
An Aspect-Oriented Approach For Web Application Access Control


Presentation Transcript


  1. An Aspect-Oriented Approach For Web Application Access Control Presented by: Mohamed Hassan Carleton University mhassan2@connect.carleton.ca Supervisor: Prof. Samuel A. Ajila

  2. Outline • Object-Oriented Modeling • What is Aspect-Oriented? • Aspect-Oriented Modeling • Motivating Example • Problem Statement • Contribution • AO Reference Architecture • Related Work • Integrated AO Access Control • Implementation for Integrated Access Control • Conclusion • Future Work

  3. Object-Oriented Modeling: Standard Model [Figure: a standard OO model (elements UK, RMTR, air_in, taxi_in, taxi_out, air_out) with the concern requirements Synchronize, Real-Time Monitoring and Security spread across it]

  4. Object-Oriented Modeling (contd.) OO limitation: no separation of concerns • Concerns are spread out: a single concern affects multiple models. • Multiple concerns are interleaved in a single model. • There is no mechanism for modeling the interweaving of crosscutting concerns.

  5. What is Aspect-Oriented? "A technique that resolves crosscutting concerns where each concern is encapsulated in a modular unit called Aspect" [Elrad et al.].

  6. Aspect-Oriented Modeling [Figure: the requirements are split into Base Requirements and the concern requirements Access Control, Real-Time and Synchronize; each concern becomes an aspect (Aspect Access Control, Aspect Real-Time, Aspect Synchronize) that the Weaver combines with the Base Model into the Woven Model]

  7. Aspect-Oriented Modeling (contd.) Objective 1: Validation of modules [Figure: the same weaving diagram as slide 6, with the aspects, the Base Model and the Woven Model shown as separately identifiable modules]

  8. Aspect-Oriented Modeling (contd.) Objective 2: Reuse of modules [Figure: the aspects Access Control, Real-Time and Synchronize are kept in an Aspect Library; the Weaver combines them with the Base Model into the Woven Model]

  9. Aspect-Oriented Modeling (contd.) Objective 3: Plug and reuse models [Figure: the same Aspect Library is woven into Base Model (1), Base Model (2) and Base Model (3) to produce their Woven Models]

  10. Motivating Example [Figure: an Authentication aspect is woven into the application by the aspect weaver; open questions: which joinpoints? which security holes remain?]

  11. Problem Statement • Access control is spread across the application. • It is hard to understand, reuse or analyze. • The security policy can vary over time. • Weaving overhead and poor performance. • The aspect itself can be targeted by intrusions, so the aspect must be secured. • Aspects must be woven into the application in the proper order. • The aspect weaving procedure itself must be defined.

  12. Contribution An integrated aspect-oriented approach to securing the web application: • Apply security rules depending on the application version before establishing the connection. • Dynamically apply the proper login menu depending on the connection type and the user's behaviour. • Weave history technique: • weave only the modified part of the aspect; • analyze the aspect for unauthorized changes.

  13. AO Reference Architecture [Schauerhuber et al.] [Figure: four packages linked by «import» dependencies] • ConcernDecomposition: general decomposition of the system into concerns. • AdaptationSubject: describes where to introduce the aspect's adaptation. • AdaptationKind: concepts to describe how an aspect adapts a concern. • Language: the language underlying the specification of base and aspect.

  14. Related works

  15. Integrated AO Access Control Design principles • Each aspect module goes through several design iterations. • Step 1: Class diagram: define the classes (attributes, methods) and the relationships between classes. • Step 2: Sequence diagram (and other diagrams): specify the messages exchanged between objects.

  16. Integrated AO Access Control Design principles (contd.) • Security policy definition: a set of joined abstract modules that collects the rules into an organized structure. • Collects the logical definitions of the security rules in a central location. • Allows elements to be reused with other central locations in other applications. • Provides the basis for a security library.

  17. Integrated AO Access Control Design principles (contd.) • The security policy is woven only once into the base module. • The aspect propagates changes in the aspect definition by referring to its woven state.

  18. Integrated AO Access Control [Figure: abstract aspects «aspect» BaseAspect and «aspect» Replace; the Weave history runs four activities in order (first to fourth)] Weaver input: the requested aspect from the aspect library, the previously woven aspect, the timestamp of last modification and the timestamp of last weaving. Weaver output: the woven aspect.

  19. Integrated AO Access Control Weave history, Activity 1 [Figure: consult the weave history]

  20. Integrated AO Access Control Weave history, Activity 2 [Figure: «aspect» New_rules is compared with «aspect» Weaved_rules to obtain the difference of rules]

  21. Integrated AO Access Control Weave history, Activity 3 [Figure: the modified aspect («aspect» Modified_Aspect) is copied from the woven version («aspect» Weaved_rules) and its sub-aspects «aspect» User_Auth and «aspect» Session_V2]

  22. Integrated AO Access Control Weave history, Activity 4 [Figure: «aspect» Modified_Aspect is woven into the base model]
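The four weave-history activities of slides 18 to 22, together with the unauthorized-change check of slides 12 and 31, as an added example in plain Java 17. This is not the presentation's own code: the class and record names, the representation of an aspect as one rule per line, and the use of a SHA-256 digest recorded at approval time as the "authorized" reference are all assumptions made here; the slides only say that the weaver takes the requested aspect, the previously woven aspect and the two timestamps, and weaves only the modified part.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Instant;
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;

/** Weave-history sketch (assumed names; rules are one string each). */
public class WeaveHistory {

    /** Aspect as requested from the aspect library, with the digest recorded when it was approved. */
    record LibraryAspect(String name, List<String> rules, Instant lastModified, String approvedDigest) {}

    /** What the weaver remembers about the last weave of an aspect (null if never woven). */
    record WovenRecord(String name, List<String> rules, Instant lastWoven) {}

    /** Result of the four activities: what to weave, or why nothing is woven. */
    record WeavePlan(boolean weave, List<String> addedRules, List<String> removedRules, String reason) {}

    /** SHA-256 over the rule text; the digest stored at approval time is compared against this. */
    static String digestOf(List<String> rules) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            for (String rule : rules) {
                md.update((rule + "\n").getBytes(StandardCharsets.UTF_8));
            }
            StringBuilder hex = new StringBuilder();
            for (byte b : md.digest()) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static WeavePlan plan(LibraryAspect requested, WovenRecord previous) {
        // Activity 1: consult the weave history. Nothing to do if the library copy
        // has not been modified since it was last woven.
        if (previous != null && !requested.lastModified().isAfter(previous.lastWoven())) {
            return new WeavePlan(false, List.of(), List.of(), "unchanged since last weave");
        }
        // Unauthorized-change check: the rule text must still match the digest recorded
        // when this revision was approved (assumed mechanism); otherwise refuse to weave.
        byte[] actual = digestOf(requested.rules()).getBytes(StandardCharsets.UTF_8);
        byte[] approved = requested.approvedDigest().getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(actual, approved)) {
            return new WeavePlan(false, List.of(), List.of(),
                    "digest mismatch: aspect changed outside the approval process");
        }
        // Activity 2: difference between the new rules and the rules already woven.
        Set<String> woven = new LinkedHashSet<>();
        if (previous != null) {
            woven.addAll(previous.rules());
        }
        Set<String> fresh = new LinkedHashSet<>(requested.rules());
        List<String> added = new ArrayList<>();
        for (String r : fresh) {
            if (!woven.contains(r)) added.add(r);
        }
        List<String> removed = new ArrayList<>();
        for (String r : woven) {
            if (!fresh.contains(r)) removed.add(r);
        }
        // Activities 3 and 4: only the modified part (added/removed rules) is handed to
        // the weaver; rules that did not change stay as they were woven.
        return new WeavePlan(!added.isEmpty() || !removed.isEmpty(), added, removed,
                "weave modified rules only");
    }

    public static void main(String[] args) {
        // Constructed sample: User_Auth was woven yesterday with two rules; the library
        // now holds an approved revision that drops one rule and adds a lockout rule.
        Instant yesterday = Instant.parse("2024-01-01T00:00:00Z");
        Instant today = Instant.parse("2024-01-02T00:00:00Z");
        WovenRecord previous = new WovenRecord("User_Auth",
                List.of("before Connection(): require app version in {v1, v2}",
                        "around Login(): select menu by connection type"), yesterday);
        List<String> revised = List.of("before Connection(): require app version in {v1, v2}",
                "around Login(): lock menu after 3 failures");
        LibraryAspect ok = new LibraryAspect("User_Auth", revised, today, digestOf(revised));
        System.out.println(plan(ok, previous));

        // The same revision with one rule edited after approval: the digest no longer
        // matches, so the weaver refuses it instead of weaving the edited rule.
        List<String> tampered = List.of(revised.get(0), "around Login(): always accept");
        LibraryAspect bad = new LibraryAspect("User_Auth", tampered, today, ok.approvedDigest());
        System.out.println(plan(bad, previous));
    }
}
```

The timestamp test alone would let a rule edited in place with a preserved modification time slip through, which is why the digest check runs before the rule diff: an aspect that fails it is never compared or woven, and a mismatch is reported rather than silently skipped.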

  23. Transition from design to development • Aspect-oriented programming: AspectJ + Eclipse. • Generate the aspect-oriented program code from: • the models defined using UML and the security design; • the prototyping effort.

  24. Implementation for Integrated Access Control [Figure: the Access control aspect intercepts Connection(), Login() and Enter_Menu() of the Web Application]

  25. Implementation for Integrated Access Control Step (1) [Figure: client connection; the aspect observes Connection_menu() and New_Result()]

  26. Implementation for Integrated Access Control Step (2) [Figure: after the connection, the login menu and the enter menu are selected according to Connection_type()]

  27. Implementation for Integrated Access Control Check for unauthorized aspects [Figure: on the client's Connection() / New_Result(), the aspect list is checked; if the aspect is listed it is executed, otherwise it is reported as a security threat]
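Steps (1) and (2) of slides 24 to 26, i.e. before advice on the connection and around advice on the login, as an added example in annotation-style AspectJ (plain Java syntax, compiled with ajc or woven at load time with aspectjweaver). This is not the presentation's code: the base class `WebApplication` with `connection`, `login` and `enterMenu`, the accepted application versions `v1` and `v2`, the connection types `tls` and `plain`, and the three-failure lockout are assumptions chosen here to give the advice something concrete to decide on.

```java
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;

/** Base application: contains no access-control code of its own (assumed names). */
class WebApplication {
    String connection(String clientId, String connectionType, String appVersion) {
        return "connected:" + clientId;
    }
    String login(String clientId, String password) {
        return "secret".equals(password) ? "login-ok" : "login-failed";
    }
    String enterMenu(String clientId) {
        return "main-menu";
    }
}

/** Access-control aspect woven into WebApplication; all policy lives here. */
@Aspect
class AccessControlAspect {
    // State gathered at the connection join point and consulted at the login join point.
    private static final Map<String, String> connectionType = new ConcurrentHashMap<>();
    private static final Map<String, Integer> failedLogins = new ConcurrentHashMap<>();
    private static final Set<String> loggedIn = ConcurrentHashMap.newKeySet();

    // Step (1): before advice on connection() records client and connection type and
    // applies the version rule before the connection is established (assumed versions).
    @Before("execution(String WebApplication.connection(String, String, String)) && args(clientId, type, version)")
    public void onConnection(String clientId, String type, String version) {
        if (!version.equals("v1") && !version.equals("v2")) {
            throw new SecurityException("unsupported application version: " + version);
        }
        connectionType.put(clientId, type);
    }

    // Step (2): around advice wraps login() and chooses the login menu from the
    // connection type and the recorded behaviour; the real login runs only when allowed.
    @Around("execution(String WebApplication.login(String, String)) && args(clientId, password)")
    public Object aroundLogin(ProceedingJoinPoint pjp, String clientId, String password) throws Throwable {
        if (failedLogins.getOrDefault(clientId, 0) >= 3) {
            return "login-menu:locked";          // too many failures: login() is not run at all
        }
        if (!"tls".equals(connectionType.get(clientId))) {
            return "login-menu:tls-required";    // no credentials over an unencrypted connection
        }
        Object result = pjp.proceed();           // the original login() with its original arguments
        if ("login-ok".equals(result)) {
            failedLogins.remove(clientId);
            loggedIn.add(clientId);
        } else {
            failedLogins.merge(clientId, 1, Integer::sum);
        }
        return result;
    }

    // enterMenu() is reachable only for clients that logged in through the advised path.
    @Before("execution(String WebApplication.enterMenu(String)) && args(clientId)")
    public void onEnterMenu(String clientId) {
        if (!loggedIn.contains(clientId)) {
            throw new SecurityException("enterMenu without login: " + clientId);
        }
    }
}

public class Demo {
    public static void main(String[] args) {
        WebApplication app = new WebApplication();
        app.connection("alice", "tls", "v2");
        app.connection("bob", "plain", "v1");
        System.out.println(app.login("alice", "wrong"));   // advice proceeds and records a failure
        System.out.println(app.login("alice", "secret"));  // advice proceeds and marks alice logged in
        System.out.println(app.enterMenu("alice"));
        System.out.println(app.login("bob", "secret"));    // menu replaced; login() never runs for bob
        try {
            app.enterMenu("bob");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Compile and run with the AspectJ compiler, for example `ajc -cp aspectjrt.jar Demo.java` followed by `java -cp .:aspectjrt.jar Demo`; compiled with plain `javac` the annotations are ignored and no advice runs, which is exactly the "weaving must be verified" problem slide 32 lists as future work.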

  28. Conclusion An integrated aspect-oriented approach is proposed to secure the web application against violations of its access-control policy. • Aspects are represented using UML modeling. • The representations are supplied with supplementary meta-attributes that hold the weaving instructions. • The aspect models define generic abstract aspects that encapsulate the pointcuts. • High degree of independence. • More reusable in different contexts (aspect library).

  29. Conclusion (contd.) First: • The aspect module collects information from the application using before advice at the join point. • Implemented the parallel-box concept. • Traces client behaviour in two different versions of the program.

  30. Conclusion (contd.) Second: • The aspect module defines the start and end points of the login method using around advice. • Overrides the login menu depending on the connection type and client behaviour. • Requires a bi-directional transformation of rules between aspect and application.

  31. Conclusion (contd.) Third: • A weaving history module is presented. • Only the modified part of the aspect is woven. • Aspect modules are analyzed for unauthorized changes before they are woven into the application.

  32. Future work We are interested in extending our work in three areas: • An analysis technique that verifies the weaving of access control aspects. • A dynamic weaving history technique. • A user interface to facilitate aspect selection and the application of security rules.

  33. Thank you for your attention! Questions?
