330 likes | 441 Views
An Aspect-Oriented Approach For Web Application Access Control. Presented by: Mohamed Hassan Carleton University mhassan2@connect.carleton.ca. Supervisor: Prof. Samuel A. Ajila. Outline. Object-Oriented Modeling What is Aspect-Oriented? Aspect-Oriented Modeling Motivated Example
E N D
An Aspect-Oriented Approach For Web Application Access Control Presented by: Mohamed Hassan Carleton University mhassan2@connect.carleton.ca Supervisor: Prof. Samuel A. Ajila
Outline • Object-Oriented Modeling • What is Aspect-Oriented? • Aspect-Oriented Modeling • Motivated Example • Problem Statement • Contribution • AO Reference Architecture • Related Works • Integrated AO Access Control • Implementation for Integrated Access Control • Conclusion • Future Works
UK UK UK UK Synchronize Real-Time Monitoring Security RMTR RMTR RMTR RMTR air_in air_in air_in air_in taxi_in taxi_in taxi_in taxi_in taxi_out taxi_out taxi_out taxi_out air_out air_out air_out air_out Object-Oriented Modeling Standard Model Concern requirements
Object-Oriented Modeling (contd.) OO Limitation: No separation of concerns • Concerns are spread out. Single concern affects multiple models. • Multiple Concerns are interleaved in a single model. • No mechanism for modeling interweaving crosscutting concerns.
What is Aspect-Oriented? “A technique that resolves crosscutting concerns where each concern is encapsulated in a modular unit called Aspect” [Elrad et. al].
Aspect-Oriented Modeling UK UK UK UK RMTR RMTR RMTR RMTR air_in air_in air_in air_in taxi_in taxi_in taxi_in taxi_in taxi_out taxi_out taxi_out taxi_out air_out air_out air_out air_out Access Control Requirements Base Requirements Real-Time Requirements Synchronize Requirements Aspect Access Control Aspect Real-Time Aspect Synchronize Woven Model Base Model Weaver
Aspect-Oriented Modeling(contd.) UK UK UK UK RMTR RMTR RMTR RMTR air_in air_in air_in air_in taxi_in taxi_in taxi_in taxi_in taxi_out taxi_out taxi_out taxi_out air_out air_out air_out air_out Objective: 1- Validation of modules Access Control Requirements Base Requirements Real-Time Requirements Synchronize Requirements Aspect Access Control Aspect Real-Time Aspect Synchronize Woven Model Base Model Weaver
Aspect-Oriented Modeling(contd.) Objective: 2- Reuse of modules Aspect Library Aspect Access Control Aspect Real-Time Aspect Synchronize Woven Model Base Model Weaver
Aspect-Oriented Modeling(contd.) Objective: 3- Plug and reuse models Aspect Library Base Model (1) Base Model (2) Woven Models Base Model (3)
Motivated Example Jointpoints ? Aspect weaver Aspect Authentication Security holes ? ?
Problem Statement • Access control spread across application. • Hard to understand, reusable or analyze. • Security policy can very in time. • Weaving overhead and poor performance. • Aspect itself can be targeted by intrusions. • Aspect must be secured. • Aspects must be woven to the application in a proper order. • Aspect woven procedure.
Contribution An integration aspect-oriented approach to secure the web application • Apply security rules depending on the application version before establishing the connection. • Dynamically apply proper login menu depending on the connection type and the user behaviors. • Weave history technique: • Weave only modified part of aspect • Analyze aspect for un-authorize change
AO Reference Architecture [Schauerhuber et al.] ConcernDecomposition «import» «import» AdaptationSubject AdaptationKind «import» «import» Language General decomposition of the system into concerns Describes where to introduce the aspect’s adaptation Concepts to describe how an aspect adapts a concern Language underlyingthe specification of base and aspect
Integrated AO Access Control Design principles • Each aspect module has multiple design iterative. • Step 1: Class Diagram • Define class: Attributes/ methods Relationship between classes • Step 2: Sequence Diagram (and other diagrams) • Specify messages between objects
Integrated AO Access Control Design principles (contd.) • Security policy definition: A joined abstract modules that collect the rules into organized structure. • Collects logical definitions for security rules into a central location. • Allows elements to be reused with other central location in other applications. • Provides basic for security Library.
Integrated AO Access Control Design principles (contd.) • Security policy weaved only once to the base module. • Aspect propagates the changes in the aspect definition refereeing to its woven state.
Integrated AO Access Control <<aspect>> Replace <<aspect>> BaseAspect Abstract aspects Weave history First activity Fourth activity Second activity Weaver Input: requested aspect from aspect library Previous woven aspect Timestamp (last modified) Timestamp (last woven) Output: weaved aspect begin Weave history end. Third activity
Integrated AO Access Control Weave history Activity 1 Weave history
Integrated AO Access Control <<aspect>> Weaved_rules <<aspect>> New_rules Weave history Activity 2 New rules weaved rules The difference of rules
Integrated AO Access Control <<aspect>> Modified_Aspect <<aspect>> Weaved_rules <<aspect>> User_Auth <<aspect>> Session_V2 Weave history Activity 3 Copy modified aspect Sub-aspects weaved version
Integrated AO Access Control <<aspect>> Modified_Aspect Weave history Activity 4 Modified aspect Base model
Transition from design to development • Aspect Oriented Programming. • AspectJ + Eclipse • Generate aspect-oriented programming codes using: • Defined models that are created using UML and security design. • Prototyping effort.
Implementation for Integrated Access Control Connection() Aspect Access control Login() Enter_Menu() Web Application
Implementation for Integrated Access Control Step (1) Client Connection Connection_menu() New_Result()
Implementation for Integrated Access Control Step (2) Connection Login menu Enter menu Connection_type()
Implementation for Integrated Access Control Check for un-authorized aspect Connection Client Connection() New_Result() Yes Check aspect list Execute aspect Security threat
Conclusion An integrated aspect-oriented approach is proposed to secure web application from any violation. • Aspects are presented using UML modeling. • Representation are supplied with supplementary meta-attributes to hold weaving instruction. • Aspect models defined generic abstract aspects that encapsulate the pointcuts. • High degree of independent. • More reusable in different context (aspect library).
Conclusion (contd.) First: • Aspect module collects information from application using before joinpoint. • Implemented the parallel-box concept. • Traces client behaviours in two different versions of the program.
Conclusion(contd.) Second: • Aspect module defines start and end points of the login method using around joinpoint. • Overrides login menu depending on connection type and client behaviours. • Required bi-direction transformation of rules between aspect and application.
Conclusion(contd.) Third: • Weaving history module is presented. • Weave only modified part of the aspect. • Analyze aspect modules for any unauthorized changes before weaves them to the application.
Future works We are interested in extending our works in three different areas: • Analyze technique that verifies the weave of access control aspects. • Build a dynamic weaving history technique. • User interface to facilitate aspect selection and apply security rules.
Thank you for attention! Questions?