Security Policy Enforcement for the OSGi Framework using Aspect-Oriented Programming

Inlined Reference Monitors in Vehicle Systems

SECAD 2008, Aug 01st 2008, Turku – Finland, Phu H. Phung and David Sands Page 1

SECAD 2008 August 01st 2008 Turku, Finland

Security Policy Enforcement for the OSGi Framework using

Aspect-Oriented Programming

Phu H. Phung and David Sands

Chalmers University of Technology

Gothenburg, Sweden

Motivation

• Life cycle mismatch between the vehicle and its software
  – current goal: enable truly open systems, i.e. make it easy to add third-party services
  – needs to allow potentially untrusted applications access to sensitive resources
• Simple sandboxing has obvious limitations
  – an all-or-nothing approach on the basis of trust

An example

• “A third party service (in an on-board vehicle computer) needs to be able to send SMS messages in order to function properly”
  – possible problems of the application
    • could be malicious, e.g. send too many messages
    • may have bugs, e.g. repeatedly send messages
• Need for a more fine-grained security policy, e.g.
  – allow a third party application to access the SMS service, but with a restricted recipient address, a limit on the number of messages per day, and depending on the vehicle’s location

Goals

• Study the application of fine-grained security policy enforcement in vehicle systems
  – adopting a language-based approach using aspect-oriented programming with the AspectJ compiler
  – considering the application in the context of vehicle telematics/infotainment systems under the OSGi standard
• Questions of concern
  – What classes of reference monitor-style policies can be enforced using AspectJ?
  – How can this approach be integrated with the OSGi platform without making platform modifications?
  – What are the shortcomings of using AspectJ for implementing reference monitors?

Outline

• Overview of background strands
  – Security Policy Enforcement by Program Transformation
  – Aspect-Oriented Programming and AspectJ
• Security policy enforcement in AspectJ
  – Classes of security policies in AspectJ
  – Other issues related to security policy
• The case study
  – The OSGi framework
• Conclusion and future work

Security Policy Enforcement by Program Transformation

• New code is added at security-relevant actions or events to check that the program respects the security policies
  – the modified program is guaranteed not to violate the policy

An enforcement example

Aspect-Oriented Programming and AspectJ

• Aspect-oriented programming (AOP): a new programming paradigm
  – to modularise cross-cutting functionalities of complex software systems
• AspectJ is a language that extends Java and implements the AOP paradigm
  – Pointcut: defines the point and the condition under which the aspect modifies the behaviour of an application
  – Advice: defines what modifications should be applied

Security policies based on kinds of response actions

• Suppression policy: prohibiting an action by simply suppressing (ignoring) it

– E.g.: “suppress the alert message when the vehicle speed is over 80mph”

• Insertion policy: requires insertion of additional code before or after execution

– E.g.: “store service object in policy handler after the service starts”

• Truncation policy: if the application attempts to perform a prohibited action then execution will be aborted

– E.g.: stop the application if it attempts to operate the brake system

• Replacement policy: action should be replaced by a safe alternative action

– E.g.: replace the method call send(..) by the new method secureSend()

Other issues related to security policy

• Dealing with history-dependent policies
  – use security states (variables) to store program history
• System-level and application-level security states
  – each state level is encoded in a file monitored by an appropriate daemon thread
• Dealing with multiple threads
  – common states are accessed under mutual exclusion, where states are encoded and synchronized via files
• Interaction among security policies
  – by reading and writing states in files
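As an added example (not code from the slides or the authors' case study), the SMS policy from the "An example" slide written as a single AspectJ aspect: it combines the suppression and truncation response actions from the policy-classes slide with a history-dependent security state (the per-day message count) and an insertion advice that records the bundle's activator once it starts. It assumes a bundle class SmsService whose send(String to, String text) returns boolean, a constructed recipient allow-list, an assumed daily limit, and an in-memory lock in place of the file-based state synchronisation the slides describe.

```aspectj
package policy;

import java.time.LocalDate;
import java.util.Set;

public aspect SmsPolicy {
    // Security state holding program history: messages sent today.
    // Shared by all threads, so it is read and updated under a lock
    // (the slides synchronise such state via files; a lock is used here).
    private static final Object LOCK = new Object();
    private static LocalDate day = LocalDate.now();
    private static int sentToday = 0;
    private static final int DAILY_LIMIT = 20;                         // assumed value
    private static final Set<String> ALLOWED = Set.of("+46700000000"); // constructed allow-list

    // Object stored by the insertion advice below (a stand-in for the slides' policy handler).
    private static Object startedActivator;

    // Pointcut: every call to SmsService.send(to, text) made by the bundle (SmsService is assumed).
    pointcut sendSms(String to, String text):
        call(boolean SmsService.send(String, String)) && args(to, text);

    // Around advice: suppression for a non-allowed recipient, truncation when the
    // daily quota is exhausted, otherwise the original send proceeds.
    boolean around(String to, String text): sendSms(to, text) {
        if (!ALLOWED.contains(to)) {
            // Suppression policy: the action is ignored; the caller sees "not sent".
            return false;
        }
        synchronized (LOCK) {
            LocalDate today = LocalDate.now();
            if (!today.equals(day)) {      // new day: reset the history state
                day = today;
                sentToday = 0;
            }
            if (sentToday >= DAILY_LIMIT) {
                // Truncation policy: abort the application's action.
                throw new SecurityException("SMS daily limit of " + DAILY_LIMIT + " reached");
            }
            sentToday++;                    // update history before the action runs
        }
        return proceed(to, text);
    }

    // Insertion policy: after the bundle's activator has started, record the
    // activator object (thisJoinPoint.getThis()) for later policy decisions.
    after() returning: execution(void org.osgi.framework.BundleActivator+.start(..)) {
        startedActivator = thisJoinPoint.getThis();
    }
}
```

Weaving this aspect into the bundle with the AspectJ compiler (ajc) yields a bundle whose send calls are mediated by the advice without any change to the OSGi framework itself.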

The case study

• J2ME/OSGi standard
  – a telematics client application can be downloaded and installed over the air from a control center
• The study uses the architecture described in the standard
  – testing on the Knopflerfish open source OSGi framework for the in-vehicle system

The OSGi framework

The scenario

• A hotel service company offers an infotainment application for in-vehicle systems that provides useful information about hotels near the vehicle’s location.
• As in the GST standard
  – a driver makes a corresponding request to the control centre
  – the control centre requests the application from the third party
  – the application is installed over the air

The deployment model

Test example

• A simple application bundle simulating the hotel guide service has been implemented
• Simple security policies reflecting the various identified classes of policies, described in AspectJ, are used to weave the bundle
• The woven bundle was re-deployed and run successfully on the Knopflerfish OSGi framework.
• Several test cases were performed to illustrate that the defined security policies are correctly enforced for the bundle.

Concluding remarks

• How various sorts of security policies are categorised and described in AspectJ has been illustrated
• Resulted in the first study of security policy enforcement using an aspect-oriented programming language in an open system like the OSGi framework
  – based on the more industrially well-known language, without defining any new policy language
• The security assurance in the study is promising
  – certainly adequate for small examples
  – can be deployed in the OSGi framework

Further Work

• The small-scale examples did not encounter problems with representing history information explicitly
  – how larger examples behave remains to be seen
• Temporal policies could be considered
• The composition of different security policies
• The integration of the weaving process and a middleware to support “online” security policy enforcement in in-vehicle systems.