Computer Security Laboratory

Security Crosscutting Concerns and AspectJ

Dima Alhadidi
Nadia Belblidia
Mourad Debbabi

Concordia Institute for Information Systems Engineering
Concordia University

This research is funded by an NSERC (Natural Sciences and Engineering Research Council of Canada) / DND (Department of National Defence) grant in collaboration with Bell Canada and DRDC (Defence Research and Development Canada) at Valcartier.
•   Introduction

•   AOP Security Appropriateness

•   AspectJ and Security

       Dataflow Pointcut
       Predicted Control Flow Pointcut
       Loop Pointcut
       Pattern Matching Wildcard
       Type Pattern Modifiers
       Local Variables Set and Get
       Synchronized Block Join Point

•   Conclusion

• Application security hardening has become a priority and
  one of the fastest growing fields in the IT market today.

• A legitimate question to ask is:
  "What is the most appropriate computation style or
  paradigm for security hardening?"
  A natural answer is: Aspect-Oriented Programming (AOP).

• Another question:
  "What is the most appropriate AOP model for security
  hardening?"
  The pointcut-advice model is the most appropriate.


In this paper, we present:

  • An AOP Security Appropriateness Analysis.

  • An assessment of AspectJ (the best-known AOP
    language based on the pointcut-advice model) from
    a security hardening perspective:

           Are AspectJ primitives expressive enough to formulate all the
           common security hardening practices?

           If the answer is negative, what new constructs need to be
           proposed?

               AOP Security Appropriateness

  Pointcut-Advice Model (AspectJ, AspectC, AspectC++): GOOD BUT ...

  Multiple separation of concerns (HyperJ [Tarr, Ossher 2000]): INAPPROPRIATE
     • Works at the method level and cannot operate within a method body.
     • Does not offer pulling apart of code within method bodies.

  Adaptive programming (Demeter C++ [Lieberherr team, Northeastern University 1989-1996]): INAPPROPRIATE
     • Adaptive programming is concerned with loose coupling between structure and behaviour.
     • It is unable, for example, to replace a method with a more secure one in an application.

                AspectJ and Security

•   The current constructs in AspectJ are of great use in security.

•   Three kinds of advice: before, after, or around advice.

•   AspectJ has a comprehensive and expressive pointcut
    specification language that allows one to specify particular points
    in the control flow of the program: method call/execution,
    constructor call, field read/write, ...

•   These constructs are not enough to express all security
    hardening practices.

                    Dataflow Pointcut

•   Masuhara and Kawauchi defined a dataflow pointcut for
    security purposes to resolve the problem of XSS.

•   The following example is another one to clarify the
    importance of such a pointcut from a security perspective.

         // Actions other than OpenFile, ReadFile, or Send
         // Before-advice with a dataflow pointcut to test
         // if the data that will be sent depends on the information read
         // from the file.
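The check sketched in the comments above, approximated with the constructs AspectJ already has. This is an added example, not code from the paper: values returned by a file read are remembered by object identity, and a Send whose argument is one of them is refused in before-advice. The classes app.Files (byte[] readFile(String)) and app.Net (void send(byte[])) are hypothetical stand-ins for the ReadFile and Send actions.

```java
import java.util.Collections;
import java.util.IdentityHashMap;
import java.util.Set;

// Approximation of a dataflow check with standard AspectJ. The target classes
// app.Files and app.Net are assumed names, not part of the original paper.
public aspect FileToNetworkFlowGuard {
    // Identity set of objects that came out of a file read
    private final Set<Object> fromFile =
        Collections.newSetFromMap(new IdentityHashMap<Object, Boolean>());

    // Remember every value a file read returns
    after() returning(Object data): call(* app.Files.readFile(..)) {
        fromFile.add(data);
    }

    // Before-advice on Send: refuse the call when its payload was read from a file
    before(Object payload): call(* app.Net.send(..)) && args(payload) {
        if (fromFile.contains(payload)) {
            throw new SecurityException("refusing to send data read from a file at "
                + thisJoinPoint.getSourceLocation());
        }
    }
}
```

The identity set only recognises the very object that readFile returned; a String built from those bytes, or a substring of it, passes unnoticed. That gap is exactly what a dataflow pointcut closes, since it matches on dependency rather than on object identity, which is why the paper argues for adding one rather than relying on this kind of bookkeeping.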

            Predicted Control Flow Pointcut

•   Kiczales proposed the predicted control flow pointcut pcflow, but
    this pointcut has not been implemented yet.

•   A pointcut pcflow(p) matches at a join point if there may exist a
    path to another join point where p matches.

•   Example: draw some charts for security-relevant parameters
    such as file activity, registry activity, or network traffic. These
    charts can be analyzed to discover whether something wrong is happening.

         pointcut displayState():
             pcflow(execution(void SecurityElement+.draw())) && get(* SecurityElement+.*);

         after(): set(<displayState()>) {
             Display.update();
             // Take an action according to the type of the change
         }

                     Loop Pointcut

•   Malicious-code writers exploit infinite loops to do their nefarious
    jobs by launching denial-of-service attacks.

•   Halting the web browser is an example of a denial-of-service
    attack: it is done by running code that opens a dialog window an infinite
    number of times.

•   AspectJ must include mechanisms to predict the existence of
    such infinite loops and then notify the user, asking whether she wants to
    continue with this work or not.
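Until a loop pointcut exists, the dialog-flood case can at least be contained at run time with existing AspectJ constructs. The aspect below is an added example, not from the paper: it counts calls to the dialog, and once a small budget is spent it asks the user whether to keep allowing them, so an unbounded loop can no longer hold the interface hostage. app.Dialog.open(String) is a hypothetical application method.

```java
import javax.swing.JOptionPane;

// Runtime guard against a dialog flood, built from existing AspectJ constructs.
// app.Dialog.open(String) is an assumed application method, not from the paper.
public aspect DialogFloodGuard {
    private static final int BUDGET = 5;   // dialogs allowed before the user is asked
    private int opened = 0;                // dialogs opened since the last consent
    private boolean suppressed = false;    // set once the user declines further dialogs

    // Around advice on every dialog call: count it, and once the budget is spent
    // ask the user whether to keep going instead of letting the loop run unbounded.
    void around(String message): call(void app.Dialog.open(String)) && args(message)
            && !within(DialogFloodGuard) {
        synchronized (this) {
            if (suppressed) {
                return;                    // drop the dialog without calling proceed()
            }
            opened++;
            if (opened > BUDGET) {
                int choice = JOptionPane.showConfirmDialog(null,
                    "This program keeps opening dialogs (" + opened + " so far). Allow more?",
                    "Possible dialog flood", JOptionPane.YES_NO_OPTION);
                if (choice != JOptionPane.YES_OPTION) {
                    suppressed = true;
                    return;
                }
                opened = 0;                // consent granted: restart the budget
            }
        }
        proceed(message);
    }
}
```

The guard does not predict the loop, it only bounds its effect, which is the weaker property; a loop pointcut as proposed above would let the advice fire at the loop itself rather than at one of the operations inside it.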

           Pattern Matching Wildcard

•   Although pattern matching can be done in plain AspectJ, it is
    better to do it in a declarative manner to simplify the code.

•   Viruses always inject themselves inside executable files by
    opening and writing to such files.

•   We suggest another way that uses the same notation used in
    SQL, such as the like keyword and the "%" character, to ease the burden
    on the user and simplify the code.

    pointcut p: call(like "%exe%", String);
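For comparison, the same "%exe%" match written in plain AspectJ, the verbose form the declarative like proposal is meant to replace. This is an added example, not the paper's code: an args binding feeds the file name to an if() pointcut, and a small helper translates any SQL LIKE pattern into a Java regex so the aspect is not tied to one literal. app.Files.open and app.Files.write are hypothetical file-access methods.

```java
import java.util.regex.Pattern;

// Plain-AspectJ pattern matching on a String argument. app.Files is an
// assumed application class, not from the paper.
public aspect ExecutableFileAccessMonitor {
    // Translate an SQL LIKE pattern into a Java regex: "%" matches any run of
    // characters, "_" matches one character, everything else is taken literally.
    static Pattern likeToRegex(String like) {
        StringBuilder regex = new StringBuilder();
        for (char c : like.toCharArray()) {
            if (c == '%') {
                regex.append(".*");
            } else if (c == '_') {
                regex.append('.');
            } else {
                regex.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.compile(regex.toString(), Pattern.CASE_INSENSITIVE);
    }

    private static final Pattern EXE_LIKE = likeToRegex("%exe%");

    // File-access calls whose first String argument matches %exe%
    pointcut exeFileAccess(String name):
        (call(* app.Files.open(String, ..)) || call(* app.Files.write(String, ..)))
        && args(name, ..)
        && if(EXE_LIKE.matcher(name).matches());

    // Report the access with its source location before it happens
    before(String name): exeFileAccess(name) {
        System.err.println("executable file access: " + name
            + " at " + thisJoinPoint.getSourceLocation());
    }
}
```

The static part of the pointcut (the two call designators) is resolved at weave time; only the if() test runs at each matched call, so the regex is evaluated solely at open/write sites.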

                     Type Pattern Modifiers
•   The syntax of all patterns contains the ModifiersPat keyword,
    except the type pattern syntax.

•   Modifiers are also needed in type patterns:

         public class Sensitive {
             private String sensitiveInfo;

             public void f() {
                 // ...
             }
         }

•   Users of such public classes must be authenticated.

•   Using a public modifier pattern in the type pattern syntax would pick out
    public classes only.
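Without a modifier in the type pattern, the "public classes only" restriction can still be expressed today by inspecting the declaring type's modifiers at run time inside an if() pointcut. This is an added example, not code from the paper; Sensitive is the class from the slide, and app.Session.isAuthenticated() is a hypothetical authentication check.

```java
import java.lang.reflect.Modifier;

// Runtime substitute for a modifier in the type pattern. app.Session is an
// assumed authentication API, not from the paper.
public aspect PublicClassAuthentication {
    // Executions of any method declared in a public class: the declaring
    // type's modifiers are inspected, not the method's
    pointcut inPublicClass():
        execution(* *(..))
        && if(Modifier.isPublic(
               thisJoinPointStaticPart.getSignature().getDeclaringType().getModifiers()));

    // Restrict to Sensitive and its subclasses, excluding this aspect itself
    pointcut sensitivePublicMethod():
        inPublicClass() && execution(* Sensitive+.*(..)) && !within(PublicClassAuthentication);

    // Authenticate before any method of a public Sensitive class runs
    before(): sensitivePublicMethod() {
        if (!app.Session.isAuthenticated()) {
            throw new SecurityException("authentication required for "
                + thisJoinPointStaticPart.getSignature());
        }
    }
}
```

Because the conjunction with execution(* Sensitive+.*(..)) narrows the static match, the reflective test is woven only into Sensitive methods, not into every method in the program; a package-private subclass of Sensitive is skipped, which is the behaviour a public modifier pattern would give.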

            Local Variables Set and Get

•   AspectJ allows one to pick out join points where fields are
    referenced or assigned through the get and set designators, but it
    does not provide similar pointcuts for local variables defined
    inside methods.

•   Security debuggers may need to track the values of local
    variables inside methods.

•   AOP can be used to perform code instrumentation by inserting
    checks before or after getting or setting local variables.

          Synchronized Block Joinpoint

•   The synchronized block has not been treated yet in AspectJ
    or in any other AOP framework.

•   The importance of join points for synchronized code was
    discussed by Borner for thread management.

•   Example:

         Suppose a synchronized block launches a denial-of-service
         attack by containing code that eats the CPU.
         It is essential to have a join point at the beginning of
         the synchronized block to limit the CPU usage or limit
         the number of instructions that can run.

    Conclusion and Future Work

•   AspectJ must benefit from new concepts
    related to pointcut definition in order to express
    some security hardening practices.

•   In the future, we plan to give implementation
    solutions to these proposed concepts.
