Jay Ligatti, Billy Rickey, and Nalin Saigal Department of Computer Science and Engineering, University of South Florida LoPSiL: A Location-based Policy-

Slides:



Advertisements
Similar presentations
MicroKernel Pattern Presented by Sahibzada Sami ud din Kashif Khurshid.
Advertisements

Jay Ligatti and Srikar Reddy University of South Florida.
ICS103 Programming in C Lecture 1: Overview of Computers & Programming
EXTENSIBILITY, SAFETY AND PERFORMANCE IN THE SPIN OPERATING SYSTEM B. Bershad, S. Savage, P. Pardyak, E. G. Sirer, D. Becker, M. Fiuczynski, C. Chambers,
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
Introduction CSCI 444/544 Operating Systems Fall 2008.
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
July 11 th, 2005 Software Engineering with Reusable Components RiSE’s Seminars Sametinger’s book :: Chapters 16, 17 and 18 Fred Durão.
OOP in Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
Policy-Carrying, Policy-Enforcing Digital Objects Sandra Payette and Carl Lagoze Cornell Digital Library Research Group ECDL2000 Lisbon, Portugal September.
More Enforceable Security Policies Lujo Bauer, Jay Ligatti and David Walker Princeton University (graciously presented by Iliano Cervesato)
A Type System for Expressive Security Policies David Walker Cornell University.
Harmless Advice Daniel S Dantas Princeton University with Prof. David Walker.
 2006 Pearson Education, Inc. All rights reserved Introduction to Classes and Objects.
Vakgroep Informatietechnologie – IBCN Software Architecture Prof.Dr.ir. F. Gielen Quality Attributes & Tactics (4) Modifiability.
Chapter 13: Object-Oriented Programming
CS884 (Prasad)Java Goals1 “Perfect Quote” You know you've achieved perfection in design, Not when you have nothing more to add, But when you have nothing.
ICPCA 2008 Research of architecture for digital campus LBS in Pervasive Computing Environment 1.
Policy-Carrying, Policy-Enforcing Digital Objects Sandra Payette Project Prism - Cornell University DLI2 All-Projects Meeting June 14, 2000.
1 FM Overview of Adaptation. 2 FM RAPIDware: Component-Based Design of Adaptive and Dependable Middleware Project Investigators: Philip McKinley, Kurt.
Silberschatz, Galvin and Gagne ©2009 Operating System Concepts – 8 th Edition Chapter 2: Operating-System Structures Modified from the text book.
Copyright Arshi Khan1 System Programming Instructor Arshi Khan.
OOP Languages: Java vs C++
Understanding Android Security Yinshu Wu William Enck, Machigar Ongtang, and PatrickMcDaniel Pennsylvania State University.
The Impact of Programming Language Theory on Computer Security Drew Dean Computer Science Laboratory SRI International.
Computer Programming-1 CSC 111 Chapter 1 : Introduction.
Chapter 10 Architectural Design
Modularizing Crosscutting Concerns in Software Nalin Saigal.
Array.
Univ. Notre Dame, September 25, 2003 Support for Run-Time Adaptation in RAPIDware Philip K. McKinley Software Engineering and Networking Systems Laboratory.
An Introduction to Software Architecture
Department of Computer Science A Static Program Analyzer to increase software reuse Ramakrishnan Venkitaraman and Gopal Gupta.
CS 390- Unix Programming Environment CS 390 Unix Programming Environment Topics to be covered: Distributed Computing Fundamentals.
1 Module Objective & Outline Module Objective: After completing this Module, you will be able to, appreciate java as a programming language, write java.
Composing Adaptive Software Authors Philip K. McKinley, Seyed Masoud Sadjadi, Eric P. Kasten, Betty H.C. Cheng Presented by Ana Rodriguez June 21, 2006.
Chapter 06 (Part I) Functions and an Introduction to Recursion.
USF Dept of Computer Science and Engineering Programming Languages and Software Security Research Lab.
Java Security Nathan Moore CS 665. Overview Survey of Java Inherent Security Properties Java Runtime Environment Java Virtual Machine Java Security Model.
Aspect Oriented Programming Sumathie Sundaresan CS590 :: Summer 2007 June 30, 2007.
Model-Driven Analysis Frameworks for Embedded Systems George Edwards USC Center for Systems and Software Engineering
JCMP: Linking Architecture with Component Building Guoqing Xu, Zongyuan Yang and Haitao Huang Software Engineering Lab, East China Normal University SACT-01,
CE Operating Systems Lecture 3 Overview of OS functions and structure.
1. 2 Preface In the time since the 1986 edition of this book, the world of compiler design has changed significantly 3.
Celluloid An interactive media sequencing language.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University IWPSE 2003 Program.
1 Management of Distributed Data Tomasz Müldner, Elhadi Shakshuki*, Zhonghai Luo and Michael Powell Jodrey School of Computer Science, Acadia University,
A. Frank - P. Weisberg Operating Systems Structure of Operating Systems.
SASI Enforcement of Security Policies : A Retrospective* PSLab 오민경.
Java Programming, Second Edition Chapter Twelve Advanced Inheritance Concepts.
Chapter 1 Basic Concepts of Operating Systems Introduction Software A program is a sequence of instructions that enables the computer to carry.
From Use Cases to Implementation 1. Structural and Behavioral Aspects of Collaborations  Two aspects of Collaborations Structural – specifies the static.
Programming Fundamentals Enumerations and Functions.
CEN6502, Spring Understanding the ORB: Client Side Structure of ORB (fig 4.1) Client requests may be passed to ORB via either SII or DII SII decide.
ECE 750 Topic 8 Meta-programming languages, systems, and applications Automatic Program Specialization for J ava – U. P. Schultz, J. L. Lawall, C. Consel.
C++ Functions A bit of review (things we’ve covered so far)
1 Chapter 2: Operating-System Structures Services Interface provided to users & programmers –System calls (programmer access) –User level access to system.
From Use Cases to Implementation 1. Mapping Requirements Directly to Design and Code  For many, if not most, of our requirements it is relatively easy.
Topic 4: Distributed Objects Dr. Ayman Srour Faculty of Applied Engineering and Urban Planning University of Palestine.
Sung-Dong Kim, Dept. of Computer Engineering, Hansung University Java - Introduction.
1 Jay Ligatti (Princeton University); joint work with: Lujo Bauer (Carnegie Mellon University), David Walker (Princeton University) Enforcing Non-safety.
Done By: Ashlee Lizarraga Ricky Usher Jacinto Roches Eli Gomez
Lecture 1: Introduction to JAVA
Model-Driven Analysis Frameworks for Embedded Systems
Building Systems That Flexibly Control Downloaded Executable Content
Enforcing Non-safety Security Policies with Program Monitors
New Research in Software Security
An Introduction to Software Architecture
Outline Chapter 2 (cont) OS Design OS structure
Understanding Android Security
From Use Cases to Implementation
Presentation transcript:

Jay Ligatti, Billy Rickey, and Nalin Saigal Department of Computer Science and Engineering, University of South Florida LoPSiL: A Location-based Policy- specification Language 1/51

Introduction Policy-specification languages are domain-specific programming languages designed to make it easier to specify and enforce sound security policies policy allowOnlyHTTP(Socket s) { if (s.getPort() == 80 || s.getPort() == 443) then ALLOW else DISALLOW } 2/51

1. To specify and enforce custom constraints (i.e., a policy) on untrusted software 2. To enable programmers to organize their code with a centrally specified policy module No need to scatter security checks throughout code Provides standard policy-modularization benefits Makes centralized policy easier to create, locate, analyze, and maintain Motivations for Using Policy-specification Languages Security 3/51

Related Work Many expressive policy-specification languages and systems have been implemented Implemented as compilers that convert untrusted into trusted applications Policy Untrusted Application Program Compiler Trusted Application Program The trusted application program is equivalent to the untrusted program except that it contains inlined code that enforces the policy at runtime 4/51

Related Work Several languages and systems employ this architecture E.g., Naccio, PoET/PSLang, Polymer But it can be inconvenient to specify mobile-device policies in these languages because they lack primitives for managing location information On the other hand, some policy-specification languages do provide primitives for managing location information E.g., Policy Mapper, OpenAmbient But these languages are Turing-incomplete and limited to access- control policies 5/51

LoPSiL (Location-based Policy-specification Language) This research designs and implements a language called LoPSiL As far as we are aware, LoPSiL is the first expressive (Turing-complete) policy-specification language that targets location-based policies LoPSiL’s novelty is that it provides abstractions for conveniently accessing and manipulating location information in policies We have posted the implementation of LoPSiL and several example policies online at 6/51

Outline Introduction Motivation Related work LoPSiL Core linguistic constructs Example policies A LoPSiL Compiler Compiler architecture Experiential observations Conclusions 7/51

Language Overview Due to the popularity of Java (particularly Java ME) as an application programming language for mobile devices, we’ll talk about (and we’ve implemented) LoPSiL in the context of Java However, LoPSiL is based on six core abstractions (each implemented as a Java class) that we expect to be portable to other languages and platforms 8/51

Core Linguistic Construct 1 Location May refer to a room, chair, floor, building, campus, GPS coordinates, region of a network topology, etc. Definition of locations is not “baked in” Users can define their own (possibly abstract) locations by extending the Location class Location s have an identity (e.g., name or GPS coordinates) LoPSiL provides many built-in utility methods for manipulating GPS locations (e.g., calculate distance between two locations) Users are free to define others 9/51

Core Linguistic Construct 2 LocationDevice Is LoPSiL’s interface to real-time location information LocationDevice s must implement two methods: 1. To return the device’s current location 2. To return the device’s location granularity: with what precision/accuracy the current location is known (e.g., within 0.5m, 2km, 1 room etc.) Policies can require devices to provide location information with particular granularity thresholds 10/51

Core Linguistic Construct 3 PolicyAssumptions Encapsulates two assumptions made by policies about a LocationDevice : LocationGranularityAssumption : Policy may require location information with a particular accuracy FrequencyOfUpdatesAssumption : Policy may require that location updates arrive with a particular frequency A LoPSiL policy gets notified automatically whenever a LocationDevice violates that policy’s granularity or frequency-of-updates assumptions 11/51

Core Linguistic Construct 4 Action Encapsulates information (method signature, run-time arguments, calling object, return value, etc.) about a security-relevant method An Action object gets passed to a policy before and after every security-relevant method executes The policy can analyze an Action object passed to it to determine which security-relevant method is being invoked or has just been invoked Policies get to decide whether and how the Action s passed to it will execute 12/51

Core Linguistic Construct 5 Reaction Conveys a policy’s decision about whether and how an action is allowed to execute Policies can react to a given Action a by returning one of four Reaction s 1. OK : a is safe to execute 2. Exception : a is unsafe; exception should be raised 3. Replace : a is unsafe; a precomputed return value should be returned instead of executing a 4. Halt : a is unsafe; program should be halted 13/51

Core Linguistic Construct 6 Policy Specifies constraints on untrusted software Five parts to a LoPSiL Policy 1. PolicyAssumptions 2. void handleGranularityViolation() 3. void handleFrequencyViolation() 4. void onLocationUpdate() Invoked when any LocationDevice associated with the policy updates its Location information 5. Reaction react(Action a) Return a reaction to any security-relevant action 14/51

Example Policy: AllowAll public class AllowAll extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public LocationGranularityAssumption lga = new LocationGranularityAssumption(15, Units.METERS); public FrequencyOfUpdatesAssumption foua = new FrequencyOfUpdatesAssumption(10, Units.SECONDS); public PolicyAssumptions pa = new PolicyAssumptions(this, devices, lga, foua); public void handleGranularityViolation() {System.exit(1);} public void handleFrequencyViolation() {System.exit(1);} public synchronized void onLocationUpdate() { System.out.println("new location = " + devices[0].getLocation()); } public synchronized Reaction react(Action a) { return new Reaction("ok"); } } 15/51

Example Policy: AllowAll public class AllowAll extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public LocationGranularityAssumption lga = new LocationGranularityAssumption(15, Units.METERS); public FrequencyOfUpdatesAssumption foua = new FrequencyOfUpdatesAssumption(10, Units.SECONDS); public PolicyAssumptions pa = new PolicyAssumptions(this, devices, lga, foua); public void handleGranularityViolation() {System.exit(1);} public void handleFrequencyViolation() {System.exit(1);} public synchronized void onLocationUpdate() { System.out.println("new location = " + devices[0].getLocation()); } public synchronized Reaction react(Action a) { return new Reaction("ok"); } } 16/51

public class AllowAll extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public LocationGranularityAssumption lga = new LocationGranularityAssumption(15, Units.METERS); public FrequencyOfUpdatesAssumption foua = new FrequencyOfUpdatesAssumption(10, Units.SECONDS); public PolicyAssumptions pa = new PolicyAssumptions(this, devices, lga, foua); public void handleGranularityViolation() {System.exit(1);} public void handleFrequencyViolation() {System.exit(1);} public synchronized void onLocationUpdate() { System.out.println("new location = " + devices[0].getLocation()); } public synchronized Reaction react(Action a) { return new Reaction("ok"); } } Example Policy: AllowAll 17/51

public class AllowAll extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public LocationGranularityAssumption lga = new LocationGranularityAssumption(15, Units.METERS); public FrequencyOfUpdatesAssumption foua = new FrequencyOfUpdatesAssumption(10, Units.SECONDS); public PolicyAssumptions pa = new PolicyAssumptions(this, devices, lga, foua); public void handleGranularityViolation() {System.exit(1);} public void handleFrequencyViolation() {System.exit(1);} public synchronized void onLocationUpdate() { System.out.println("new location = " + devices[0].getLocation()); } public synchronized Reaction react(Action a) { return new Reaction("ok"); } } Example Policy: AllowAll 18/51

public class AllowAll extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public LocationGranularityAssumption lga = new LocationGranularityAssumption(15, Units.METERS); public FrequencyOfUpdatesAssumption foua = new FrequencyOfUpdatesAssumption(10, Units.SECONDS); public PolicyAssumptions pa = new PolicyAssumptions(this, devices, lga, foua); public void handleGranularityViolation() {System.exit(1);} public void handleFrequencyViolation() {System.exit(1);} public synchronized void onLocationUpdate() { System.out.println("new location = " + devices[0].getLocation()); } public synchronized Reaction react(Action a) { return new Reaction("ok"); } } Example Policy: AllowAll 19/51

public class AllowAll extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public LocationGranularityAssumption lga = new LocationGranularityAssumption(15, Units.METERS); public FrequencyOfUpdatesAssumption foua = new FrequencyOfUpdatesAssumption(10, Units.SECONDS); public PolicyAssumptions pa = new PolicyAssumptions(this, devices, lga, foua); public void handleGranularityViolation() {System.exit(1);} public void handleFrequencyViolation() {System.exit(1);} public synchronized void onLocationUpdate() { System.out.println("new location = " + devices[0].getLocation()); } public synchronized Reaction react(Action a) { return new Reaction("ok"); } } Example Policy: AllowAll 20/51

public class AllowAll extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public LocationGranularityAssumption lga = new LocationGranularityAssumption(15, Units.METERS); public FrequencyOfUpdatesAssumption foua = new FrequencyOfUpdatesAssumption(10, Units.SECONDS); public PolicyAssumptions pa = new PolicyAssumptions(this, devices, lga, foua); public void handleGranularityViolation() {System.exit(1);} public void handleFrequencyViolation() {System.exit(1);} public synchronized void onLocationUpdate() { System.out.println("new location = " + devices[0].getLocation()); } public synchronized Reaction react(Action a) { return new Reaction("ok"); } } Example Policy: AllowAll 21/51

public class AllowAll extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public LocationGranularityAssumption lga = new LocationGranularityAssumption(15, Units.METERS); public FrequencyOfUpdatesAssumption foua = new FrequencyOfUpdatesAssumption(10, Units.SECONDS); public PolicyAssumptions pa = new PolicyAssumptions(this, devices, lga, foua); public void handleGranularityViolation() {System.exit(1);} public void handleFrequencyViolation() {System.exit(1);} public synchronized void onLocationUpdate() { System.out.println("new location = " + devices[0].getLocation()); } public synchronized Reaction react(Action a) { return new Reaction("ok"); } } Example Policy: AllowAll 22/51

Relationship with Existing Work Existing policy-specification languages such as Naccio, PSLang, and Polymer provide constructs similar to Actions, Reactions, and Policy with react -style methods LoPSiL’s novelty is its addition of optional location- related policy components: Locations, LocationDevices, PolicyAssumptions, and onLocationUpdate(), handleGranularityViolation(), and handleFrequencyViolation() methods 23/51

Outline Introduction Motivation Related work LoPSiL Core linguistic constructs Example policies A LoPSiL Compiler Compiler architecture Experiential observations Conclusions 24/51

Access-control Policy Prevents an application from reading GPS data outside of work hours public class NoGpsOutsideWorkTime extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public PolicyAssumptions pa =... public synchronized Reaction react(Action a) { if(ActionPatterns.matchesLocationRead(a) && !TimeUtils.isWorkTime()) //return a null location to the application return new Reaction("replace", null); else return new Reaction("ok"); } 25/51

Access-control Policy Prevents an application from reading GPS data outside of work hours public class NoGpsOutsideWorkTime extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public PolicyAssumptions pa =... public synchronized Reaction react(Action a) { if(ActionPatterns.matchesLocationRead(a) && !TimeUtils.isWorkTime()) //return a null location to the application return new Reaction("replace", null); else return new Reaction("ok"); } 26/51

Access-control Policy Prevents an application from reading GPS data outside of work hours public class NoGpsOutsideWorkTime extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public PolicyAssumptions pa =... public synchronized Reaction react(Action a) { if(ActionPatterns.matchesLocationRead(a) && !TimeUtils.isWorkTime()) //return a null location to the application return new Reaction("replace", null); else return new Reaction("ok"); } 27/51

Access-control Policy Prevents an application from reading GPS data outside of work hours public class NoGpsOutsideWorkTime extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public PolicyAssumptions pa =... public synchronized Reaction react(Action a) { if(ActionPatterns.matchesLocationRead(a) && !TimeUtils.isWorkTime()) //return a null location to the application return new Reaction("replace", null); else return new Reaction("ok"); } 28/51

Access-control Policy Prevents an application from reading GPS data outside of work hours public class NoGpsOutsideWorkTime extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public PolicyAssumptions pa =... public synchronized Reaction react(Action a) { if(ActionPatterns.matchesLocationRead(a) && !TimeUtils.isWorkTime()) //return a null location to the application return new Reaction("replace", null); else return new Reaction("ok"); } 29/51

Access-control Policy Prevents an application from reading GPS data outside of work hours public class NoGpsOutsideWorkTime extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public PolicyAssumptions pa =... public synchronized Reaction react(Action a) { if(ActionPatterns.matchesLocationRead(a) && !TimeUtils.isWorkTime()) //return a null location to the application return new Reaction("replace", null); else return new Reaction("ok"); } 30/51

Deviation-from-path Policy public class ShowNavigation extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public PolicyAssumptions pa =... public synchronized void onLocationUpdate() { if(devices[0].getLocation(). distance(getExpectedCurrentLocation(), Units.METERS)>10) AppGUI.displayNavigationalAid(); } Requires that navigational aid appear when the device’s current location deviates from its expected path 31/51

Deviation-from-path Policy public class ShowNavigation extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public PolicyAssumptions pa =... public synchronized void onLocationUpdate() { if(devices[0].getLocation(). distance(getExpectedCurrentLocation(), Units.METERS)>10) AppGUI.displayNavigationalAid(); } Requires that navigational aid appear when the device’s current location deviates from its expected path 32/51

Deviation-from-path Policy public class ShowNavigation extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public PolicyAssumptions pa =... public synchronized void onLocationUpdate() { if(devices[0].getLocation(). distance(getExpectedCurrentLocation(), Units.METERS)>10) AppGUI.displayNavigationalAid(); } Requires that navigational aid appear when the device’s current location deviates from its expected path 33/51

Deviation-from-path Policy public class ShowNavigation extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public PolicyAssumptions pa =... public synchronized void onLocationUpdate() { if(devices[0].getLocation(). distance(getExpectedCurrentLocation(), Units.METERS)>10) AppGUI.displayNavigationalAid(); } Requires that navigational aid appear when the device’s current location deviates from its expected path 34/51

Deviation-from-path Policy public class ShowNavigation extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public PolicyAssumptions pa =... public synchronized void onLocationUpdate() { if(devices[0].getLocation(). distance(getExpectedCurrentLocation(), Units.METERS)>10) AppGUI.displayNavigationalAid(); } Requires that navigational aid appear when the device’s current location deviates from its expected path 35/51

Deviation-from-path Policy public class ShowNavigation extends Policy { public LocationDevice[] devices = {new LopsilGPS(LopsilGPS.GARMIN)}; public PolicyAssumptions pa =... public synchronized void onLocationUpdate() { if(devices[0].getLocation(). distance(getExpectedCurrentLocation(), Units.METERS)>10) AppGUI.displayNavigationalAid(); } Requires that navigational aid appear when the device’s current location deviates from its expected path 36/51

Safe-region Policy: Requires a robot to encrypt all outgoing communications when the robot’s location is outside a secure-region perimeter Social-networking Policy: If the policy infers that the device has completed a journey of at least 100km over the past 2 hours, then all friends in the user’s address book who are located within 20km of the new location get invited to rendezvous Other Policies 37/51

Outline Introduction Motivation Related work LoPSiL Core linguistic constructs Example policies A LoPSiL Compiler Compiler architecture Experiential observations Conclusions 38/51

Compiler Architecture A LoPSiL compiler needs to input a policy, a list of security- relevant methods, and an untrusted application A LoPSiL compiler needs to output a trusted application formed by inserting (inlining) policy code before and after every security-relevant method in the untrusted application List of security-relevant methods LoPSiL Policy LoPSiL Compiler Trusted Application Untrusted Application 39/51

Compiler Architecture We use AspectJ as a convenient tool for inlining policy code into the untrusted application LoPSiL inherits AspectJ’s limitation that it can only inline code into application files (and not standard Java libraries) So, LoPSiL monitors can’t make decisions about the execution of security-relevant methods invoked by (non- application) library classes 40/51

Compiler Architecture User specifies desired policy in a.lopsil file User creates a listing of security-relevant methods in.srm file LoPSiL policy (.lopsil) Security-relevant methods (.srm) 41/51

LoPSiL Compiler Compiler Architecture LoPSiL policy (.lopsil) Security-relevant methods (.srm) lopsil2aj converter User inputs the.lopsil and the.srm file into a lopsil2aj converter, because it converts LoPSiL files into files that can be input into an AspectJ compiler 42/51

LoPSiL Compiler Compiler Architecture AspectJ pointcut definition for security-relevant methods (.aj) Policy-enforcement code (.java) The compiler converts the.lopsil file to Java version (. java ) of the policy by inserting three lines of code to import LoPSiL-library classes The compiler converts the.srm file to an AspectJ-code file (. aj ) that has definitions indicating 1. which policy code is to be executed and 2. when should that policy code be executed LoPSiL policy (.lopsil) Security-relevant methods (.srm) lopsil2aj converter 43/51

LoPSiL Compiler Compiler Architecture AspectJ pointcut definition for security-relevant methods (.aj) Policy-enforcement code (.java) Untrusted application (.class) AspectJ compiler The compiler inputs the. java file, the. aj file, and the untrusted application (. class ) into a standard AspectJ compiler LoPSiL policy (.lopsil) Security-relevant methods (.srm) lopsil2aj converter 44/51

LoPSiL Compiler Compiler Architecture AspectJ pointcut definition for security-relevant methods (.aj) Policy-enforcement code (.java) Trusted application (.class) Untrusted application (.class) AspectJ compiler AspectJ compiler inlines policy code before and after all security- relevant methods and produces an application that is secure w.r.t. the original LoPSiL policy LoPSiL policy (.lopsil) Security-relevant methods (.srm) lopsil2aj converter 45/51

Outline Introduction Motivation Related work LoPSiL Core linguistic constructs Example policies A LoPSiL Compiler Compiler architecture Experiential observations Conclusions 46/51

Experiential Observations Our location-dependent policies consistently based policy decisions on: Absolute location of the device Geographic relationship of device’s location with another location, or with a region of locations Velocity or acceleration of the device Therefore, LoPSiL provides several utility methods for calculating distances, boundaries, velocities, and acceleration Users can access all these methods and can implement other custom operators when built-in methods are insufficient 47/51

We found that LoPSiL was sufficiently expressive to specify all the location-dependent policies we considered enforcing None of the example policies mentioned earlier took much time (more than a few hours) to design, specify, and test Therefore, we believe that the six core constructs underlying LoPSiL serve as good abstractions for specifying location-dependent policies 48/51 Experiential Observations

Outline Introduction Motivation Related work LoPSiL Core linguistic constructs Example policies A LoPSiL Compiler Compiler architecture Experiential observations Conclusions 49/51

Conclusions LoPSiL is a language for specifying location-dependent runtime security policies LoPSiL’s novelty lies in its expressive abstractions for accessing and manipulating location information in policies Given the increasing ubiquity of mobile devices, we believe the area of location-based policy-specification languages will be an important topic of research Will need involvement/collaboration of researchers in the security, programming languages, and mobile-device- applications communities 50/51

Thanks/Questions? 51/51

References [1] M. Anisetti, C. Ardagna, V. Bellandi, and E. Damiani. Openambient: a pervasive access control architecture. In A. Schmidt, M. Kreutzer, and R. Accorsi, editors, Long-Term and Dynamical Aspects of Information Security: Emerging Trends in Information and Communication Security. Nova Science Publisher, Inc., [2] C. A. Ardagna, M. Cremonini, E. Damiani, S. D. C. di Vimercati, and P. Samarati. Supporting location-based conditions in access control policies. In Symposium on Information, computer and communications security, [3] R. Bhatti, M. Damiani, D. Bettis, and E. Bertino. Policy mapper: Administering location- based access-control policies. IEEE Internet Computing, 12(2):38–45, [4] U. Erlingsson and F. B. Schneider. IRM enforcement of Java stack inspection. In IEEE Symposium on Security and Privacy, Oakland, CA, May [5] D. Evans and A. Twyman. Flexible policy-directed code safety. In IEEE Security and Privacy, Oakland, CA, May [6] J. Ligatti, L. Bauer, and D. Walker. Enforcing non-safety security policies with program monitors. In 10th European Symposium on Research in Computer Security (ESORICS), Sept

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.