1 Harmless Advice
Daniel S. Dantas, Princeton University, with Prof. David Walker

2 Aspect-Oriented Programming
Large program: we want to add a new logging feature that references many parts of the program.

3 Aspect-Oriented Programming
• When? (Pointcut): the join points in the program at which the added functionality (logging) runs
• What? (Advice): the added functionality itself
Aspect = Pointcuts + Advice + State

4 AOP Advantages
• No “tangling”: to understand the original functionality, examine the mainline code only
• No “scattering”: to understand the added logging functionality, examine the logging advice only
• Easy consistency checking: to audit the added logging code for consistency, simply analyze the pointcut that triggers the logging advice

5 But Beware!
• Advice may change state and break data invariants in the mainline code
• To understand mainline code behavior, one must examine the main program plus all aspects
• Aspects prevent local reasoning

6 Our Goals
• Want the flexibility of aspect-oriented programming
• Want to preserve traditional local reasoning principles: be able to understand the fundamental behavior of the mainline code without having to examine all the auxiliary aspects

7 What is harmless advice?
Contributions
• Defined a new “harmless” form of advice
  Harmless advice does not interfere with main program code
  Harmlessness is enforced by a type system for information flow control
  Proved a noninterference property for the language
  Conducted a case study demonstrating that harmless advice is useful for enforcing security invariants
What does that mean?
• A spectrum of “interfering” effects:
  Doing work of any kind (alters timing)
  Looping or early exit (alters termination)
  Writing to a file (alters observations of the file system)
  Writing to a mutable mainline data structure
• Criteria impacting our choice:
  Must help AOP programmers preserve local reasoning about main program code
  Must be enforceable
  Must admit common AOP applications

8 What Are Aspects Used For?
• AspectJ Users List: what do you use aspects for?
  “…a reusable logging aspect”
  “...I use tracing, profiling, and policy enforcement aspects on virtually every project I work on”
  “…And the standard stuff like: performance monitoring, logging, exception handling”
  “…for error handling, to enforce architectural standards, …and for tracing and logging”
• Security checks / policy enforcement (fail upon violating a check): harmless advice will be useful if it can modify the termination behavior of the main program
• Tracers / loggers / profilers (print main program state to a file): harmless advice will be useful if it can output information about the main program

9 Harmless Advice
Allows I/O and altered termination behavior.
[Diagram: the Original Program evaluates to the original value; the Program + Harmless Advice (with Aspect 1 and Aspect 2 added) evaluates to the new value; original value = new value.]

10 System Design
Source language → (type-directed translation) → Core language
• Programmers use an “oblivious” source language
• Core language contains explicit labels and primitive advice [based on WZL ’03]

11 Core Language Aspects [WZL]
• Join points: labeled expressions l[e] in the main program (l1[e], l2[e], l3[e], l4[e], l5[e], l6[e])
• When? (Pointcut): pc = { l1, l3, l6 }
• What? (Advice): { pc.x → e_adv }
• When evaluation reaches a labeled value l[v] with l ∈ pc, the advice body runs with the join point’s value substituted for x: e_adv[v/x]

12 Harmful Advice
Main program: uses reference r_main
Advice: { pc.x → (r_main := 3) }
• Advice modifies the main program’s state
• Advice is not harmless!!

13 Core Language Typing
• How to protect main program state from interference from advice?
• Protection domains: a lattice (P, ⊑)
  P is a set of protection domains
  ⊑ defines a partial order on P
• Code is executed in a protection domain: Γ; p ⊢ e : τ
• Code executing in a low protection domain should not interfere with code executing in a high protection domain
[Diagram: an example lattice of protection domains p1, p2, p3, p4 ordered by ⊑.]

14 Protection Domains: Advice
• types       τ ::= … | advice p_adv τ
• values      v ::= … | { pc.x →_{p_adv} e_adv }
• expressions e ::= … | { e_pc.x →_{p_adv} e_adv }
• The advice body e_adv is executed in protection domain p_adv
• How should p_adv relate to the current protection domain p_curr at advice triggering? Low-protection code should not interfere with high-protection code.
  p_adv ⊑ p_curr: l[v] in domain p_curr triggers { pc.x →_{p_adv} e_adv }, and e_adv[v/x] runs in the lower (or equal) domain p_adv: GOOD (OK)
  p_curr ⊑ p_adv: l[v] in domain p_curr triggers { pc.x →_{p_adv} e_adv }, and e_adv[v/x] runs in the higher domain p_adv: BAD
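A miniature checker for the protection-domain rules of slides 12 to 14, added here as an illustration (it is not the authors’ Standard ML interpreter). The two-domain lattice aspect ⊑ main, the tagged-tuple expression syntax and the exact read/write rules are simplifying assumptions of this example; it rejects the harmful advice of slide 12 and the BAD triggering case of slide 14 while accepting a logging aspect.

```python
# Added example, not the authors' Standard ML interpreter: a small checker for the
# protection-domain typing of slides 13-14. The two-domain lattice, the tagged-tuple
# syntax and the read/write rules are this example's own simplifications.
ORDER = {("aspect", "main")}        # lattice (P, ⊑): aspect ⊑ main
def leq(p, q):                      # p ⊑ q (reflexive)
    return p == q or (p, q) in ORDER
class Harmful(Exception): pass      # code in p could interfere with a higher domain

def check(e, p, refs, labels):
    """Judgement Γ; p ⊢ e for expression e running in protection domain p.
    refs: reference -> its domain; labels: join point l -> domain p_curr of the
    code containing l. Raises Harmful when a rule is violated."""
    tag = e[0]
    if tag in ("const", "var"): return
    if tag == "out":                        # I/O is allowed in any domain (slide 9)
        check(e[1], p, refs, labels)
    elif tag == "read":                     # reading r needs p ⊑ p_r: low-domain
        if not leq(p, refs[e[1]]):          # state must not flow into high code
            raise Harmful(f"{p} code reads {e[1]} ({refs[e[1]]})")
    elif tag == "write":                    # writing r needs p_r ⊑ p: low code
        if not leq(refs[e[1]], p):          # must not modify high-domain state
            raise Harmful(f"{p} code writes {e[1]} ({refs[e[1]]})")
        check(e[2], p, refs, labels)
    elif tag == "seq":
        check(e[1], p, refs, labels)
        check(e[2], p, refs, labels)
    elif tag == "advice":                   # {pc.x ->_{p_adv} e_adv}
        _, pc, p_adv, body = e
        for l in pc:                        # GOOD case of slide 14: p_adv ⊑ p_curr
            if not leq(p_adv, labels[l]):   # at every join point l in pc
                raise Harmful(f"advice in {p_adv} triggered from {labels[l]} at {l}")
        check(body, p_adv, refs, labels)    # e_adv is typed in domain p_adv
    else:
        raise ValueError(f"unknown form {tag}")

def is_harmless(e, refs, labels):
    try:
        check(e, "main", refs, labels)
        return True
    except Harmful:
        return False

# Constructed sample: r_main belongs to the main program, r_log to the aspect; join
# points l1, l3, l6 lie in main program code (the pc of slide 11), l9 in aspect code.
REFS = {"r_main": "main", "r_log": "aspect"}
LABELS = {"l1": "main", "l3": "main", "l6": "main", "l9": "aspect"}
PC = ("l1", "l3", "l6")
LOGGER = ("advice", PC, "aspect", ("seq", ("out", ("var", "x")), ("write", "r_log", ("const", 1))))
HARMFUL = ("advice", PC, "aspect", ("write", "r_main", ("const", 3)))   # slide 12
UPWARD = ("advice", ("l9",), "main", ("out", ("var", "x")))             # BAD case, slide 14
```

`is_harmless(LOGGER, REFS, LABELS)` returns True, while both `HARMFUL` and `UPWARD` are rejected.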

15 Noninterference [Pottier… ’03]
Want to prove: two core programs that differ only in low-protection code evaluate to the same core value of type bool (which must be true or false).
Proof structure:
• A Core² program of type bool represents the simultaneous execution of the two core programs; the representation is faithful (Completeness Lemma)
• Evaluation preserves the noninterference invariants (Preservation Lemma), yielding a Core² value of type bool
• The Core² value faithfully represents both core values (Soundness Lemma), so the two runs agree: noninterference is proved

16 Language Design
Source language → (type-directed translation) → Core language
• Programmers use an “oblivious” source language
• Core language contains explicit labels and primitive advice [based on WZL ’03]

17 Source Language Program
• Programmers divide code into Main Program + Aspects (Aspect Code 1, Aspect Code 2, Aspect Code 3)
Translation from Source to Core
• Using protection domains: Aspect Code < Main Program (aspect code is in a lower protection domain than main program code)
• By core noninterference: the Original Program and the Program + Harmless Advice agree, original value = new value
• Therefore aspects in the source language are harmless

18 Security Case Study
• Harmless advice is useful for security
• Implemented a “Harmless Advice” interpreter in Standard ML
• Selected security policies from the Naccio execution monitoring system [Evans & Twyman ’99]:
  File system security: limit file write location and size; only modify temp directories; only overwrite tar files
  Network security: limit network send speed; only allow certain hosts; soft limit network send speed

19 Related Work
• Classifying advice
  “Assistants and Observers” [Clifton... ’02]
  “Observation” advice [Rinard… ’04]
  “Almost Spectative” advice [Katz ’04]
• Aspects and modularity
  “Aspectual Collaborations” [Lieberherr… ’03]
  “Open Modules” [Aldrich ’05]
  Information Hiding for AOP [Sullivan… ’05]
  AOP and Modular Reasoning [Kiczales… ’05]

20 Future Work
• AspectML: a polymorphic functional AOPL, with G. Washburn and S. Weirich
• Extend AspectML to allow harmless advice
  Allow polymorphic protection domains
  Allow the mainline code programmer to specify the harm level of potential advice
  Separate I/O into harmless and harmful I/O
• Show that AspectML “Java Stack-Inspection Security” is harmless

21 Conclusion
• Defined a new “harmless” form of advice
  Harmless advice does not interfere with main program code
  Harmlessness is enforced by a type system for information flow control
  Proved a noninterference property for the language
  Conducted a case study demonstrating that harmless advice is useful for enforcing security invariants
Interpreter and Case Study at: