Aspects with Program Analysis for Security Policies

Enforcing security policies on IT systems, especially on mobile distributed systems, is challenging. As society becomes more IT-savvy, expectations about security and privacy evolve, and regulation usually follows in the form of standards and legislation. A small change to a security requirement can then force substantial changes to many modules of a large mobile distributed system: security is a crosscutting concern that spreads across business modules and is difficult to integrate in a modular way.

This dissertation explores principles for adding demanding security policies to existing systems with flexibility and modularity. The policies considered cover both classical access control and explicit information flow policies. Our solution combines aspect-oriented programming with static program analysis. The former separates security concerns from the main logic and so improves system modularity; the latter analyses system behaviour and so helps detect software bugs or potentially malicious code.

We present AspectKE, an aspect-oriented extension of the process calculus KLAIM, which is well suited to modelling mobile, distributed systems. A novel feature of our approach is that advice can analyse the future use of data, which is achieved with program analysis techniques. We also present AspectK to explore other possible aspect-oriented extensions of KLAIM, followed by a discussion of open join points, which commonly exist in coordination languages such as KLAIM. Based on the ideas of AspectKE, we design and implement a proof-of-concept programming language, AspectKE*, which lets programmers specify analysis-based security policies with the help of high-level program analysis predicates and functions. The prototype is realised efficiently by a two-stage implementation strategy and a static-dynamic dual value evaluation mechanism.

We have performed two case studies to evaluate the programming model and language design: an electronic health care workflow system and a distributed chat system. For both we considered a number of security policies covering primary and secondary use of data, classical access control, and predictive access control, that is, controlling access based on the future behaviour of a program. Some of these policies can only be enforced by analysing process continuations.

Most of the work behind this dissertation has been carried out independently and I take full responsibility for its contents. During the three-year study, …
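The following is an added example, not code from the dissertation or from AspectKE*, illustrating the idea of analysis-based (predictive) access control described above. Processes are lists of KLAIM-style actions on tuple spaces at named localities (read, out, eval, plus a toy "let" for deriving values); the action syntax, the locality names, the role set and the sample processes are all my own constructions. An advice that guards reads on a protected locality first applies classical role-based access control and then runs a small forward taint analysis over the process continuation, denying the read if data derived from it would later be written to an untrusted locality.

```python
# Added example (not from the dissertation): toy model of an advice that
# decides a read based on static analysis of the process continuation.
from typing import List, Set, Tuple

# Constructed toy action syntax (a subset inspired by KLAIM primitives):
#   ("read", var, loc)   bind var to a tuple read non-destructively at loc
#   ("let", dst, src)    derive dst from src (taint is copied)
#   ("out", var, loc)    write var to the tuple space at loc
#   ("eval", body, loc)  spawn the action list body at locality loc
Action = Tuple

PROTECTED_LOC = "hospital_db"                   # locality guarded by the advice (assumed)
TRUSTED_LOCS = {"hospital_db", "ward_display"}  # where patient data may flow (assumed)
ALLOWED_ROLES = {"doctor", "nurse"}             # classical access control (assumed)


def tainted_sinks(cont: List[Action], tainted: Set[str]) -> Set[str]:
    """Forward taint analysis over a continuation.

    Returns the set of localities that receive data derived from any variable
    in `tainted`. Over-approximates: a spawned body is analysed as if it ran
    to completion and every derivation counts as a full copy. A rebinding of a
    variable by a fresh read or a clean derivation clears its taint.
    """
    tainted = set(tainted)
    sinks: Set[str] = set()
    for act in cont:
        op = act[0]
        if op == "let":
            _, dst, src = act
            if src in tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)
        elif op == "out":
            _, var, loc = act
            if var in tainted:
                sinks.add(loc)
        elif op == "eval":
            _, body, _loc = act
            sinks |= tainted_sinks(body, tainted)
        elif op == "read":
            _, var, _loc = act
            tainted.discard(var)
    return sinks


def advise_read(role: str, var: str, continuation: List[Action]) -> Tuple[bool, str]:
    """Advice woven before a read on PROTECTED_LOC: classical AC, then predictive AC."""
    if role not in ALLOWED_ROLES:
        return False, f"role {role!r} may not read {PROTECTED_LOC}"
    leaks = tainted_sinks(continuation, {var}) - TRUSTED_LOCS
    if leaks:
        return False, f"continuation would send data derived from {var!r} to {sorted(leaks)}"
    return True, "allowed"


def check_process(role: str, actions: List[Action]) -> Tuple[bool, str]:
    """Apply the advice at every read on the protected locality (first denial wins).

    The continuation of a read is the rest of the action list it belongs to;
    bodies spawned with eval are checked in the same way.
    """
    for i, act in enumerate(actions):
        if act[0] == "read" and act[2] == PROTECTED_LOC:
            ok, reason = advise_read(role, act[1], actions[i + 1:])
            if not ok:
                return False, reason
        elif act[0] == "eval":
            ok, reason = check_process(role, act[1])
            if not ok:
                return False, reason
    return True, "allowed"


# Constructed sample processes.
LEGIT = [("read", "rec", "hospital_db"),
         ("let", "summary", "rec"),
         ("out", "summary", "ward_display")]          # primary use: allowed
LEAK = [("read", "rec", "hospital_db"),
        ("eval", [("out", "rec", "insurer")], "insurer")]  # spawned leak: denied
SECONDARY = [("read", "rec", "hospital_db"),
             ("let", "stats", "rec"),
             ("out", "stats", "research_db")]          # secondary use: denied

if __name__ == "__main__":
    for role, proc in [("doctor", LEGIT), ("doctor", LEAK), ("doctor", SECONDARY), ("clerk", LEGIT)]:
        print(role, check_process(role, proc))
```

The point of the example is the shape of the decision, not the toy analysis: the advice cannot decide the read by looking at the read alone, because the same read is acceptable in LEGIT and unacceptable in LEAK and SECONDARY; only the continuation distinguishes them. A real deployment would replace the straight-line taint walk with a sound analysis of the calculus (branching, recursion, concurrent evals) and would treat any locality not explicitly trusted as a sink.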