Aspect-oriented Information Flow Control

Department of Computer Science

University of Pretoria

Pretoria 0002

South Africa
Keshnee Padayachee J.H.P Eloff Judith Bishop

padayk@unisa.ac.za eloff@cs.up.ac.za jbishop@cs.up.ac.za

1It has become evident that the means by which software is designed and implemented can have a significant impact on software security. There is often a confusion between security software and software security: the former entails a set of add-on features such as cryptography while the latter is an ‘emergent property’ of a complete system [Mcgraw 2003]. Software security involves designing, analyzing and coding for security over the whole life cycle. Developing secure software systems requires more than protecting objects from illegal manipulation: it implies preventing illegal information flow among objects in a system [Izaki et al 2001]. This paper presents an aspect-oriented approach for detecting this illegal information flow. Emergent properties of software have been studied in other fields as well, for example in high performance computing [Subotic and Bishop 2005] .

A software system that manipulates and stores sensitive information such as employee salaries, tax information or identification numbers must prevent such information from leaking out during execution [Myers 1999]. Security controls, such as firewalls, anti-virus software and access control mechanisms, are not sufficient to protect against information leakage. For instance, determining whether a communication violates confidentiality is outside the scope of a firewall mechanism. Similarly, with encryption, there is no guarantee that once data is decrypted its confidentiality will be respected [Sabelfeld and Myers 2003]. Information is exchanged among variables in procedural programs and by messages in object-oriented systems. An illegal flow arises when information is transmitted from one object to another object in violation of the information flow security policy [Samarati et al 1997]. A transfer of information does not necessarily occur every time a message is passed. An object acquires information by changing its internal state, as a result of changing the values of some of its attributes. Thus, if no such changes occur as a result of a message invocation in response to a message then no information has been transferred [Jajodia et al 1992]. For example in the statements below (Figure 1) information from object W, is being transferred to object P, via two messages namely getHoursWorked()and Get_Hours(). The former, returns a value which is passed as argument to the latter. This value is used within the context of object P, either by assigning one of its attributes to the value obtained from getHoursWorked()or by performing some operation as a result of the value obtained from getHoursWorked(). Either way information is flowing into P via W.

WorkInfo W = new WorkInfo(new Double(5));

P.Get_Hours(W.getHoursWorked());

Figure. 1: Demonstrating Information Flow between objects
Two basic types of information flow controls have been identified within the object-oriented perspective, namely language-based information flow controls [Sabelfeld and Myers 2003] and information flow controls based on message filtering [Jajodia and Kogan 1990, Samarati et al. 1997].
2.1 Language-based Information Flow Controls

The control of information flow was not a widely used practice compared to the control of access, as it was considered to be highly impractical until the advent of security typed languages [Sabelfeld and Myers 2003]. In a security typed language, program variables and expressions are augmented with annotations that specify policies about the use of the typed data (see Figure 2 below). This type of program analysis was pioneered by Denning and Denning [1977]. These security policies are then enforced by compile-time type checking and thus have little runtime overhead [Sabelfeld and Myers 2003].

boolean {secret} b;

int x = 0;

if (b) {

}

Figure. 2. Implicit Flow Example [Myers 1999]

Jajodia and Kogan [1990] first proposed the message filtering algorithm for object-oriented systems where every object is assigned a unique classification. Messages between objects are intercepted by the message filter which decides upon examining the given message and classification of the sender and receiver, whether to permit the information flow or not. The message filtering model is relatively complex to implement within the traditional object-oriented paradigm. Consequently, Jajodia and Kogan [1990] only consider primitive operations such as read and write methods and provide no specification of how the message filtering algorithm might be implemented. The aspect-oriented paradigm allows a more generic implementation of the message filter aspect through the use of wildcards, instead of only considering primitive operations such read and write methods. Using wildcards eliminates the need for explicit naming [Kiczales et al 2000].

Aspect-oriented programming was developed to avoid redundancy in programs, hence it has the potential to improve the reliability, maintainability, reusability [Viega and Voas 2000] and the robustness of an application [Padayachee and Eloff 2006]. An aspect is a modular unit of a crosscutting implementation that is provided in terms of pointcuts and advices, specifying what (advice) and when (pointcut) its code is going to be executed. In the execution of a program, there will be certain well-defined points called join points where calls to aspect code would be inserted. The pointcut is used to find a set of join points where aspect code would be inserted. An advice declaration can be used to specify code that should run when the join points specified by the pointcut expression is reached. The advice code will be executed when a join point is reached, either before or after the execution proceeds. A before (or after) advice on a method execution defines code to be run before (after) the particular method is actually executed. Around advice defines code which is executed when the join point is reached and has control over whether the computation at the join point (i.e. an application method) is allowed to execute [Kiczales et al 2001]. The final application is generated by taking both the application functional code and its specific aspects. These two entities will be combined at compile time by invoking a special tool called a weaver.

Identifying illegal flows between objects would require an aspect based on the principle of the message filtering algorithm developed by Jajodia and Kogan [1990]. Here pointcuts would be utilized to identify flows between objects. Such an aspect will observe objects, and intercept messages flowing between them. For instance, the aspect’s advice could decide

• 
  to examine the given message and classification of the sender and receiver, or
  
• 
  to permit the information flow or not.
  
• 
  
  

Figure. 3. Aspect Flow Intercepts Information Flow between Objects.

The Flow aspect considered those actions that resulted in an attribute being assigned (set) or returned from an object. Note the set and get are constructs of AspectJ specifically and do not indicate the method names of the object. For instance, get will identify any method that returns an attribute, irrespective of whether it is actually named 'get'. This notion actually addresses all interactions between objects including those that occur when objects are being instantiated. When an attribute is returned from a message, the reference of this attribute is stored in an appropriate container. When an attribute in an object is being assigned to a particular value, this container is inspected to check if the value was obtained from another object. If this value was obtained from another object then an appropriate action may be taken if the information flowing should not be permitted according to the information flow policy (see Figure 4 below).
public aspect Flow {

pointcut getMethods(): get(* *.*);

before( )returning(Object x): getMethods() &&

(within (A || B || C //...and other objects being tracked )){

//Information flowing out of this object

//Store information about this joinpoint

//such as the reference of this object.

}

pointcut setMethods(Object x): ((set (* *.*) || call (* *(..)))

&& within( A || B || C

//...and other objects being tracked ));

before(Object x): setMethods(x) {

//if there is an illegal flow between the sender

//and receiver objects

// Respond appropriately

//else

}

}

The system was built using AspectJ (ajdt_1.2_for_eclipse_3.0) as an extension to Java (J2SDK1.4.2_05), and the Eclipse 3.0 IDE. Firstly a system containing three classes namely WorkInfo, Employee and Pay_Info was built, integrated and tested as a fully functional Java application by a single programmer. For clarity, we refer to this system as SystemX. As we wanted to demonstrate that information flow could be considered after a system was built, SystemX did not reflect any notion of information flow. The next step involved determining the specification of the final system with regard to the system’s response to information flow leaks. The simplest strategy was adopted, where warnings were issued as information leaks were detected within SystemX. The subsequent process involved ascertaining the information flow policy, where each class was given a specific classification either classified as ‘secret’ or ‘unclassified’. For example consider the code below taken from SystemX (Figure 5), where Pay_Info was classified as secret, and WorkInfo and Employee objects were classified as ‘unclassified’, then Line 5 should be acceptable information flow while Line 7 would result in an information leak and a warning issued.

("MStevens","1234","7,23rd Street Menlo Park");

public static int Employee.tag = 0; //unclassified

public static int Pay_Info.tag = 1; //secret

public static int WorkInfo.tag = 0; //unclassified

public static int FindTag(String s){

//return classification of object

}

}

Figure. 6. Intertype Declarations used supplement classes in the system with classifications

private static Vector References = new Vector();

private static Vector JoinPoint_String = new Vector();

private static Vector Tag = new Vector();

private static int Count = 0;

pointcut getMethods(): get(* *.*);

before( )returning(Object x): getMethods() &&

(within (Employee||Pay_Info||WorkInfo)){

//Store info about this joinpoint,

//the reference & classification

String Signature = thisJoinPoint.getThis().toString();

JoinPoint_String.add(Count,thisJoinPoint.toString());

References.add(Count,x);

Tag.add(Count,

new Integer(Classifications.FindTag(Signature)));

Count++;

pointcut setMethods(Object x): ((set (* *.*) || call (* *(..)))

&& args(x)

&& within(Employee||Pay_Info||WorkInfo));

before(Object x): setMethods(x) {

String Signature = thisJoinPoint.getTarget().toString();

for(int i = 0; i < Count; i++){

if (References.get(i)== x){

{

int tag = ((Integer) Tag.get(i)).intValue();

if (e < tag){

//Issue Warning

}

}

}

}

Figure. 7. Showing an Aspect to intercept information flowing between objects

Despite its appeal, information flow mechanisms have not yet been successfully applied in practice. They are difficult to apply and manage in practice and they require programmers to be security experts. The aspect-oriented paradigm can be used to add security to legacy systems and due to the separation of roles between application and security developers, and it can make the management of security polices easier. In this paper, an information flow control model for existing systems using the aspect-oriented paradigm is posited. Aspects offer several benefits in terms of compact code and increased confidence but there could be drawbacks as it is a new technology. Future research will involve a case-study approach with multiple programmers, where a larger object-oriented system will be woven with the information flow features and re-compiled under the aspect-oriented paradigm. This study will also exploit and comment on aspect-oriented features such as inter-type declarations and wildcards, and as such will provide valuable insight into the benefits of using aspect-orientation. We have shown that it is possible to add on. an albeit limited, information flow without adapting the existing. The model presented here is certainly useful for tracing purposes during software testing and it may also be used to track the propagation of software bugs as they ‘flow’ from one object to another.

DE WIN, B., VANHAUTE, B. AND DE DECKER, B. 2002.How aspect-oriented programming can help to build secure software. Informatica, 26(2), 141-149.

DE WIN, B., VANHAUTE, B. AND DECKER, B. 2001. Security Through Aspect-Oriented Programming. In Advances in Network and Distributed Systems Security, IFIP TC11 WG11.4 First Working Conference on Network Security, Leuven, Belgium, November 2001, DECKER, B. D., PIESSENS, F., SMITS, J.ANDHERREWEGHEN, E. V. (Eds.), Kluwer Academic Publishers, Boston, 125-138.

DENNING, D. E. AND DENNING, P. J. 1977.Certification of Programs for Secure Information Flow. Communications of the ACM, 20(7), 504 -513.

IZAKI, K., ANAKA, K. AND TAKIZAWA, M. 2001. Information Flow Control in Role-Based Model for Distributed Objects. In Eighth International Conference on Parallel and Distributed Systems Kyongju City, Korea, 26-29 June 2001, 363-370.

JAJODIA, S. AND KOGAN, B. 1990. Integrating an Object-Oriented Data Model with Multilevel Security. In 1990 IEEE Symposium on Security and Privacy Oakland, California, 7-9 May 1990, 76-85.

JAJODIA, S., KOGAN, B. AND SANDHU, R.1992.A multilevel-secure object-oriented data model. Technical Report. George Mason University.

KICZALES, G., HILSDALE, E., HUGUNIN, J., KERSTEN, M. AND PALM, J. 2001.Getting Started with AspectJ. Communications of the ACM, 44(10), 59-65.

KICZALES, G., HUGUNIN, J., KERSTEN, M., LAMPING, J., LOPES, C. AND W.G., G. 2000. Semantics-Based Crosscutting in AspectJ. In Workshop on Multi-Dimensional Separation of Concerns inSoftware Engineering (ICSE 2000), 1-6.

MASUHARA, H. AND KAWAUCHI, K. 2003. Dataflow Pointcut in Aspect-Oriented Programming. In Proceedings of The First Asian Symposium on Programming Languages and Systems (APLAS'03) Beijing, China, 27-29 November, OHORI, A. (Ed.), LNCS2895, 105-121.

MCGRAW, G. 2003.From the Ground Up: The DIMACS Software Security Workshop. IEEE Security and Privacy, 1(2), 59-66.

MYERS, A. C. 1999. JFlow: Practical Mostly-Static Information Flow Control. In Proceedings of the 26th ACM Symposium on Principles of Programming Languages(POPL ‘99) San Antonio,Texas, USA, 20-22 January 1999, 228-241.

PADAYACHEE, K. AND ELOFF, J. H. P. 2006. The Next Challenge: Aspect-Oriented Programming. In Proceedings of the Sixth IASTED International Conference on Modelling, Simulation and Optimization Gaborone, Botswana, 11-13 September 2006, NYONGESA, H. (Ed.), ACTA Press, 304-307.

RAMACHANDRAN, R., PEARCE, D. J. AND WELCH, I. 2006. AspectJ for Multilevel Security. In The 5th AOSD Workshop on Aspects, Components, and Patterns for Infrastructure Software (ACP4IS) Bonn, Germany, 2006, 21 March 2006, 1-5.

SABELFELD, A. AND MYERS, A. C. 2003. Language-Based Information-Flow Security. IEEE Journal on Selected Areas in Communications, 21(1), 5-9.

SAMARATI, P., BERTINO, E., CIAMPICHETTI, A. AND JAJODIA, S. 1997.Information Flow Control in Object-Oriented Systems. IEEE Transactions on Knowledge and Data Engineering, 9(4), 624-538.

SUBOTIC, S. AND BISHOP, J. 2005. Emergent Behaviour of Aspects in High Performance and Distributed Computing. In Proc. SAICSIT White River, South Africa, September 2005, 11-19.

VIEGA, J., BLOCH, J. T. AND CHANDRA, P. 2001.Applying Aspect-Oriented Programming to Security. Cutter IT Journal, 14(2), 31-39.

VIEGA, J. AND VOAS, J. 2000.Can Aspect-Oriented Programming Lead to More Reliable Software. IEEE Software, 17(6), 19 -21.

ZDANCEWIC, S. 2004. Challenges in Information-flow Security. In The First International Workshop on Programming Language Interference and Dependence (PLID) Verona, Italy, 25 Aug. 2004, 1-5.