Multilevel Security with AspectJ Roshan Ramachandran, David J. Pearce and Ian Welch Victoria University of Wellington, New Zealand

Page 1

Multilevel Security with AspectJ

Roshan Ramachandran, David J. Pearce and Ian Welch

Victoria University of Wellington, New Zealand

Page 2

COMP205 Software Design and Engineering

What is MLS?

• Multilevel Security (Bell-LaPadula):
  – Three roles: object, subject and reference monitor
  – Two rules:
    • No Read Up (NRU) – Subject cannot read object with higher classification
    • No Write Down (NWD) – Subject cannot write object with lower classification
  – Reference monitor checks NRU and NWD rules
    • Called on each read/write of an object

Page 3

MLS & OOP

• Object-Oriented MLS implementation:
  – Clearances & classifications embedded in objects & subjects
  – Calls to reference monitor are manual
  – E.g. (theUser is the subject, filePath the object):

    if(!securitySource.canDownload(theUser, filePath)) {  // manual reference-monitor call
        out.print(permissionDeniedMessage);
        return true;
    }

  – Security code clearly a cross cutting concern!
  – Can we implement security as an Aspect?


Page 5

MLS & OOP

• Object-Oriented MLS implementation:
  – Relies on programmer to identify all reads/writes
    • If just one is missed, security is compromised
  – Code is tangled and, hence, less readable
• Aspect-Oriented MLS implementation:
  – Quantification provides stronger security
  – Code is not tangled and, hence, more readable

Page 6

What we did

• Problem
  – Can AspectJ provide these benefits?
  – Can we reuse such Aspects?
• Our Approach
  – Two case studies considered
    • One artificial, one real-world
  – AspectJ implementations developed
  – Insights and observations extracted!

Page 7

Case Study #1 – Payroll System

• Payroll System
  – SUBJECTS: User Threads
    • Normal employees have low clearance
    • Managers have high clearance
  – OBJECTS: Employee, WorkInfo and PayInfo
    • Employee instances have “low” classification
    • WorkInfo and PayInfo instances have “high” classification

[Class diagram: Employee (name, phone, office) has one WorkInfo and one PayInfo; UserThread extends Thread.]

Page 8

    abstract aspect BLPPolicy {
        protected interface SUBJECT { }
        protected interface OBJECT { }

        abstract pointcut read(OBJECT o);
        abstract pointcut write(OBJECT o);

        // No Read Up: the subject's clearance must dominate the object's classification
        before(OBJECT o) : read(o) && if(Thread.currentThread() instanceof SUBJECT) {
            int oc = classification(o);
            int sc = clearance((SUBJECT) Thread.currentThread());
            if(sc < oc) throw new SecurityException();
        }

        // No Write Down: the subject may not write an object with lower classification
        before(OBJECT o) : write(o) && if(Thread.currentThread() instanceof SUBJECT) {
            int oc = classification(o);
            int sc = clearance((SUBJECT) Thread.currentThread());
            if(sc > oc) throw new SecurityException();
        }

        abstract int clearance(SUBJECT s);
        abstract int classification(OBJECT o);
    }

Page 9

Payroll Policy

    aspect PayrollPolicy extends BLPPolicy {
        declare parents : UserThread implements SUBJECT;
        declare parents : WorkInfo implements OBJECT;
        declare parents : PayInfo implements OBJECT;
        declare parents : Employee implements OBJECT;

        // every field get/set on an OBJECT is a read/write join point
        pointcut read(OBJECT o) : target(o) && get(* *.*);
        pointcut write(OBJECT o) : target(o) && set(* *.*);

        int clearance(SUBJECT s) { … }
        int classification(OBJECT o) { … }
    }
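As an added example (not the slides' code), a concrete PayrollPolicy that fills in the clearance and classification lookups the slide elides, with a small driver showing the NRU and NWD checks firing. It assumes the abstract BLPPolicy of the previous slide, with its write advice enforcing No Write Down (sc > oc) as slide 2 states, and uses hypothetical minimal UserThread, Employee, WorkInfo and PayInfo classes.

```aspectj
// Hypothetical minimal stand-ins for the payroll system's classes.
class UserThread extends Thread {
    final int clearance;                          // 0 = normal employee (low), 1 = manager (high)
    UserThread(int clearance, Runnable r) { super(r); this.clearance = clearance; }
}
class PayInfo  { int salary = 100000; }
class WorkInfo { String office = "L4"; }
class Employee { String name = "alice"; PayInfo pay = new PayInfo(); WorkInfo work = new WorkInfo(); }

aspect PayrollPolicy extends BLPPolicy {
    declare parents : UserThread implements SUBJECT;
    declare parents : Employee  implements OBJECT;
    declare parents : WorkInfo  implements OBJECT;
    declare parents : PayInfo   implements OBJECT;

    // Every field read or write on an OBJECT is a reference-monitor check; no manual calls.
    pointcut read(OBJECT o)  : target(o) && get(* *.*);
    pointcut write(OBJECT o) : target(o) && set(* *.*);

    int clearance(SUBJECT s) { return ((UserThread) s).clearance; }

    // Employee records are "low"; WorkInfo and PayInfo are "high".
    int classification(OBJECT o) { return (o instanceof Employee) ? 0 : 1; }
}

public class PayrollDemo {
    public static void main(String[] args) throws InterruptedException {
        final Employee emp = new Employee();     // built on main, which is not a SUBJECT: unchecked
        Thread low = new UserThread(0, new Runnable() {
            public void run() {
                System.out.println(emp.name);            // low reads low: allowed
                try { System.out.println(emp.pay.salary); }   // low reads high: No Read Up
                catch (SecurityException e) { System.out.println("NRU: PayInfo read denied"); }
                emp.pay.salary = 0;                      // low writes high: allowed (write up)
            }
        });
        Thread high = new UserThread(1, new Runnable() {
            public void run() {
                System.out.println(emp.pay.salary);      // high reads high: allowed
                try { emp.name = "bob"; }                // high writes low: No Write Down
                catch (SecurityException e) { System.out.println("NWD: Employee write denied"); }
            }
        });
        low.start(); low.join();
        high.start(); high.join();
    }
}
```

Note that the checks run on every field access, including the inner `emp.pay` read that precedes `emp.pay.salary`, so each step of a chained access is mediated separately.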

Page 10

Case Study #2 – FTP Server

• jFTPd
  – Third party application (approx. 20 classes)
  – Users can upload and download files
  – SUBJECTS: FTPConnections, OBJECTS: files
  – FTPUser contains user information
  – FTPSecuritySource implements existing security policy

[Class diagram: FTPConnection implements the Runnable interface and has doCommand()…; it is associated one-to-one with FTPUser and FTPSecuritySource.]

Page 11

Problems

• Roles not so clearly defined:
  – OBJECTS are files, but cannot really “see” them
    • Instead, they are represented by proxy
    • E.g. FileInputStream, FileReader
  – SUBJECTS are instances of “Runnable”
    • Cannot get Runnable instance associated with thread!
    • So, unable to identify subject inside advice

Page 12

The Plan

• Intercept all file read/write system calls
  – E.g. FileInputStream.read(), FileReader.write()
• Associate classification with “file” instances
  – Given a “FileInputStream” instance, determine the classification of the file it represents
• Associate clearance with “user” threads
  – Given a Thread, determine the FTPConnection object it corresponds to

Page 13

    aspect JFTPdPolicy extends BLPPolicy {
        Map<Object,String> objects = …;            // file proxy (e.g. FileInputStream) -> file name
        Map<Thread,FTPConnection> subjects = …;    // user thread -> its FTPConnection

        // reads go through the proxy's read methods; match on InputStream/Reader, not FileInputStream
        pointcut read(Object o) : target(o) &&
            (call(* InputStream.read*(..)) || call(* Reader.read*(..)) || … );
        pointcut write(Object o) : target(o) && … ;

        // remember which file name each FileInputStream proxy was opened on
        after(String s) returning(Object o) : args(s) && call(FileInputStream.new(String)) {
            objects.put(o, s);
        }

        // remember which FTPConnection (the Runnable) each user thread was created for
        after(FTPConnection f) returning(Thread t) : args(f) && call(Thread.new(Runnable)) {
            subjects.put(t, f);
        }

        // lookup username then clearance
        int clearance(Object o) { … }

        // lookup filename then classification
        int classification(Object o) { … }
    }


Page 17

    abstract aspect BLPPolicy {
        protected interface SUBJECT { }
        protected interface OBJECT { }

        // objects and subjects are now plain Objects: jFTPd's files and threads are system classes
        abstract pointcut read(Object o);
        abstract pointcut write(Object o);

        // No Read Up
        before(Object o) : read(o) && if(Thread.currentThread() instanceof SUBJECT) {
            int oc = classification(o);
            int sc = clearance(Thread.currentThread());
            if(sc < oc) throw new SecurityException();
        }

        // No Write Down
        before(Object o) : write(o) && if(Thread.currentThread() instanceof SUBJECT) {
            int oc = classification(o);
            int sc = clearance(Thread.currentThread());
            if(sc > oc) throw new SecurityException();
        }

        abstract int clearance(Object s);
        abstract int classification(Object o);
    }

Page 18

Conclusions

• Benefits
  – MLS is stronger!
  – MLS is less tangled!
• Issues
  – AspectJ code is subtle
    • Must intercept InputStream NOT FileInputStream
    • How to be sure ALL file reads/writes covered?
  – Aspect brittle to changes in system libraries
  – Roles not so clearly defined in aspects
  – System classes cannot be woven
    • Some associations must be maintained manually
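Why the conclusions say the jFTPd pointcut must name InputStream rather than FileInputStream, as an added example that is not from the slides: AspectJ's call() pointcut is matched against the static type of the receiver expression at the call site, and since java.io cannot be woven, execution() is not available as an alternative. The ReadDemo and ReadCoverage names are hypothetical; the declare warning at the end is one way to answer the “how to be sure ALL file reads are covered?” question at weave time rather than at run time.

```aspectj
import java.io.*;

public class ReadDemo {
    public static void main(String[] args) throws IOException {
        File tmp = File.createTempFile("blp", ".txt");    // constructed sample file
        tmp.deleteOnExit();
        try (FileInputStream fis = new FileInputStream(tmp)) {
            fis.read();                 // call site's static receiver type: FileInputStream
        }
        try (InputStream in = new FileInputStream(tmp)) {
            in.read();                  // same kind of object, static receiver type: InputStream
        }
        try (RandomAccessFile raf = new RandomAccessFile(tmp, "r")) {
            raf.read();                 // a file read that is neither an InputStream nor a Reader
        }
    }
}

aspect ReadCoverage {
    // Too narrow: matches only the first read(), because call() is resolved against the
    // declared type of the receiver expression, not the runtime class of the object.
    pointcut narrowRead() : call(* FileInputStream.read*(..));

    // What JFTPdPolicy needs: matches the first two reads. target(o) still binds the
    // actual FileInputStream, so a map keyed on the proxy object can recover the file name.
    pointcut wideRead(Object o) : target(o) && call(* InputStream.read*(..));

    before() : narrowRead() { System.out.println("narrow: " + thisJoinPoint); }
    before(Object o) : wideRead(o) { System.out.println("wide: " + o.getClass().getName()); }

    // Weave-time coverage check: any read-like call into java.io that the monitor's
    // pointcuts do not catch is reported when the aspect is compiled (here, raf.read()).
    declare warning : call(* java.io..*.read*(..))
                      && !call(* InputStream.read*(..)) && !call(* Reader.read*(..))
        : "file read not covered by the BLP reference monitor";
}
```

Compiling with ajc prints the warning for the RandomAccessFile call; running prints one "narrow" line and two "wide" lines, both of which name java.io.FileInputStream as the runtime target.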