Aspect Security - RaviShekhar Gopalan - Prof. Lieberherr Software Security (CSG379)

Upload: clarence-hopkins

Post on 18-Jan-2018


DESCRIPTION

Topics: Short Security Overview; Motivation for this project; What is this project?; Implementation; Future Work; References

TRANSCRIPT

Page 1: Aspect Security - RaviShekhar Gopalan - Prof. Lieberherr Software Security (CSG379)

Aspect Security

- RaviShekhar Gopalan

- Prof. Lieberherr

Software Security (CSG379)

Page 2:

Topics Covered

Page 3:

Topics

- Short Security Overview
- Motivation for this project
- What is this project?
- Implementation
- Future Work
- References

Page 4:

Security Overview

Page 5:

Security in Software Engineering

- A non-functional requirement
- Applied as a patch at the end of SDLC
- Not a design-consideration
- Preference for non-invasive techniques
- Not a prime focus during development
- Leads to a disconnection between development and “security” cycle

Page 6:

Types of Security

- Domain Level Security
  - Is dependent on an application
  - Similar to Business Rules
  - Security policies, ACLs – Non-invasive
  - Store them as rules in config files
  - E.g. XML files in J2EE
- Provided by language
  - Not the focus anywhere

This project is about improvements to the security features provided by the language

Page 7:

Security provided by the language

- Language should provide features for security
- Similar to “public”, “private” there should be some “const” keyword similar to C++
- Every method should declare its behavior
- E.g., we might have a new set of keywords
  - Immutable
  - Inspector
  - Mutator

Page 8:

Motivation

Page 9:

Enter AOP!

- Security loopholes may not be intentional
- Bug fixes may introduce security bugs
- More so with AOP (compartmentalization)
- Right time to correct in AOP whatever was not done in OOP
- Since AOP is still in its infancy, a security focus can be imbibed

Page 10:

Aspect Security

- Aspects are powerful.
- Need a controlled & safe way of aspect oriented development
- Need a stronger safety net than normal languages

Page 11:

Simple Demo !!

Page 12:

What is this project?

Page 13:

Ideally, ….

- Ideally, language should provide features for security
- Every method should declare its behavior
- If not, metadata will have to be used.

Page 14:

Requirements??

At the least, compiler should

- Warn if it can determine whether a possible security breach exists
- There exist possible loopholes which can be exploited in the future
- Guard against these by putting dynamic checks in place

This is a bit ambitious, but not too much.

Page 15:

What is a Secure Aspect?

- A secure aspect is an aspect which is secure
- For object-oriented programs, an aspect should not
  - interfere with the OO part of the system
  - modify behavior of the object which it is trying to influence.
  - modify data of the object which it is trying to influence.

Page 16:

What should a secure aspect do?

A secure aspect should

- Add behavior at a join point
- Add checks for certain conditions
- Basically be an inspector

Page 17:

What should a secure aspect not do?

A secure aspect should not

- Modify an object’s behavior at any join point
- Modify an object’s data at any join point
- Change an object’s hierarchy if the object is not open to change (……)

Page 18:

Implementation

Page 19:

How to do it?

- In order to determine the security aspects statically, step in at compile time and influence the compiler with our security rules
- Security rules can be hard-coded or kept in some XML file
- Rules in an XML file require development of a separate language syntax and its validation

Page 20:

Aspect Bench Compiler

- abc compiler from Oxford University
- Chosen because it is open-source
- Open and easy to extend
- Gives extension-writers the AST in objects which are easier to manipulate

Page 21:

abc Architecture

Page 22:

abc Modification Point

Page 23:

Proposed Change

Compiler Front End

Aspect Checker

Static Weaving

Page 24:

Proof of Concept

Aspect Checker checks aspects before weaving

For this PoC, I am checking whether an aspect calls a setter method of the main class

Page 25:

Aspect Checker

Main BankAccount::initialize()

Set Account Id to 0

Aspect
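
The proof-of-concept check above, sketched as an added example (not the author's abc extension, which works on the compiler's AST): a Python scanner that reads AspectJ source text before weaving and reports advice that calls a setter on a bound object of a protected class. The sample aspects, the `setAccountId`/`getAccountId` names, and the function names are assumptions constructed for illustration.

```python
import re

# Constructed AspectJ input (not from the slides): one advice mutates the
# BankAccount it is bound to, the other only inspects it.
SAMPLE = """
public aspect ResetAccount {
    after(BankAccount acct): execution(void BankAccount.initialize()) && this(acct) {
        acct.setAccountId(0);
    }
}
public aspect AuditAccount {
    after(BankAccount acct): execution(void BankAccount.initialize()) && this(acct) {
        System.out.println("initialized " + acct.getAccountId());
    }
}
"""

ASPECT_RE = re.compile(r"\baspect\s+(\w+)[^{]*\{")
ADVICE_RE = re.compile(r"\b(before|after|around)\s*\(([^)]*)\)[^{;]*\{")

def block_end(src, open_idx):
    """Return the index just past the '}' matching the '{' at open_idx.
    Simplification: braces inside string literals or comments are not handled."""
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return i + 1
    raise ValueError("unbalanced braces")

def check_aspects(src, protected):
    """List (aspect, advice kind, variable, setter) for every setter call that an
    advice makes on a parameter whose declared type is in `protected`."""
    findings = []
    for asp in ASPECT_RE.finditer(src):
        aspect_body = src[asp.end() - 1:block_end(src, asp.end() - 1)]
        for adv in ADVICE_RE.finditer(aspect_body):
            body = aspect_body[adv.end() - 1:block_end(aspect_body, adv.end() - 1)]
            params = [p.split() for p in adv.group(2).split(",")]
            bound = [p[1] for p in params if len(p) == 2 and p[0] in protected]
            for var in bound:
                pat = r"\b%s\s*\.\s*(set[A-Z]\w*)\s*\(" % re.escape(var)
                findings += [(asp.group(1), adv.group(1), var, m.group(1))
                             for m in re.finditer(pat, body)]
    return findings

if __name__ == "__main__":
    for finding in check_aspects(SAMPLE, {"BankAccount"}):
        print("REJECT %s: %s advice calls %s.%s()" % finding)
```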

Page 26:

Design of Aspect Checker

GlobalAspectChecker

BankAccountChecker BankChecker

AspectInfo

abc Compiler

AccountChecker

IndividualCheckers

Page 27:

Demo of Aspect Checker

Page 28:

Future Work

Page 29:

Future Work

- Handle inter-type declarations
- Handle weaving of aspect-checking code
- Finalize design of AspectChecker

Page 30:

References

Page 31:

References

- Building the abc AspectJ compiler with Polyglot and Soot – abc Technical Report No. abc-2004-2
- abc: An extensible AspectJ compiler – abc Technical Report No. abc-2004-1
- The abc scanner and parser, including an LALR(1) grammar for AspectJ

Page 32:

Thank You!!