Security Through Aspect-oriented Programming
Since many applications are too complex to be solved ad hoc, mechanisms are being developed to deal with different concerns separately. An interesting case of this separation is security. The implementation of security mechanisms often interacts or even interferes with the core functionality of the application. This results in tangled, unmanageable code with a higher risk of security bugs.
Aspect-oriented programming promises to tackle this problem by offering several abstractions that help to reason about and specify the concerns one at a time. In this paper we make use of this approach to introduce security into an application. By means of the example of access control, we investigate how well the state of the art in aspect-oriented programming can deal with the separation of security from an application. We also discuss the benefits and drawbacks of this approach, and how it relates to similar techniques.
Keywords: aspect-oriented programming, security, separation of concerns