Multilevel Security with AspectJ
Roshan Ramachandran, David J. Pearce and Ian Welch
Victoria University of Wellington, New Zealand
COMP205 Software Design and Engineering
What is MLS?
• Multilevel Security (Bell-LaPadula):
  – Three roles: object, subject and reference monitor
  – Two rules:
    • No Read Up (NRU) – Subject cannot read object with higher classification
    • No Write Down (NWD) – Subject cannot write object with lower classification
  – Reference monitor checks NRU and NWD rules
    • Called on each read/write of an object
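The two rules above as a small reference monitor, written in Python as an added example (it is not code from the slides, which use AspectJ). The level names, the subjects, the objects and the accesses are all constructed for the illustration; the point to notice is that NWD denies a write down but permits a write up:

```python
"""Bell-LaPadula reference monitor: NRU and NWD checks over constructed accesses."""
from dataclasses import dataclass

# Constructed linear ordering of levels: a larger number is more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: int


@dataclass(frozen=True)
class Object:
    name: str
    classification: int


class SecurityException(Exception):
    """Raised by the monitor when an access violates NRU or NWD."""


def check_read(subject: Subject, obj: Object) -> None:
    """No Read Up: deny if the object is classified above the subject's clearance."""
    if subject.clearance < obj.classification:
        raise SecurityException(f"NRU: {subject.name} may not read {obj.name}")


def check_write(subject: Subject, obj: Object) -> None:
    """No Write Down: deny if the object is classified below the subject's clearance.
    Writing up (to a more sensitive object) is permitted by this rule."""
    if subject.clearance > obj.classification:
        raise SecurityException(f"NWD: {subject.name} may not write {obj.name}")


def decide(subject: Subject, op: str, obj: Object) -> str:
    """Reference-monitor decision for one access: 'allow' or 'deny'."""
    check = {"read": check_read, "write": check_write}[op]
    try:
        check(subject, obj)
        return "allow"
    except SecurityException:
        return "deny"


def run_constructed_accesses():
    """Constructed accesses; returns (subject, op, object, decision) for each."""
    alice = Subject("alice", LEVELS["SECRET"])
    bob = Subject("bob", LEVELS["CONFIDENTIAL"])
    payroll = Object("payroll.db", LEVELS["SECRET"])
    notice = Object("notice.txt", LEVELS["UNCLASSIFIED"])
    accesses = [
        (alice, "read", payroll),   # equal levels: allowed
        (bob, "read", payroll),     # read up: denied by NRU
        (bob, "write", payroll),    # write up: allowed by NWD
        (alice, "write", notice),   # write down: denied by NWD
        (bob, "write", notice),     # write down: denied by NWD
        (alice, "read", notice),    # read down: allowed
    ]
    return [(s.name, op, o.name, decide(s, op, o)) for s, op, o in accesses]


if __name__ == "__main__":
    for row in run_constructed_accesses():
        print(*row)
```

Run it as a script to see the six decisions; `decide` is the piece the rest of the slides move out of the application code and into an aspect, so that it is invoked on every read and write rather than only where a programmer remembered to call it.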
MLS & OOP
• Object-Oriented MLS implementation:
  – Clearances & classifications embedded in objects & subjects
  – Calls to reference monitor are manual
  – E.g.:
    // theUser is the subject, filePath the object
    if(!securitySource.canDownload(theUser, filePath)) {
      out.print(permissionDeniedMessage);
      return true;
    }
  – Security code clearly a cross cutting concern!
  – Can we implement security as an Aspect?
MLS & OOP
• Object-Oriented MLS implementation:
  – Relies on programmer to identify all reads/writes
    • If just one is missed, security is compromised
  – Code is tangled and, hence, less readable
• Aspect-Oriented MLS implementation:
  – Quantification provides stronger security
  – Code is not tangled and, hence, more readable
What we did
• Problem
  – Can AspectJ provide these benefits?
  – Can we reuse such Aspects?
• Our Approach
  – Two case studies considered
    • One artificial, one real-world
  – AspectJ implementations developed
  – Insights and observations extracted!
Case Study #1 – Payroll System
• Payroll System
  – SUBJECTS: User Threads
    • Normal employees have low clearance
    • Managers have high clearance
  – OBJECTS: Employee, WorkInfo and PayInfo
    • Employee instances have “low” classification
    • WorkInfo and PayInfo instances have “high” classification
[Class diagram: Employee (name, phone, office) linked one-to-one with WorkInfo and with PayInfo; UserThread extends Thread]
abstract aspect BLPPolicy {
  protected interface SUBJECT { }
  protected interface OBJECT { }

  // concrete policies say which join points are reads and writes
  abstract pointcut read(OBJECT o);
  abstract pointcut write(OBJECT o);

  // NRU: a SUBJECT thread may not read an OBJECT classified above its clearance
  before(OBJECT o) : read(o) &&
      if(Thread.currentThread() instanceof SUBJECT) {
    int oc = classification(o);
    int sc = clearance((SUBJECT) Thread.currentThread());
    if(sc < oc) throw new SecurityException();
  }

  // NWD: the corresponding check on writes
  before(OBJECT o) : write(o) &&
      if(Thread.currentThread() instanceof SUBJECT) {
    …
  }

  abstract int clearance(SUBJECT s);
  abstract int classification(OBJECT o);
}
Payroll Policy
aspect PayrollPolicy extends BLPPolicy {
  declare parents : UserThread implements SUBJECT;
  declare parents : WorkInfo implements OBJECT;
  declare parents : PayInfo implements OBJECT;
  declare parents : Employee implements OBJECT;

  // every field get / set on an OBJECT instance is a monitored access
  pointcut read(OBJECT o) : target(o) && get(* *.*);
  pointcut write(OBJECT o) : target(o) && set(* *.*);

  int clearance(SUBJECT s) { … }
  int classification(OBJECT o) { … }
}
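A Python analogue of BLPPolicy and PayrollPolicy, added here as an example; it is not the authors' AspectJ and it relies on a language feature rather than weaving. The class decorator plays the part of `declare parents … implements OBJECT` together with the two before-advices: it intercepts every attribute get and set on instances of the decorated class and checks it against the clearance of the current thread, as `get(* *.*)` / `set(* *.*)` with `Thread.currentThread()` do in the aspect. `UserThread`, the `Employee` and `PayInfo` fields, the `run_as` helper and the clearance values are constructed for the illustration:

```python
"""Payroll BLP policy enforced on every field get/set, with the current thread as subject."""
import threading

LOW, HIGH = 1, 2


class SecurityException(Exception):
    pass


class UserThread(threading.Thread):
    """SUBJECT: a worker thread that carries its user's clearance (constructed)."""

    def __init__(self, user, clearance, target):
        super().__init__(name=user, target=target)
        self.clearance = clearance


def blp_object(classification):
    """Class decorator standing in for 'declare parents ... implements OBJECT' plus
    the before-advice: it intercepts every attribute get/set on the class's instances."""

    def wrap(cls):
        def checked_get(self, attr):
            subj = threading.current_thread()
            # Only SUBJECT threads are policed (cf. if(... instanceof SUBJECT) in the aspect).
            if isinstance(subj, UserThread) and subj.clearance < classification:  # NRU
                raise SecurityException(f"NRU: {subj.name} read {cls.__name__}.{attr}")
            return object.__getattribute__(self, attr)

        def checked_set(self, attr, value):
            subj = threading.current_thread()
            if isinstance(subj, UserThread) and subj.clearance > classification:  # NWD
                raise SecurityException(f"NWD: {subj.name} wrote {cls.__name__}.{attr}")
            object.__setattr__(self, attr, value)

        cls.__getattribute__ = checked_get
        cls.__setattr__ = checked_set
        return cls

    return wrap


@blp_object(LOW)
class Employee:
    def __init__(self, name, phone, office):
        self.name, self.phone, self.office = name, phone, office


@blp_object(HIGH)
class PayInfo:
    def __init__(self, salary):
        self.salary = salary


def run_as(user, clearance, action):
    """Run action() on a UserThread; return ('ok', value) or ('denied', message)."""
    outcome = {}

    def body():
        try:
            outcome["r"] = ("ok", action())
        except SecurityException as exc:
            outcome["r"] = ("denied", str(exc))

    t = UserThread(user, clearance, body)
    t.start()
    t.join()
    return outcome["r"]


def demo():
    """Constructed scenarios. Set-up runs on the main thread, which is not a SUBJECT."""
    emp = Employee("Ann", "x1234", "B12")
    pay = PayInfo(5000)
    return {
        "manager reads salary": run_as("manager", HIGH, lambda: pay.salary),
        "employee reads salary": run_as("employee", LOW, lambda: pay.salary),
        "employee reads phone": run_as("employee", LOW, lambda: emp.phone),
        "manager writes phone": run_as("manager", HIGH, lambda: setattr(emp, "phone", "x9999")),
        "employee writes salary": run_as("employee", LOW, lambda: setattr(pay, "salary", 1)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two things carry over from the aspect. First, because the check sits on the attribute access itself, nobody has to remember to call the monitor: the employee's read of `salary` is refused wherever in the code it happens. Second, the `isinstance(subj, UserThread)` guard is the Python form of `if(Thread.currentThread() instanceof SUBJECT)`: threads that are not subjects (here the main thread doing set-up) are not checked at all, so which threads count as subjects is itself part of the policy and must be reviewed as such.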
Case Study #2 – FTP Server
• jFTPd
  – Third-party application (approx. 20 classes)
  – Users can upload and download files
  – SUBJECTS: FTPConnections, OBJECTS: files
  – FTPUser contains user information
  – FTPSecuritySource implements existing security policy
[Class diagram: FTPConnection (doCommand()) implements the Runnable interface and is associated with FTPUser and FTPSecuritySource]
Problems
• Roles not so clearly defined:
  – OBJECTS are files, but cannot really “see” them
    • Instead, they are represented by proxy
    • E.g. FileInputStream, FileReader
  – SUBJECTS are instances of “Runnable”
    • Cannot get Runnable instance associated with thread!
    • So, unable to identify subject inside advice
The Plan
• Intercept all file read/write system calls
  – E.g. FileInputStream.read(), FileReader.write()
• Associate classification with “file” instances
  – Given “FileInputStream” instance, determine classification of file it represents
• Associate clearance with “user” threads
  – Given Thread, determine FTPConnection object it corresponds to
aspect JFTPdPolicy extends BLPPolicy {
  // associations the aspect must maintain itself, since system classes cannot be woven
  Map<Object,String> objects = …;          // stream proxy -> file name
  Map<Thread,FTPConnection> subjects = …;  // thread -> connection it serves

  // intercept reads on the stream/reader proxies (InputStream, not just FileInputStream)
  pointcut read(Object o) : target(o) &&
      (call(* InputStream.read*(..)) || call(* Reader.read*(..)) || … );
  pointcut write(Object o) : target(o) && … ;

  // record which file a newly created stream stands for
  after(String s) returning(Object o) : args(s) &&
      call(FileInputStream.new(String)) { objects.put(o,s); }
  …
  // record which connection a newly created worker thread serves
  after(FTPConnection f) returning(Thread t) : args(f) &&
      call(Thread.new(Runnable)) { subjects.put(t,f); }
  …
  // lookup username then clearance
  int clearance(Object o) { … }
  // lookup filename then classification
  int classification(Object o) { … }
}
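A Python analogue of the plan above and of JFTPdPolicy, added as an example (it is neither jFTPd's code nor the authors' aspect). The monitor keeps the two association maps, fills them when a stream proxy or a worker thread is created (the `after … returning` advice) and wraps every `read*` method of the proxy class, which is what `call(* InputStream.read*(..))` does; it can then look up the file name from the proxy and the connection from the thread at each read. The in-memory file store, the labels, the users and the `download` helper are constructed:

```python
"""jFTPd-style BLP monitor: files reachable only via stream proxies, subjects only via threads."""
import io
import threading

# Constructed file store, labels and users.
FILE_CONTENTS = {"/pub/readme.txt": b"welcome\n", "/secret/plans.txt": b"top secret\n"}
FILE_CLASSIFICATION = {"/pub/readme.txt": 1, "/secret/plans.txt": 2}
USER_CLEARANCE = {"anonymous": 1, "admin": 2}


class SecurityException(Exception):
    pass


class FTPConnection:
    def __init__(self, user):
        self.user = user


objects = {}   # stream proxy -> path it represents   (Map<Object,String> in the aspect)
subjects = {}  # thread -> FTPConnection it serves     (Map<Thread,FTPConnection>)


def clearance(thread):
    return USER_CLEARANCE[subjects[thread].user]     # lookup username, then clearance


def classification(stream):
    return FILE_CLASSIFICATION[objects[stream]]       # lookup filename, then classification


def check_read(stream):
    """NRU check for one read on a stream proxy."""
    t = threading.current_thread()
    if t not in subjects:   # not an FTP worker thread: not a SUBJECT, so unchecked
        return
    if clearance(t) < classification(stream):
        raise SecurityException(f"NRU: {subjects[t].user} may not read {objects[stream]}")


def monitor_reads(cls):
    """Wrap every read* method of cls (the call(* InputStream.read*(..)) pointcut).
    The wildcard would also match readable(), which is not a read, so it is skipped."""
    for name in dir(cls):
        if name.startswith("read") and name != "readable" and callable(getattr(cls, name)):
            def checked(self, *args, _orig=getattr(cls, name), **kwargs):
                check_read(self)
                return _orig(self, *args, **kwargs)
            setattr(cls, name, checked)
    return cls


@monitor_reads
class FileInputStream(io.BytesIO):
    """Proxy for a file (in-memory here); creating it records which path it stands for."""

    def __init__(self, path):
        super().__init__(FILE_CONTENTS[path])
        objects[self] = path   # after(String s) returning(Object o): call(FileInputStream.new(String))


def spawn(conn, target):
    """Create a connection's worker thread and record the association
    (after(FTPConnection f) returning(Thread t): call(Thread.new(Runnable)))."""
    t = threading.Thread(target=target)
    subjects[t] = conn
    return t


def download(conn, path, method="read"):
    """Serve one download on the connection's worker thread; ('ok', bytes) or ('denied', msg)."""
    outcome = {}

    def body():
        try:
            stream = FileInputStream(path)
            outcome["r"] = ("ok", getattr(stream, method)())
        except SecurityException as exc:
            outcome["r"] = ("denied", str(exc))

    t = spawn(conn, body)
    t.start()
    t.join()
    return outcome["r"]


def demo():
    anon, admin = FTPConnection("anonymous"), FTPConnection("admin")
    return {
        "anonymous /pub": download(anon, "/pub/readme.txt"),
        "anonymous /secret": download(anon, "/secret/plans.txt"),
        "anonymous /secret readline": download(anon, "/secret/plans.txt", "readline"),
        "admin /secret": download(admin, "/secret/plans.txt"),
        # The main thread is in neither map, so this read is not checked at all.
        "main thread readline": ("ok", FileInputStream("/secret/plans.txt").readline()),
    }
```

The `readline` case shows why the pointcut quantifies over `read*` rather than naming `read()`: a single unwrapped entry point is enough to bypass the monitor. The `readable()` exclusion shows the other side of the same coin, that a wildcard can match more than intended, which is the "AspectJ code is subtle" point from the conclusions. The last entry shows that a thread missing from `subjects` is silently treated as a non-subject, so the association maps are themselves security-critical state.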
// Revised BLPPolicy: roles are plain Object rather than SUBJECT/OBJECT (see JFTPdPolicy)
abstract aspect BLPPolicy {
  protected interface SUBJECT { }
  protected interface OBJECT { }

  abstract pointcut read(Object o);
  abstract pointcut write(Object o);

  // NRU check
  before(Object o) : read(o) &&
      if(Thread.currentThread() instanceof SUBJECT) {
    int oc = classification(o);
    int sc = clearance(Thread.currentThread());
    if(sc < oc) throw new SecurityException();
  }

  // NWD check
  before(Object o) : write(o) &&
      if(Thread.currentThread() instanceof SUBJECT) {
    …
  }

  abstract int clearance(Object s);
  abstract int classification(Object o);
}
Conclusions
• Benefits
  – MLS is stronger!
  – MLS is less tangled!
• Issues
  – AspectJ code is subtle
    • Must intercept InputStream NOT FileInputStream
    • How to be sure ALL file reads/writes covered?
  – Aspect brittle to changes in System libraries
  – Roles not so clearly defined in aspects
  – System classes cannot be woven
    • Some associations must be maintained manually