A PEP-PDP Architecture to Monitor and Enforce Security Policies in Java Applications

Security of Java-based applications is crucial to many businesses today. In this paper, we propose an approach to completely automate the generation of a security architecture inside of a target Java application where advanced security policies can be enforced. Our approach combines the use of Aspect-Oriented Programming with the Policy Enforcement Point (PEP) - Policy Decision Point (PDP) paradigm and allows the runtime update of policies.

[1]  Kevin W. Hamlen,et al.  Aspect-oriented in-lined reference monitors , 2008, PLAS '08.

[2]  Rupak Majumdar,et al.  Tools and Algorithms for the Construction and Analysis of Systems , 1997, Lecture Notes in Computer Science.

[3]  Lujo Bauer,et al.  Composing security policies with polymer , 2005, PLDI '05.

[4]  Lynn A. Karoly,et al.  Health Insurance Portability and Accountability Act of 1996 (HIPAA) Administrative Simplification , 2010, Practice Management Consultant.

[5]  Ramnivas Laddad,et al.  AspectJ in Action: Enterprise AOP with Spring Applications , 2009 .

[6]  Fred B. Schneider,et al.  Enforceable security policies , 2000, TSEC.

[7]  Úlfar Erlingsson,et al.  IRM enforcement of Java stack inspection , 2000, Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000.

[8]  Nora Cuppens-Boulahia,et al.  High Level Conflict Management Strategies in Advanced Access Control Models , 2007, ICS@SYNASC.

[9]  Gregor Kiczales,et al.  Aspect-oriented programming , 2001, ESEC/FSE-9.

[10]  Úlfar Erlingsson,et al.  SASI enforcement of security policies: a retrospective , 1999, NSPW '99.

[11]  Frédéric Cuppens,et al.  Organization based access control , 2003, Proceedings POLICY 2003. IEEE 4th International Workshop on Policies for Distributed Systems and Networks.

[12]  Cristina V. Lopes,et al.  Aspect-oriented programming , 1999, ECOOP Workshops.

[13]  Jaehong Park,et al.  The UCONABC usage control model , 2004, TSEC.

[14]  SandhuRavi,et al.  The UCONABC usage control model , 2004 .

[15]  Nora Cuppens-Boulahia,et al.  Formal enforcement and management of obligation policies , 2012, Data Knowl. Eng..

[16]  Nora Cuppens-Boulahia,et al.  A delegation model for extended RBAC , 2010, International Journal of Information Security.

[17]  Claude Kirchner,et al.  Weaving rewrite-based access control policies , 2007, FMSE '07.

[18]  Nora Cuppens-Boulahia,et al.  Modeling contextual security policies , 2008, International Journal of Information Security.

[19]  Claude Kirchner,et al.  Modular Access Control Via Strategic Rewriting , 2007, ESORICS.

[20]  Ravi S. Sandhu,et al.  Role-Based Access Control Models , 1996, Computer.

[21]  Kevin W. Hamlen,et al.  Enforcing IRM security policies: Two case studies , 2009, 2009 IEEE International Conference on Intelligence and Security Informatics.

[22]  Lujo Bauer,et al.  Enforcing Non-safety Security Policies with Program Monitors , 2005, ESORICS.

[23]  Grigore Rosu,et al.  Java-MOP: A Monitoring Oriented Programming Environment for Java , 2005, TACAS.

[24]  Grigore Rosu,et al.  Security-policy monitoring and enforcement with JavaMOP , 2012, PLAS '12.

[25]  Yves Le Traon,et al.  Model-Based Tests for Access Control Policies , 2008, 2008 1st International Conference on Software Testing, Verification, and Validation.

[26]  Patrick Lam,et al.  Role-based access control (RBAC) in Java via proxy objects using annotations , 2010, SACMAT '10.