research-article

Secure and modular access control with aspects

Authors:

Rodolfo Toledo,

Éric TanterAuthors Info & Claims

AOSD '13: Proceedings of the 12th annual international conference on Aspect-oriented software development

Pages 157 - 170

https://doi.org/10.1145/2451436.2451456

Published: 24 March 2013 Publication History

Abstract

Can access control be fully modularized as an aspect? Most proposals for aspect-oriented access control are limited to factoring out access control checks, still relying on a non-modular and ad hoc infrastructure for permission checking. Recently, we proposed an approach for modular access control, called ModAC. ModAC successfully modularizes both the use of and the support for access control by means of restriction aspects and scoping strategies. However, ModAC is only informally described and therefore does not provide any formal guarantee with respect to its effectiveness. In addition, like in many other proposals for aspect-oriented access control, the presence of untrusted aspects is not at all considered, thereby jeopardizing the practical applicability of such approaches. This paper demonstrates that it is possible to fully modularize aspect control, even in the presence of untrusted aspects. It does so by describing a self-protecting aspect that secures ModAC. We validate this result by describing a core calculus for AspectScript, an aspect-oriented extension of JavaScript, and using this calculus to prove effectiveness and non-interference properties of ModAC. Beyond being an important validation for AOP itself, fully modularizing access control with aspects allows access control to be added to other aspect languages, without requiring ad hoc support.

References

[1]

M. Abadi and C. Fournet. Access control based on execution history. In Proceedings of the 10th annual Network and Distributed System Security Symposium, pages 107--121, 2003.

[2]

Proceedings of the 9th ACM International Conference on Aspect-Oriented Software Development (AOSD 2010), Rennes and Saint Malo, France, Mar. 2010. ACM Press.

[3]

M. Bagherzadeh, H. Rajan, G. T. Leavens, and S. Mooney. Translucid contracts: Expressive specification and modular verification for aspect-oriented interfaces. In Proceedings of the 10th ACM International Conference on Aspect-Oriented Software Development (AOSD 2011), Porto de Galinhas, Brazil, Mar. 2011. ACM Press.

Digital Library

[4]

D. Box and C. Sells. Essential .NET: The common language runtime, volume 1. Addison-Wesley, Nov. 2002.

Digital Library

[5]

D. Caromel and J. Vayssière. A security framework for reflective Java applications. Software: Practice and Experience, 33(9):821--846, 2003.

Digital Library

[6]

C. Clifton and G. T. Leavens. MiniMAO$_1$: An imperative core language for studying aspect-oriented reasoning. Science of Computer Programming, 63:312--374, 2006.

Digital Library

[7]

D. S. Dantas and D. Walker. Harmless advice. In Proceedings of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2006), pages 383--396, Charleston, South Carolina, USA, Jan. 2006. ACM Press.

Digital Library

[8]

W. De Borger, B. De Win, B. Lagaisse, and W. Joosen. A permission system for secure AOP. In AOSD 2010, pages 205--216.

Digital Library

[9]

B. De Win, W. Joosen, and F. Piessens. Developing secure applications through Aspect-Oriented programming. In Aspect-Oriented Software Development, pages 633--650. Addison-Wesley Professional, Oct. 2004.

[10]

C. Dutchyn, D. B. Tucker, and S. Krishnamurthi. Semantics and scoping of aspects in higher-order languages. Science of Computer Programming, 63(3):207--239, Dec. 2006.

Digital Library

[11]

ECMA International. ECMAScript Language Specification. ECMA-262. 5th edition, Apr. 2009.

[12]

U. Erlingsson and F. Schneider. IRM enforcement of Java stack inspection. In Proceedings of the IEEE Symposium on Security and Privacy, pages 246--255, 2000.

Digital Library

[13]

M. Felleisen, R. B. Findler, and M. Flatt. Semantics Engineering with PLT Redex. MIT Press, 2009.

Digital Library

[14]

D. Ferraiolo and R. Kuhn. Role-Based access control. 15th NIST-NCSC National Computer Security Conference, pages 554--563, 1992.

[15]

C. Fournet and A. D. Gordon. Stack inspection: theory and variants. ACM Transactions on Programming Languages and Systems (TOPLAS), 25(3):360 -- 399, 2003.

Digital Library

[16]

J. Gosling, B. Joy, G. Steele, and G. Bracha. The Java Language Specification, 3rd edition. Addison-Wesley, 2005.

Digital Library

[17]

A. Guha, C. Saftoiu, and S. Krishnamurthi. The essence of JavaScript. In T. D'Hondt, editor, Proceedings of the 24th European Conference on Object-oriented Programming (ECOOP 2010), number 6183 in Lecture Notes in Computer Science, pages 126--150, Maribor, Slovenia, June 2010. Springer-Verlag.

Digital Library

[18]

N. Hardy. The confused deputy. SIGOPS Operating Systems Review, 22(4):36--38, 1988.

Digital Library

[19]

M. Huang, C. Wang, and L. Zhang. Toward a reusable and generic security aspect library. In AOSD Technologies for Application-Level Security, 2004.

[20]

G. Kiczales, E. Hilsdale, J. Hugunin, M. Kersten, J. Palm, and W. Griswold. An overview of AspectJ. In J. L. Knudsen, editor, Proceedings of the 15th European Conference on Object-Oriented Programming (ECOOP 2001), number 2072 in Lecture Notes in Computer Science, pages 327--353, Budapest, Hungary, June 2001. Springer-Verlag.

Digital Library

[21]

A. Mourad, M. Laverdière, and M. Debbabi. An aspect-oriented approach for the systematic security hardening of code. Computers & Security, 27(3--4):101--114, June 2008.

[22]

B. C. d. S. Oliveira, T. Schrijvers, and W. R. Cook. EffectiveAdvice: discplined advice with explicit effects. In AOSD 2010citeaosd2010, pages 109--120.

Digital Library

[23]

R. Ramachandran. AspectJ for Multilevel Security. Master Thesis, Victoria University of Wellington, 2006.

[24]

P. Samarati and S. D. C. di Vimercati. Access control: Policies, models, and mechanisms. In Foundations of Security Analysis and Design, volume 2171 of Lecture Notes in Computer Science, pages 137--196. Springer Berlin / Heidelberg, London, UK, 2001.

Digital Library

[25]

P. Słowikowski and K. Zielinski. Comparison study of aspect-oriented and container managed security. In Proceedings of the Workshop on Analysis of Aspect Oriented Software, Germany, 2003.

[26]

É. Tanter. Expressive scoping of dynamically-deployed aspects. In Proceedings of the 7th ACM International Conference on Aspect-Oriented Software Development (AOSD 2008), pages 168--179, Brussels, Belgium, Apr. 2008. ACM Press.

Digital Library

[27]

É. Tanter. Beyond static and dynamic scope. In Proceedings of the 5th ACM Dynamic Languages Symposium (DLS 2009), pages 3--14, Orlando, FL, USA, Oct. 2009. ACM Press.

Digital Library

[28]

É. Tanter. Execution levels for aspect-oriented programming. In AOSD 2010, pages 37--48.

Digital Library

[29]

É. Tanter, J. Fabry, R. Douence, J. Noyé, and M. Südholt. Scoping strategies for distributed aspects. Science of Computer Programming, 75(12):1235--1261, 2010.

Digital Library

[30]

R. Toledo, P. Leger, and É. Tanter. AspectScript: Expressive aspects for the Web. In AOSD 2010citeaosd2010, pages 13--24.

Digital Library

[31]

R. Toledo, A. Núnez, É. Tanter, and J. Noyé. Aspectizing Java access control. IEEE Transactions on Software Engineering, 38(1):101--117, Jan./Feb. 2012.

Digital Library

[32]

R. Toledo and É. Tanter. Secure and modular access control with aspects--supplementary material. http://users.dcc.uchile.cl/ rtoledo/modac-aosd/.

[33]

R. Toledo and É. Tanter. Access control in JavaScript. IEEE Software, 28(5):76--84, Sept./Oct. 2011.

Digital Library

[34]

B. Vanhaute, B. De Decker, and B. De Win. Building frameworks in AspectJ. Workshop on Advanced Separation of Concerns (ECOOP), pages 1--6, 2001.

[35]

J. Viega, J. Bloch, and P. Chandra. Applying Aspect-Oriented programming to security. Cutter IT Journal, 14(2):31--39, Feb. 2001.

Cited By

Alsobeh AMagableh AAlSukhni E(2019)Runtime Reusable Weaving Model for Cloud Services Using Aspect-Oriented ProgrammingCloud Security10.4018/978-1-5225-8176-5.ch029(574-591)Online publication date: 2019
https://doi.org/10.4018/978-1-5225-8176-5.ch029
Alsobeh AMagableh AAlSukhni E(2018)Runtime Reusable Weaving Model for Cloud Services Using Aspect-Oriented ProgrammingInternational Journal of Web Services Research10.4018/IJWSR.201801010415:1(71-88)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.4018/IJWSR.2018010104
Thulnoon ALempereur BShi QAl-Jumeily DHamdan HToral-Cruz HAkleylek SMcheick HBoubiche D(2017)Using aspect oriented programming to enforce privacy preserving communication in distributed systemsProceedings of the Second International Conference on Internet of things, Data and Cloud Computing10.1145/3018896.3065828(1-8)Online publication date: 22-Mar-2017
https://dl.acm.org/doi/10.1145/3018896.3065828
Show More Cited By

Index Terms

Secure and modular access control with aspects
1. Software and its engineering
  1. Software notations and tools
    1. Formal language definitions
    2. General programming languages
      1. Language features
2. Theory of computation
  1. Formal languages and automata theory

Recommendations

Taming aspects
VariComp '13: Proceedings of the 4th international workshop on Variability & composition

Aspect-oriented programming languages support the modular definition of crosscutting abstractions. In most languages, this is achieved through pointcuts, which provide a means for quantifying over execution events in order to implicitly trigger advice. ...
AspectScript: expressive aspects for the web
AOSD '10: Proceedings of the 9th International Conference on Aspect-Oriented Software Development

JavaScript is widely used to build increasingly complex Web applications. Unsurprisingly, these applications need to address cross-cutting concerns. Therefore support for aspect-oriented programming is crucial to preserve proper modularity. However, ...
Scoping strategies for distributed aspects

Dynamic deployment of aspects brings greater flexibility and reuse potential, but requires a proper means for scoping aspects. Scoping issues are particularly crucial in a distributed context: adequate treatment of distributed scoping is necessary to ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

AOSD '13: Proceedings of the 12th annual international conference on Aspect-oriented software development

March 2013

232 pages

ISBN:9781450317665

DOI:10.1145/2451436

General Chair:
Hidehiko Masuhara
The University of Tokyo, Japan
,
Program Chairs:
Jörg Kienzle
McGill University, Canada
,
Elisa Baniassad
Australian National University, Australia
,
David H. Lorenz
The Open University of Israel, Israel

Copyright © 2013 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

AOSA: Aspect-Oriented Software Association

In-Cooperation

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 24 March 2013

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

AOSD '13

Sponsor:

AOSA

AOSD '13: Aspect-Oriented Software Development

March 24 - 29, 2013

Fukuoka, Japan

Acceptance Rates

Overall Acceptance Rate 41 of 139 submissions, 29%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

8
Total Citations
View Citations
115
Total Downloads

Downloads (Last 12 months)2
Downloads (Last 6 weeks)0

Reflects downloads up to 07 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

Alsobeh AMagableh AAlSukhni E(2019)Runtime Reusable Weaving Model for Cloud Services Using Aspect-Oriented ProgrammingCloud Security10.4018/978-1-5225-8176-5.ch029(574-591)Online publication date: 2019
https://doi.org/10.4018/978-1-5225-8176-5.ch029
Alsobeh AMagableh AAlSukhni E(2018)Runtime Reusable Weaving Model for Cloud Services Using Aspect-Oriented ProgrammingInternational Journal of Web Services Research10.4018/IJWSR.201801010415:1(71-88)Online publication date: 1-Jan-2018
https://dl.acm.org/doi/10.4018/IJWSR.2018010104
Thulnoon ALempereur BShi QAl-Jumeily DHamdan HToral-Cruz HAkleylek SMcheick HBoubiche D(2017)Using aspect oriented programming to enforce privacy preserving communication in distributed systemsProceedings of the Second International Conference on Internet of things, Data and Cloud Computing10.1145/3018896.3065828(1-8)Online publication date: 22-Mar-2017
https://dl.acm.org/doi/10.1145/3018896.3065828
Thlunoon AKifayat K(2017)Enforcing Access Control Models in System Applications by Using Aspect-Oriented Programming: A Literature Review2017 10th International Conference on Developments in eSystems Engineering (DeSE)10.1109/DeSE.2017.35(100-105)Online publication date: Jun-2017
https://doi.org/10.1109/DeSE.2017.35
Tanter ÉFigueroa ITabareau N(2014)Execution levels for aspect-oriented programmingScience of Computer Programming10.5555/2748144.274839480:PB(311-342)Online publication date: 1-Feb-2014
https://dl.acm.org/doi/10.5555/2748144.2748394
Pasquier TBacon JShand BPeternier ABinder WErnst EHirschfeld R(2014)FlowRProceedings of the 13th international conference on Modularity10.1145/2577080.2577090(37-48)Online publication date: 22-Apr-2014
https://dl.acm.org/doi/10.1145/2577080.2577090
Tanter ÉCazzola WGonzález SVan Landuyt DLahire P(2013)Taming aspectsProceedings of the 4th international workshop on Variability & composition10.1145/2451617.2451623(19-19)Online publication date: 26-Mar-2013
https://dl.acm.org/doi/10.1145/2451617.2451623
Zhu YZhu H(2013)Formal verification of mandatory access control for privacy cloudProceedings of 2013 3rd International Conference on Computer Science and Network Technology10.1109/ICCSNT.2013.6967116(297-300)Online publication date: Oct-2013
https://doi.org/10.1109/ICCSNT.2013.6967116

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten