Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Aspect-Oriented Approach For Web Application Access Control Presented by: Mohamed Hassan Carleton University Carleton University

Similar presentations


Presentation on theme: "An Aspect-Oriented Approach For Web Application Access Control Presented by: Mohamed Hassan Carleton University Carleton University"— Presentation transcript:

1 An Aspect-Oriented Approach For Web Application Access Control Presented by: Mohamed Hassan Carleton University Carleton University Supervisor: Prof. Samuel A. Ajila

2 Outline Object-Oriented Modeling What is Aspect-Oriented? Aspect-Oriented Modeling Motivated Example Problem Statement Contribution AO Reference Architecture Related Works Integrated AO Access Control Implementation for Integrated Access Control Conclusion Future Works

3 Object-Oriented Modeling UK Security RMTR air_in taxi_in taxi_out air_out UK Monitoring RMTR air_in taxi_in taxi_out air_out UK Synchronize RMTR air_in taxi_in taxi_out air_out UK Real-Time RMTR air_in taxi_in taxi_out air_out Standard Model Concern requirements

4 Object-Oriented Modeling (contd.) OO Limitation: No separation of concerns Concerns are spread out. Single concern Concerns are spread out. Single concern affects multiple models. Multiple Concerns are interleaved in Multiple Concerns are interleaved in a single model. No mechanism for modeling interweaving crosscutting concerns. No mechanism for modeling interweaving crosscutting concerns.

5 What is Aspect-Oriented? “A technique that resolves crosscutting concerns where each concern is encapsulated in a modular unit called Aspect” [Elrad et. al].

6 Base Model UKRMTR air_in taxi_in taxi_out air_out UKRMTR air_in taxi_in taxi_out air_out Aspect Access Control Woven Model Aspect Real-Time Aspect Synchronize UKRMTR air_in taxi_in taxi_out air_out UKRMTR air_in taxi_in taxi_out air_out Base Requirements Access Control Requirements Synchronize Requirements Real-Time Requirements Aspect-Oriented Modeling Weaver

7 Base Model UKRMTR air_in taxi_in taxi_out air_out UKRMTR air_in taxi_in taxi_out air_out Aspect Access Control Woven Model Aspect Real-Time Aspect Synchronize UKRMTR air_in taxi_in taxi_out air_out UKRMTR air_in taxi_in taxi_out air_out Base Requirements Access Control Requirements Synchronize Requirements Real-Time Requirements Aspect-Oriented Modeling (contd.) Objective: 1- Validation of modules Weaver

8 Base Model Aspect Access Control Woven Model Aspect Real-Time Aspect Synchronize Aspect Library Objective: 2- Reuse of modules Weaver Aspect-Oriented Modeling (contd.)

9 Base Model (1) Woven Models Aspect Library Aspect-Oriented Modeling (contd.) Objective: 3- Plug and reuse models Base Model (2) Base Model (3)

10 Jointpoints Security holes Aspect Authentication ? ? ? Aspect weaver Motivated Example

11 Problem Statement Access control spread across application. Access control spread across application.  Hard to understand, reusable or analyze. Security policy can very in time. Security policy can very in time.  Weaving overhead and poor performance. Aspect itself can be targeted by intrusions. Aspect itself can be targeted by intrusions.  Aspect must be secured. Aspects must be woven to the application Aspects must be woven to the application in a proper order. in a proper order.  Aspect woven procedure.

12 Contribution Apply security rules depending on the application version before establishing the connection. Apply security rules depending on the application version before establishing the connection. Dynamically apply proper login menu depending on the connection type and the user behaviors. Dynamically apply proper login menu depending on the connection type and the user behaviors. Weave history technique: Weave history technique: Weave only modified part of aspect Weave only modified part of aspect Analyze aspect for un-authorize change Analyze aspect for un-authorize change An integration aspect-oriented approach to secure the web application

13 ConcernDecomposition AdaptationKindAdaptationSubject Language «import» AO Reference Architecture [Schauerhuber et al.] General decomposition of the system into concerns Describes where to introduce the aspect’s adaptation Concepts to describe how an aspect adapts a concern Language underlying the specification of base and aspect

14 Related works

15 Integrated AO Access Control Design principles 1. Each aspect module has multiple design iterative. Step 1: Class Diagram Step 1: Class Diagram  Define class: Attributes/ methods Relationship between classes Relationship between classes Step 2: Sequence Diagram (and other diagrams) Step 2: Sequence Diagram (and other diagrams)  Specify messages between objects

16 Security policy definition: A joined abstract modules that collect the rules into organized structure. 2. Security policy definition: A joined abstract modules that collect the rules into organized structure. Collects logical definitions for security rules into a central location. Collects logical definitions for security rules into a central location. Allows elements to be reused with other central location in other applications. Allows elements to be reused with other central location in other applications. Provides basic for security Library. Provides basic for security Library. Design principles (contd.) Integrated AO Access Control

17 3. Security policy weaved only once to the base module. Design principles (contd.) Integrated AO Access Control  Aspect propagates the changes in the aspect definition refereeing to its woven state.

18 Integrated AO Access Control > BaseAspect > Replace Abstract aspects Input: requested aspect from aspect library Previous woven aspect Timestamp (last modified) Timestamp (last woven) Output: weaved aspect begin Weave history end. First activity Second activity Third activity Fourth activity Weave history Weaver

19 Integrated AO Access Control Weave history Activity 1 Weave history

20 > Weaved_rules Integrated AO Access Control New rules weaved rules Activity 2 Weave history The difference of rules > New_rules

21 > User_Auth > Weaved_rules > Session_V2 Sub-aspects weaved version Integrated AO Access Control > Modified_Aspect Copy modified aspect Activity 3 Weave history

22 Integrated AO Access Control Modified aspect Base model Activity 4 Weave history > Modified_Aspect

23 Transition from design to development Aspect Oriented Programming. Aspect Oriented Programming.  AspectJ + Eclipse Generate aspect-oriented programming codes using: Generate aspect-oriented programming codes using:  Defined models that are created using UML and security design. Prototyping effort. Prototyping effort.

24 Aspect Access control Connection() Enter_Menu() Login() Implementation for Integrated Access Control Web Application

25 Implementation for Integrated Access Control Connection_menu() New_Result() Connection Client Step (1)

26 Implementation for Integrated Access Control Connection_type() Login menu Connection Enter menu Step (2)

27 Implementation for Integrated Access Control Connection() New_Result() Check for un-authorized aspect Check aspect list Security threat Connection Client Execute aspect Yes

28 Conclusion Aspects are presented using UML modeling. Aspects are presented using UML modeling. Representation are supplied with supplementary meta-attributes to hold weaving instruction. Representation are supplied with supplementary meta-attributes to hold weaving instruction. Aspect models defined generic abstract aspects that encapsulate the pointcuts. Aspect models defined generic abstract aspects that encapsulate the pointcuts.  High degree of independent.  More reusable in different context (aspect library). An integrated aspect-oriented approach is proposed to secure web application from any violation.

29 Conclusion (contd.) Aspect module collects information from application using before joinpoint. Aspect module collects information from application using before joinpoint.  Implemented the parallel-box concept.  Traces client behaviours in two different versions of the program. First:

30 Conclusion (contd.) Aspect module defines start and end points of the login method using around joinpoint. Aspect module defines start and end points of the login method using around joinpoint.  Overrides login menu depending on connection type and client behaviours.  Required bi-direction transformation of rules between aspect and application. Second:

31 Conclusion (contd.) Weaving history module is presented. Weaving history module is presented.  Weave only modified part of the aspect.  Analyze aspect modules for any unauthorized changes before weaves them to the application. Third:

32 Future works Analyze technique that verifies the weave of access control aspects. Analyze technique that verifies the weave of access control aspects. Build a dynamic weaving history technique. Build a dynamic weaving history technique. User interface to facilitate aspect selection and apply security rules. User interface to facilitate aspect selection and apply security rules. We are interested in extending our works in three different areas:

33 Questions? Thank you for attention!


Download ppt "An Aspect-Oriented Approach For Web Application Access Control Presented by: Mohamed Hassan Carleton University Carleton University"

Similar presentations


Ads by Google