Using Aspect-Oriented Software Using Aspect-Oriented Software Development to build a Scenario Development to build a Scenario Based Access Control Reference Based Access Control Reference MonitorMonitor

Captain Jason FurlongCaptain Jason FurlongDepartment of Electrical & Department of Electrical & Computer EngineeringComputer EngineeringRoyal Military College of CanadaRoyal Military College of Canada

OutlineOutline

Overview of ThesisOverview of Thesis BackgroundBackground Reference Monitor DesignReference Monitor Design ValidationValidation Discussion & Future WorkDiscussion & Future Work

Overview of ThesisOverview of Thesis

MotivationMotivationGoalsGoalsResultsResults

The Problem…The Problem…

Security is one of many concerns that Security is one of many concerns that influence the development of an influence the development of an Enterprise Information SystemEnterprise Information System– Access Control is a security sub-concernAccess Control is a security sub-concern

Access Control cannot be easily Access Control cannot be easily localized.localized.

The implementation of the Security The implementation of the Security concern must be precise and consistentconcern must be precise and consistent– Implementation of a Access Control PolicyImplementation of a Access Control Policy

GoalsGoals

Use Aspect-Oriented Software Use Aspect-Oriented Software Development (AOSD) to separate Development (AOSD) to separate the Access Control sub-concern in the Access Control sub-concern in an enterprise applicationan enterprise application

Create a reusable framework to Create a reusable framework to build a reference monitor build a reference monitor

Implement a Scenario Based Implement a Scenario Based Access Control model (SBAC)Access Control model (SBAC)

ResultsResults

Primary functionality and Access Primary functionality and Access Control were separatedControl were separated

Reusable reference monitor Reusable reference monitor framework createdframework created

SBAC model implementedSBAC model implemented Two J2EE validation exercisesTwo J2EE validation exercises Polydecompositional ArchitecturePolydecompositional Architecture

Background Background InformationInformation

Aspect Oriented Software Design Aspect Oriented Software Design (AOSD)(AOSD)Reference MonitorReference MonitorScenario Based Access Control Scenario Based Access Control (SBAC)(SBAC)

What is AOSD?What is AOSD?

Aspect-Oriented software Development Aspect-Oriented software Development (AOSD) aims at addressing (AOSD) aims at addressing crosscutting concerns by providing crosscutting concerns by providing means for their systematic means for their systematic identificationidentification, , separationseparation, , representationrepresentation and and compositioncomposition..

-Awais Rashid-Awais Rashid

Cross-cutting ConcernsCross-cutting Concerns

Source: AspectJ Website and Gregor Kiczales

Some Benefits of AOSDSome Benefits of AOSD

Better separation of concernsBetter separation of concerns More adaptable and easier to More adaptable and easier to

reuse reuse Simpler System evolution:Simpler System evolution: Programmer specialization Programmer specialization

through application transparencythrough application transparency

Source: Elrad and Coady

Reference MonitorReference Monitor

Security AbstractionSecurity Abstraction Originally conceived as a part of a Originally conceived as a part of a

security kernel and implemented security kernel and implemented with a combination of hardware with a combination of hardware and software.and software.

Reference Reference MonitorMonitor

SubjectsReference

Monitor(policy)

Objects

Audit File

AccessControl

DatabaseSource: Morrie Gasser, Source: Morrie Gasser, Building a Secure Building a Secure Computer System, 1988Computer System, 1988

Reference MonitorReference Monitor

An ideal Reference Monitor satisfies these 3 An ideal Reference Monitor satisfies these 3 Requirements:Requirements:– Completeness:Completeness: It must be impossible to It must be impossible to

bypassbypass– Isolation:Isolation: It must be tamperproof It must be tamperproof– Verifiability:Verifiability: It must be shown to be It must be shown to be

properly implementedproperly implemented

Scenario Based Access Scenario Based Access Control (SBAC)Control (SBAC) Set of scripted scenariosSet of scripted scenarios Mimics the workflow of an Mimics the workflow of an

enterprise environmententerprise environment Based on the observability of Based on the observability of

Objects and their ability to pass Objects and their ability to pass messages to each othermessages to each other

SBAC (continued)SBAC (continued)

Permissions rise and fall Permissions rise and fall according the flow of the scenarioaccording the flow of the scenario

In following a Scenario, the model In following a Scenario, the model is deterministic and can satisfy a is deterministic and can satisfy a Safety Analysis Safety Analysis

The AOSD Reference The AOSD Reference Monitor DesignMonitor Design

Client

Web

Business Logic

Database

J2EEApplication

PermissionTable

Permissions

Scenarios

Aspect

Reference Monitor

Reference Monitor Reference Monitor DesignDesign

permissionList

:Hashtable

modeled as

class

Scenario

which creates

object

SBACPermission

stored in

aspect

ReferenceMonitor

object

PermissionTable

object

Drafter

object

Cheque

Join Point

object

SBACPermission

which creates

used to find a corresponding permission in

SBAC Formal Model SBAC Reference Monitor

calls

Intercepted by

drafter : DrafterClass

cheque : Cheque

setAmount()

Scenario Ordering: <SEQ>PARAIN: drafter:DrafterClass cheque:Cheque

workflowspecification

Method MatrixMethod Matrix

Needed a rigorous methodology Needed a rigorous methodology for determining allocation of for determining allocation of pointcutspointcuts

First validation example had 8 First validation example had 8 cooperating classes = 56 cooperating classes = 56 caller/receiver relationshipscaller/receiver relationships

Defined both dynamic and static Defined both dynamic and static relationships between relationships between participating objectsparticipating objects

ValidationValidation

Cheque Passing applicationCheque Passing applicationCertificate Authority Certificate Authority applicationapplication

The Implementation The Implementation EnvironmentEnvironment Two Examples operating on a Two Examples operating on a

J2EE application server.J2EE application server. Can run on Win32 or *NIX.Can run on Win32 or *NIX. HTML user interface using HTML user interface using

Jakarta-Struts, an MVC Jakarta-Struts, an MVC framework.framework.

The Two The Two ImplementationsImplementations Cheque example: a set of Cheque example: a set of

cooperating objects working cooperating objects working within an EJBwithin an EJB11..– Built for concurrency of actionsBuilt for concurrency of actions– Multiple actors in the scenarioMultiple actors in the scenario

1. EJB: Enterprise Java Bean

Cheque Cheque Passing Passing ExampleExample

payee : Customer

drafter : Employee

1: present bill

theCheque : Cheque

2: draft cheque

theCheque : Cheque

3: verify cheque

4: pass cheque

supervisor : Employee

Permissionsa. write name of payeeb. write amountc. write dated. write Customer #

Permissionsa. read nameb. read amountc. read dated. read Customer #

Permissionsa. read nameb. read amountc. read dated. read Customer #e. write Digital Signature

Permissionsa. read nameb. read amountc. read dated. read Customer #

Permissionsa. read nameb. read amountc. read dated. read Custoumer #

supervisor : Employee

5: attach Digital Signature

6: pass cheque

cashier : Employee

8: verify chequetheCheque : Cheque

9: give money

payee : Customer

Permissionsa. read nameb. read amountc. read dated. read Customer #

7: get Customer identitypayee :

Customer

Permissions

Permissions

Permissions

Permissions

Certificate Authority Certificate Authority ApplicationApplication Second example: a SOAP-based Second example: a SOAP-based

military HQ Certificate Authority military HQ Certificate Authority serverserver– Single ThreadedSingle Threaded– Closer to a real-world Web Services Closer to a real-world Web Services

applicationapplication– Only two actors in the scenario: user Only two actors in the scenario: user

and serverand server Developed from a real-world Developed from a real-world

problem provided by DRDC Ottawa.problem provided by DRDC Ottawa.

StrutsServlets and JSPs

HQManagerSession EJB

Firewall and IPSec device

File SystemStores signed certificates

Entity EJBs

Web BrowserHuman Interface

SAAJ Clients and ServersMachine Interface

SAAJHttp Servlet

DatabaseStores Certificates,

CRLs and client data

Change firewall settings or close connections

IPSec Device checks for certificate validity

HQManager sends out CRLs

Client

Web

EJB

Persistence

J2EE

Architecture

Discussion & Future Discussion & Future WorkWork

Some interesting things I Some interesting things I found along my journeyfound along my journey

Benefits of AOSD - Benefits of AOSD - revisitedrevisited Better separation of concernsBetter separation of concerns More adaptable and easier to More adaptable and easier to

reuse reuse Simpler System evolution:Simpler System evolution: Programmer specialization Programmer specialization

through application transparency through application transparency and obliviousnessand obliviousness

Reference Monitor Reference Monitor RequirementsRequirements CompletenessCompleteness: :

– Intercepts all calls to an object using Intercepts all calls to an object using AspectJ “wildcards”.AspectJ “wildcards”.

IsolationIsolation: : – Application by AspectJ would be Application by AspectJ would be

difficult to subvert by rogue code.difficult to subvert by rogue code. VerifiabilityVerifiability: :

– Uses SBAC, a provably safe Access Uses SBAC, a provably safe Access Control model.Control model.

J2EE

Application

Workflow Model

SBAC Model

SBACFramework

AspectPointcuts &

Advice

DependenciesDependencies

Polydecompositional Polydecompositional ArchitectureArchitecture AOSD permitted simultaneous decomposition AOSD permitted simultaneous decomposition

of two separate architectures:of two separate architectures:– Base FunctionalityBase Functionality– Access Control sub-concernAccess Control sub-concern

Combined at compile timeCombined at compile time

A polydecompositional architecture is a design concept that ensures concern isolation for independent design decomposition before a stage of coalescence to create a software component.

Application Application TransparencyTransparency Implementation allowed for Implementation allowed for

pluggable security at compile time.pluggable security at compile time.– 2 different build files2 different build files– Reference monitor framework could be Reference monitor framework could be

easily rebuilt to allow for run-time easily rebuilt to allow for run-time switching.switching.

Business logic was almost Business logic was almost completely oblivious of security completely oblivious of security concernconcern

AOSDAOSD

Limitations of AOSDLimitations of AOSD– AspectJ is a static implementationAspectJ is a static implementation– Slower run-time implementation; Slower run-time implementation;

typical AspectJ overhead is between typical AspectJ overhead is between 22% and 2900% 22% and 2900%

AspectJ was useful for AspectJ was useful for unobtrusive bug tracking and unobtrusive bug tracking and testing with JUnit.testing with JUnit.

SBACSBAC

Working dynamic SBAC reference monitor Working dynamic SBAC reference monitor that can satisfy a safety questionthat can satisfy a safety question

SBAC Doesn’t work for everything, like SBAC Doesn’t work for everything, like some J2EE features that require some J2EE features that require polymorphism.polymorphism.

Building the security model can take time Building the security model can take time depending on the workflow depending on the workflow representationrepresentation

Policy implementation can be fragile – if Policy implementation can be fragile – if workflow changes, then the scenarios workflow changes, then the scenarios have to be rewritten.have to be rewritten.

Method Matrix MethodologyMethod Matrix Methodology

Security Engineer

Programmer

Security Policy Functional Requirements

Workflow

SBACScenarios

Pointcut Definitions&

Compiler Errors

uses

creates

uses

uses

creates

supervisor : SupervisorClass

: S_ValidityDecision

registry : ChequeRegistry

getNextChequeData( )

Scenario Ordering: <SEQ>PARAIN: supervisor:SupervisorClass registry:ChequeRegistry DEFPARA:

<<scenario>> validityDecision

S_ValidityDecision(DrafterClass, SupervisorClass, ChequeRegistry, ComplexScenario)

getChequeData(int)

ClassesClasses ChequeCheque MailerMailer SuperviSupervisorsor

MachinMachinee

ChequeCheque MM MM

MailerMailer CMCM MM

MachinMachinee

MM MM

produces

produces

Is checkedagainst

pointcut callChequeRegistry():call(* ChequeRegistry.*(..)) &&

(within(DrafterClass)|| within(SupervisorClass)|| within(ChequeMailingMachine));pointcut callSupervisorClass():

call(* SupervisorClass.*(..)) && within(ChequeRegistry);pointcut callDrafterClass():

call(* DrafterClass.*(..)) && (within(ChequeRegistry)||

within(SupervisorClass));pointcut callChequeMailingMachine():

call(* ChequeMailingMachine.*(..)) && (within(SupervisorClass));

pointcut callChequeSignature():call(* ChequeSignature.*(..)) &&

within(SupervisorClass);pointcut callEnvelope():

call(* Envelope.*(..)) && within(ChequeMailingMachine);pointcut callStampRepository():

call(* StampRepository.*(..)) && within(ChequeMailingMachine);

MethodMatrix

Future WorkFuture Work

Use a dynamic AOSD technology such as Use a dynamic AOSD technology such as AspectWerkz or JBoss-AOPAspectWerkz or JBoss-AOP–Clean up some of the pointcuts–Clean up some of the pointcuts–Integrate with the J2EE server software–Integrate with the J2EE server software

Automate generation of scenarios from Automate generation of scenarios from Rational Rose (or other UML/MSC tool)Rational Rose (or other UML/MSC tool)

Refine the SBAC frameworkRefine the SBAC framework–Performance–Performance–Make the framework more opaque–Make the framework more opaque

Implementation in a COTS environment where Implementation in a COTS environment where components aren’t fully trustedcomponents aren’t fully trusted

SummarySummary

AOSD modularizes cross-cutting AOSD modularizes cross-cutting concernsconcerns

Created Reference monitor using Created Reference monitor using AspectJ that was completely AspectJ that was completely modularmodular

Dynamic Implementation of SBAC Dynamic Implementation of SBAC using AOSD and AspectJusing AOSD and AspectJ

QuestionsQuestions

??

AOSD TechnologiesAOSD Technologies

5 Implementations:5 Implementations:– Multidimensional Separation of Multidimensional Separation of

ConcernsConcerns– Traversal SpecificationsTraversal Specifications– Composition FiltersComposition Filters– Class IntroductionClass Introduction– Join Point InterceptionJoin Point Interception

AspectJ

Join Point InterceptionJoin Point Interception

A family of languages based on a A family of languages based on a GPLGPL– AspectJ, AspectWerkz, JBoss-AOP AspectJ, AspectWerkz, JBoss-AOP

(Java)(Java)– AspectC++ (C++)AspectC++ (C++)– Pythius (Python)Pythius (Python)– Others based on: Squeak/Smalltalk, Others based on: Squeak/Smalltalk,

XML, C#/.net, Perl, Ruby, UML…XML, C#/.net, Perl, Ruby, UML…

Join PointsJoin Points

Foo Bar

public void setx(int a) {..}

Bar.setx(5)

Join Point

PointcutsPointcuts

Named collections of Join Points that have Named collections of Join Points that have something in commonsomething in common

AspectJ has its own language for AspectJ has its own language for describing pointcutsdescribing pointcuts

Can also describe events in the context of Can also describe events in the context of other pointcutsother pointcuts

Example:Example:– All the calls to the String classAll the calls to the String class– All the calls to a particular All the calls to a particular

module/package/library that return a Foobar module/package/library that return a Foobar ObjectObject

AdviceAdvice

This is the base-language code This is the base-language code that has been attached to a that has been attached to a particular pointcut or set of particular pointcut or set of pointcutspointcuts

3 types:3 types:– BeforeBefore– AfterAfter– AroundAround

Class Introduction in Class Introduction in AspectJAspectJ

Given:Given:public class Cheque{public class Cheque{

private int value;}private int value;}

……and in another module…and in another module…public aspect ModifiedCheque{public aspect ModifiedCheque{

public int Cheque.getValue()public int Cheque.getValue(){{

return value;}return value;}}}

AspectsAspects

Modular entity that consisting of Modular entity that consisting of pointcuts and advice.pointcuts and advice.

This is a module in and of itself This is a module in and of itself that can have its own attributes that can have its own attributes and proprietary methods.and proprietary methods.

There are also abstract Aspects There are also abstract Aspects which can be inherited from.which can be inherited from.

Sample AspectSample Aspectimport business.cheque;

public aspect chequeLogger{

pointcut callChequeSetters(Cheque cheque):

call(public * Cheque.set*(..))&& target(cheque);

before(): callAllSetters(Cheque cheque){

System.out.println(“Calling set method on cheque” + cheque.toString());}

}//end testAspect

pointcut

advice

wildcards

Class IntroductionClass Introduction

Allows the addition of methods, Allows the addition of methods, attributes and interfaces to an attributes and interfaces to an existing class without subclassing existing class without subclassing or editing existing codeor editing existing code

Violates traditional encapsulation Violates traditional encapsulation methodsmethods

Compiler Warnings & Compiler Warnings & ErrorsErrors

AspectJ pointcuts can be used to generate AspectJ pointcuts can be used to generate compiler errors and warningscompiler errors and warnings

Example:Example:– only ChequeRegistry can access a Cheque Objectonly ChequeRegistry can access a Cheque Object

pointcutpointcut chequeCalls(): chequeCalls():callcall((publicpublic * Cheque.*(..))&& * Cheque.*(..))&&

!!withinwithin(ChequeRegistry); (ChequeRegistry);

declare error: chequeCalls():declare error: chequeCalls():““Security Error: This is a static method access Security Error: This is a static method access violation";violation";

AOSD AOSD (continued)(continued)

Use of Interface IntroductionUse of Interface Introduction– Used pointcuts and method introduction to Used pointcuts and method introduction to

obtain context of some user interface obtain context of some user interface method calls.method calls.

//serverStatus scenariopublic void HQManager.SserverStatus(){}public abstract void HQLocal.SserverStatus();pointcut SserverStatus(HQServerStatusForm form):execution(public HashMap HQServerStatusForm.getStatus())&&

this(form);

before(HQServerStatusForm form): SserverStatus(form){form.hqLocal.SserverStatus();

}

Join point limitationsJoin point limitations

public void setX(int x);public void setX(int x);

Produces the same join point (and Produces the same join point (and permission) as:permission) as:

public void setX(Integer x);public void setX(Integer x);

This reduces the obliviousness of This reduces the obliviousness of the security implementation.the security implementation.

Security Policy Security Policy ImplementationImplementation

Resultant policy is a Resultant policy is a set of Message set of Message Sequence ChartsSequence Charts

I used both high-I used both high-level and low-level level and low-level MSCsMSCs

supervisor : SupervisorClass

: S_ValidityDecision

registry : ChequeRegistry

getNextChequeData( )

Scenario Ordering: <SEQ>PARAIN: supervisor:SupervisorClass registry:ChequeRegistry DEFPARA:

<<scenario>> validityDecision

S_ValidityDecision(DrafterClass, SupervisorClass, ChequeRegistry, ComplexScenario)

getChequeData(int)

NewTask<<OR>>

CreateCheque<<SEQ>>

CompareInfo<<SEQ>>

MailCheque<<SEQ>>

RejectCheque<<SEQ>>

ReturnCheque<<SEQ>>

ValidateCheque<<SEQ>>

EnvironmentInit<<SEQ>>

ValidityDecision<<OR>>

PrintCheques<<SEQ>>

EditCheque<<SEQ>>

DrafterTasks<<OR>>

PrintDecision<<OR>>

EnvelopeOutput<<AND>>

GetStamp<<SEQ>>

GetAddress<<SEQ>>

PrintChequeData

<<SEQ>>

Method MatrixMethod MatrixFirst Example – Cheque ScenarioFirst Example – Cheque Scenario

Caller\Receiver DrafterClass SupervisorClass Cheque

Cheque Mailing Machine

ChequeRegistry ChequeSignature

Envelope

StampRepository

DrafterClass         M      

SupervisorClass M     M M CM    

Cheque                

ChequeMailingMachine         M   CM M

ChequeRegistry M M  MC       M  

ChequeSignature                

Envelope                

StampRepository                

M = Method pointcut

C = Constructor pointcut

Bold text indicates actor class

Method Matrix (continued)Method Matrix (continued)DrafterClass Permitted

SupervisorClass Permitted

ChequeMailingMachine Permitted  

createCheque(ChequeData) any

getNextChequeData() any

processCheques() any  

nextEditCheque() any

attachSignature(int) any addCheque(int) SupervisorClass

removeNextEdit()

SupervisorClass

rejectClaim() any    

editCheque(int)SupervisorClass

editChequeToEdit(int) any    

 

editUpdate(ChequeData) any    

 addCheque(int)

ChequeRegistry      

getTasks()   getTasks()   getTasks()

 

getNextInvoice()  

getChequeMailer()   getStamper()

addInvoice(OcrDocument)      

SendChequeToPostOffce()

getInvoiceList()       getRegistry()

getSupervisor()        

isChequesToEdit()        

setChequesToEdit(boolean)        

         

public privileged aspect A_ChequeScenarioMonitor {Scenario upperScenario;PermissionTable permissionTable;DrafterClass drafter;SupervisorClass supervisor;ChequeMailingMachine mailer;ChequeRegistry registry;PrimitiveScenario scenario;

/** * This ReferenceMonitor has been designed for the ChequeContainerClass environment. If this is * to be used again in another system then the class that provides the seeds for the scenarios would * have to be changed. * @precondition The container class is of type ChequeContainerClass */public A_ChequeScenarioMonitor(){}

/** * This pointcut is used to determine the top-level scenario transition */pointcut startScenario(): execution(public void ChequeBeanLogic.ejbCreate());//these are the combined (Inner and Agent)class pointcutspointcut callChequeRegistry():call(* ChequeRegistry.*(..)) && (within(DrafterClass)||within(SupervisorClass)||within(ChequeMailingMachine));pointcut callSupervisorClass():call(* SupervisorClass.*(..)) && within(ChequeRegistry);pointcut callDrafterClass():call(* DrafterClass.*(..)) && (within(ChequeRegistry)||within(SupervisorClass));pointcut callChequeMailingMachine():call(* ChequeMailingMachine.*(..)) && (within(SupervisorClass));pointcut callChequeSignature():call(* ChequeSignature.*(..)) && within(SupervisorClass);pointcut callEnvelope():call(* Envelope.*(..))&&within(ChequeMailingMachine);pointcut callStampRepository():call(* StampRepository.*(..))&&within(ChequeMailingMachine);

pointcut scenarioCallPC(): // group all the call Pointcuts togethercallDrafterClass() || callSupervisorClass() || callChequeRegistry()||callChequeMailingMachine()||callChequeSignature()||callEnvelope()||callStampRepository();

// Constructor Pointcutspointcut constructorCalls():call(public ChequeSignature.new(business.SupervisorClass)) && within(SupervisorClass)||call(public Envelope.new()) && within(ChequeMailingMachine);

//Agent class pointcutspointcut agentDrafterClass():execution( public int DrafterClass.createCheque(ChequeData)) ||execution( public ChequeData DrafterClass.nextEditCheque());pointcut agentSupervisorClass():execution(public ChequeData SupervisorClass.getNextChequeData())||execution(public void SupervisorClass.attachSignature(int))||execution(public void SupervisorClass.rejectClaim())||execution(public void editChequeToEdit(int))||execution(public void editUpdate(ChequeData));pointcut agentChequeMailingMachine():execution(public StringBuffer ChequeMailingMachine.processCheques())||execution(private StringBuffer ChequeMailingMachine.printCheque(ChequeData, Envelope))||execution( private void ChequeMailingMachine.getStamp(ChequeData, Envelope))||execution( private void ChequeMailingMachine.getAddress(ChequeData, Envelope));

pointcut scenarioAgentPC():agentDrafterClass() || agentSupervisorClass()||agentChequeMailingMachine()||constructorCalls();

/** *This advice is a supplemental to the constructor to this aspect. It identifies * the ChequeBeanLogic instance and gets the 3 classes that are needed to * seed the first scenario: * The Drafter * The Supervisor * The Cheque Mailing Machine */ after() :startScenario(){JoinPoint jpoint = thisJoinPoint;drafter = ((ChequeBeanLogic)jpoint.getTarget()).getDrafter();supervisor = ((ChequeBeanLogic)jpoint.getTarget()).getSupervisor();mailer = ((ChequeBeanLogic)jpoint.getTarget()).getMailer();registry = ((ChequeBeanLogic)jpoint.getTarget()).getChequeRegistry();

//create a new permissionTable and seed it up with the first scenario.upperScenario = new S_NewTask(drafter, supervisor, registry, null);permissionTable= new PermissionTable(upperScenario);}//end around startScenario and secondary constructor/scenario seeder

before(): scenarioCallPC() || scenarioAgentPC() {scenario =permissionTable.permit(thisJoinPoint);if (scenario == null) {StringBuffer errorMsg = new StringBuffer("permissiondenied");errorMsg.append(thisJoinPoint.toString());System.out.println("error: " + errorMsg);throw new RuntimeException(errorMsg.toString());}}//end before scenario calls()//set the recently created object to a reference in the scenario that was used.

after() returning(Object object) : constructorCalls() {if (scenario != null) {

scenario.setNewObject(object);} }

//Compiler Errorspointcut constructorError():call(public business.*.new(..)) && !constructorCalls() && //discard the constructors that are part of scenarios, they're already covered//these are the exceptions to the rule!within(ejb.*)&& //ejb needs to create seeder classes!(call( public Cheque.new(..)) && within(ChequeRegistry)) && // only ChequeRegistry can make new Cheque objects!(call(public ChequeData.new(..)))&& //anybody can create a ChequeData object!(call(public ChequeSignature.new(..)) && within(Cheque)); // Cheque needs to create a signature

declare error : constructorError():"Security Violation, constructor not permitted";}//end aspect A_ChequeScenarioMonitor

Code Generated fromthe Method Matrix

Reference Monitor Aspect Reference Monitor Aspect CodeCodeSecond Example – Military Certificate Authority ServerSecond Example – Military Certificate Authority Serverpublic privileged aspect AHQManagerMonitor {

pointcut initializationCalls():execution(public void HQForm.new());

pointcut otherCalls():execution(public SessionContext HQManager.getCtx())||//this is needed by the scenariosexecution(public * HQManager.requestCertificate(..))||//container manages the security to this method as it is

used by SAAJexecution(public * HQManager.permit(..));//eliminate recursion...

pointcut managerintercept(HQManager manager):execution(public * HQManager.*(..)) && this(manager)&&

!cflow(initializationCalls())&&!otherCalls();

before(HQManager manager): managerintercept(manager){Scenario scenario = manager.permit(thisJoinPoint);//check for validityif (scenario == null) {//if null, then permission denied – throw exception

StringBuffer errorMsg = new StringBuffer("permissiondenied");errorMsg.append(thisJoinPoint.toString());System.out.println("error: " + errorMsg);throw new RuntimeException(errorMsg.toString());}}

J2EEJ2EE

Not the easiest Not the easiest technology/specification to work with.technology/specification to work with.

Multiple stubs and interfaces made it Multiple stubs and interfaces made it difficult to implement SBAC and weave difficult to implement SBAC and weave the reference monitor code.the reference monitor code.

I was able to use some of the native I was able to use some of the native security features which saved some security features which saved some time and efforttime and effort

Takes a bit of time to set up a J2EE Takes a bit of time to set up a J2EE application server and databaseapplication server and database

ScenarioSEQ

getPermission()toString()getNextPermission()ScenarioSEQ()

(from scenario)

ConstructorPrimitive

getPermission()ConstructorPrimitive()checkScenarioObject()

(from prim itive)MethodPrimitive

MethodPrimitive()getPermission()checkScenarioObject()

(from prim itive)

ScenarioOR

permissionRef : ArrayList

getPermission()getNextPermission()ScenarioOR()orSelected()

(from scenario)

S_CreateCheque

numChildren : int = 5

toString()initializeScenario()S_CreateCheque()

(from creating)

S_NewTask

toString()initializeScenario()S_NewTask()

(from chequeScenario)

Orthogonal Design Orthogonal Design RequirementsRequirements

Superimposition of Multiple Superimposition of Multiple Abstraction ModelsAbstraction Models

Multidimensional Multidimensional DecompositionDecomposition

Tyranny of Tyranny of DecompositionDecomposition “…“…the tyranny of the dominant the tyranny of the dominant

decomposition is the single most decomposition is the single most significant cause of the failure, to significant cause of the failure, to date, to achieve many of the date, to achieve many of the expected benefits of separation of expected benefits of separation of concerns.”concerns.”

Ossher and TarrOssher and Tarr

-HyperJ User Manual, 2001-HyperJ User Manual, 2001

Principle of Principle of ObliviousnessObliviousness

The Principle of Obliviousness allows The Principle of Obliviousness allows programmers to make quantified programmers to make quantified programmatic assertions over programmatic assertions over programs written by programmer programs written by programmer oblivious to such assertions.oblivious to such assertions.

Filman & FriedmanFilman & Friedman

““AOP is Quantification and AOP is Quantification and Obliviousness”Obliviousness”

Cross-cutting ConcernsCross-cutting Concerns

A concern that cuts across the A concern that cuts across the modularity of a software system.modularity of a software system.

Symptoms include Symptoms include – ScatteringScattering: Code related to a single : Code related to a single

concern is spread across several concern is spread across several modulesmodules

– TanglingTangling: Code unrelated to the : Code unrelated to the primary concern of a module is mixed in.primary concern of a module is mixed in.

– Interface Pollution: Interface Pollution: The interface The interface requirements of several clients are requirements of several clients are combined into a single interface for a combined into a single interface for a module.module.

Some Benefits of AOSDSome Benefits of AOSD

Better separation of concernsBetter separation of concerns– Increased ComprehensibilityIncreased Comprehensibility– Source code reductionSource code reduction– Decomposition of modules previously considered Decomposition of modules previously considered

monolithicmonolithic More adaptable and easier to reuse More adaptable and easier to reuse Simpler System evolution:Simpler System evolution:

– The increased modularity of AOSD systems mean The increased modularity of AOSD systems mean that fewer modules are affected when another that fewer modules are affected when another module is altered.module is altered.

Programmer specialization through Programmer specialization through application transparencyapplication transparency– Some concerns, such as security, can be better Some concerns, such as security, can be better

implementedimplemented

Source: Elrad and Coady

SBAC uses ObjectsSBAC uses ObjectsSuper Secure Software Inc.15 Enterprise BlvdToronto, ON

Make payable to:

Date:

Amount:

Memo: Signed

Cheque Number

Signature (Digital)

PayeeDate

Amount

Permission TablePermission Table

Hashtable that contains a collection of Hashtable that contains a collection of permissionspermissions

Each permission hash value based on:Each permission hash value based on:– Caller Object instance hashCaller Object instance hash– Receiver object instance hashReceiver object instance hash– Method nameMethod name– Parameter typesParameter types

Match permission hash to equivalent Match permission hash to equivalent join point hashjoin point hash