21
Harmless Advice Daniel S Dantas Princeton University with Prof. David

Harmless Advice

Embed Size (px)

DESCRIPTION

Harmless Advice. Daniel S Dantas Princeton University with Prof. David Walker. Aspect-Oriented Programming. Large Program. Want to add a new logging feature that references many parts of the program. Aspect-Oriented Programming. When? (Pointcut) What? (Advice). Join Points. - PowerPoint PPT Presentation

Citation preview

Page 1: Harmless Advice

Harmless Advice

Daniel S Dantas

Princeton University

with Prof. David Walker

Page 2: Harmless Advice

2

Aspect-Oriented Programming

Large Program

Want to add a new logging feature that references many parts of the program

Page 3: Harmless Advice

3

Aspect-Oriented Programming

When? (Pointcut)

What? (Advice)

Added Functionality (Logging)

Join Points

Aspect = Pointcuts + Advice + State

Page 4: Harmless Advice

4

No “Tangling” To understand original functionality,

examine mainline code

No “Scattering” To understand added logging

functionality, examine logging advice only

Easy Consistency Checking To audit added logging code for

consistency, simply analyze pointcut that triggers logging advice

AOP Advantages

LoggingAdvice

Page 5: Harmless Advice

5

But Beware!

Advice may change state & break data invariants in the mainline code

To understand mainline code behavior, must examine main program + all aspects

Aspects prevent local reasoning

Advice

Page 6: Harmless Advice

6

Our Goals

Want the flexibility of aspect-oriented programming

Want to preserve traditional local reasoning principles Want to be able to understand the fundamental

behavior of the mainline code without having to examine all the auxiliary aspects

Page 7: Harmless Advice

7

What is harmless advice?Contributions

Defined a new “harmless” form of advice Harmless advice does not interfere with main

program code Harmlessness is enforced by a type system for

information flow control Proved a noninterference property for the

language Conducted a case study demonstrating harmless

advice is useful for enforcing security invariants

What does that mean?

A spectrum of “interfering” effects: Doing work of any kind (alters timing) Looping or early exit (alters termination) Writing to a file (alters observations of the file system) Writing to a mutable mainline data structure

Criteria impacting our choice: Must help AOP programmers preserve local reasoning

about main program code Must be enforceable Must admit common AOP applications

Page 8: Harmless Advice

8

What Are Aspects Used For? AspectJ Users Email List - What do you use

aspects for? “…a reusable logging aspect” “...I use tracing, profiling, and policy

enforcement aspects on virtually every project I work on”

“…And the standard stuff like: performance monitoring, logging, exception handling”

“…for error handling, to enforce architectural standards,…and for tracing and logging”

Harmless advice will be useful if it can modify termination behavior of the main program

Harmless advice will be useful if it can output information about the main program

Fail upon violating checkPrint main program state to file

Security Checks/Policy Enforcement

Tracers/Loggers/Profilers

Page 9: Harmless Advice

9

Harmless Advice

Allows I/O and altered termination behavior

* original value * new value

original value = new value

Original Program

Aspect 1

Aspect 2

Program + Harmless Advice

Page 10: Harmless Advice

10

System Design

Source language

Core language

Type-directedtranslation

Programmers use an“oblivious” source

Language

Core languagecontains explicit

labels & primitive advice[based on WZL ‘03]

Page 11: Harmless Advice

11

l [e]l [v]

{ pc.x eadv }

Core Language Aspects [WZL]

l2[e]l1[e]

l4[e]

l3[e]

l5[e]l6[e]

Join Points

pc = { l1, l3, l6 }

What? (Advice)

[v/x] eadv [v/x]

( )

→* ( )

{ pc.x eadv }l pc

When? (Pointcut)

Page 12: Harmless Advice

12

Harmful Advice

Advice modifies main program’s state

Advice is not harmless!!

Uses reference rmain

Main Program Advice

{ pc.x (rmain := 3) }

Page 13: Harmless Advice

13

Core Language Typing How to protect main program state from

interference from advice?

Protection Domains

Lattice { P, } P is a set of protection domains defines a partial order on P

Code is executed in a protection domain ; p ├ e :

Code executing in a low protection domain should not interfere with code executing in a high protection domain

p1

p2

p4

p3

Page 14: Harmless Advice

14

How should padv relate to the current protection domain pcurr at advice triggering? Low-protection code should not interfere with

high-protection code

Protection Domains: Advice types ::= … | advicepadv

values v ::= … | { pc.x padv eadv } expressions e ::= … | { epc.x padv eadv }

advice eadv is executed in protection domain padv

padv pcurrpcurr padv

eadv[v/x]( )

eadv[v/x]( )

l [v] triggers { pc.x padv eadv }

pcurr

l [v] triggers { pc.x padv eadv }

pcurr

padv

[v/x]

padv

[v/x]

GOOD!

( ) - OK

BAD!

( )

Page 15: Harmless Advice

15

Noninterference [Pottier…’03]

CoreProgram

CoreProgram

Representationis faithful

(Completeness Lemma)

Differ only in low protection code

Representationis faithful

(Soundness Lemma)

CoreValue

CoreValue :boolEvaluation preserves

noninterference invariants(Preservation Lemma)Core 2

Value :bool

Represents simultaneous executionCore 2

Program :bool

:bool

Must be true or false

Want to Prove:

Proved Non-interference

Page 16: Harmless Advice

16

Language Design

Source language

Core language

Type-directedtranslation

Programmers use an“oblivious” source

Language

Core languagecontains explicit

labels & primitive advice[based on WZL 03]

Page 17: Harmless Advice

17

Source Language ProgramTranslation from Source to Core

Aspect Code < Main Program

(Aspect Code is in Lower Protection Domain than Main Program Code)

Using Protection Domains

Main Program

Aspect Code 1 Aspect Code 2 Aspect Code 3

Main Program

* original value * new value

original value = new value

Original ProgramProgram +

Harmless Advice

Core Noninterference

By Noninterference:

Aspects in Source Language are Harmless

Main Program

Aspect Code 1

Aspect Code 2

Aspect Code 3

Programmers divide code into Main Program + Aspects

Page 18: Harmless Advice

18

File System Security

Limit File Write Location & Size

Only Modify Temp Directories

Only Overwrite Tar Files

Security Case Study

Network Security

Limit Network Send Speed

Only Allow Certain Hosts

Soft Limit Network Send

Speed

Naccio Execution Monitoring SystemSelected Security Policies [Evans & Twyman ‘99]

Implemented “Harmless Advice” Interpreter in Standard ML

Harmless Advice Is Useful for Security

Page 19: Harmless Advice

19

Related Work

Classifying advice “Assistants and Observers” [Clifton... ‘02] “Observation” Advice [Rinard… ‘04] “Almost Spectative” Advice [Katz ‘04]

Aspects and Modularity “Aspectual Collaborations” [Lieberherr… ‘03] “Open Modules” [Aldrich ‘05] Information Hiding for AOP [Sullivan… ‘05] AOP and Modular Reasoning [Kiczales… ‘05]

Page 20: Harmless Advice

20

Future Work AspectML

Polymorphic functional AOPL with G. Washburn and S. Weirich

Extend AspectML to allow harmless advice Allow polymorphic protection domains Allow mainline code programmer to specify harm level

of potential advice Separate IO into Harmless and Harmful IO

Show AspectML “Java Stack-Inspection Security” is harmless

Page 21: Harmless Advice

21

Conclusion Defined a new “harmless” form of advice

Harmless advice does not interfere with main program code

Harmlessness is enforced by a type system for information flow control

Proved a noninterference property for the language

Conducted a case study demonstrating harmless advice is useful for enforcing security invariants

Interpreter and Case Study at: http://www.cs.princeton.edu/sip/projects/aspectml/