Security Policy Enforcement for the OSGi Framework using Aspect-Oriented Programming


Inlined Reference Monitors in Vehicle Systems


  1. Security Policy Enforcement for the OSGi Framework using Aspect-Oriented Programming
     SECAD 2008, August 1st 2008, Turku, Finland. Phu H. Phung and David Sands, Chalmers University of Technology, Gothenburg, Sweden.
  2. Motivation
     • Life cycle mismatch between the vehicle and its software
       – current goal: enable truly open systems, i.e. make it easy to add third-party services
     • This requires allowing potentially untrusted applications access to sensitive resources
     • Simple sandboxing has obvious limitations
       – it grants access all-or-nothing on the basis of trust
  3. An example
     • "A third party service (in an on-board vehicle computer) needs to be able to send SMS messages in order to function properly"
       – possible problems with the application:
         • it could be malicious, e.g. send too many messages
         • it may have bugs, e.g. repeatedly send messages
     • Need for a more fine-grained security policy, e.g.
       – allow a third party application to access the SMS service, but with a restricted recipient address, a limit on the number of messages per day, and depending on the vehicle's location
  4. Goals
     • Study the application of fine-grained security policy enforcement in vehicle systems
       – adopting a language-based approach using aspect-oriented programming with the AspectJ compiler
       – considering the application in the context of vehicle telematics/infotainment systems under the OSGi standard
     • Questions addressed
       – What classes of reference monitor-style policies can be enforced using AspectJ?
       – How can this approach be integrated with the OSGi platform without making platform modifications?
       – What are the shortcomings of using AspectJ for implementing reference monitors?
  5. Outline
     • Overview of background strands
       – Security Policy Enforcement by Program Transformation
       – Aspect-Oriented Programming and AspectJ
     • Security policy enforcement in AspectJ
       – Classes of security policies in AspectJ
       – Other issues related to security policy
     • The case study
       – The OSGi framework
     • Conclusion and future work
  6. Security Policy Enforcement by Program Transformation
     • New code is added at security-relevant actions or events to check that the program respects the security policies
       – the modified program is guaranteed not to violate the policy
  7. An enforcement example
  8. Aspect-Oriented Programming and AspectJ
     • Aspect-oriented programming (AOP): a programming paradigm
       – to modularise cross-cutting functionalities of complex software systems
     • AspectJ is a language that extends Java and implements the AOP paradigm
       – Pointcut: defines the point and the condition under which the aspect modifies the behaviour of an application
       – Advice: defines what modifications should be applied
  9. Outline (repeated from slide 5); next section: Security policy enforcement in AspectJ
  10. Security policies based on kinds of response actions
     • Suppression policy: prohibiting an action by simply suppressing (ignoring) it
       – E.g.: "suppress the alert message when the vehicle speed is over 80mph"
     • Insertion policy: requires insertion of additional code before or after execution
       – E.g.: "store the service object in the policy handler after the service starts"
     • Truncation policy: if the application attempts to perform a prohibited action then execution will be aborted
       – E.g.: stop the application if it attempts to operate the brake system*
     • Replacement policy: the action should be replaced by a safe alternative action
       – E.g.: replace the method call send(..) by the new method secureSend()
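The four response-action classes written as AspectJ aspects, as an added example that is not from the slides or from the authors' implementation. Every target type (VehicleState, Hmi, SmsService, BrakeSystem, HotelGuideBundle, PolicyHandler) is a hypothetical stand-in for the bundle's real in-vehicle APIs, and "stop the application" is approximated by throwing a SecurityException, since the page does not show which OSGi mechanism the study used to halt a bundle.

```aspectj
// Added example (not the paper's code). Hypothetical stand-in types for the
// in-vehicle APIs that a third-party bundle would call.
package policy;

class VehicleState { static double speedMph() { return 85.0; } } // constant for demonstration
class Hmi { void showAlert(String text) { System.out.println("ALERT: " + text); } }
class SmsService {
    void send(String to, String text) { System.out.println("SMS to " + to + ": " + text); }
    // Safe alternative: assumed to validate the recipient before delivering.
    void secureSend(String to, String text) { send(to, text); }
}
class BrakeSystem { void operate() { System.out.println("braking"); } }
class HotelGuideBundle { void start() { System.out.println("bundle started"); } }
class PolicyHandler { static Object serviceObject; }

// Suppression policy: ignore the alert when the vehicle speed is over 80 mph.
aspect SuppressAlertWhenFast {
    pointcut alert(String text): call(void Hmi.showAlert(String)) && args(text);

    void around(String text): alert(text) {
        if (VehicleState.speedMph() > 80.0) {
            return;            // action suppressed: proceed() is never called
        }
        proceed(text);
    }
}

// Insertion policy: after the bundle's start() returns, record the service
// object in the policy handler (code inserted after the action).
aspect RecordServiceObject {
    after(HotelGuideBundle bundle) returning:
            execution(void HotelGuideBundle.start()) && this(bundle) {
        PolicyHandler.serviceObject = bundle;
    }
}

// Truncation policy: abort execution if the application tries to operate the brakes.
aspect StopOnBrakeAccess {
    before(): call(void BrakeSystem.operate()) && !within(policy.StopOnBrakeAccess) {
        throw new SecurityException("policy violation: third-party code may not operate the brake system");
    }
}

// Replacement policy: every call to send(..) made outside SmsService itself is
// replaced by secureSend(..). The !within(..) guard stops the advice from also
// matching the send(..) call inside secureSend, which would recurse forever.
aspect ReplaceSendWithSecureSend {
    void around(SmsService sms, String to, String text):
            call(void SmsService.send(String, String)) && target(sms) && args(to, text)
            && !within(SmsService) {
        sms.secureSend(to, text);   // original action never runs: no proceed()
    }
}
```

The aspects are compiled into the bundle with the AspectJ compiler (ajc); the bundle's own classes are unchanged in source and the policy lives entirely in the aspects, which is the "no platform modification" property the study asks for. Suppression and replacement both use around advice that never calls proceed(); the difference is only whether a substitute action is executed in place of the original.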
  11. Other issues related to security policy
     • Dealing with history-dependent policies
       – use security states (variables) to store program history
     • System-level and application-level security states
       – each state level is encoded in a file monitored by an appropriate daemon thread
     • Dealing with multiple threads
       – common states are accessed under mutual exclusion, where states are encoded and synchronized via files
     • Interaction among security policies
       – by reading and writing states in files
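The SMS policy from slide 3 (restricted recipient, at most N messages per day) as a history-dependent policy with an application-level security state, written here as an added example that is not the authors' code. SmsService, SmsQuotaState and the recipient allow-list are all hypothetical; the slides keep security states in files watched by a daemon thread, whereas this example keeps the state in memory behind a lock, which is a simplification of that design that still shows the mutual-exclusion point.

```aspectj
// Added example (not the paper's code).
package policy;

import java.time.LocalDate;
import java.util.Set;

// Hypothetical stand-in for the SMS service a third-party bundle calls.
class SmsService {
    void send(String to, String text) { System.out.println("SMS to " + to + ": " + text); }
}

// Application-level security state: the program history the policy depends on.
// Simplification: in memory under a lock rather than in a file with a daemon thread.
class SmsQuotaState {
    private static final Object LOCK = new Object();
    private static LocalDate day = LocalDate.now();
    private static int sentToday = 0;

    // Records one send if the daily quota allows it and returns true; otherwise false.
    // All accesses to the shared counters are under mutual exclusion.
    static boolean tryConsume(int limit) {
        synchronized (LOCK) {
            LocalDate today = LocalDate.now();
            if (!today.equals(day)) {        // a new day: reset the history
                day = today;
                sentToday = 0;
            }
            if (sentToday >= limit) return false;
            sentToday++;
            return true;
        }
    }
}

aspect SmsPolicy {
    private static final int DAILY_LIMIT = 10;
    // Constructed allow-list of permitted recipients (assumption, not from the slides).
    private static final Set<String> ALLOWED = Set.of("+46700000001", "+46700000002");

    pointcut smsSend(String to, String text):
        call(void SmsService.send(String, String)) && args(to, text);

    void around(String to, String text): smsSend(to, text) {
        if (!ALLOWED.contains(to)) {
            System.out.println("policy: suppressed SMS to unlisted recipient " + to);
            return;                                   // suppression, no history change
        }
        if (!SmsQuotaState.tryConsume(DAILY_LIMIT)) {
            System.out.println("policy: daily SMS limit reached, message dropped");
            return;                                   // history-dependent suppression
        }
        proceed(to, text);
    }
}

// Simulated third-party bundle code: 12 sends, only the first 10 to an allowed
// number go through; the call to the unlisted number is suppressed regardless.
class HotelGuideDemo {
    public static void main(String[] args) {
        SmsService sms = new SmsService();
        sms.send("+46709999999", "unlisted recipient");
        for (int i = 1; i <= 12; i++) {
            sms.send("+46700000001", "hotel offer #" + i);
        }
    }
}
```

The quota check and the counter update happen in one synchronized section, so two bundle threads racing to send the eleventh message cannot both pass the limit. A policy that also depends on the vehicle's location, as slide 3 suggests, would read that input inside the same advice before deciding whether to proceed.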
  12. Outline (repeated from slide 5); next section: The case study
  13. The case study
     • J2ME/OSGi standard
       – a telematics client application can be downloaded and installed over the air from a control centre
     • The study uses the architecture described in the standard
       – testing on the Knopflerfish open source OSGi framework for the in-vehicle system
  14. The OSGi framework
  15. The scenario
     • A hotel service company offers an infotainment application for in-vehicle systems that provides useful information about hotels near the vehicle's location.
     • As in the GST standard:
       – a driver makes a corresponding request to the control centre
       – the control centre requests the application from the third party
       – the application is installed over the air
  16. The deployment model
  17. Test example
     • A simple application bundle simulating the hotel guide service has been implemented
     • Simple security policies, reflecting the various identified classes of policies and described in AspectJ, are used to weave the bundle
     • The woven bundle was re-deployed and run successfully on the Knopflerfish OSGi framework
     • Several test cases were performed to illustrate that the defined security policies are correctly enforced for the bundle
  18. Outline (repeated from slide 5); next section: Conclusion and future work
  19. Concluding remarks
     • How various sorts of security policies are categorised and described in AspectJ has been illustrated
     • This resulted in the first study of security policy enforcement using an aspect-oriented programming language in an open system like the OSGi framework
       – based on an industrially well-known language, without defining any new policy languages
     • The security assurance in the study is promising
       – certainly adequate for small examples
       – can be deployed in the OSGi framework
  20. Further Work
     • The small-scale examples did not encounter problems with representing history information explicitly
       – how larger examples behave remains to be seen
     • Temporal policies could be considered
     • The composition of different security policies
     • The integration of the weaving process with a middleware to support "online" security policy enforcement in in-vehicle systems