Embed Size (px)
Citation preview
Guest lecture for Software Architecture course – HT2009
Phu H. Phung, [email protected]
October 09th 2009
Acknowledgements: Erik Hilsdale, Gregor Kiczales, Martin Giese
ASPECTASPECT--ORIENTED PROGRAMMINGORIENTED PROGRAMMING
� This lecture is to
introduce the overview
concept of AOP, the
language/tools and the
speaker’s research
related to AOP
Why AOP?
Key points
Language & Tools
AOP and Security
Summary
A modularized function example: A modularized function example:
XML parsing in Apache TomcatXML parsing in Apache Tomcat
All in one class
A nonA non--modularized function example: modularized function example:
Logging in Apache TomcatLogging in Apache Tomcat
Logging is not modularized and appears in almost every class
A nonA non--modularized function example: modularized function example:
Session Session ExpirationExpiration in Apache Tomcatin Apache Tomcat
Logging and Session Expiration in Tomcat are examples of tangled code
Tangled code Tangled code difficultiesdifficulties
� Redundant
� Repeated code in many places
� Difficult to reason about� non-explicit structure
� the big picture of the tangling isn’t clear
� Difficult to change� have to find all the code involved
� and be sure to change it consistently
� and be sure not to break it by accident
Software concernsSoftware concerns
Separation of concerns Crosscutting concerns
� A complex system consists of distinct parts call
concerns
� Represented by new
abstractions such as
modules, classes
� These abstractions are separate and independent
� Implementations cut across multiple
abstractions in a system
� Code is tangled in almost
everywhere in a system
The goal of AOPThe goal of AOPis to capture the structure of crosscutting concerns is to capture the structure of crosscutting concerns explicitlyexplicitly
Aspects are well-modularized crosscutting concerns
Aspects
AOP benefitsAOP benefits
� good modularity, even for crosscutting concerns
� less tangled code
� more natural code
� shorter code
� easier maintenance and evolution
� easier to reason about, debug, change
� more reusable
� library aspects
� plug and play aspects when appropriate
AOP ideaAOP idea
� Capture the structure of crosscutting
concerns explicitly
� implementation cutting cross multiple abstractions in a system, e.g. logging
� Embed additional code at execution points
matching certain conditions
� i.e. adding function name when logging a system call
A new concept: Join pointA new concept: Join point
� A dynamic execution point of the program,
e.g:
� Method calls
� Constructor calls
� Property access (read/write)
� Exceptions
� …
Join point examplesJoin point examples
a Figure
a Line
and returns or throws
a method is called
dispatch
dispatch
a method is called
and a returns or throws
a method executes
and returnsor throws
ConstructsConstructs
� Point-cut
� Collections of joint points and values at points
� Advice
� declare that certain code should execute at each of the join points in the pointcut
� The additional code can be inserted before, after or even instead of existing code
� Aspect
� point-cut + advice + member declarations
before( {target: window, method: 'alert'},
function() {
log('AOP test: window.alert is invoked');
}
);
A simple AOP exampleA simple AOP example
A point cut
Advice(additional code at an
execution point)
Advice types:before, after, around
More about AdviceMore about Advice
ImplementationImplementation
� Using a tool called aspect weaver to weave
the advice code into the main program code.
Main program
Aspects
Woven program with the aspects
Aspect
weaver
Hello World ExampleHello World Example
//file Hello.javapublic class Hello{
void greeting(){System.out.println(“Hello World!”);
}public static void main(String[] args){
new Hello.greeting();}
}
javac Hello.java
java Hello
Hello World!
C:\>
C:\>
C:\>
An aspect example (An aspect example (AspectJAspectJlanguage)language)
//file HelloAspect.javapublic aspect GreetingAspect{
void before(): call(void Hello.greeting()){System.out.print(“AOP test: ”);
}}
ajc Hello.java HelloAspect.java
java Hello
AOP test: Hello World!
C:\>
C:\>
C:\>
AspectJ compiler
AspectJAspectJlanguagelanguage
� An aspect-oriented language for Java� Legal AspectJ programs run on standard Java runtime environment
� The concept of AOP was originated by Gregor Kiczalesand his team at Xerox PARC� AspectJ was originally developed by the team, launched in 1998
� First versions in 2000
� http://eclipse.org/aspectj since 2002
� The original Xerox AspectJ implementation used source weaving
� AspectJ was re-implemented using the Eclipse Java compiler and a byte-code weaver based on The Byte Code Engineering Library (BCEL)
AOP development toolsAOP development tools
� AspectJ - aspect-oriented extension to Java
� Eclipse IDE support for AspectJ
� IDE support for emacs, Netbeans, and Jbuilder
� AspectWerkz� Dynamic, lightweight and high-performance AOP/AOSD framework for
Java. (from March 2005 Aspectwekz has been merged with AspectJ)
� JBoss-AOP � Java AOP architecture used for the JBOSS application server.
� Spring� provide a close integration between AOP implementation and Spring IoC
to help solve common problems in enterprise applications.
� Glassbox� open source application troubleshooting tool for application monitoring.
Other AOP implementationsOther AOP implementations
� Flash ActionScript 2.0
� C/C++
� C#/VB.NET
� Cobol
� Cocoa
� ColdFusion
� Common Lisp
� Delphi
� UML 2.0
� Java
� JavaScript
� Perl
� PHP
� Python
� …
More on www.aosd.net
Summary from the speaker’s research
Conventional security mechanismsConventional security mechanisms
� Firewall
� Cryptography
� Access control
� System calls/
privileged mode
Treat programs as black box,Treat programs as black box,Treat programs as black box,Treat programs as black box,cannot address vuneralbilities inside a programcannot address vuneralbilities inside a programcannot address vuneralbilities inside a programcannot address vuneralbilities inside a program
Melissa (1999)in Ms Outlook
Samy (2005)in MySpace
LanguageLanguage--based securitybased security
� Looking inside a program to enforce security
� Before execution
� analyze the code to ensure it is safe
� rewrite the code to avoid potential harm
� During execution
� monitor security-relevant events and stop the event violating security
� audit the code and take policing action if it did harm
Security Policy Enforcement by Security Policy Enforcement by Program TransformationProgram Transformation
� New code will be added in security-relevant actions or events to check the program respects the security policies� the modified program is guaranteed not to violate the policy
Research questionsResearch questions
� Can AOP be applied into security policy enforcement?
� What classes of security policies that the
AOP technique can be defined and
enforced?
� How mature is the security assurance
provided by the approach?
Study in the context of vehicle softwareStudy in the context of vehicle software
� Study the application of fine-grained security
policy enforcement in vehicle systems� Using AOP technique and deploying the approach in the
vehicle systems
� Considering the application in the context of vehicle telematics/infotainment systems under the OSGi standard
� a telematics client application can be downloaded and
installed over the air from a control centre
� OSGi: Open Services Gateway initiative
A motivating exampleA motivating example
� “A third party service (in an on-board vehicle computer) needs to be able to send SMS messages in order to function properly”� possible problems of the application
� could be malicious, e.g. send to many messages
� may has bugs, e.g. repeatedly send messages
� high cost when abroad
� Need for more fire-grained security policy, e.g.� allow a third party application to access SMS service but
restricted receipt address, with a limit on the number of messages per day, and depending on the vehicle’s location
The deployment modelThe deployment model
Study resultsStudy results
� How various sorts of security policies are categorised and described in AspectJ has been illustrated
� Resulted in the first study of security policy enforcement using an aspect-oriented programming language in an open system like the OSGi framework� based on the more industrially well-know language without defining
any new policy languages
Study in the context of JavaScript securityStudy in the context of JavaScript security
� The concern problems� Injected (untrusted) JavaScript code (e.g.
Cross-Site Scritping-XSS) � A malicious user (the attacker) injects
potentially dangerous JavaScript code into a webpage via data entry in the webpage, e.g.: blog, forum, webmail
� Third party scripts (e.g. advertisement, mashup web applications)
� Buggy code
Previous solutionsPrevious solutions
Server Filtering for Script Detection� detect and remove potential malicious scripts
Problems
� Parser mismatch problem: filter does not always parse in the same way as browser
c.f. Samy / MySpace
� Dynamic scripts problematic...
Dynamic scripts problematicDynamic scripts problematic
<script>
document.write(‘<scr’);
document.write(‘ipt> malic’);
var i= 1;
document.write(‘ious code; </sc’);
document.write(‘ript>’);
</script>
<script> malicious code; </script>
Dynamic scripts problematicDynamic scripts problematic
%61%6C%65%72%74%28%27%58%5
3%53%27%29%3B%0A%0A
alert(‘XSS’)
var abcxyz = window.alert;
abcxyz(‘XSS’);
eval(“alert(‘XSS’)”);
(function(){
return this;})().alert(‘XSS’);
Previous solutionsPrevious solutions
Behavioural Control:Don’t try to detect bad scripts, just prevent bad behaviour
• Modify browser with reference monitor
•Transform code at runtime to make it safe
• Requires browser modification, e.g. BEEP
• Limited policies
• Parser mismatch problem
• Dynamic code
⇒ runtime transformation
⇒high overhead
e.g. BrowserShield
Our solution: Our solution: Lightweight SelfLightweight Self--Protecting JavaScriptProtecting JavaScript
� “inline” the policy into the JavaScript code so
that the code becomes self-protecting
� The policy enforcement is implemented in a
lightweight manner � does not require browser modification
� non invasive: the original code (and any dynamically generated code) is not syntactically modified
� its implementation is a small and simple adaptation of an aspect-oriented programming library
var wrap = function(pointcut, Policy) {
var source = (typeof(pointcut.target.prototype) != 'undefined‘)?
pointcut.target.prototype : pointcut.target;
var method = pointcut.method;
var original = source[method];
var aspect = function() {
var invocation = { object: this, args: arguments };
return Policy.apply(invocation.object,
[{ arguments: invocation.args,
method: method,
proceed : function(){ return original.apply(
invocation.object, invocation.args);}}] );
};
source[method] = aspect;
return aspect;
};
JavaScript AOP weaving JavaScript AOP weaving ( Adapt ( Adapt jQueryjQueryAOP)AOP)
Store the original method
Apply the policy
Control the original method
Enforcement methodEnforcement method
alert implementation
JavaScript execution environment(e.g. browsers)
Native implementations
code pointers User functions
alert(..) window.alert
alert wrapper(+policy code)
Attacker code
alert = function(){...};
alert wrapper
unique
A realizationA realization
� Structure of a webpage containing policy enforcement code
� Policies are located in the first script tag
� Policy enforcement is applied for the rest of code
The enforcement code can be deployed in any sides: server side, proxy or plug-in
EffectivenessEffectiveness
� Defend real-world exploits� phpBB 2.0.18 vulnerabilities – a stored XSS attack
(see demo)
� WebCal vulnerabilities –a reflected XSS attack
� Can enforce application-specific policies� Using building blocks, i.e. security policy patterns
Summary about AOPSummary about AOP
� Motivation for AOP
� Remember: is not to replace (but to supplement) the existing programming paradigms e.g. OOP
� Crosscutting concerns
� Aspects
� Joint-point, point-cut, and advice
� AOP implementations
Further research directionsFurther research directions
� Security policy enforcement for multi-
threads, e.g. in OSGi
� Case studies for particular web
application security
� Securing AOP
