Aine Furlong - The role of CLIL and plurilingualism in teaching languages
Using Aspect-Oriented Software Development to build a Scenario Based Access Control Reference...
-
Upload
evelyn-porter -
Category
Documents
-
view
216 -
download
0
Transcript of Using Aspect-Oriented Software Development to build a Scenario Based Access Control Reference...
Using Aspect-Oriented Software Using Aspect-Oriented Software Development to build a Scenario Development to build a Scenario Based Access Control Reference Based Access Control Reference MonitorMonitor
Captain Jason FurlongCaptain Jason FurlongDepartment of Electrical & Department of Electrical & Computer EngineeringComputer EngineeringRoyal Military College of CanadaRoyal Military College of Canada
OutlineOutline
Overview of ThesisOverview of Thesis BackgroundBackground Reference Monitor DesignReference Monitor Design ValidationValidation Discussion & Future WorkDiscussion & Future Work
Overview of ThesisOverview of Thesis
MotivationMotivationGoalsGoalsResultsResults
The Problem…The Problem…
Security is one of many concerns that Security is one of many concerns that influence the development of an influence the development of an Enterprise Information SystemEnterprise Information System– Access Control is a security sub-concernAccess Control is a security sub-concern
Access Control cannot be easily Access Control cannot be easily localized.localized.
The implementation of the Security The implementation of the Security concern must be precise and consistentconcern must be precise and consistent– Implementation of a Access Control PolicyImplementation of a Access Control Policy
GoalsGoals
Use Aspect-Oriented Software Use Aspect-Oriented Software Development (AOSD) to separate Development (AOSD) to separate the Access Control sub-concern in the Access Control sub-concern in an enterprise applicationan enterprise application
Create a reusable framework to Create a reusable framework to build a reference monitor build a reference monitor
Implement a Scenario Based Implement a Scenario Based Access Control model (SBAC)Access Control model (SBAC)
ResultsResults
Primary functionality and Access Primary functionality and Access Control were separatedControl were separated
Reusable reference monitor Reusable reference monitor framework createdframework created
SBAC model implementedSBAC model implemented Two J2EE validation exercisesTwo J2EE validation exercises Polydecompositional ArchitecturePolydecompositional Architecture
Background Background InformationInformation
Aspect Oriented Software Design Aspect Oriented Software Design (AOSD)(AOSD)Reference MonitorReference MonitorScenario Based Access Control Scenario Based Access Control (SBAC)(SBAC)
What is AOSD?What is AOSD?
Aspect-Oriented software Development Aspect-Oriented software Development (AOSD) aims at addressing (AOSD) aims at addressing crosscutting concerns by providing crosscutting concerns by providing means for their systematic means for their systematic identificationidentification, , separationseparation, , representationrepresentation and and compositioncomposition..
-Awais Rashid-Awais Rashid
Cross-cutting ConcernsCross-cutting Concerns
Source: AspectJ Website and Gregor Kiczales
Some Benefits of AOSDSome Benefits of AOSD
Better separation of concernsBetter separation of concerns More adaptable and easier to More adaptable and easier to
reuse reuse Simpler System evolution:Simpler System evolution: Programmer specialization Programmer specialization
through application transparencythrough application transparency
Source: Elrad and Coady
Reference MonitorReference Monitor
Security AbstractionSecurity Abstraction Originally conceived as a part of a Originally conceived as a part of a
security kernel and implemented security kernel and implemented with a combination of hardware with a combination of hardware and software.and software.
Reference Reference MonitorMonitor
SubjectsReference
Monitor(policy)
Objects
Audit File
AccessControl
DatabaseSource: Morrie Gasser, Source: Morrie Gasser, Building a Secure Building a Secure Computer System, 1988Computer System, 1988
Reference MonitorReference Monitor
An ideal Reference Monitor satisfies these 3 An ideal Reference Monitor satisfies these 3 Requirements:Requirements:– Completeness:Completeness: It must be impossible to It must be impossible to
bypassbypass– Isolation:Isolation: It must be tamperproof It must be tamperproof– Verifiability:Verifiability: It must be shown to be It must be shown to be
properly implementedproperly implemented
Scenario Based Access Scenario Based Access Control (SBAC)Control (SBAC) Set of scripted scenariosSet of scripted scenarios Mimics the workflow of an Mimics the workflow of an
enterprise environmententerprise environment Based on the observability of Based on the observability of
Objects and their ability to pass Objects and their ability to pass messages to each othermessages to each other
SBAC (continued)SBAC (continued)
Permissions rise and fall Permissions rise and fall according the flow of the scenarioaccording the flow of the scenario
In following a Scenario, the model In following a Scenario, the model is deterministic and can satisfy a is deterministic and can satisfy a Safety Analysis Safety Analysis
The AOSD Reference The AOSD Reference Monitor DesignMonitor Design
Client
Web
Business Logic
Database
J2EEApplication
PermissionTable
Permissions
Scenarios
Aspect
Reference Monitor
Reference Monitor Reference Monitor DesignDesign
permissionList
:Hashtable
modeled as
class
Scenario
which creates
object
SBACPermission
stored in
aspect
ReferenceMonitor
object
PermissionTable
object
Drafter
object
Cheque
Join Point
object
SBACPermission
which creates
used to find a corresponding permission in
SBAC Formal Model SBAC Reference Monitor
calls
Intercepted by
drafter : DrafterClass
cheque : Cheque
setAmount()
Scenario Ordering: <SEQ>PARAIN: drafter:DrafterClass cheque:Cheque
workflowspecification
Method MatrixMethod Matrix
Needed a rigorous methodology Needed a rigorous methodology for determining allocation of for determining allocation of pointcutspointcuts
First validation example had 8 First validation example had 8 cooperating classes = 56 cooperating classes = 56 caller/receiver relationshipscaller/receiver relationships
Defined both dynamic and static Defined both dynamic and static relationships between relationships between participating objectsparticipating objects
ValidationValidation
Cheque Passing applicationCheque Passing applicationCertificate Authority Certificate Authority applicationapplication
The Implementation The Implementation EnvironmentEnvironment Two Examples operating on a Two Examples operating on a
J2EE application server.J2EE application server. Can run on Win32 or *NIX.Can run on Win32 or *NIX. HTML user interface using HTML user interface using
Jakarta-Struts, an MVC Jakarta-Struts, an MVC framework.framework.
The Two The Two ImplementationsImplementations Cheque example: a set of Cheque example: a set of
cooperating objects working cooperating objects working within an EJBwithin an EJB11..– Built for concurrency of actionsBuilt for concurrency of actions– Multiple actors in the scenarioMultiple actors in the scenario
1. EJB: Enterprise Java Bean
Cheque Cheque Passing Passing ExampleExample
payee : Customer
drafter : Employee
1: present bill
theCheque : Cheque
2: draft cheque
theCheque : Cheque
3: verify cheque
4: pass cheque
supervisor : Employee
Permissionsa. write name of payeeb. write amountc. write dated. write Customer #
Permissionsa. read nameb. read amountc. read dated. read Customer #
Permissionsa. read nameb. read amountc. read dated. read Customer #e. write Digital Signature
Permissionsa. read nameb. read amountc. read dated. read Customer #
Permissionsa. read nameb. read amountc. read dated. read Custoumer #
supervisor : Employee
5: attach Digital Signature
6: pass cheque
cashier : Employee
8: verify chequetheCheque : Cheque
9: give money
payee : Customer
Permissionsa. read nameb. read amountc. read dated. read Customer #
7: get Customer identitypayee :
Customer
Permissions
Permissions
Permissions
Permissions
Certificate Authority Certificate Authority ApplicationApplication Second example: a SOAP-based Second example: a SOAP-based
military HQ Certificate Authority military HQ Certificate Authority serverserver– Single ThreadedSingle Threaded– Closer to a real-world Web Services Closer to a real-world Web Services
applicationapplication– Only two actors in the scenario: user Only two actors in the scenario: user
and serverand server Developed from a real-world Developed from a real-world
problem provided by DRDC Ottawa.problem provided by DRDC Ottawa.
StrutsServlets and JSPs
HQManagerSession EJB
Firewall and IPSec device
File SystemStores signed certificates
Entity EJBs
Web BrowserHuman Interface
SAAJ Clients and ServersMachine Interface
SAAJHttp Servlet
DatabaseStores Certificates,
CRLs and client data
Change firewall settings or close connections
IPSec Device checks for certificate validity
HQManager sends out CRLs
Client
Web
EJB
Persistence
J2EE
Architecture
Discussion & Future Discussion & Future WorkWork
Some interesting things I Some interesting things I found along my journeyfound along my journey
Benefits of AOSD - Benefits of AOSD - revisitedrevisited Better separation of concernsBetter separation of concerns More adaptable and easier to More adaptable and easier to
reuse reuse Simpler System evolution:Simpler System evolution: Programmer specialization Programmer specialization
through application transparency through application transparency and obliviousnessand obliviousness
Reference Monitor Reference Monitor RequirementsRequirements CompletenessCompleteness: :
– Intercepts all calls to an object using Intercepts all calls to an object using AspectJ “wildcards”.AspectJ “wildcards”.
IsolationIsolation: : – Application by AspectJ would be Application by AspectJ would be
difficult to subvert by rogue code.difficult to subvert by rogue code. VerifiabilityVerifiability: :
– Uses SBAC, a provably safe Access Uses SBAC, a provably safe Access Control model.Control model.
J2EE
Application
Workflow Model
SBAC Model
SBACFramework
AspectPointcuts &
Advice
DependenciesDependencies
Polydecompositional Polydecompositional ArchitectureArchitecture AOSD permitted simultaneous decomposition AOSD permitted simultaneous decomposition
of two separate architectures:of two separate architectures:– Base FunctionalityBase Functionality– Access Control sub-concernAccess Control sub-concern
Combined at compile timeCombined at compile time
A polydecompositional architecture is a design concept that ensures concern isolation for independent design decomposition before a stage of coalescence to create a software component.
Application Application TransparencyTransparency Implementation allowed for Implementation allowed for
pluggable security at compile time.pluggable security at compile time.– 2 different build files2 different build files– Reference monitor framework could be Reference monitor framework could be
easily rebuilt to allow for run-time easily rebuilt to allow for run-time switching.switching.
Business logic was almost Business logic was almost completely oblivious of security completely oblivious of security concernconcern
AOSDAOSD
Limitations of AOSDLimitations of AOSD– AspectJ is a static implementationAspectJ is a static implementation– Slower run-time implementation; Slower run-time implementation;
typical AspectJ overhead is between typical AspectJ overhead is between 22% and 2900% 22% and 2900%
AspectJ was useful for AspectJ was useful for unobtrusive bug tracking and unobtrusive bug tracking and testing with JUnit.testing with JUnit.
SBACSBAC
Working dynamic SBAC reference monitor Working dynamic SBAC reference monitor that can satisfy a safety questionthat can satisfy a safety question
SBAC Doesn’t work for everything, like SBAC Doesn’t work for everything, like some J2EE features that require some J2EE features that require polymorphism.polymorphism.
Building the security model can take time Building the security model can take time depending on the workflow depending on the workflow representationrepresentation
Policy implementation can be fragile – if Policy implementation can be fragile – if workflow changes, then the scenarios workflow changes, then the scenarios have to be rewritten.have to be rewritten.
Method Matrix MethodologyMethod Matrix Methodology
Security Engineer
Programmer
Security Policy Functional Requirements
Workflow
SBACScenarios
Pointcut Definitions&
Compiler Errors
uses
creates
uses
uses
creates
supervisor : SupervisorClass
: S_ValidityDecision
registry : ChequeRegistry
getNextChequeData( )
Scenario Ordering: <SEQ>PARAIN: supervisor:SupervisorClass registry:ChequeRegistry DEFPARA:
<<scenario>> validityDecision
S_ValidityDecision(DrafterClass, SupervisorClass, ChequeRegistry, ComplexScenario)
getChequeData(int)
ClassesClasses ChequeCheque MailerMailer SuperviSupervisorsor
MachinMachinee
ChequeCheque MM MM
MailerMailer CMCM MM
MachinMachinee
MM MM
produces
produces
Is checkedagainst
pointcut callChequeRegistry():call(* ChequeRegistry.*(..)) &&
(within(DrafterClass)|| within(SupervisorClass)|| within(ChequeMailingMachine));pointcut callSupervisorClass():
call(* SupervisorClass.*(..)) && within(ChequeRegistry);pointcut callDrafterClass():
call(* DrafterClass.*(..)) && (within(ChequeRegistry)||
within(SupervisorClass));pointcut callChequeMailingMachine():
call(* ChequeMailingMachine.*(..)) && (within(SupervisorClass));
pointcut callChequeSignature():call(* ChequeSignature.*(..)) &&
within(SupervisorClass);pointcut callEnvelope():
call(* Envelope.*(..)) && within(ChequeMailingMachine);pointcut callStampRepository():
call(* StampRepository.*(..)) && within(ChequeMailingMachine);
MethodMatrix
Future WorkFuture Work
Use a dynamic AOSD technology such as Use a dynamic AOSD technology such as AspectWerkz or JBoss-AOPAspectWerkz or JBoss-AOP–Clean up some of the pointcuts–Clean up some of the pointcuts–Integrate with the J2EE server software–Integrate with the J2EE server software
Automate generation of scenarios from Automate generation of scenarios from Rational Rose (or other UML/MSC tool)Rational Rose (or other UML/MSC tool)
Refine the SBAC frameworkRefine the SBAC framework–Performance–Performance–Make the framework more opaque–Make the framework more opaque
Implementation in a COTS environment where Implementation in a COTS environment where components aren’t fully trustedcomponents aren’t fully trusted
SummarySummary
AOSD modularizes cross-cutting AOSD modularizes cross-cutting concernsconcerns
Created Reference monitor using Created Reference monitor using AspectJ that was completely AspectJ that was completely modularmodular
Dynamic Implementation of SBAC Dynamic Implementation of SBAC using AOSD and AspectJusing AOSD and AspectJ
QuestionsQuestions
??
AOSD TechnologiesAOSD Technologies
5 Implementations:5 Implementations:– Multidimensional Separation of Multidimensional Separation of
ConcernsConcerns– Traversal SpecificationsTraversal Specifications– Composition FiltersComposition Filters– Class IntroductionClass Introduction– Join Point InterceptionJoin Point Interception
AspectJ
Join Point InterceptionJoin Point Interception
A family of languages based on a A family of languages based on a GPLGPL– AspectJ, AspectWerkz, JBoss-AOP AspectJ, AspectWerkz, JBoss-AOP
(Java)(Java)– AspectC++ (C++)AspectC++ (C++)– Pythius (Python)Pythius (Python)– Others based on: Squeak/Smalltalk, Others based on: Squeak/Smalltalk,
XML, C#/.net, Perl, Ruby, UML…XML, C#/.net, Perl, Ruby, UML…
Join PointsJoin Points
Foo Bar
public void setx(int a) {..}
Bar.setx(5)
Join Point
PointcutsPointcuts
Named collections of Join Points that have Named collections of Join Points that have something in commonsomething in common
AspectJ has its own language for AspectJ has its own language for describing pointcutsdescribing pointcuts
Can also describe events in the context of Can also describe events in the context of other pointcutsother pointcuts
Example:Example:– All the calls to the String classAll the calls to the String class– All the calls to a particular All the calls to a particular
module/package/library that return a Foobar module/package/library that return a Foobar ObjectObject
AdviceAdvice
This is the base-language code This is the base-language code that has been attached to a that has been attached to a particular pointcut or set of particular pointcut or set of pointcutspointcuts
3 types:3 types:– BeforeBefore– AfterAfter– AroundAround
Class Introduction in Class Introduction in AspectJAspectJ
Given:Given:public class Cheque{public class Cheque{
private int value;}private int value;}
……and in another module…and in another module…public aspect ModifiedCheque{public aspect ModifiedCheque{
public int Cheque.getValue()public int Cheque.getValue(){{
return value;}return value;}}}
AspectsAspects
Modular entity that consisting of Modular entity that consisting of pointcuts and advice.pointcuts and advice.
This is a module in and of itself This is a module in and of itself that can have its own attributes that can have its own attributes and proprietary methods.and proprietary methods.
There are also abstract Aspects There are also abstract Aspects which can be inherited from.which can be inherited from.
Sample AspectSample Aspectimport business.cheque;
public aspect chequeLogger{
pointcut callChequeSetters(Cheque cheque):
call(public * Cheque.set*(..))&& target(cheque);
before(): callAllSetters(Cheque cheque){
System.out.println(“Calling set method on cheque” + cheque.toString());}
}//end testAspect
pointcut
advice
wildcards
Class IntroductionClass Introduction
Allows the addition of methods, Allows the addition of methods, attributes and interfaces to an attributes and interfaces to an existing class without subclassing existing class without subclassing or editing existing codeor editing existing code
Violates traditional encapsulation Violates traditional encapsulation methodsmethods
Compiler Warnings & Compiler Warnings & ErrorsErrors
AspectJ pointcuts can be used to generate AspectJ pointcuts can be used to generate compiler errors and warningscompiler errors and warnings
Example:Example:– only ChequeRegistry can access a Cheque Objectonly ChequeRegistry can access a Cheque Object
pointcutpointcut chequeCalls(): chequeCalls():callcall((publicpublic * Cheque.*(..))&& * Cheque.*(..))&&
!!withinwithin(ChequeRegistry); (ChequeRegistry);
declare error: chequeCalls():declare error: chequeCalls():““Security Error: This is a static method access Security Error: This is a static method access violation";violation";
AOSD AOSD (continued)(continued)
Use of Interface IntroductionUse of Interface Introduction– Used pointcuts and method introduction to Used pointcuts and method introduction to
obtain context of some user interface obtain context of some user interface method calls.method calls.
//serverStatus scenariopublic void HQManager.SserverStatus(){}public abstract void HQLocal.SserverStatus();pointcut SserverStatus(HQServerStatusForm form):execution(public HashMap HQServerStatusForm.getStatus())&&
this(form);
before(HQServerStatusForm form): SserverStatus(form){form.hqLocal.SserverStatus();
}
Join point limitationsJoin point limitations
public void setX(int x);public void setX(int x);
Produces the same join point (and Produces the same join point (and permission) as:permission) as:
public void setX(Integer x);public void setX(Integer x);
This reduces the obliviousness of This reduces the obliviousness of the security implementation.the security implementation.
Security Policy Security Policy ImplementationImplementation
Resultant policy is a Resultant policy is a set of Message set of Message Sequence ChartsSequence Charts
I used both high-I used both high-level and low-level level and low-level MSCsMSCs
supervisor : SupervisorClass
: S_ValidityDecision
registry : ChequeRegistry
getNextChequeData( )
Scenario Ordering: <SEQ>PARAIN: supervisor:SupervisorClass registry:ChequeRegistry DEFPARA:
<<scenario>> validityDecision
S_ValidityDecision(DrafterClass, SupervisorClass, ChequeRegistry, ComplexScenario)
getChequeData(int)
NewTask<<OR>>
CreateCheque<<SEQ>>
CompareInfo<<SEQ>>
MailCheque<<SEQ>>
RejectCheque<<SEQ>>
ReturnCheque<<SEQ>>
ValidateCheque<<SEQ>>
EnvironmentInit<<SEQ>>
ValidityDecision<<OR>>
PrintCheques<<SEQ>>
EditCheque<<SEQ>>
DrafterTasks<<OR>>
PrintDecision<<OR>>
EnvelopeOutput<<AND>>
GetStamp<<SEQ>>
GetAddress<<SEQ>>
PrintChequeData
<<SEQ>>
Method MatrixMethod MatrixFirst Example – Cheque ScenarioFirst Example – Cheque Scenario
Caller\Receiver DrafterClass SupervisorClass Cheque
Cheque Mailing Machine
ChequeRegistry ChequeSignature
Envelope
StampRepository
DrafterClass M
SupervisorClass M M M CM
Cheque
ChequeMailingMachine M CM M
ChequeRegistry M M MC M
ChequeSignature
Envelope
StampRepository
M = Method pointcut
C = Constructor pointcut
Bold text indicates actor class
Method Matrix (continued)Method Matrix (continued)DrafterClass Permitted
SupervisorClass Permitted
ChequeMailingMachine Permitted
createCheque(ChequeData) any
getNextChequeData() any
processCheques() any
nextEditCheque() any
attachSignature(int) any addCheque(int) SupervisorClass
removeNextEdit()
SupervisorClass
rejectClaim() any
editCheque(int)SupervisorClass
editChequeToEdit(int) any
editUpdate(ChequeData) any
addCheque(int)
ChequeRegistry
getTasks() getTasks() getTasks()
getNextInvoice()
getChequeMailer() getStamper()
addInvoice(OcrDocument)
SendChequeToPostOffce()
getInvoiceList() getRegistry()
getSupervisor()
isChequesToEdit()
setChequesToEdit(boolean)
public privileged aspect A_ChequeScenarioMonitor {Scenario upperScenario;PermissionTable permissionTable;DrafterClass drafter;SupervisorClass supervisor;ChequeMailingMachine mailer;ChequeRegistry registry;PrimitiveScenario scenario;
/** * This ReferenceMonitor has been designed for the ChequeContainerClass environment. If this is * to be used again in another system then the class that provides the seeds for the scenarios would * have to be changed. * @precondition The container class is of type ChequeContainerClass */public A_ChequeScenarioMonitor(){}
/** * This pointcut is used to determine the top-level scenario transition */pointcut startScenario(): execution(public void ChequeBeanLogic.ejbCreate());//these are the combined (Inner and Agent)class pointcutspointcut callChequeRegistry():call(* ChequeRegistry.*(..)) && (within(DrafterClass)||within(SupervisorClass)||within(ChequeMailingMachine));pointcut callSupervisorClass():call(* SupervisorClass.*(..)) && within(ChequeRegistry);pointcut callDrafterClass():call(* DrafterClass.*(..)) && (within(ChequeRegistry)||within(SupervisorClass));pointcut callChequeMailingMachine():call(* ChequeMailingMachine.*(..)) && (within(SupervisorClass));pointcut callChequeSignature():call(* ChequeSignature.*(..)) && within(SupervisorClass);pointcut callEnvelope():call(* Envelope.*(..))&&within(ChequeMailingMachine);pointcut callStampRepository():call(* StampRepository.*(..))&&within(ChequeMailingMachine);
pointcut scenarioCallPC(): // group all the call Pointcuts togethercallDrafterClass() || callSupervisorClass() || callChequeRegistry()||callChequeMailingMachine()||callChequeSignature()||callEnvelope()||callStampRepository();
// Constructor Pointcutspointcut constructorCalls():call(public ChequeSignature.new(business.SupervisorClass)) && within(SupervisorClass)||call(public Envelope.new()) && within(ChequeMailingMachine);
//Agent class pointcutspointcut agentDrafterClass():execution( public int DrafterClass.createCheque(ChequeData)) ||execution( public ChequeData DrafterClass.nextEditCheque());pointcut agentSupervisorClass():execution(public ChequeData SupervisorClass.getNextChequeData())||execution(public void SupervisorClass.attachSignature(int))||execution(public void SupervisorClass.rejectClaim())||execution(public void editChequeToEdit(int))||execution(public void editUpdate(ChequeData));pointcut agentChequeMailingMachine():execution(public StringBuffer ChequeMailingMachine.processCheques())||execution(private StringBuffer ChequeMailingMachine.printCheque(ChequeData, Envelope))||execution( private void ChequeMailingMachine.getStamp(ChequeData, Envelope))||execution( private void ChequeMailingMachine.getAddress(ChequeData, Envelope));
pointcut scenarioAgentPC():agentDrafterClass() || agentSupervisorClass()||agentChequeMailingMachine()||constructorCalls();
/** *This advice is a supplemental to the constructor to this aspect. It identifies * the ChequeBeanLogic instance and gets the 3 classes that are needed to * seed the first scenario: * The Drafter * The Supervisor * The Cheque Mailing Machine */ after() :startScenario(){JoinPoint jpoint = thisJoinPoint;drafter = ((ChequeBeanLogic)jpoint.getTarget()).getDrafter();supervisor = ((ChequeBeanLogic)jpoint.getTarget()).getSupervisor();mailer = ((ChequeBeanLogic)jpoint.getTarget()).getMailer();registry = ((ChequeBeanLogic)jpoint.getTarget()).getChequeRegistry();
//create a new permissionTable and seed it up with the first scenario.upperScenario = new S_NewTask(drafter, supervisor, registry, null);permissionTable= new PermissionTable(upperScenario);}//end around startScenario and secondary constructor/scenario seeder
before(): scenarioCallPC() || scenarioAgentPC() {scenario =permissionTable.permit(thisJoinPoint);if (scenario == null) {StringBuffer errorMsg = new StringBuffer("permissiondenied");errorMsg.append(thisJoinPoint.toString());System.out.println("error: " + errorMsg);throw new RuntimeException(errorMsg.toString());}}//end before scenario calls()//set the recently created object to a reference in the scenario that was used.
after() returning(Object object) : constructorCalls() {if (scenario != null) {
scenario.setNewObject(object);} }
//Compiler Errorspointcut constructorError():call(public business.*.new(..)) && !constructorCalls() && //discard the constructors that are part of scenarios, they're already covered//these are the exceptions to the rule!within(ejb.*)&& //ejb needs to create seeder classes!(call( public Cheque.new(..)) && within(ChequeRegistry)) && // only ChequeRegistry can make new Cheque objects!(call(public ChequeData.new(..)))&& //anybody can create a ChequeData object!(call(public ChequeSignature.new(..)) && within(Cheque)); // Cheque needs to create a signature
declare error : constructorError():"Security Violation, constructor not permitted";}//end aspect A_ChequeScenarioMonitor
Code Generated fromthe Method Matrix
Reference Monitor Aspect Reference Monitor Aspect CodeCodeSecond Example – Military Certificate Authority ServerSecond Example – Military Certificate Authority Serverpublic privileged aspect AHQManagerMonitor {
pointcut initializationCalls():execution(public void HQForm.new());
pointcut otherCalls():execution(public SessionContext HQManager.getCtx())||//this is needed by the scenariosexecution(public * HQManager.requestCertificate(..))||//container manages the security to this method as it is
used by SAAJexecution(public * HQManager.permit(..));//eliminate recursion...
pointcut managerintercept(HQManager manager):execution(public * HQManager.*(..)) && this(manager)&&
!cflow(initializationCalls())&&!otherCalls();
before(HQManager manager): managerintercept(manager){Scenario scenario = manager.permit(thisJoinPoint);//check for validityif (scenario == null) {//if null, then permission denied – throw exception
StringBuffer errorMsg = new StringBuffer("permissiondenied");errorMsg.append(thisJoinPoint.toString());System.out.println("error: " + errorMsg);throw new RuntimeException(errorMsg.toString());}}
J2EEJ2EE
Not the easiest Not the easiest technology/specification to work with.technology/specification to work with.
Multiple stubs and interfaces made it Multiple stubs and interfaces made it difficult to implement SBAC and weave difficult to implement SBAC and weave the reference monitor code.the reference monitor code.
I was able to use some of the native I was able to use some of the native security features which saved some security features which saved some time and efforttime and effort
Takes a bit of time to set up a J2EE Takes a bit of time to set up a J2EE application server and databaseapplication server and database
ScenarioSEQ
getPermission()toString()getNextPermission()ScenarioSEQ()
(from scenario)
ConstructorPrimitive
getPermission()ConstructorPrimitive()checkScenarioObject()
(from prim itive)MethodPrimitive
MethodPrimitive()getPermission()checkScenarioObject()
(from prim itive)
ScenarioOR
permissionRef : ArrayList
getPermission()getNextPermission()ScenarioOR()orSelected()
(from scenario)
S_CreateCheque
numChildren : int = 5
toString()initializeScenario()S_CreateCheque()
(from creating)
S_NewTask
toString()initializeScenario()S_NewTask()
(from chequeScenario)
Orthogonal Design Orthogonal Design RequirementsRequirements
Superimposition of Multiple Superimposition of Multiple Abstraction ModelsAbstraction Models
Multidimensional Multidimensional DecompositionDecomposition
Tyranny of Tyranny of DecompositionDecomposition “…“…the tyranny of the dominant the tyranny of the dominant
decomposition is the single most decomposition is the single most significant cause of the failure, to significant cause of the failure, to date, to achieve many of the date, to achieve many of the expected benefits of separation of expected benefits of separation of concerns.”concerns.”
Ossher and TarrOssher and Tarr
-HyperJ User Manual, 2001-HyperJ User Manual, 2001
Principle of Principle of ObliviousnessObliviousness
The Principle of Obliviousness allows The Principle of Obliviousness allows programmers to make quantified programmers to make quantified programmatic assertions over programmatic assertions over programs written by programmer programs written by programmer oblivious to such assertions.oblivious to such assertions.
Filman & FriedmanFilman & Friedman
““AOP is Quantification and AOP is Quantification and Obliviousness”Obliviousness”
Cross-cutting ConcernsCross-cutting Concerns
A concern that cuts across the A concern that cuts across the modularity of a software system.modularity of a software system.
Symptoms include Symptoms include – ScatteringScattering: Code related to a single : Code related to a single
concern is spread across several concern is spread across several modulesmodules
– TanglingTangling: Code unrelated to the : Code unrelated to the primary concern of a module is mixed in.primary concern of a module is mixed in.
– Interface Pollution: Interface Pollution: The interface The interface requirements of several clients are requirements of several clients are combined into a single interface for a combined into a single interface for a module.module.
Some Benefits of AOSDSome Benefits of AOSD
Better separation of concernsBetter separation of concerns– Increased ComprehensibilityIncreased Comprehensibility– Source code reductionSource code reduction– Decomposition of modules previously considered Decomposition of modules previously considered
monolithicmonolithic More adaptable and easier to reuse More adaptable and easier to reuse Simpler System evolution:Simpler System evolution:
– The increased modularity of AOSD systems mean The increased modularity of AOSD systems mean that fewer modules are affected when another that fewer modules are affected when another module is altered.module is altered.
Programmer specialization through Programmer specialization through application transparencyapplication transparency– Some concerns, such as security, can be better Some concerns, such as security, can be better
implementedimplemented
Source: Elrad and Coady
SBAC uses ObjectsSBAC uses ObjectsSuper Secure Software Inc.15 Enterprise BlvdToronto, ON
Make payable to:
Date:
Amount:
Memo: Signed
Cheque Number
Signature (Digital)
PayeeDate
Amount
Permission TablePermission Table
Hashtable that contains a collection of Hashtable that contains a collection of permissionspermissions
Each permission hash value based on:Each permission hash value based on:– Caller Object instance hashCaller Object instance hash– Receiver object instance hashReceiver object instance hash– Method nameMethod name– Parameter typesParameter types
Match permission hash to equivalent Match permission hash to equivalent join point hashjoin point hash