – Applied universally
  – Distributed systems need different but related techniques in different places
Encryption Aspects
• Often need to apply to multiple systems
  – Different related aspects
  – Not naturally covered by existing join-point definition languages
• Need language to define this
[Figure: diagram labels Encrypt, Decrypt, Communication]
Join-Point Language Requirements
1. Capture sequences of more than two systems
2. Match multiple sets of networked systems
3. Be determinate
4. Based on code and relationship between systems
5. Aspect code related to join-point and existing code
Secure Data Forwarding
[Figure: diagram with nodes labelled H and L]
End-to-End Security
[Figure: diagram with nodes labelled A and B]
Separation of Duty
[Figure: diagram with nodes labelled A and B]
Patterns
• We aim to define a language for defining patterns
• Combine with existing in-code join-point definitions
• Allow complex relationships between networked systems to be defined
• Both global and distributed application
Multiple Join-Point Definition
• Notation
services
property descriptions
aspects
states
sets of properties
sets of property, action pairs
Patterns
• Single template
• Pattern of templates
$(a, x_I, x_O, x_I, x_O) \in A \times 2^P \times A \times 2^P \times A \times 2^P \times 2^P = T$
$f : P \times S \longrightarrow 2^T \times S$
Secure Data Forwarding
[Figure: diagram with nodes labelled H and L]
End-to-End Security
[Figure: diagram with nodes labelled A and B]
where and
Separation of Duty
[Figure: diagram with nodes labelled A and B]
where
• Client-Server chat application
  – Cleartext communication
• Encryption/Decryption service
• Aspects re-route data flow
  – Different aspects for client and server
Miguel García, David Llewellyn-Jones, Francisco Ortin, Madjid Merabti, "Applying dynamic separation of aspects to distributed systems security: a case study", IET Software, Volume 6, Issue 3, pp. 165-282, June 2012.
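The idea behind the encryption-aspect and chat-application slides, as an added sketch that is not code from the talk or the cited paper: a pattern is matched over a set of networked services, and each matched end receives a different but related aspect. The topology, property names, the `match`/`run_chat` helpers and the base64 stand-in for the cipher are all assumptions made for illustration.

```python
# Added example: topology, property names and the codec are constructed.
import base64

# service -> (set of properties, services it sends to)
NETWORK = {
    "client": ({"chat_source"}, ["relay"]),
    "relay": ({"forwarder"}, ["server", "audit"]),
    "server": ({"chat_sink"}, []),
    "audit": ({"forwarder"}, []),
}
# Pattern: one template per end of the path, as (required properties, aspect).
END_TO_END = (({"chat_source"}, "encrypt"), ({"chat_sink"}, "decrypt"))
# Stand-in transforms so the weave is observable; base64 is NOT encryption.
ADVICE = {
    "encrypt": lambda handler: lambda msg: handler(base64.b64encode(msg)),
    "decrypt": lambda handler: lambda msg: handler(base64.b64decode(msg)),
}

def paths_from(net, node, seen=()):
    """Yield every cycle-free path that starts at node."""
    seen += (node,)
    yield seen
    for nxt in net[node][1]:
        if nxt not in seen:
            yield from paths_from(net, nxt, seen)

def match(net, pattern):
    """Return (path, {service: aspect}) matches in a determinate order."""
    (src, src_aspect), (dst, dst_aspect) = pattern
    hits = []
    for start in sorted(s for s in net if src <= net[s][0]):
        for path in paths_from(net, start):
            if len(path) > 1 and dst <= net[path[-1]][0]:
                hits.append((path, {path[0]: src_aspect, path[-1]: dst_aspect}))
    return sorted(hits, key=lambda hit: hit[0])

def run_chat(msg):
    """Weave the first match and return what each service on the path handled."""
    path, assignment = match(NETWORK, END_TO_END)[0]
    seen, woven = {}, {}
    def hop(name, nxt):
        def handler(data):  # unmodified service code: record, then forward
            seen[name] = data
            return woven[nxt](data) if nxt else data
        return handler
    for name, nxt in zip(path, path[1:] + (None,)):
        plain = hop(name, nxt)
        woven[name] = ADVICE[assignment[name]](plain) if name in assignment else plain
    woven[path[0]](msg)
    return seen

if __name__ == "__main__":
    print(match(NETWORK, END_TO_END))
    print(run_chat(b"hello"))
```

The relay is on the matched path but receives no aspect, so it only ever handles the transformed bytes, while the `audit` branch is never matched because it lacks the sink property.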
AOP Applied to Security
[Figure: diagram label Communication]
Discussion
• Why choose this method?
  – Flexibility
  – Aim for all computable sets of networks
  – Distributed or centralised
• Practical application
  – Definition and aspects still to be combined
• Challenges
  – Difficult to define
  – Aspects are specialised, not generalised
Future Work
• Practical
  – Restatement in XML format
  – Integrate with join-point definition language
  – Reason and apply to real code
• Theoretical
  – Measure expressivity of the language
  – Formalise currently unspecified aspects
  – Define security patterns
Conclusion
• Security is a cross-cutting concern
• Existing AOP point-cuts are not designed for networked systems
• A way of relating aspects to distributed systems is needed for security
• Propose initial method for defining point-cut patterns