Security Policy Enforcement for the OSGi Framework using Aspect-Oriented Programming
SECAD 2008, Aug 01st 2008, Turku – Finland, Phu H. Phung and David Sands Page 1
SECAD 2008 August 01st 2008 Turku, Finland
Security Policy Enforcement for the OSGi Framework using
Aspect-Oriented Programming
Phu H. Phung and David Sands
Chalmers University of Technology
Gothenburg, Sweden
Motivation
• Life cycle mismatch between the vehicle and its software
  – current goal: enable truly open systems, i.e. make it easy to add third-party services
  – this requires allowing potentially untrusted applications access to sensitive resources
• Simple sandboxing has obvious limitations
  – it grants access on an all-or-nothing basis, depending on trust
An example
• “A third party service (in an on-board vehicle computer) needs to be able to send SMS messages in order to function properly”
  – possible problems with the application:
    • it could be malicious, e.g. send too many messages
    • it may have bugs, e.g. repeatedly send the same message
• Need for a more fine-grained security policy, e.g.
  – allow a third-party application to access the SMS service, but with a restricted recipient address, a limit on the number of messages per day, and depending on the vehicle’s location
Goals
• Study the application of fine-grained security policy enforcement in vehicle systems
  – adopting a language-based approach using aspect-oriented programming with the AspectJ compiler
  – considering the application in the context of vehicle telematics/infotainment systems under the OSGi standard
• Questions of concern
  – What classes of reference monitor-style policies can be enforced using AspectJ?
  – How can this approach be integrated with the OSGi platform without making platform modifications?
  – What are the shortcomings of using AspectJ for implementing reference monitors?
Outline
• Overview of background strands
  – Security Policy Enforcement by Program Transformation
  – Aspect-Oriented Programming and AspectJ
• Security policy enforcement in AspectJ
  – Classes of security policies in AspectJ
  – Other issues related to security policy
• The case study
  – The OSGi framework
• Conclusion and future work
Security Policy Enforcement by Program Transformation
• New code is added at security-relevant actions or events to check that the program respects the security policies (the monitor is inlined into the program rather than run alongside it)
  – the modified program is guaranteed not to violate the policy
An enforcement example
Aspect-Oriented Programming and AspectJ
• Aspect-oriented programming (AOP): a programming paradigm
  – for modularising cross-cutting functionality of complex software systems
• AspectJ is a language that extends Java and implements the AOP paradigm
  – Pointcut: defines the points in the program (join points, e.g. a method call) and the condition under which the aspect modifies the behaviour of an application
  – Advice: defines what modification should be applied (code run before, after or around the matched join points)
Security policies based on kinds of response actions
• Suppression policy: prohibiting an action by simply suppressing (ignoring) it
  – E.g.: “suppress the alert message when the vehicle speed is over 80 mph”
• Insertion policy: requires insertion of additional code before or after execution of an action
  – E.g.: “store the service object in the policy handler after the service starts”
• Truncation policy: if the application attempts to perform a prohibited action, execution is aborted
  – E.g.: “stop the application if it attempts to operate the brake system”
• Replacement policy: the action is replaced by a safe alternative action
  – E.g.: “replace the method call send(..) by the new method secureSend()”
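The four response kinds above, using the pointcut and advice mechanics from the AspectJ slide, as one compilable AspectJ source file. This is an added example, not code from the paper: the simulated application classes (Vehicle, Alerts, BrakeSystem, SmsService, HotelService), the PolicyHandler and the allowed recipient number are names and values chosen for the illustration.

```aspectj
// Added example (not from the paper): one aspect enforcing one policy of each
// class on a small simulated bundle. All class names below are assumptions.
// Build and run: ajc BundlePolicies.aj && java -cp aspectjrt.jar:. HotelService

class Vehicle {
    static int speedMph = 90;                      // constructed sample state
    static int currentSpeedMph() { return speedMph; }
}

class Alerts {
    static void showAlert(String msg) { System.out.println("ALERT: " + msg); }
}

class BrakeSystem {
    static void apply() { System.out.println("brakes applied"); }
}

class SmsService {
    boolean send(String to, String text) {
        System.out.println("SMS to " + to + ": " + text);
        return true;
    }
}

// Policy handler: the "safe alternative" used by the replacement policy and the
// store used by the insertion policy (assumed helper, not from the paper)
class PolicyHandler {
    private static final java.util.Set<String> ALLOWED = java.util.Collections.singleton("+46700000000");
    static Object registered;
    static void register(Object svc) { registered = svc; }
    static boolean secureSend(SmsService s, String to, String text) {
        if (!ALLOWED.contains(to)) {
            System.out.println("policy: recipient " + to + " not allowed");
            return false;
        }
        return s.send(to, text);    // excluded from the around advice by !within(PolicyHandler)
    }
}

class HotelService {
    void start() { System.out.println("hotel guide started"); }

    public static void main(String[] args) {
        HotelService svc = new HotelService();
        svc.start();                               // insertion: register(svc) runs afterwards
        Alerts.showAlert("hotel 2 km ahead");      // suppression: dropped at 90 mph
        Vehicle.speedMph = 50;
        Alerts.showAlert("hotel 2 km ahead");      // shown at 50 mph
        SmsService sms = new SmsService();
        sms.send("+46700000000", "book room");     // replacement: goes through secureSend
        sms.send("+1900000000", "book room");      // replacement: rejected by secureSend
        try {
            BrakeSystem.apply();                   // truncation: aborted before it runs
        } catch (SecurityException e) {
            System.out.println("stopped: " + e.getMessage());
        }
    }
}

aspect BundlePolicies {
    // Suppression: around advice that never calls proceed() discards the action
    void around(String msg): call(void Alerts.showAlert(String)) && args(msg) {
        if (Vehicle.currentSpeedMph() > 80) return;
        proceed(msg);
    }

    // Insertion: extra code runs after the service has started normally
    after(HotelService svc) returning: execution(void HotelService.start()) && this(svc) {
        PolicyHandler.register(svc);
    }

    // Truncation: abort before the prohibited action executes
    before(): call(* BrakeSystem.*(..)) {
        throw new SecurityException("brake system access is prohibited");
    }

    // Replacement: the original call is replaced by the policy's safe alternative
    boolean around(SmsService s, String to, String text):
            call(boolean SmsService.send(String, String)) && target(s) && args(to, text)
            && !within(PolicyHandler) {
        return PolicyHandler.secureSend(s, to, text);
    }
}
```

The `!within(PolicyHandler)` restriction matters: without it the policy's own call to `send` would match the replacement pointcut again and recurse. To weave an already-built bundle jar rather than source, ajc's `-inpath`, `-aspectpath` and `-outjar` options produce a new jar that can be re-deployed as the slides describe; the woven classes reference the AspectJ runtime (aspectjrt), which must therefore be resolvable from the bundle at run time.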
Other issues related to security policy
• Dealing with history-dependent policies
  – use security states (variables) to store the program history
• System-level and application-level security states
  – each level of state is encoded in a file monitored by an appropriate daemon thread
• Dealing with multiple threads
  – common states are accessed under mutual exclusion, where the states are encoded and synchronised via files
• Interaction among security policies
  – by reading and writing states in files
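The SMS policy from the example slide (restricted recipient, per-day limit, dependence on vehicle location) is history-dependent, so it needs the state handling described above. The following is an added example, not code from the paper, of how that can be arranged with file-encoded state: the application-level state (today's message count) is updated under mutual exclusion, and the system-level state (the vehicle's current country) is re-read from its file by a daemon thread. File names, the polling interval, the daily limit, the allowed number prefix and the SmsService class are assumptions.

```aspectj
// Added example (not from the paper). Build and run:
// ajc SmsQuotaPolicy.aj && java -cp aspectjrt.jar:. Demo
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.time.LocalDate;

// Simulated target application
class SmsService {
    boolean send(String to, String text) {
        System.out.println("SMS to " + to + ": " + text);
        return true;
    }
}

// Application-level security state: "<date> <count>" kept in a file and
// updated under mutual exclusion so concurrent sends cannot exceed the limit
class SmsQuotaState {
    private static final Path FILE = Paths.get("sms-count.state");   // assumed file name
    private static final Object LOCK = new Object();

    // Records one more send and returns true, or returns false once the daily limit is reached
    static boolean tryConsume(int limit) throws IOException {
        synchronized (LOCK) {
            String today = LocalDate.now().toString();
            int count = 0;
            if (Files.exists(FILE)) {
                String[] f = Files.readString(FILE).trim().split(" ");
                if (f.length == 2 && f[0].equals(today)) count = Integer.parseInt(f[1]);
            }
            if (count >= limit) return false;
            Files.writeString(FILE, today + " " + (count + 1));
            return true;
        }
    }
}

// System-level security state: the vehicle's current country code, written by
// the platform into vehicle.state and re-read periodically by a daemon thread
class VehicleState {
    private static final Path FILE = Paths.get("vehicle.state");      // assumed file name
    static volatile String country = "unknown";

    static void refresh() {
        try {
            if (Files.exists(FILE)) country = Files.readString(FILE).trim();
        } catch (IOException e) {
            country = "unknown";                                      // fail closed
        }
    }

    static {
        refresh();                                                    // initial synchronous read
        Thread monitor = new Thread(() -> {
            while (true) {
                try { Thread.sleep(1000); } catch (InterruptedException e) { return; }
                refresh();
            }
        }, "vehicle-state-monitor");
        monitor.setDaemon(true);
        monitor.start();
    }
}

aspect SmsQuotaPolicy {
    private static final int DAILY_LIMIT = 5;                         // assumed policy parameter
    private static final String ALLOWED_PREFIX = "+46";               // assumed: Swedish numbers only

    boolean around(String to, String text):
            call(boolean SmsService.send(String, String)) && args(to, text) {
        if (!to.startsWith(ALLOWED_PREFIX)) return false;             // restricted recipient
        if (!"SE".equals(VehicleState.country)) return false;         // location-dependent
        try {
            if (!SmsQuotaState.tryConsume(DAILY_LIMIT)) return false; // per-day limit (history)
        } catch (IOException e) {
            return false;                                             // fail closed on state errors
        }
        return proceed(to, text);
    }
}

class Demo {
    public static void main(String[] args) throws IOException {
        Files.writeString(Paths.get("vehicle.state"), "SE");          // constructed system state
        Files.deleteIfExists(Paths.get("sms-count.state"));           // start with an empty history
        SmsService sms = new SmsService();
        for (int i = 1; i <= 7; i++) {
            System.out.println("send " + i + ": " + sms.send("+46700000000", "hotel offer"));
        }
        System.out.println("foreign: " + sms.send("+4915000000", "hotel offer"));
    }
}
```

With the assumed limit of five, the first five calls in `Demo` go through and the sixth and seventh are refused, as is the foreign number; a second policy (or a second process) can observe or influence the same decision by reading and writing `sms-count.state`, which is the file-based interaction between policies the slide describes. The `synchronized` block only serialises threads inside one JVM; if several processes share the state file, a `java.nio.channels.FileLock` around the read-modify-write is needed as well.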
The case study
• J2ME/OSGi standard
  – a telematics client application can be downloaded and installed over the air from a control centre
• The study uses the architecture described in the standard
  – testing on the Knopflerfish open source OSGi framework for the in-vehicle system
The scenario
• A hotel service company offers an infotainment application for in-vehicle systems that provides useful information about hotels near the vehicle’s location.
• As in the GST standard:
  – the driver makes a corresponding request to the control centre
  – the control centre forwards the request to the third party
  – the application is installed over the air
The deployment model
Test example
• A simple application bundle simulating the hotel guide service has been implemented
• Simple security policies, reflecting the various identified classes of policies and described in AspectJ, are used to weave the bundle
• The woven bundle was re-deployed and ran successfully on the Knopflerfish OSGi framework
• Several test cases were performed to illustrate that the defined security policies are correctly enforced for the bundle
Concluding remarks
• How various sorts of security policies are categorised and described in AspectJ has been illustrated
• This resulted in the first study of security policy enforcement using an aspect-oriented programming language in an open system like the OSGi framework
  – based on an industrially well-known language, without defining any new policy languages
• The security assurance in the study is promising
  – (certainly adequate for small examples)
  – can be deployed in the OSGi framework
Further Work
• The small-scale examples did not encounter problems with representing history information explicitly
  – whether this holds for larger examples remains to be seen
• Temporal policies could be considered
• The composition of different security policies
• The integration of the weaving process with a middleware to support “online” security policy enforcement in in-vehicle systems