Rodolfo Toledo
Éric Tanter
ABSTRACT
Can access control be fully modularized as an aspect? Most proposals for aspect-oriented access control are limited to factoring out access control checks, still relying on a non-modular and ad hoc infrastructure for permission checking. Recently, we proposed an approach for modular access control, called ModAC. ModAC successfully modularizes both the use of and the support for access control by means of restriction aspects and scoping strategies. However, ModAC is only informally described and therefore does not provide any formal guarantee with respect to its effectiveness. In addition, like in many other proposals for aspect-oriented access control, the presence of untrusted aspects is not at all considered, thereby jeopardizing the practical applicability of such approaches. This paper demonstrates that it is possible to fully modularize aspect control, even in the presence of untrusted aspects. It does so by describing a self-protecting aspect that secures ModAC. We validate this result by describing a core calculus for AspectScript, an aspect-oriented extension of JavaScript, and using this calculus to prove effectiveness and non-interference properties of ModAC. Beyond being an important validation for AOP itself, fully modularizing access control with aspects allows access control to be added to other aspect languages, without requiring ad hoc support.
- M. Abadi and C. Fournet. Access control based on execution history. In Proceedings of the 10th annual Network and Distributed System Security Symposium, pages 107--121, 2003.Google Scholar
- Proceedings of the 9th ACM International Conference on Aspect-Oriented Software Development (AOSD 2010), Rennes and Saint Malo, France, Mar. 2010. ACM Press.Google Scholar
- M. Bagherzadeh, H. Rajan, G. T. Leavens, and S. Mooney. Translucid contracts: Expressive specification and modular verification for aspect-oriented interfaces. In Proceedings of the 10th ACM International Conference on Aspect-Oriented Software Development (AOSD 2011), Porto de Galinhas, Brazil, Mar. 2011. ACM Press. Google ScholarDigital Library
- D. Box and C. Sells. Essential .NET: The common language runtime, volume 1. Addison-Wesley, Nov. 2002. Google ScholarDigital Library
- D. Caromel and J. Vayssière. A security framework for reflective Java applications. Software: Practice and Experience, 33(9):821--846, 2003. Google ScholarDigital Library
- C. Clifton and G. T. Leavens. MiniMAO$_1$: An imperative core language for studying aspect-oriented reasoning. Science of Computer Programming, 63:312--374, 2006. Google ScholarDigital Library
- D. S. Dantas and D. Walker. Harmless advice. In Proceedings of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL 2006), pages 383--396, Charleston, South Carolina, USA, Jan. 2006. ACM Press. Google ScholarDigital Library
- W. De Borger, B. De Win, B. Lagaisse, and W. Joosen. A permission system for secure AOP. In AOSD 2010, pages 205--216. Google ScholarDigital Library
- B. De Win, W. Joosen, and F. Piessens. Developing secure applications through Aspect-Oriented programming. In Aspect-Oriented Software Development, pages 633--650. Addison-Wesley Professional, Oct. 2004.Google Scholar
- C. Dutchyn, D. B. Tucker, and S. Krishnamurthi. Semantics and scoping of aspects in higher-order languages. Science of Computer Programming, 63(3):207--239, Dec. 2006. Google ScholarDigital Library
- ECMA International. ECMAScript Language Specification. ECMA-262. 5th edition, Apr. 2009.Google Scholar
- U. Erlingsson and F. Schneider. IRM enforcement of Java stack inspection. In Proceedings of the IEEE Symposium on Security and Privacy, pages 246--255, 2000. Google ScholarDigital Library
- M. Felleisen, R. B. Findler, and M. Flatt. Semantics Engineering with PLT Redex. MIT Press, 2009. Google ScholarDigital Library
- D. Ferraiolo and R. Kuhn. Role-Based access control. 15th NIST-NCSC National Computer Security Conference, pages 554--563, 1992.Google Scholar
- C. Fournet and A. D. Gordon. Stack inspection: theory and variants. ACM Transactions on Programming Languages and Systems (TOPLAS), 25(3):360 -- 399, 2003. Google ScholarDigital Library
- J. Gosling, B. Joy, G. Steele, and G. Bracha. The Java Language Specification, 3rd edition. Addison-Wesley, 2005. Google ScholarDigital Library
- A. Guha, C. Saftoiu, and S. Krishnamurthi. The essence of JavaScript. In T. D'Hondt, editor, Proceedings of the 24th European Conference on Object-oriented Programming (ECOOP 2010), number 6183 in Lecture Notes in Computer Science, pages 126--150, Maribor, Slovenia, June 2010. Springer-Verlag. Google ScholarDigital Library
- N. Hardy. The confused deputy. SIGOPS Operating Systems Review, 22(4):36--38, 1988. Google ScholarDigital Library
- M. Huang, C. Wang, and L. Zhang. Toward a reusable and generic security aspect library. In AOSD Technologies for Application-Level Security, 2004.Google Scholar
- G. Kiczales, E. Hilsdale, J. Hugunin, M. Kersten, J. Palm, and W. Griswold. An overview of AspectJ. In J. L. Knudsen, editor, Proceedings of the 15th European Conference on Object-Oriented Programming (ECOOP 2001), number 2072 in Lecture Notes in Computer Science, pages 327--353, Budapest, Hungary, June 2001. Springer-Verlag. Google ScholarDigital Library
- A. Mourad, M. Laverdière, and M. Debbabi. An aspect-oriented approach for the systematic security hardening of code. Computers & Security, 27(3--4):101--114, June 2008.Google Scholar
- B. C. d. S. Oliveira, T. Schrijvers, and W. R. Cook. EffectiveAdvice: discplined advice with explicit effects. In AOSD 2010citeaosd2010, pages 109--120. Google ScholarDigital Library
- R. Ramachandran. AspectJ for Multilevel Security. Master Thesis, Victoria University of Wellington, 2006.Google Scholar
- P. Samarati and S. D. C. di Vimercati. Access control: Policies, models, and mechanisms. In Foundations of Security Analysis and Design, volume 2171 of Lecture Notes in Computer Science, pages 137--196. Springer Berlin / Heidelberg, London, UK, 2001. Google ScholarDigital Library
- P. Słowikowski and K. Zielinski. Comparison study of aspect-oriented and container managed security. In Proceedings of the Workshop on Analysis of Aspect Oriented Software, Germany, 2003.Google Scholar
- É. Tanter. Expressive scoping of dynamically-deployed aspects. In Proceedings of the 7th ACM International Conference on Aspect-Oriented Software Development (AOSD 2008), pages 168--179, Brussels, Belgium, Apr. 2008. ACM Press. Google ScholarDigital Library
- É. Tanter. Beyond static and dynamic scope. In Proceedings of the 5th ACM Dynamic Languages Symposium (DLS 2009), pages 3--14, Orlando, FL, USA, Oct. 2009. ACM Press. Google ScholarDigital Library
- É. Tanter. Execution levels for aspect-oriented programming. In AOSD 2010, pages 37--48. Google ScholarDigital Library
- É. Tanter, J. Fabry, R. Douence, J. Noyé, and M. Südholt. Scoping strategies for distributed aspects. Science of Computer Programming, 75(12):1235--1261, 2010. Google ScholarDigital Library
- R. Toledo, P. Leger, and É. Tanter. AspectScript: Expressive aspects for the Web. In AOSD 2010citeaosd2010, pages 13--24. Google ScholarDigital Library
- R. Toledo, A. Núnez, É. Tanter, and J. Noyé. Aspectizing Java access control. IEEE Transactions on Software Engineering, 38(1):101--117, Jan./Feb. 2012. Google ScholarDigital Library
- R. Toledo and É. Tanter. Secure and modular access control with aspects--supplementary material. http://users.dcc.uchile.cl/ rtoledo/modac-aosd/.Google Scholar
- R. Toledo and É. Tanter. Access control in JavaScript. IEEE Software, 28(5):76--84, Sept./Oct. 2011. Google ScholarDigital Library
- B. Vanhaute, B. De Decker, and B. De Win. Building frameworks in AspectJ. Workshop on Advanced Separation of Concerns (ECOOP), pages 1--6, 2001.Google Scholar
- J. Viega, J. Bloch, and P. Chandra. Applying Aspect-Oriented programming to security. Cutter IT Journal, 14(2):31--39, Feb. 2001.Google Scholar
Index Terms
- Secure and modular access control with aspects
Recommendations
Taming aspects
VariComp '13: Proceedings of the 4th international workshop on Variability & compositionAspect-oriented programming languages support the modular definition of crosscutting abstractions. In most languages, this is achieved through pointcuts, which provide a means for quantifying over execution events in order to implicitly trigger advice. ...
AspectScript: expressive aspects for the web
AOSD '10: Proceedings of the 9th International Conference on Aspect-Oriented Software DevelopmentJavaScript is widely used to build increasingly complex Web applications. Unsurprisingly, these applications need to address cross-cutting concerns. Therefore support for aspect-oriented programming is crucial to preserve proper modularity. However, ...
Scoping strategies for distributed aspects
Dynamic deployment of aspects brings greater flexibility and reuse potential, but requires a proper means for scoping aspects. Scoping issues are particularly crucial in a distributed context: adequate treatment of distributed scoping is necessary to ...
Comments