Presentation is loading. Please wait.

Presentation is loading. Please wait.

An Aspect-Oriented Approach For Web Application Access Control Presented by: Mohamed Hassan Carleton University Carleton University

Published byBraydon Triplett Modified over 9 years ago

Similar presentations

Presentation on theme: "An Aspect-Oriented Approach For Web Application Access Control Presented by: Mohamed Hassan Carleton University Carleton University"— Presentation transcript:

1 An Aspect-Oriented Approach For Web Application Access Control Presented by: Mohamed Hassan Carleton University Carleton University mhassan2@connect.carleton.ca mhassan2@connect.carleton.camhassan2@connect.carleton.ca Supervisor: Prof. Samuel A. Ajila

2 Outline Object-Oriented Modeling What is Aspect-Oriented? Aspect-Oriented Modeling Motivated Example Problem Statement Contribution AO Reference Architecture Related Works Integrated AO Access Control Implementation for Integrated Access Control Conclusion Future Works

3 Object-Oriented Modeling UK Security RMTR air_in taxi_in taxi_out air_out UK Monitoring RMTR air_in taxi_in taxi_out air_out UK Synchronize RMTR air_in taxi_in taxi_out air_out UK Real-Time RMTR air_in taxi_in taxi_out air_out Standard Model Concern requirements

4 Object-Oriented Modeling (contd.) OO Limitation: No separation of concerns Concerns are spread out. Single concern Concerns are spread out. Single concern affects multiple models. Multiple Concerns are interleaved in Multiple Concerns are interleaved in a single model. No mechanism for modeling interweaving crosscutting concerns. No mechanism for modeling interweaving crosscutting concerns.

5 What is Aspect-Oriented? “A technique that resolves crosscutting concerns where each concern is encapsulated in a modular unit called Aspect” [Elrad et. al].

6 Base Model UKRMTR air_in taxi_in taxi_out air_out UKRMTR air_in taxi_in taxi_out air_out Aspect Access Control Woven Model Aspect Real-Time Aspect Synchronize UKRMTR air_in taxi_in taxi_out air_out UKRMTR air_in taxi_in taxi_out air_out Base Requirements Access Control Requirements Synchronize Requirements Real-Time Requirements Aspect-Oriented Modeling Weaver

7 Base Model UKRMTR air_in taxi_in taxi_out air_out UKRMTR air_in taxi_in taxi_out air_out Aspect Access Control Woven Model Aspect Real-Time Aspect Synchronize UKRMTR air_in taxi_in taxi_out air_out UKRMTR air_in taxi_in taxi_out air_out Base Requirements Access Control Requirements Synchronize Requirements Real-Time Requirements Aspect-Oriented Modeling (contd.) Objective: 1- Validation of modules Weaver

8 Base Model Aspect Access Control Woven Model Aspect Real-Time Aspect Synchronize Aspect Library Objective: 2- Reuse of modules Weaver Aspect-Oriented Modeling (contd.)

9 Base Model (1) Woven Models Aspect Library Aspect-Oriented Modeling (contd.) Objective: 3- Plug and reuse models Base Model (2) Base Model (3)

10 Jointpoints Security holes Aspect Authentication ? ? ? Aspect weaver Motivated Example

11 Problem Statement Access control spread across application. Access control spread across application.  Hard to understand, reusable or analyze. Security policy can very in time. Security policy can very in time.  Weaving overhead and poor performance. Aspect itself can be targeted by intrusions. Aspect itself can be targeted by intrusions.  Aspect must be secured. Aspects must be woven to the application Aspects must be woven to the application in a proper order. in a proper order.  Aspect woven procedure.

12 Contribution Apply security rules depending on the application version before establishing the connection. Apply security rules depending on the application version before establishing the connection. Dynamically apply proper login menu depending on the connection type and the user behaviors. Dynamically apply proper login menu depending on the connection type and the user behaviors. Weave history technique: Weave history technique: Weave only modified part of aspect Weave only modified part of aspect Analyze aspect for un-authorize change Analyze aspect for un-authorize change An integration aspect-oriented approach to secure the web application

13 ConcernDecomposition AdaptationKindAdaptationSubject Language «import» AO Reference Architecture [Schauerhuber et al.] General decomposition of the system into concerns Describes where to introduce the aspect’s adaptation Concepts to describe how an aspect adapts a concern Language underlying the specification of base and aspect

14 Related works

15 Integrated AO Access Control Design principles 1. Each aspect module has multiple design iterative. Step 1: Class Diagram Step 1: Class Diagram  Define class: Attributes/ methods Relationship between classes Relationship between classes Step 2: Sequence Diagram (and other diagrams) Step 2: Sequence Diagram (and other diagrams)  Specify messages between objects

16 Security policy definition: A joined abstract modules that collect the rules into organized structure. 2. Security policy definition: A joined abstract modules that collect the rules into organized structure. Collects logical definitions for security rules into a central location. Collects logical definitions for security rules into a central location. Allows elements to be reused with other central location in other applications. Allows elements to be reused with other central location in other applications. Provides basic for security Library. Provides basic for security Library. Design principles (contd.) Integrated AO Access Control

17 3. Security policy weaved only once to the base module. Design principles (contd.) Integrated AO Access Control  Aspect propagates the changes in the aspect definition refereeing to its woven state.

18 Integrated AO Access Control > BaseAspect > Replace Abstract aspects Input: requested aspect from aspect library Previous woven aspect Timestamp (last modified) Timestamp (last woven) Output: weaved aspect begin Weave history end. First activity Second activity Third activity Fourth activity Weave history Weaver

19 Integrated AO Access Control Weave history Activity 1 Weave history

20 > Weaved_rules Integrated AO Access Control New rules weaved rules Activity 2 Weave history The difference of rules > New_rules

21 > User_Auth > Weaved_rules > Session_V2 Sub-aspects weaved version Integrated AO Access Control > Modified_Aspect Copy modified aspect Activity 3 Weave history

22 Integrated AO Access Control Modified aspect Base model Activity 4 Weave history > Modified_Aspect

23 Transition from design to development Aspect Oriented Programming. Aspect Oriented Programming.  AspectJ + Eclipse Generate aspect-oriented programming codes using: Generate aspect-oriented programming codes using:  Defined models that are created using UML and security design. Prototyping effort. Prototyping effort.

24 Aspect Access control Connection() Enter_Menu() Login() Implementation for Integrated Access Control Web Application

25 Implementation for Integrated Access Control Connection_menu() New_Result() Connection Client Step (1)

26 Implementation for Integrated Access Control Connection_type() Login menu Connection Enter menu Step (2)

27 Implementation for Integrated Access Control Connection() New_Result() Check for un-authorized aspect Check aspect list Security threat Connection Client Execute aspect Yes

28 Conclusion Aspects are presented using UML modeling. Aspects are presented using UML modeling. Representation are supplied with supplementary meta-attributes to hold weaving instruction. Representation are supplied with supplementary meta-attributes to hold weaving instruction. Aspect models defined generic abstract aspects that encapsulate the pointcuts. Aspect models defined generic abstract aspects that encapsulate the pointcuts.  High degree of independent.  More reusable in different context (aspect library). An integrated aspect-oriented approach is proposed to secure web application from any violation.

29 Conclusion (contd.) Aspect module collects information from application using before joinpoint. Aspect module collects information from application using before joinpoint.  Implemented the parallel-box concept.  Traces client behaviours in two different versions of the program. First:

30 Conclusion (contd.) Aspect module defines start and end points of the login method using around joinpoint. Aspect module defines start and end points of the login method using around joinpoint.  Overrides login menu depending on connection type and client behaviours.  Required bi-direction transformation of rules between aspect and application. Second:

31 Conclusion (contd.) Weaving history module is presented. Weaving history module is presented.  Weave only modified part of the aspect.  Analyze aspect modules for any unauthorized changes before weaves them to the application. Third:

32 Future works Analyze technique that verifies the weave of access control aspects. Analyze technique that verifies the weave of access control aspects. Build a dynamic weaving history technique. Build a dynamic weaving history technique. User interface to facilitate aspect selection and apply security rules. User interface to facilitate aspect selection and apply security rules. We are interested in extending our works in three different areas:

33 Questions? Thank you for attention!

Download ppt "An Aspect-Oriented Approach For Web Application Access Control Presented by: Mohamed Hassan Carleton University Carleton University"

Similar presentations

Ch:8 Design Concepts S.W Design should have following quality attribute: Functionality Usability Reliability Performance Supportability (extensibility,

Ch:8 Design Concepts S.W Design should have following quality attribute: Functionality Usability Reliability Performance Supportability (extensibility,
©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 12Slide 1 Software Design l Objectives To explain how a software design may be represented.

©Ian Sommerville 2000 Software Engineering, 6th edition. Chapter 12Slide 1 Software Design l Objectives To explain how a software design may be represented.
Aspect Oriented Programming. AOP Contents 1 Overview 2 Terminology 3 The Problem 4 The Solution 4 Join point models 5 Implementation 6 Terminology Review.

Aspect Oriented Programming. AOP Contents 1 Overview 2 Terminology 3 The Problem 4 The Solution 4 Join point models 5 Implementation 6 Terminology Review.
1 JAC : Aspect Oriented Programming in Java An article review by Yuval Nir and Limor Lahiani.

1 JAC : Aspect Oriented Programming in Java An article review by Yuval Nir and Limor Lahiani.
© 2007 ATLAS Nantes 1 Atlas Model Weaver Use Case: Aspect Oriented Modeling Marcos Didonet Del Fabro Atlas Group (INRIA & LINA), Université de Nantes,

© 2007 ATLAS Nantes 1 Atlas Model Weaver Use Case: Aspect Oriented Modeling Marcos Didonet Del Fabro Atlas Group (INRIA & LINA), Université de Nantes,
©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 32 Slide 1 Aspect-oriented Software Development.

©Ian Sommerville 2006Software Engineering, 8th edition. Chapter 32 Slide 1 Aspect-oriented Software Development.
Aspect Oriented Programming - AspectJ Radhika Rajput.

Aspect Oriented Programming - AspectJ Radhika Rajput.
Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University 1 Modularization.

Software Engineering Laboratory, Department of Computer Science, Graduate School of Information Science and Technology, Osaka University 1 Modularization.
Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.

Copyright © 2008 Accenture All Rights Reserved. Accenture, its logo, and High Performance Delivered are trademarks of Accenture. Andrew Stone Common Security.
Introduction To System Analysis and Design

Introduction To System Analysis and Design
ASPECT ORIENTED SOFTWARE DEVELOPMENT Prepared By: Ebru Doğan.

ASPECT ORIENTED SOFTWARE DEVELOPMENT Prepared By: Ebru Doğan.
1 Objectives To introduces the concept of software Design. To introduce the concept of Object- Oriented Design (OOD). To Define various aspects about object.

1 Objectives To introduces the concept of software Design. To introduce the concept of Object- Oriented Design (OOD). To Define various aspects about object.
HAS. Patterns The use of patterns is essentially the reuse of well established good ideas. A pattern is a named well understood good solution to a common.

HAS. Patterns The use of patterns is essentially the reuse of well established good ideas. A pattern is a named well understood good solution to a common.
©Ian Sommerville 2006Software Engineering, 7th edition. Chapter 14 Slide 1 Object-oriented Design.

©Ian Sommerville 2006Software Engineering, 7th edition. Chapter 14 Slide 1 Object-oriented Design.
Copyright 2004 Prentice-Hall, Inc. Essentials of Systems Analysis and Design Second Edition Joseph S. Valacich Joey F. George Jeffrey A. Hoffer Appendix.

Copyright 2004 Prentice-Hall, Inc. Essentials of Systems Analysis and Design Second Edition Joseph S. Valacich Joey F. George Jeffrey A. Hoffer Appendix.
UML and Object Oriented Concepts

UML and Object Oriented Concepts
1 Model Interface Implementation for Two-Way Obliviousness in Aspect-Oriented Modeling Presented by Wuliang Sun Department of Computer Science Baylor University.

1 Model Interface Implementation for Two-Way Obliviousness in Aspect-Oriented Modeling Presented by Wuliang Sun Department of Computer Science Baylor University.
Deriving AO Software Architectures using the AO-ADL Tool Suite Luis Fernández, Lidia Fuentes, Mónica Pinto, Juan A. Valenzuela Universidad de Málaga

Deriving AO Software Architectures using the AO-ADL Tool Suite Luis Fernández, Lidia Fuentes, Mónica Pinto, Juan A. Valenzuela Universidad de Málaga
Software Engineering Muhammad Fahad Khan

Software Engineering Muhammad Fahad Khan
1 Introduction Chapter 1. 2 Key Ideas Many failed systems were abandoned because analysts tried to build wonderful systems without understanding the organization.

1 Introduction Chapter 1. 2 Key Ideas Many failed systems were abandoned because analysts tried to build wonderful systems without understanding the organization.

Similar presentations

Ads by Google