This document summarizes a study on using aspect-oriented programming with AspectJ to enforce security policies in OSGi frameworks. It discusses categorizing security policies, implementing examples in AspectJ, and testing on the Knopflerfish OSGi framework. The goal is to study fine-grained security policy enforcement in vehicle systems using a language-based approach without platform modifications.

1. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 1
SECAD 2008
August 01st
2008 Turku, Finland
Security Policy Enforcement for
the OSGi Framework using
Aspect-Oriented Programming
Phu H. Phung and David Sands
Chalmers Univeristy of Technology
Gothenburg, Sweden

2. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 2
Motivation
• Life cycle mismatch between the vehicle and its
software
– current goal: enable truly open systems, i.e. easy to
add third-party services
• needs to allow potentially untrusted applications access to
sensitive resources
• Simple sandboxing has obviously limitations
– (grants all-or-nothing approach on the basis of trust)

3. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 3
An example
• “A third party service (in an on-board vehicle
computer) needs to be able to send SMS
messages in order to function properly”
– possible problems of the application
• could be malicious, e.g. send to many messages
• may has bugs, e.g. repeatedly send messages
• Need for more fire-grained security policy, e.g.
– allow a third party application to access SMS service but
restricted receipt address, with a limit on the number of
messages per day, and depending on the vehicle’s
location

4. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 4
Goals
• Study the application of fine-grained security
policy enforcement in vehicle systems
– Adopting a language-based approach using aspect-
oriented programming with AspectJ compiler
– Considering the application in the context of vehicle
telematics/infotainment systems under the OSGi standard
• Concerned questions
– What classes of reference monitor-style policies can be enforced using
AspectJ?
– How can this approach be integrated with the OSGi platform without making
platform modifications?
– What are the shortcomings of using AspectJ for implementing reference
monitors?

5. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 5
Outline
• Overview of background strands
– Security Policy Enforcement by Program Transformation
– Aspect-Oriented Programming and AspectJ
• Security policy enforcement in AspectJ
– Classes of security policies in AspectJ
– Other issues related to security policy
• The case study
– The OSGi framework
• Conclusion and future work

6. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 6
Security Policy Enforcement by
Program Transformation
• New code will be added in security-relevant
actions or events to check the program respects
the security policies
– the modified program is guaranteed not to violate the
policy

7. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 7
An enforcement example

8. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 8
Aspect-Oriented Programming and
AspectJ
• Aspect-oriented programming (AOP): a new
programming paradigm
– to modularise cross-cutting functionalities of complex
software systems
• AspectJ is a language that extends Java and
implements the paradigm of AOP
– Pointcut: defines the point and the condition under
which the aspect modifies the behaviour of an
application
– Advice: defines what modifications should be applied

9. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 9
Outline
• Overview of background strands
– Security Policy Enforcement by Program Transformation
– Aspect-Oriented Programming and AspectJ
• Security policy enforcement in AspectJ
– Classes of security policies in AspectJ
– Other issues related to security policy
• The case study
– The OSGi framework
• Conclusion and future work

10. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 10
Security policies based on
kinds of response actions
• Suppression policy: prohibiting an action by simply suppressing
(ignoring) it
– E.g.: “suppress the alert message when the vehicle speed is over 80mph”
• Insertion policy: requires insertion of additional code before or
after execution
– E.g.: “store service object in policy handler after the service starts”
• Truncation policy: if the application attempts to perform a
prohibited action then execution will be aborted
– E.g.: stop the application if it attempts to operate the brake system*
• Replacement policy: action should be replaced by a safe
alternative action
– E.g.: replace the method call send(..) by the new method secureSend()''

11. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 11
Other issues related to security
policy
• Dealing with History-Dependent Policies
– Use security states (variables) to store program history
• System Level and Application Level Security
States
– Each state level is encoded in a file monitored by
appropriate daemon thread
• Dealing with multiple threads
– common states are accessed under mutual exclusion
where states are encoded and synchronized via files
• Interacting among security policies
– by reading and writing states in files

12. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 12
Outline
• Overview of background strands
– Security Policy Enforcement by Program Transformation
– Aspect-Oriented Programming and AspectJ
• Security policy enforcement in AspectJ
– Classes of security policies in AspectJ
– Other issues related to security policy
• The case study
– The OSGi framework
• Conclusion and future work

13. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 13
The case study
• J2ME/OSGi standard
– a telematics client application can be downloaded
and installed over the air from a control center
• The study uses the architecture described in the
standard
– Testing on the Knopflerfish open source OSGi
framework for the in-vehicle system.

14. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 14
The OSGi framework

15. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 15
The scenario
• A hotel service company offers an infotainment
application for in-vehicle systems that provides
useful information about hotels near by the
vehicle location.
• as in the GST standard
– a driver makes a corresponding request to the
control centre
– The control centre request to the third party
– Install over the air the application

16. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 16
The deployment model

17. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 17
Test example
• A simple application bundle simulating the hotel guide
service has been implemented
• Simple security policies reflecting various identified
classes of policies described in AspectJ are used to
weave the bundle
• The woven bundle was re-deployed and run
successfully on the Knopflerfish OSGi framework.
• Several test cases were performed to illustrate that the
defined security polices are correctly enforced for the
bundle.

18. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 18
Outline
• Overview of background strands
– Security Policy Enforcement by Program Transformation
– Aspect-Oriented Programming and AspectJ
• Security policy enforcement in AspectJ
– Classes of security policies in AspectJ
– Other issues related to security policy
• The case study
– The OSGi framework
• Conclusion and future work

19. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 19
Concluding remarks
• How various sorts of security policies are
categorised and described in AspectJ has been
illustrated
• Resulted in the first study of security policy
enforcement using an aspect-oriented
programming language in an open system like the
OSGi framework
– based on the more industrially well-know language
without defining any new policy languages
• The security assurance in the study is promising
– (certainly adequate for small examples)
– can be deployed in the OSGi framework

20. SECAD 2008, Aug 01st
2008, Turku – Finland, Phu H. Phung and David Sands Page 20
Further Work
• The small-scale examples did not encounter
problems with representing history information
explicitly
– larger examples remains to be seen
• Temporal policies could be considered
• The composition of different security policies
• The integration of weaving process and a
middleware to support ``online'' security policy
enforcement at in-vehicle systems.