Abstract
Enforcing security policies on IT systems, especially on mobile distributed systems,
is challenging. As society becomes more IT-savvy, our expectations about
security and privacy evolve. This is usually followed by changes in regulation,
in the form of standards and legislation. In many cases a small modification of
a security requirement can lead to substantial changes in a number of modules
within a large mobile distributed system. Indeed, security is a crosscutting
concern that can spread across many business modules within a system and is
difficult to integrate in a modular way.
This dissertation explores the principles of adding challenging security policies to
existing systems with great flexibility and modularity. The policies concerned
cover both classical access control and explicit information flow policies. We
built our solution by combining aspect-oriented programming techniques with
static program analysis techniques. The former technique can separate security
concerns out of the main logic, and thus improves system modularity. The
latter can analyze the system behavior, and thus helps detect software bugs or
potential malicious code.
We present AspectKE, an aspect-oriented extension of the process calculus
KLAIM that excels at modeling mobile, distributed systems. A novel feature of
our approach is that advices are able to analyze the future use of data, which
is achieved by using program analysis techniques. We also present AspectK to
propose other possible aspect-oriented extensions based on KLAIM, followed by
a discussion of open joinpoints that commonly exist in coordination languages
such as KLAIM. Based on the idea of AspectKE, we design and implement
a proof-of-concept programming language AspectKE*, which enables programmers to easily specify analysis-based security policies with the help of high-level
program analysis predicates and functions. The prototype is efficiently realized
by a two-stage implementation strategy and a static-dynamic dual value
evaluation mechanism. We have performed two case studies to evaluate our
programming model and language design. One application is based on an electronic
health care workflow system; the other is a distributed chat system. We
considered a number of security policies for both primary and secondary use of
data, covering classical access control and predictive access control, that is,
access control based on the future behavior of a program. Some of the above-mentioned
policies can only be enforced by analysis of process continuations.
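The abstract's central mechanism is that an advice can decide an access request by analysing the continuation of the requesting process (its remaining actions) rather than only the current action. The following sketch, added here as an illustration and not code from the dissertation or from AspectKE/AspectKE*, models a KLAIM-style tuple space with `out` and `read` actions and an advice on `read` of a patient record. The advice statically scans the continuation for an `out` that would carry the bound record to an untrusted locality, and terminates the process before the read happens if one is found. The `Var`, `Action`, `Process` types, the `PROTECTED_LOCALITY` and `UNTRUSTED_LOCALITIES` parameters, and the two sample processes (a doctor forwarding the record to a ward for primary use, a researcher forwarding it to a research server for secondary use) are all constructed for this example.

```python
"""Predictive access control sketch: an advice inspects the continuation of a
KLAIM-style process before allowing a read.  Constructed illustration only;
this is not AspectKE or AspectKE* code."""

from dataclasses import dataclass
from typing import Any, Dict, List, Tuple


@dataclass(frozen=True)
class Var:
    """A process variable: bound by a read template, used in a later out tuple."""
    name: str


@dataclass(frozen=True)
class Action:
    kind: str        # "out" (add a tuple at locality) or "read" (match a template at locality)
    fields: tuple    # literals and Var instances
    locality: str


@dataclass
class Process:
    name: str
    actions: List[Action]   # the continuation after actions[i] is actions[i + 1:]


# Hypothetical policy parameters (assumptions of this example).
PROTECTED_LOCALITY = "hospital"
UNTRUSTED_LOCALITIES = {"research_server"}


def flows_to(continuation: List[Action], var: str, localities: set) -> bool:
    """Static check over the continuation: is `var` ever out-ed to one of `localities`?"""
    return any(
        act.kind == "out"
        and act.locality in localities
        and any(isinstance(f, Var) and f.name == var for f in act.fields)
        for act in continuation
    )


def predictive_advice(process: Process, index: int) -> str:
    """Advice on read(patient, ...)@hospital: proceed only if nothing the read
    binds is later sent to an untrusted locality; otherwise break the process."""
    act = process.actions[index]
    if act.kind == "read" and act.locality == PROTECTED_LOCALITY and act.fields[0] == "patient":
        continuation = process.actions[index + 1:]
        for f in act.fields:
            if isinstance(f, Var) and flows_to(continuation, f.name, UNTRUSTED_LOCALITIES):
                return "break"
    return "proceed"


def match(template: tuple, tup: tuple) -> bool:
    """Template matching: a Var matches any field, a literal must be equal."""
    return len(template) == len(tup) and all(
        isinstance(f, Var) or f == v for f, v in zip(template, tup)
    )


def run(process: Process, space: Dict[str, List[tuple]]) -> List[Tuple[str, str, str]]:
    """Execute a process against a tuple space, applying the advice before each
    action.  Returns a trace of (kind, locality, verdict) for each action reached."""
    env: Dict[str, Any] = {}
    trace: List[Tuple[str, str, str]] = []
    for i, act in enumerate(process.actions):
        verdict = predictive_advice(process, i)
        trace.append((act.kind, act.locality, verdict))
        if verdict == "break":
            break                      # process terminated; the read never takes place
        if act.kind == "out":
            values = tuple(env[f.name] if isinstance(f, Var) else f for f in act.fields)
            space.setdefault(act.locality, []).append(values)
        elif act.kind == "read":
            found = next((t for t in space.get(act.locality, []) if match(act.fields, t)), None)
            if found is None:
                break                  # KLAIM would block here; this sketch just stops
            env.update({f.name: v for f, v in zip(act.fields, found) if isinstance(f, Var)})
    return trace


def demo() -> Dict[str, list]:
    # Constructed sample data: one patient record held at the hospital locality.
    space: Dict[str, List[tuple]] = {"hospital": [("patient", "p42", "diagnosis-A")]}
    rec = Var("rec")
    read_record = Action("read", ("patient", "p42", rec), "hospital")
    doctor = Process("doctor", [read_record, Action("out", ("treatment", rec), "ward")])
    researcher = Process("researcher", [read_record, Action("out", ("sample", rec), "research_server")])
    return {
        "doctor": run(doctor, space),
        "researcher": run(researcher, space),
        "ward": space.get("ward", []),
        "leaked": space.get("research_server", []),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Both processes issue the identical `read`; a classical access-control policy would have to allow or deny it for both, whereas the advice here reaches different verdicts because it looks at what each process does afterwards. The analysis is deliberately syntactic (it only follows a bound variable into later `out` actions), which is the kind of approximation a real static analysis of continuations has to make sound.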
| Title | Aspects with Program Analysis for Security Policies |
| --- | --- |
| Original language | English |
| Place of publication | Kgs. Lyngby, Denmark |
| Publisher | Technical University of Denmark |
| Publication status | Published - 2010 |
| Series | IMM-PHD-2010-239 |

Projects

- Aspects for security policies (PhD project, finished), 01/06/2007 → 08/12/2010
  Yang, F. (PhD Student), Nielson, F. (Main Supervisor), Probst, C. W. (Examiner), De Nicola, R. (Examiner), Südholt, M. (Examiner) & Nielson, H. R. (Supervisor)