Secure Systems Research Group - FAU Aspect Oriented Programming Carlos Oviedo Secure Systems Research Group


Post on 17-Dec-2015


Secure Systems Research Group - FAU

Aspect Oriented Programming

Carlos Oviedo

Secure Systems Research Group


Introduction

• Late 90’s PARC (Palo Alto Research Center)

• Object Oriented Programming & Meta-object modeling protocols

• Capture cross-cutting concerns
• AspectJ (Java)
• Under constant development


Cross-cutting concerns

• Not encapsulated by imperative object oriented programming languages (C, C#, Java, Pascal, etc.)

[Cac04]


Cross-cutting concerns

• Sometimes requirements relating to a particular concern are spread among multiple requirement sources.

• Example: Logging
• The consequence: code spread across several modules


Cross-cutting concerns

A specific concern spread along multiple classes


Cross-cutting concerns

• Security is a concern that has impact on each design unit.

• Modifying the affected design units accordingly can be a fault-prone and tedious task.

• Other examples:
  • identity management
  • transaction integrity
  • authentication
  • performance


Aspects Outline

• Cross cutting concerns are not reusable (cannot be refined or inherited)

• AOP Modularizes cross cutting concerns

• Pointcut (dynamic)
• Advice (dynamic)
• Inter-type declarations (static)
• Aspects (encapsulates constructions)


Aspects Outline

JOIN POINT:
• A specific execution point in the program flow

POINT CUT:
• Selects certain join points and values at those points


Point Cuts

• Call join point: actions of an object receiving a call

    pointcut move():
        call(void FigureElement.setXY(int,int)) ||
        call(void Point.setX(int)) ||
        call(void Point.setY(int)) ||
        call(void Line.setP1(Point)) ||
        call(void Line.setP2(Point));


Advice

• To implement the cross-cutting behaviors we use advice

    before(): move() {
        System.out.println("about to move");
    }

    after() returning: move() {
        System.out.println("just successfully moved");
    }


Aspects

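• Aspects are wrappers
• Very similar to “object oriented” classes

    import java.io.PrintStream;

    aspect Logging {
        // System.err is a PrintStream; OutputStream has no println()
        PrintStream logStream = System.err;

        // move() is the pointcut shown on the Point Cuts slide
        before(): move() {
            logStream.println("about to move");
        }
    }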


Aspects in security

• Example: control access to a specific resource
  • Account access by a bank officer


Aspects in security

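    import java.io.PrintStream;

    public aspect AccountAuthorization {
        PrintStream logStream = System.err;  // System.err is a PrintStream

        // Deny-list check as on the slide: every id except "guest" is granted
        boolean grantAccess(String id) {
            return !"guest".equals(id);  // compare string contents, not references
        }

        pointcut change(): call(void Account.MakeWithdrawal());

        // context.id (the caller's identity) and UnauthorizedAccessException
        // are not defined on the slides; the application has to supply them
        before(): change() {
            logStream.println("Change in progress...");
            if (!grantAccess(context.id))
                throw new UnauthorizedAccessException();
        }
    }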


Aspects in security

    pointcut change():
        call(* MakeWithdrawal(..));


Aspects in security

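    import java.io.PrintStream;

    abstract aspect SimpleAuthorization {
        PrintStream logStream = System.err;  // System.err is a PrintStream

        // Deny-list check as on the slide: every id except "guest" is granted
        public static boolean grantAccess(String id) {
            return !"guest".equals(id);  // compare string contents, not references
        }

        // An abstract pointcut has no body; each concrete sub-aspect
        // supplies one, for example call(* Make*(..))
        abstract pointcut change();

        before(): change() {
            logStream.println("Change in progress...");
            if (!grantAccess(context.id))
                throw new UnauthorizedAccessException();
        }
    }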


Aspects in security

• A specialization of the aspect:

    public aspect TransactionAuthorization extends SimpleAuthorization {
        pointcut change(): within(Transaction) ||
                           within(SecureTransaction);
        //...
    }


Conclusions

• Aspects are capable abstract structures for capturing cross-cutting concerns such as security, and they can be applied to a system after it has been written.

• Security concerns can be maintained in one place
• Another example: track who did what on a system (non-repudiation)
• Currently this field is under constant expansion, and it is worth exploring its potential due to its ability to encapsulate concerns
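
Added example, not part of the original slides: a complete AspectJ program that combines the account-authorization aspect from the "Aspects in security" slides with the who-did-what audit trail named in the conclusions. CallerContext (standing in for the slides' undefined context.id), the officer id, the balance and the Demo class are constructed for illustration; the aspect uses execution() instead of call() and an allow-list instead of the "guest" test. It assumes the ajc compiler and Java 9 or later.

```aspectj
import java.util.Set;

class UnauthorizedAccessException extends RuntimeException {
    UnauthorizedAccessException(String msg) { super(msg); }
}

// Constructed stand-in for the slides' undefined context.id: caller identity per thread.
class CallerContext {
    private static final ThreadLocal<String> ID = ThreadLocal.withInitial(() -> "guest");
    static String id() { return ID.get(); }
    static void set(String id) { ID.set(id); }
}

class Account {
    private long balance = 100;
    void MakeWithdrawal(long amount) { balance -= amount; }
    long balance() { return balance; }
}

aspect AccountAuthorization {
    // Allow-list of officer ids (constructed value); anything not listed is denied.
    private static final Set<String> OFFICERS = Set.of("officer-17");

    // execution() is woven into the method itself, so reflective callers and
    // callers that were not woven by ajc are checked as well; call() is not.
    pointcut change(): execution(* Account.Make*(..));

    before(): change() {
        String id = CallerContext.id();
        boolean allowed = id != null && OFFICERS.contains(id);
        // Audit line first, so denied attempts are recorded too (who did what).
        System.err.println("AUDIT id=" + id + " op=" + thisJoinPointStaticPart.getSignature()
                + " allowed=" + allowed);
        if (!allowed)
            throw new UnauthorizedAccessException(id + " may not call "
                    + thisJoinPointStaticPart.getSignature().getName());
    }
}

class Demo {
    public static void main(String[] args) {
        Account acct = new Account();
        CallerContext.set("officer-17");
        acct.MakeWithdrawal(40);          // allowed
        CallerContext.set("guest");
        try { acct.MakeWithdrawal(40); }  // denied before the body runs
        catch (UnauthorizedAccessException e) { System.err.println("denied: " + e.getMessage()); }
        System.out.println("balance = " + acct.balance());
    }
}
```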


AOP: Aspect Oriented Programming

Theserverside.com