Aspect-oriented Information Flow Control

advertisement
Aspect-oriented Information Flow Control
Department of Computer Science
University of Pretoria
Pretoria 0002
South Africa
Keshnee Padayachee
padayk@unisa.ac.za
J.H.P Eloff
eloff@cs.up.ac.za
Judith Bishop
jbishop@cs.up.ac.za
Abstract: An initiative towards including security in the earlier phases of the software life-cycle is gaining
momentum, as it is much easier to design with security from the onset, than to use the penetrate-and-patch
approach. Unfortunately, incorporating security into software development takes time and developers tend to focus
more on the features of the software application. The aspect-oriented paradigm can facilitate the implementation of
additional security features to legacy systems without modifying existing code. One kind of security is information
flow control which primarily aims at preventing information leakage in software systems. In this paper it is
proposed that aspect-oriented programming and design may be used to perform information flow analysis by
augmenting an existing system with information flow control features. The paper concludes that the aspectorientated approach may be used to detect information leakage among objects in a software system.
Keywords: Information flow control, aspect-oriented programming, security
1. Introduction
It has become evident that the means by which software is designed and implemented can have a
significant impact on software security. There is often a confusion between security software and
software security: the former entails a set of add-on features such as cryptography while the latter
is an ‘emergent property’ of a complete system [Mcgraw 2003]. Software security involves
designing, analyzing and coding for security over the whole life cycle. Developing secure
software systems requires more than protecting objects from illegal manipulation: it implies
preventing illegal information flow among objects in a system [Izaki et al 2001]. This paper
presents an aspect-oriented approach for detecting this illegal information flow. Emergent
properties of software have been studied in other fields as well, for example in high performance
computing [Subotic and Bishop 2005] .
Incorporating information flow control during software development is extremely challenging.
Firstly, there is the problem of interfacing real applications that have information flow features
with an existing infrastructure that was not designed with information flow in mind. Secondly, it
is difficult to manage and assign security policies during software development Thirdly, the
programmer needs to not only understand the algorithm to be implemented but also what the
desired security policy is and how to formalize it [Zdancewic 2004]. This paper proposes
employing the aspect-oriented paradigm to address these problems. We will show that the
aspect-oriented paradigm can facilitate the insertion of additional security features into legacy
systems without modifying existing code. As roles between application developers and security
specialists are separated aspect-oriented programming can also simplify the management of
security polices [Bodkin 2004]. This paper considers the possibility of developing an
information flow security aspect to augment an existing system to address illegal information
flow.
Several authors have cited the benefits of using aspect-oriented programming (AOP) for
implementing security concerns ([De Win et al 2002, Viega et al 2001]). According to Bodkin
[2004], AOP, is relevant for all major pillars of security: ‘authentication, access control,
1
integrity, non-repudiation, as well as for supporting the administration and monitoring disciplines
required for effective security’. The primary argument supporting AOP is that the average
programmer does not have the requisite skills in security [Viega et al. 2001]. Programming tasks
such as authentication, access control and integrity should be abstracted away from developers
and allocated to security experts. Secondly, it is observed that security concerns such as
encryption and access control tend to crosscut objects. Thirdly, a security aspect can be reused
for other applications since access control has the same requirements for most applications [De
Win et al 2001]. Fourthly, aspect-oriented software design is flexible enough to accommodate
the implementation of additional security features after the functional system has been
developed.
This paper investigates the possibility of using the aspect-oriented paradigm to facilitate the nonintrusive insertion of information flow control features into an existing system. We show that
crosscutting concerns can be added without making invasive modifications on the original code.
Sections 2 and 3 discuss the concepts of information flow control, AOP and its influence on
software security. Section 4 and 5 presents a generalized aspect-oriented approach to detecting
the flow of information between objects in a system and a small case-study to demonstrate its
practicability. Section 6 concludes with the possibility of testing the prototype presented here on
a more scalable system.
2. Background on Information Flow Control
A software system that manipulates and stores sensitive information such as employee salaries,
tax information or identification numbers must prevent such information from leaking out during
execution [Myers 1999]. Security controls, such as firewalls, anti-virus software and access
control mechanisms, are not sufficient to protect against information leakage. For instance,
determining whether a communication violates confidentiality is outside the scope of a firewall
mechanism. Similarly, with encryption, there is no guarantee that once data is decrypted its
confidentiality will be respected [Sabelfeld and Myers 2003]. Information is exchanged among
variables in procedural programs and by messages in object-oriented systems. An illegal flow
arises when information is transmitted from one object to another object in violation of the
information flow security policy [Samarati et al 1997]. A transfer of information does not
necessarily occur every time a message is passed. An object acquires information by changing its
internal state, as a result of changing the values of some of its attributes. Thus, if no such changes
occur as a result of a message invocation in response to a message then no information has been
transferred [Jajodia et al 1992]. For example in the statements below (Figure 1) information
from object W, is being transferred to object P, via two messages namely
getHoursWorked()and Get_Hours(). The former, returns a value which is passed as
argument to the latter. This value is used within the context of object P, either by assigning one
of its attributes to the value obtained from getHoursWorked()or by performing some
operation as a result of the value obtained from getHoursWorked(). Either way information
is flowing into P via W.
Pay_Info P = new Pay_Info(new Double(1.99));
WorkInfo W = new WorkInfo(new Double(5));
P.Get_Hours(W.getHoursWorked());
Figure. 1: Demonstrating Information Flow between objects
2
Keshnee Padayachee
Two basic types of information flow controls have been identified within the object-oriented
perspective, namely language-based information flow controls [Sabelfeld and Myers 2003] and
information flow controls based on message filtering [Jajodia and Kogan 1990, Samarati et al.
1997].
2.1 Language-based Information Flow Controls
The control of information flow was not a widely used practice compared to the control of
access, as it was considered to be highly impractical until the advent of security typed languages
[Sabelfeld and Myers 2003]. In a security typed language, program variables and expressions
are augmented with annotations that specify policies about the use of the typed data (see Figure 2
below). This type of program analysis was pioneered by Denning and Denning [1977]. These
security policies are then enforced by compile-time type checking and thus have little runtime
overhead [Sabelfeld and Myers 2003].
int {public} x;
boolean {secret} b;
int x = 0;
if (b) {
x = 1;
}
Figure. 2. Implicit Flow Example [Myers 1999]
Language-based information-flow techniques require annotations where the programmer must
not only understand the algorithm to be implemented but must also understand the desired
security policy [Zdancewic 2004]. For example, JFlow (see Figure 2 above) developed by
Myers [1999] requires the programmer to be responsible for annotating data values with security
labels. Further security policies may not be available during functional design, thereby resulting
in inconsistencies. As the language-based information flow control method forces the
programmer to consider the security issues together with the functional issues, it conflicts with
the separation of concerns principle advocated to resolve security issues. The aspect-oriented
paradigm enables security policies to be separated from the code thereby enabling developers to
write the main application and the security experts to specify the security policies [Viega et al.
2001].
2.2 Message Filtering Algorithm
Jajodia and Kogan [1990] first proposed the message filtering algorithm for object-oriented
systems where every object is assigned a unique classification. Messages between objects are
intercepted by the message filter which decides upon examining the given message and
classification of the sender and receiver, whether to permit the information flow or not. The
message filtering model is relatively complex to implement within the traditional object-oriented
paradigm. Consequently, Jajodia and Kogan [1990] only consider primitive operations such as
read and write methods and provide no specification of how the message filtering algorithm
might be implemented. The aspect-oriented paradigm allows a more generic implementation of
the message filter aspect through the use of wildcards, instead of only considering primitive
operations such read and write methods. Using wildcards eliminates the need for explicit
naming [Kiczales et al 2000].
3
The next section elaborates on aspect-oriented terminology and relevant security applications
within aspect-orientation.
3. Aspect-oriented programming and its application to security
Aspect-oriented programming was developed to avoid redundancy in programs, hence it has the
potential to improve the reliability, maintainability, reusability [Viega and Voas 2000] and the
robustness of an application [Padayachee and Eloff 2006]. An aspect is a modular unit of a
crosscutting implementation that is provided in terms of pointcuts and advices, specifying what
(advice) and when (pointcut) its code is going to be executed. In the execution of a program,
there will be certain well-defined points called join points where calls to aspect code would be
inserted. The pointcut is used to find a set of join points where aspect code would be inserted. An
advice declaration can be used to specify code that should run when the join points specified by
the pointcut expression is reached. The advice code will be executed when a join point is
reached, either before or after the execution proceeds. A before (or after) advice on a method
execution defines code to be run before (after) the particular method is actually executed. Around
advice defines code which is executed when the join point is reached and has control over
whether the computation at the join point (i.e. an application method) is allowed to execute
[Kiczales et al 2001]. The final application is generated by taking both the application functional
code and its specific aspects. These two entities will be combined at compile time by invoking a
special tool called a weaver.
There has been a significant amount of work done in aspect-oriented security to warrant making
the process more systematic in terms of software design and development. Aspect-oriented
technology has been found to be suitable in terms of implementing some of the major pillars of
security such as access control and authentication, accountability and audit, data protection and
information flow controls in software systems. There is a duality between access control and
information flow control as both mechanisms are concerned with the flow of information. We
highlight the relevance of aspect-oriented technology in terms of both access control and
informational flow control. However, information flow control is more than access control, as an
illegal flow might occur even when only authorized requests are performed on an object. As such
most access control models are supplemented with some form of information flow control.
De Win et al.[2001] provided a practical solution to access control within the aspect-oriented
paradigm by delineating three types of aspects, an Identification aspect, an Authentication aspect
and an Authorization aspect. Ramachandran et al [2006] also addressed authentication and
authorization within the aspect-oriented paradigm but provided a more generic approach, which
has been adopted by this paper. They propose forfeiting explicit naming in favor of more generic
pointcut designators. Due to the duality between information flow and access control the model
developed here does share some parallels with algorithms provided by Ramachandran et
al.[2006]. However they do not address information flow.
Masuhara and Kawauchi [2003] commented on the difficulty of determining the source of
information flow within aspect-orientation. They found that although sanitizing was a
crosscutting concern, there was no possible way to define a pointcut that would be able to detect
whether a string was from an unauthorized source or not, or contained unwanted information.
Hence they proposed a new pointcut called dflow that addresses the data flow between join
points as an extension to the AspectJ language, but they do not comment on the propagation of
information among objects in a system. The model proposed below shows how aspectorientation may be used to determine information flows between objects in a system to facilitate
information flow analysis.
4
Keshnee Padayachee
4. An Aspect-based approach to modeling Information Flow Control
Identifying illegal flows between objects would require an aspect based on the principle of the
message filtering algorithm developed by Jajodia and Kogan [1990]. Here pointcuts would be
utilized to identify flows between objects. Such an aspect will observe objects, and intercept
messages flowing between them. For instance, the aspect’s advice could decide
 to examine the given message and classification of the sender and receiver, or
 to permit the information flow or not.

Figure 3 illustrates sender object (A) sending information to receiver object (B). The flow is
intercepted and tested if it violates the specified information flow policy. If the flow does not
disobey the specified information flow policy then the aspect allows the flow to proceed to
receiver object (B). Otherwise the aspect does not allow the flow to occur or perhaps issues a
warning indicting that there is a possible problem.
ASPECT FLOW
<<POINTCUT>>
<<POINTCUT>>
Intercept: Accessor Methods
Advice: Keep track of information flowing out
of objects
Intercept: Mutator Methods
Advice: Ensure information flowing into an
object is legal before allowing the flow to
proceed otherwise respond appropriately
crosscut
A
crosscut
crosscut
crosscut
B
C
INFORMATION FLOWING BETWEEN INTERACTING
OBJECTS IN A SYSTEM
Figure. 3. Aspect Flow Intercepts Information Flow between Objects.
The Flow aspect considered those actions that resulted in an attribute being assigned (set) or
returned from an object. Note the set and get are constructs of AspectJ specifically and do not
indicate the method names of the object. For instance, get will identify any method that returns
an attribute, irrespective of whether it is actually named 'get'. This notion actually addresses all
interactions between objects including those that occur when objects are being instantiated.
5
When an attribute is returned from a message, the reference of this attribute is stored in an
appropriate container. When an attribute in an object is being assigned to a particular value, this
container is inspected to check if the value was obtained from another object. If this value was
obtained from another object then an appropriate action may be taken if the information flowing
should not be permitted according to the information flow policy (see Figure 4 below).
public aspect Flow {
pointcut getMethods(): get(* *.*);
before( )returning(Object x): getMethods() &&
(within (A || B || C //...and other objects being tracked )){
//Information flowing out of this object
//Store information about this joinpoint
//such as the reference of this object.
}
pointcut setMethods(Object x): ((set (* *.*) || call (* *(..)))
&& args(x)
&& within( A || B || C
//...and other objects being tracked ));
before(Object x): setMethods(x) {
//if there is an illegal flow between the sender
//and receiver objects
//
Respond appropriately
//else
//
Allow Process to proceed as normal
}
}
Figure. 4. A generalised Aspect to intercept the flow between objects
With respect to the aspect-oriented flow model described above, a small system was built to test
the applicability of the generalized Flow Aspect.
5. Case Study: Testing the Applicability of the Flow Aspect
The system was built using AspectJ (ajdt_1.2_for_eclipse_3.0) as an extension to Java
(J2SDK1.4.2_05), and the Eclipse 3.0 IDE. Firstly a system containing three classes namely
WorkInfo, Employee and Pay_Info was built, integrated and tested as a fully functional
Java application by a single programmer. For clarity, we refer to this system as SystemX. As we
wanted to demonstrate that information flow could be considered after a system was built,
SystemX did not reflect any notion of information flow. The next step involved determining the
specification of the final system with regard to the system’s response to information flow leaks.
The simplest strategy was adopted, where warnings were issued as information leaks were
detected within SystemX. The subsequent process involved ascertaining the information flow
policy, where each class was given a specific classification either classified as ‘secret’ or
‘unclassified’. For example consider the code below taken from SystemX (Figure 5), where
Pay_Info was classified as secret, and WorkInfo and Employee objects were classified as
‘unclassified’, then Line 5 should be acceptable information flow while Line 7 would result in an
information leak and a warning issued.
6
Keshnee Padayachee
1 Employee Micky = new Employee
("MStevens","1234","7,23rd Street Menlo Park");
2 Pay_Info P = new Pay_Info(new Double(1.99));
3 WorkInfo W = new WorkInfo(new Double(5));
4 //this should be allowed
5 P.Get_Hours(W.getHoursWorked());
6 //this should not be allowed and a warning issued
7 Micky.pay(P.getPay())
Figure. 5. Demonstrating Information Flow between objects
The next consideration involved determining the implementation of the security classifications
given to each class. To maintain the notion that information flow control features could be added
non-invasively to an existing system, the classifications had to be considered as a separate
aspectual unit. This involved creating a special type of an aspect known as an intertype
declaration. The classification system was implemented by adding an extra data member to each
class, named “tag”, where “tag” was a value denoting the class as 1 (secret) or 0 (unclassified)
(See Figure 6 below) using intertype declarations. The intertype declaration construct is
supported by aspect-oriented programming languages such as AspectJ and Hyper/J. An intertype
declaration is generally used to add on information such as methods or fields to an object
without modifying the existing class. A design liberty was taken, in that the data members were
made public - it is possible to make these data members private and create accessors to them
within the intertype declaration. The data members were made static as the classifications
were considered to be common to the class.
public aspect Classifications {
public static int Employee.tag = 0; //unclassified
public static int Pay_Info.tag = 1; //secret
public static int WorkInfo.tag = 0; //unclassified
public static int FindTag(String s){
//return classification of object
}
}
Figure. 6. Intertype Declarations used supplement classes in the system with classifications
The Flow aspect below (Figure 7) was derived from the generalised Flow aspect presented in
Section 4. The classes that were being tracked for information leakages were named within this
aspect, namely Employee, Pay_Info and WorkInfo. A special reference variable called
thisJoinPoint (which contains reflective information about the current joinpoint) and
Vector containers were used to gather and store the information about the originating object
respectively. The Vector containers were made static as only one copy of this data member
should exist as it is common to the whole aspect. The Flow aspect and Classifications
Aspect was then weaved together with SystemX.
public aspect Flow {
private static Vector References = new Vector();
private static Vector JoinPoint_String = new Vector();
private static Vector Tag = new Vector();
private static int Count = 0;
pointcut getMethods(): get(* *.*);
before( )returning(Object x): getMethods() &&
(within (Employee||Pay_Info||WorkInfo)){
7
//Store info about this joinpoint,
//the reference & classification
String Signature = thisJoinPoint.getThis().toString();
JoinPoint_String.add(Count,thisJoinPoint.toString());
References.add(Count,x);
Tag.add(Count,
new Integer(Classifications.FindTag(Signature)));
Count++;
}
pointcut setMethods(Object x): ((set (* *.*) || call (* *(..)))
&& args(x)
&& within(Employee||Pay_Info||WorkInfo));
before(Object x): setMethods(x) {
String Signature = thisJoinPoint.getTarget().toString();
for(int i = 0; i < Count; i++){
if (References.get(i)== x){
{
int tag = ((Integer) Tag.get(i)).intValue();
int e = Classifications.FindTag(Signature);
if (e < tag){
//Issue Warning
}
}
}
}
}
}}
Figure. 7. Showing an Aspect to intercept information flowing between objects
Several insights were gathered from this experiment. Evidently, it is possible to add on
information flow to a system without modifying the existing system. It is alsopossible to omit the
Classifications aspect and the Flow aspect, thereby allowing SystemX to be a fully
functional Java application, without information flow controls. There were limitations to this
experiment though. Firstly, only explicit information flows are considered. Secondly, the
classification system was based on classes rather than objects, as specified by Jajodia et al[1992].
However, it is possible to modify the Classifications aspect to classify objects based on
specific information, thus extending the classification system to objects. It is probable that
information flow control slows down program execution, as it involves including additional code
to the functional system. However aspect-oriented programming can alleviate this problem.
Information flow control can be “weaved” in and the program checked for leakages and then
omitted from the final application.
6. Conclusion
Despite its appeal, information flow mechanisms have not yet been successfully applied in
practice. They are difficult to apply and manage in practice and they require programmers to be
security experts. The aspect-oriented paradigm can be used to add security to legacy systems and
due to the separation of roles between application and security developers, and it can make the
management of security polices easier. In this paper, an information flow control model for
existing systems using the aspect-oriented paradigm is posited. Aspects offer several benefits in
terms of compact code and increased confidence but there could be drawbacks as it is a new
technology. Future research will involve a case-study approach with multiple programmers,
8
Keshnee Padayachee
where a larger object-oriented system will be woven with the information flow features and recompiled under the aspect-oriented paradigm. This study will also exploit and comment on
aspect-oriented features such as inter-type declarations and wildcards, and as such will provide
valuable insight into the benefits of using aspect-orientation. We have shown that it is possible to
add on. an albeit limited, information flow without adapting the existing. The model presented
here is certainly useful for tracing purposes during software testing and it may also be used to
track the propagation of software bugs as they ‘flow’ from one object to another.
References
BODKIN, R. 2004. Enterprise Security Aspects. In AOSD'04 International Conference on
Aspect-Oriented Software Development Lancaster, UK, 22-26 March 2004, 1-12.
DE WIN, B., VANHAUTE, B. AND DE DECKER, B. 2002.How aspect-oriented programming
can help to build secure software. Informatica, 26(2), 141-149.
DE WIN, B., VANHAUTE, B. AND DECKER, B. 2001. Security Through Aspect-Oriented
Programming. In Advances in Network and Distributed Systems Security, IFIP TC11
WG11.4 First Working Conference on Network Security, Leuven, Belgium, November
2001, DECKER, B. D., PIESSENS, F., SMITS, J.ANDHERREWEGHEN, E. V. (Eds.),
Kluwer Academic Publishers, Boston, 125-138.
DENNING, D. E. AND DENNING, P. J. 1977.Certification of Programs for Secure Information
Flow. Communications of the ACM, 20(7), 504 -513.
IZAKI, K., ANAKA, K. AND TAKIZAWA, M. 2001. Information Flow Control in Role-Based
Model for Distributed Objects. In Eighth International Conference on Parallel and
Distributed Systems Kyongju City, Korea, 26-29 June 2001, 363-370.
JAJODIA, S. AND KOGAN, B. 1990. Integrating an Object-Oriented Data Model with
Multilevel Security. In 1990 IEEE Symposium on Security and Privacy Oakland,
California, 7-9 May 1990, 76-85.
JAJODIA, S., KOGAN, B. AND SANDHU, R.1992.A multilevel-secure object-oriented data
model. Technical Report. George Mason University.
KICZALES, G., HILSDALE, E., HUGUNIN, J., KERSTEN, M. AND PALM, J. 2001.Getting
Started with AspectJ. Communications of the ACM, 44(10), 59-65.
KICZALES, G., HUGUNIN, J., KERSTEN, M., LAMPING, J., LOPES, C. AND W.G., G.
2000. Semantics-Based Crosscutting in AspectJ. In Workshop on Multi-Dimensional
Separation of Concerns inSoftware Engineering (ICSE 2000), 1-6.
MASUHARA, H. AND KAWAUCHI, K. 2003. Dataflow Pointcut in Aspect-Oriented
Programming. In Proceedings of The First Asian Symposium on Programming
Languages and Systems (APLAS'03) Beijing, China, 27-29 November, OHORI, A. (Ed.),
LNCS2895, 105-121.
MCGRAW, G. 2003.From the Ground Up: The DIMACS Software Security Workshop. IEEE
Security and Privacy, 1(2), 59-66.
MYERS, A. C. 1999. JFlow: Practical Mostly-Static Information Flow Control. In Proceedings
of the 26th ACM Symposium on Principles of Programming Languages(POPL ‘99) San
Antonio,Texas, USA, 20-22 January 1999, 228-241.
PADAYACHEE, K. AND ELOFF, J. H. P. 2006. The Next Challenge: Aspect-Oriented
Programming. In Proceedings of the Sixth IASTED International Conference on
Modelling, Simulation and Optimization Gaborone, Botswana, 11-13 September 2006,
NYONGESA, H. (Ed.), ACTA Press, 304-307.
9
RAMACHANDRAN, R., PEARCE, D. J. AND WELCH, I. 2006. AspectJ for Multilevel
Security. In The 5th AOSD Workshop on Aspects, Components, and Patterns for
Infrastructure Software (ACP4IS) Bonn, Germany, 2006, 21 March 2006, 1-5.
SABELFELD, A. AND MYERS, A. C. 2003. Language-Based Information-Flow Security. IEEE
Journal on Selected Areas in Communications, 21(1), 5-9.
SAMARATI, P., BERTINO, E., CIAMPICHETTI, A. AND JAJODIA, S. 1997.Information
Flow Control in Object-Oriented Systems. IEEE Transactions on Knowledge and Data
Engineering, 9(4), 624-538.
SUBOTIC, S. AND BISHOP, J. 2005. Emergent Behaviour of Aspects in High Performance and
Distributed Computing. In Proc. SAICSIT White River, South Africa, September 2005,
11-19.
VIEGA, J., BLOCH, J. T. AND CHANDRA, P. 2001.Applying Aspect-Oriented Programming
to Security. Cutter IT Journal, 14(2), 31-39.
VIEGA, J. AND VOAS, J. 2000.Can Aspect-Oriented Programming Lead to More Reliable
Software. IEEE Software, 17(6), 19 -21.
ZDANCEWIC, S. 2004. Challenges in Information-flow Security. In The First International
Workshop on Programming Language Interference and Dependence (PLID) Verona,
Italy, 25 Aug. 2004, 1-5.
10
Keshnee Padayachee
Download