Computer Security Laboratory by qtp78691


Security Crosscutting Concerns and AspectJ

      Dima Alhadidi (dm_alhad@cs.concordia.ca)
      Nadia Belblidia (na_bel@ciise.concordia.ca)
     Mourad Debbabi (debbabi@ciise.concordia.ca)

Concordia Institute for Information Systems Engineering
Concordia University

This research is funded by NSERC (Natural Sciences and Engineering Research
Council of Canada) DND (Department of National Defence) grant in collaboration
with Bell Canada and DRDC (Defence Research and Development Canada) at Valcartier.

                    Overview
•   Introduction

•   AOP Security Appropriateness

•   AspectJ and Security

       Dataflow Pointcut
       Predicted Control Flow Pointcut
       Loop Pointcut
       Pattern Matching Wildcard
       Type Pattern Modifiers
       Local Variables Set and Get
       Synchronized Block Joinpoint

•   Conclusion




                Introduction
• Application security hardening has become a priority and
one of the fastest growing fields in the IT market today.

• A legitimate question to ask is:
“What is the most appropriate computation style or
paradigm for security hardening?”
A natural answer is: Aspect Oriented Programming
(AOP).

• Another question:
“What is the most appropriate AOP model for security
hardening?”
The pointcut-advice model is the most appropriate.

                     Introduction


In this paper, we present:

  • An AOP Security Appropriateness Analysis.

  • An assessment of AspectJ (the best-known AOP
    language based on the pointcut-advice model) from
    a security hardening perspective:

           Are AspectJ primitives expressive enough to formulate all the
           common security hardening practices?

           If the answer is negative, what new constructs need to be
           proposed?




               AOP Security Appropriateness

Approach:

•   Pointcut-Advice Model (AspectJ, AspectC, AspectC++): GOOD BUT …

•   Multiple separation of concerns (HyperJ [Tarr, Ossher 2000]): INAPPROPRIATE

       Works at the method granularity.
       Cannot operate within a method body.
       Does not offer pulling apart of code within method bodies.

•   Adaptive programming (Demeter C++ [Lieberherr team, Northeastern
    University 1989-1996]): INAPPROPRIATE

       Adaptive programming is concerned with a loose coupling between
       structure and behaviour.
       It is unable, for example, to replace a method with a more secure
       one in an application.



                AspectJ and Security


•   The current constructs in AspectJ are of great use in security
    hardening.

•   Three kinds of advice: before, after, and around.

•   AspectJ has a comprehensive and expressive pointcut
    specification language that allows specifying particular points
    in the control flow of the program: method call/execution,
    constructor call, field read/write…

•   These constructs are not enough to express all security
    hardening practices.




                    Dataflow Pointcut


•   Masuhara and Kawauchi defined a dataflow pointcut for
    security purposes to resolve the problem of XSS.

•   The following example is another one to clarify the
    importance of such a pointcut from a security perspective.

         OpenFile
         //Actions other than OpenFile, ReadFile, or Send
         ReadFile
         //Actions other than OpenFile, ReadFile, or Send
         //Before-Advice with a dataflow pointcut to test
         // if the data that will be sent depends on the information read
         // from the file.




            Predicted Control Flow Pointcut

•   Kiczales proposed the predicted control flow pointcut pcflow but
    this pointcut has not been implemented yet.

•   A pointcut pcflow(p) matches at a join point if there may exist a
    path to another join point where p matches.

•   Example: draw some charts for security-important parameters
    such as file activity, registry activity, or network traffic. These
    charts can be analyzed to discover if something wrong happens.

         pointcut* displayState( ):
         pcflow(execution(void SecurityElement+.draw( ))) &&
         get(* SecurityElement+.*);
         after set(<displayState( )>)( ): { Display.update( );
         // Take an action according to the type of the change
         }
                     Loop Pointcut


•   Malicious-code writers exploit infinite loops to do their nefarious
    jobs by launching denial-of-service attacks.

•   Halting the web browser is an example of a denial-of-service
    attack: it is done by running code that opens a dialog window an
    infinite number of times.

•   AspectJ must include mechanisms to predict the existence of
    such infinite loops and then ask the user whether she wants to
    continue with this work or not.




           Pattern Matching Wildcard


•   Although pattern matching can be done in plain AspectJ, it is
    better to do it in a declarative manner to simplify the code.

•   Viruses always inject themselves inside executable files by
    opening and writing to such files.

•   We suggest another way that uses the same notation as SQL,
    such as the like keyword and the “%” character, to ease the burden
    on the user and simplify the code.

    pointcut p(): call(FileWriter.new(String like "%exe%", String));
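
What the "plain AspectJ" route looks like today, as an added example that is not from the slides: the SQL-style match has to be moved into an if() residue that runs Java code. The aspect name, the helper names and the choice to throw SecurityException are assumptions made for illustration; likeToRegex goes beyond the slide's single "%exe%" case and accepts any pattern built from % and _.

```aspectj
import java.io.FileWriter;
import java.util.regex.Pattern;

// Added example (hypothetical names): plain-AspectJ equivalent of the
// proposed  call(FileWriter.new(String like "%exe%", ...)).
public aspect ExecutableWriteGuard {

    // Translate a SQL LIKE pattern ('%' = any run, '_' = one char) to a
    // regex, quoting everything else so '.' or '\' in a path stay literal.
    static Pattern likeToRegex(String like) {
        StringBuilder re = new StringBuilder();
        StringBuilder literal = new StringBuilder();
        for (char c : like.toCharArray()) {
            if (c == '%' || c == '_') {
                if (literal.length() > 0) {
                    re.append(Pattern.quote(literal.toString()));
                    literal.setLength(0);
                }
                re.append(c == '%' ? ".*" : ".");
            } else {
                literal.append(c);
            }
        }
        if (literal.length() > 0) {
            re.append(Pattern.quote(literal.toString()));
        }
        return Pattern.compile(re.toString(), Pattern.DOTALL);
    }

    // Compiled once; stands in for the declarative  String like "%exe%".
    private static final Pattern EXE = likeToRegex("%exe%");

    static boolean like(String value, Pattern pattern) {
        return value != null && pattern.matcher(value).matches();
    }

    // Static part: any FileWriter constructor whose first argument is a
    // path string. Dynamic part: the if() test on the bound argument.
    pointcut writesExecutable(String path):
        call(FileWriter.new(String, ..)) && args(path, ..)
        && if(like(path, EXE));

    before(String path): writesExecutable(path) {
        throw new SecurityException(
            "write to executable-like path refused: " + path);
    }
}
```

The pointcut covers only the String-path constructors of FileWriter; a complete policy would also have to cover the File-based constructors and the other file-writing classes.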




                     Type Pattern Modifiers
•   The syntax of every pattern contains the ModifiersPat keyword,
    except the type pattern syntax.

•   Modifiers are also needed in type patterns.

         import java.io.*;

         public class Sensitive
         {
             private String sensitiveInfo;

             // Public method of a public class that exposes the data
             public void f( ) {
                 //...
                 System.out.println(sensitiveInfo);
                 //...
             }
         }

•   Users of such public classes must be authenticated, which calls for a
    public modifier pattern in the type pattern syntax to pick out public
    classes only.
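
Without a modifier in the type pattern, the class-level public test has to be done at run time. The following added example (not from the slides) does it in an if() residue over the join point's static part; the aspect name, the app.data package scope and the ThreadLocal login state are assumptions standing in for a real application and its authentication mechanism.

```aspectj
import java.lang.reflect.Modifier;

// Added example (hypothetical names): require authentication before any
// public method of a public class under the assumed package app.data.
public aspect PublicTypeAuthentication {

    // Stand-in for the application's real authentication state.
    private static final ThreadLocal<String> currentUser =
        new ThreadLocal<String>();

    public static void login(String user) { currentUser.set(user); }
    public static void logout()           { currentUser.remove(); }

    // True only if the type and every enclosing type is public, so a
    // public class nested in a package-private one is not counted.
    static boolean isPublicType(Class<?> type) {
        for (Class<?> c = type; c != null; c = c.getEnclosingClass()) {
            if (!Modifier.isPublic(c.getModifiers())) {
                return false;
            }
        }
        return true;
    }

    // Method patterns accept 'public'; type patterns do not, so the
    // class modifier is checked reflectively instead of declaratively.
    pointcut publicApiOfPublicType():
        execution(public * app.data..*.*(..))
        && if(isPublicType(
               thisJoinPointStaticPart.getSignature().getDeclaringType()));

    before(): publicApiOfPublicType() {
        if (currentUser.get() == null) {
            throw new SecurityException("authentication required: "
                + thisJoinPointStaticPart.getSignature().toShortString());
        }
    }
}
```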



            Local Variables Set and Get


•   AspectJ allows picking out joinpoints where attributes are
    referenced or assigned through the get and set designators, but it
    does not provide similar pointcuts for local variables defined
    inside methods.

•   Security debuggers may need to track the values of local
    variables inside methods.

•   AOP can be used to perform code instrumentation by inserting
    checks before or after getting or setting local variables.




          Synchronized Block Joinpoint

•   The synchronized block has not been treated yet in AspectJ
    or in any other AOP framework.

•   The importance of joinpoints for synchronized code was
    discussed by Borner for thread management.

•   Example:

         Suppose a synchronized block launches a denial-of-
       service attack by containing code that eats the CPU
       cycles.
         It is essential to have a joinpoint at the beginning of
       the synchronized block to limit the CPU usage or limit
       the number of instructions that can run.




    Conclusion and Future Work


•   AspectJ must benefit from new concepts
    related to pointcut definition in order to express
    some security hardening practices.

•   In the future, we plan to give implementation
    solutions to these proposed concepts.



