Security Advice - Access Control through Aspect-oriented Programming Research

Daniel S. Dantas

David Walker

Princeton University

Research Objectives

We address two fundamental issues in using aspects to enforce security policies. First, in collaboration with Geoff Washburn and Stephanie Weirich at the University of Pennsylvania, we examine what distinct features a programming language needs in order to easily implement information security features in an aspect-oriented style. More specifically, we examine an aspect-oriented implementation of the Java security mechanism, which requires the security advice to be triggered by functions with diverse types. For example, the user may want to run the same access control check on a function that returns a string as its result and on another function that returns an integer as its result. This feature, called polymorphic advice, is one of the key results of our new language, AspectML. We also show that an implementation in AspectML of the Java security mechanism compares favorably against the original Java implementation.

The second issue we examine is how aspect-oriented security features can affect the rest of the system. Aspect-oriented programming can undermine a programmer's ability to reason locally about the behavior of their code. Aspects can reach inside classes, influence the behavior of local functions, and alter internal data structures. As a result, to understand the behavior of code in a typical aspect-oriented language, programmers have to examine how any external aspects modify main program behavior. As the number and invasiveness of aspects grows, understanding and maintaining the resulting composite program may become more and more difficult. We examine how to allow programmers to add new, crosscutting features, such as security enforcement, after the fact while also allowing them to continue to apply most of the techniques for reasoning about programs they have come to depend upon for program understanding, development, and maintenance. We demonstrate that many common aspects, including security advice, can be implemented as "harmless advice." Harmless advice uses a novel type and effect system, related to information-flow type systems such as Cornell's Jif language, to ensure that harmless advice cannot modify the behavior of mainline code. To demonstrate the usefulness of harmless advice for security, we implement many of the security examples used in MIT's Naccio execution monitoring project as harmless advice.
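To make the two ideas above concrete, here is an added illustration written for this page in Python rather than AspectML (it is not the project's code and does not model AspectML's type system): one access-control advice is polymorphic in that it guards a string-returning and an integer-returning function alike, and the `harmless` weaver discards whatever the advice returns and forwards the mainline result untouched, so the advice can only observe, log, or abort a call. The `POLICY` table, the `AUDIT` log, and the two advised functions are constructed sample data.

```python
from functools import wraps
from typing import Any, Callable, Dict, List, Set

# Constructed sample policy: which principals may reach which join point.
POLICY: Dict[str, Set[str]] = {
    "read_config": {"admin", "operator"},
    "count_users": {"admin"},
}
AUDIT: List[str] = []  # constructed side channel the advice may write to

def access_check(principal: str, joinpoint: str, args: tuple) -> None:
    """Polymorphic 'before' advice: typed only on the principal and the join
    point's name, so one definition guards str- and int-returning functions."""
    if principal not in POLICY.get(joinpoint, set()):
        AUDIT.append(f"DENY {principal} {joinpoint}")
        raise PermissionError(f"{principal} may not call {joinpoint}")
    AUDIT.append(f"ALLOW {principal} {joinpoint}")

def harmless(before: Callable[[str, str, tuple], Any]) -> Callable:
    """Weave `before` onto a function as harmless advice: its return value is
    discarded and the mainline result is forwarded untouched, so the advice can
    only observe, log, or abort the call, never change what the function computes."""
    def decorate(fn: Callable) -> Callable:
        @wraps(fn)
        def wrapper(principal: str, *args: Any) -> Any:
            before(principal, fn.__name__, args)  # advice result ignored
            return fn(*args)                      # mainline result untouched
        return wrapper
    return decorate

@harmless(access_check)
def read_config(key: str) -> str:            # a string-returning join point
    return {"mode": "strict"}.get(key, "")

@harmless(access_check)
def count_users(active_only: bool) -> int:   # an int-returning join point
    return 3 if active_only else 7

def demo() -> Dict[str, Any]:
    """Run the two advised functions under different principals."""
    out: Dict[str, Any] = {
        "admin_config": read_config("admin", "mode"),
        "admin_count": count_users("admin", True),
    }
    try:
        count_users("operator", True)
    except PermissionError as e:
        out["operator_count"] = str(e)
    return out
```

Because `wrapper` never hands the result to the advice and ignores the advice's own return value, an auditor checking the policy only needs to read `POLICY` and `access_check`, which is the centralization argument made in the next section.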

Why Security?

The use of aspects to enforce access control policies is one of the best, most convincing applications of aspect-oriented programming technology. Indeed, many previous researchers have argued that aspect-oriented programming mechanisms enable a more modular implementation of access control infrastructure than standard programming languages. More specifically, since an aspect-oriented implementation can contain not only the definition of what an access control check is supposed to do, but also the complete list of places where that access control check should occur, aspect-oriented security policy specifications are easier to understand. This in turn makes aspect-oriented security policy specifications easier to audit -- the information security auditor need not search through thousands of lines of library or application code to find the relatively few lines of access control checks. In particular, analysis of the aspects that implement a policy can often tell the auditor whether or not access control checks have been omitted. In addition, because all security code is centralized, when security vulnerabilities are identified, security policy updates can be made more easily. Moreover, to distribute the changed policy, a single new aspect can be deployed as opposed to an entire new library or set of libraries.

Publications

Daniel S. Dantas, David Walker, Geoffrey Washburn, and Stephanie Weirich.
ACM Transactions on Programming Languages and Systems, 30(3):1-60. May 2008.
TOPLAS '08 / Interpreter Implementation / Security Case Study

Daniel S. Dantas.
Ph.D. Thesis. Princeton University: Computer Science. August 2007.
Ph.D. '07 / Thesis Proposal / Thesis Defense

Daniel S. Dantas and David Walker.
ACM SIGPLAN - SIGACT Symposium on Principles of Programming Languages. January 2006.
POPL '06 / Conference Presentation / Interpreter Implementation / Security Case Study

Daniel S. Dantas, David Walker, Geoffrey Washburn and Stephanie Weirich.
ACM International Conference on Functional Programming. September 2005.
ICFP '05 / Conference Presentation / Interpreter Implementation

Daniel S. Dantas and David Walker.
ACM SIGPLAN International Workshop on Foundations of Object-Oriented Languages. January 2005.
FOOL '05 / Workshop Presentation