Multilevel Security with AspectJ
Roshan Ramachandran, David J. Pearce and Ian Welch
Victoria University of Wellington, New Zealand
COMP205 Software Design and Engineering
What is MLS?
• Multilevel Security (Bell-LaPadula):
  – Three roles: object, subject and reference monitor
  – Two rules:
    • No Read Up (NRU) – Subject cannot read an object with higher classification
    • No Write Down (NWD) – Subject cannot write an object with lower classification
  – Reference monitor checks the NRU and NWD rules
    • Called on each read/write of an object
MLS & OOP
• Object-Oriented MLS implementation:
  – Clearances & classifications embedded in objects & subjects
  – Calls to reference monitor are manual
  – E.g. (theUser is the subject, filePath the object):

        if(!securitySource.canDownload(theUser, filePath)) {
            out.print(permissionDeniedMessage);
            return true;
        }

  – Security code clearly a cross-cutting concern!
  – Can we implement security as an Aspect?
MLS & OOP
• Object-Oriented MLS implementation:
  – Relies on programmer to identify all reads/writes
    • If just one is missed, security is compromised
  – Code is tangled and, hence, less readable
• Aspect-Oriented MLS implementation:
  – Quantification provides stronger security
  – Code is not tangled and, hence, more readable
What we did
• Problem
  – Can AspectJ provide these benefits?
  – Can we reuse such Aspects?
• Our Approach
  – Two case studies considered
    • One artificial, one real-world
  – AspectJ implementations developed
  – Insights and observations extracted!
Case Study #1 – Payroll System
• Payroll System
  – SUBJECTS: User Threads
    • Normal employees have low clearance
    • Managers have high clearance
  – OBJECTS: Employee, WorkInfo and PayInfo
    • Employee instances have “low” classification
    • WorkInfo and PayInfo instances have “high” classification
[Class diagram: Employee (name, phone, office) associated 1-to-1 with WorkInfo and with PayInfo; UserThread extends Thread]
abstract aspect BLPPolicy {
    protected interface SUBJECT { }
    protected interface OBJECT { }

    abstract pointcut read(OBJECT o);
    abstract pointcut write(OBJECT o);

    // NRU: a subject may not read an object classified above its clearance
    before(OBJECT o) : read(o) &&
        if(Thread.currentThread() instanceof SUBJECT) {
        int oc = classification(o);
        int sc = clearance((SUBJECT) Thread.currentThread());
        if(sc < oc) throw new SecurityException();
    }

    // NWD: a subject may not write an object classified below its clearance
    before(OBJECT o) : write(o) &&
        if(Thread.currentThread() instanceof SUBJECT) {
        int oc = classification(o);
        int sc = clearance((SUBJECT) Thread.currentThread());
        if(sc > oc) throw new SecurityException();
    }

    abstract int clearance(SUBJECT s);
    abstract int classification(OBJECT o);
}
Payroll Policy
aspect PayrollPolicy extends BLPPolicy {
    // bind the case study's classes to the abstract roles
    declare parents : UserThread implements SUBJECT;
    declare parents : WorkInfo implements OBJECT;
    declare parents : PayInfo implements OBJECT;
    declare parents : Employee implements OBJECT;

    // every field get/set on an OBJECT counts as a read/write of that object
    pointcut read(OBJECT o) : target(o) && get(* *.*);
    pointcut write(OBJECT o) : target(o) && set(* *.*);

    int clearance(SUBJECT s) { … }
    int classification(OBJECT o) { … }
}
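The payroll policy above, as an added Python example (not the slides' AspectJ code): the get(* *.*)/set(* *.*) interception is modelled with __getattribute__/__setattr__, the subject is the running thread as with Thread.currentThread(), and a thread that is not a SUBJECT is left unchecked, matching the if() guard. The class bodies, clearance values and the run_as helper are constructed for the example.

```python
import threading

LOW, HIGH = 0, 1   # constructed clearance/classification levels
class UserThread(threading.Thread):
    """SUBJECT: the thread carries its user's clearance (modelled on the slide's UserThread)."""
    def __init__(self, clearance, target):
        super().__init__(target=target)
        self.clearance = clearance
def current_clearance():
    """Clearance of the running thread, or None if it is not a SUBJECT (the if() guard in BLPPolicy)."""
    t = threading.current_thread()
    return t.clearance if isinstance(t, UserThread) else None

class BLPObject:
    """OBJECT: every public field get/set is intercepted, like get(* *.*) / set(* *.*) in PayrollPolicy."""
    classification = LOW
    def __getattribute__(self, name):
        if not name.startswith("_") and name != "classification":
            sc, oc = current_clearance(), object.__getattribute__(self, "classification")
            if sc is not None and sc < oc:       # No Read Up
                raise PermissionError(f"NRU: {name}")
        return object.__getattribute__(self, name)
    def __setattr__(self, name, value):
        sc, oc = current_clearance(), self.classification
        if sc is not None and sc > oc:           # No Write Down
            raise PermissionError(f"NWD: {name}")
        object.__setattr__(self, name, value)

class Employee(BLPObject):                       # "low" classification, as in the case study
    classification = LOW
    def __init__(self, name, phone):
        self.name, self.phone = name, phone

class PayInfo(BLPObject):                        # "high" classification
    classification = HIGH
    def __init__(self, salary):
        self.salary = salary

def run_as(clearance, action):
    """Run action() on a UserThread of the given clearance; return its result or the denial message."""
    outcome = {}
    def body():
        try:
            outcome["value"] = action()
        except PermissionError as e:
            outcome["value"] = str(e)
    t = UserThread(clearance, body)
    t.start(); t.join()
    return outcome["value"]
```

Objects are constructed on the main thread, which is not a SUBJECT, so the constructors' own field writes pass unchecked, exactly as the aspect's if() pointcut would let them.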
Case Study #2 – FTP Server
• jFTPd
  – Third-party application (approx. 20 classes)
  – Users can upload and download files
  – SUBJECTS: FTPConnections, OBJECTS: files
  – FTPUser contains user information
  – FTPSecuritySource implements existing security policy
[Class diagram: FTPConnection (doCommand()) implements the Runnable interface and is associated 1-to-1 with FTPUser and with FTPSecuritySource]
Problems
• Roles not so clearly defined:
  – OBJECTS are files, but cannot really “see” them
    • Instead, they are represented by proxy
    • E.g. FileInputStream, FileReader
  – SUBJECTS are instances of “Runnable”
    • Cannot get the Runnable instance associated with a thread!
    • So, unable to identify the subject inside advice
The Plan
• Intercept all file read/write system calls
  – E.g. FileInputStream.read(), FileReader.write()
• Associate classification with “file” instances
  – Given a “FileInputStream” instance, determine the classification of the file it represents
• Associate clearance with “user” threads
  – Given a Thread, determine the FTPConnection object it corresponds to
aspect JFTPdPolicy extends BLPPolicy {
    // associations maintained by hand: file proxy -> path, thread -> connection
    Map<Object,String> objects = …;
    Map<Thread,FTPConnection> subjects = …;

    // intercept reads through the stream/reader base classes, not FileInputStream itself
    pointcut read(Object o) : target(o) &&
        (call(* InputStream.read*(..)) ||
         call(* Reader.read*(..)) || … );
    pointcut write(Object o) : target(o) && … ;

    // record which file each newly created stream is a proxy for
    after(String s) returning(Object o) : args(s) &&
        call(FileInputStream.new(String)) { objects.put(o,s); }
    …
    // record which connection each newly created user thread runs
    after(FTPConnection f) returning(Thread t) : args(f) &&
        call(Thread.new(Runnable)) { subjects.put(t,f); }
    …
    // lookup username then clearance
    int clearance(Object s) { … }
    // lookup filename then classification
    int classification(Object o) { … }
}
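The plan and the JFTPdPolicy sketch above, as an added Python example rather than the jFTPd aspect: streams are only proxies for files and threads only stand in for connections, so both associations are kept in maps filled when the proxy or the connection is created and consulted by the reference monitor on every read/write. FTPConnection, FileStream, the paths, user names and levels are constructed stand-ins, not jFTPd's code.

```python
import threading, weakref

LOW, HIGH = 0, 1                                                             # constructed levels
FILE_CLASSIFICATION = {"/pub/readme.txt": LOW, "/secret/payroll.csv": HIGH}  # constructed
USER_CLEARANCE = {"anonymous": LOW, "manager": HIGH}                          # constructed
# The two associations JFTPdPolicy keeps by hand, since stream and thread classes cannot be woven.
objects = weakref.WeakKeyDictionary()   # stream proxy -> file path, filled at construction
subjects = {}                            # threading.Thread -> FTPConnection
class FTPConnection:
    """Hypothetical stand-in for jFTPd's FTPConnection; only the username matters here."""
    def __init__(self, username):
        self.username = username
class FileStream:
    """Stand-in for FileInputStream/FileWriter: a proxy for the file, carrying no classification itself."""
    def __init__(self, path, data=b""):
        self.path, self.data = path, data
        objects[self] = path            # the after() returning advice on FileInputStream.new(String)
    def read(self):
        reference_monitor("read", self)
        return self.data
    def write(self, data):
        reference_monitor("write", self)
        self.data = data

def reference_monitor(op, stream):
    """The before() advice: subject via the thread map, object via the proxy map, then NRU/NWD."""
    conn = subjects.get(threading.current_thread())
    if conn is None:
        return                          # thread is not a SUBJECT: the if() pointcut does not fire
    path = objects.get(stream)
    if path is None:                    # built through a constructor the advice never saw
        raise PermissionError("unregistered stream")   # fail closed rather than guess a level
    sc, oc = USER_CLEARANCE[conn.username], FILE_CLASSIFICATION[path]
    if op == "read" and sc < oc:
        raise PermissionError("NRU")
    if op == "write" and sc > oc:
        raise PermissionError("NWD")

def login(username):
    """Bind the current thread to a connection, as the Thread.new(Runnable) advice does for jFTPd."""
    subjects[threading.current_thread()] = FTPConnection(username)

def attempt(stream, op, data=b""):
    """Try op on stream as the current thread's user; return 'ok' or the denial reason."""
    try:
        stream.read() if op == "read" else stream.write(data)
        return "ok"
    except PermissionError as e:
        return str(e)
```

A proxy created through any path the registration advice does not match has no map entry; that is the "how to be sure ALL file reads/writes are covered" problem from the conclusions, and the monitor here denies such a stream instead of defaulting it to a level.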
// BLPPolicy revised for jFTPd: read/write now range over plain Objects, since the
// proxy (stream) and thread classes cannot be woven to implement OBJECT/SUBJECT
abstract aspect BLPPolicy {
    protected interface SUBJECT { }
    protected interface OBJECT { }

    abstract pointcut read(Object o);
    abstract pointcut write(Object o);

    before(Object o) : read(o) &&
        if(Thread.currentThread() instanceof SUBJECT) {
        int oc = classification(o);
        int sc = clearance(Thread.currentThread());
        if(sc < oc) throw new SecurityException();   // NRU
    }

    before(Object o) : write(o) &&
        if(Thread.currentThread() instanceof SUBJECT) {
        int oc = classification(o);
        int sc = clearance(Thread.currentThread());
        if(sc > oc) throw new SecurityException();   // NWD
    }

    abstract int clearance(Object s);
    abstract int classification(Object o);
}
Conclusions
• Benefits
  – MLS is stronger!
  – MLS is less tangled!
• Issues
  – AspectJ code is subtle
    • Must intercept InputStream NOT FileInputStream
    • How to be sure ALL file reads/writes are covered?
  – Aspect brittle to changes in system libraries
  – Roles not so clearly defined in aspects
  – System classes cannot be woven
    • Some associations must be maintained manually