
Kestrel Policy Enforcement and Refinement Douglas R. Smith Kestrel Institute Palo Alto, California.


1 Policy Enforcement and Refinement
Douglas R. Smith, Kestrel Institute, Palo Alto, California

2 Issue: How to Handle Nonfunctional and Cross-Cutting Concerns wrt Composition and Refinement?
A concern is cross-cutting if its manifestation cuts across the dominant hierarchical structure of a program/system.
Examples:
- Log all errors that arise during system execution
- Enforce a system-wide error-handling policy
- Disallow unauthorized data accesses
- Enforce timing and resource constraints on a system design

3 Policy Enforcement Approach
[Diagram: a System together with a Policy (its Constraint and its Conditions) is refined into a Refined System showing where the policy applies. Two questions drive the refinement: where and how does the policy apply? (this requires sound static analysis) and what does the policy prescribe?]

4 A Generative Approach to Aspect-Oriented Programming
Hypothesis: aspects are invariants to maintain.

5 Crosscutting in AspectJ
  aspect ObserverUpdating {
    pointcut moves():
         call(void Line.setP1(Point))
      || call(void Line.setP2(Point))
      || call(void Point.setX(int))
      || call(void Point.setY(int))
      || call(void FigureElement.incrXY());
    after(): moves() {
      Display.update();
    }
  }
[Class diagram: FigureElement (incrXY()) with subclasses Point (getX(), getY(), setX(int), setY(int), incrXY()) and Line (getP1(), getP2(), setP1(Point), setP2(Point), incrXY()); a Line holds two Points, and Display must be updated whenever any of them moves. This is one form of crosscutting: the update concern cuts across the Point and Line classes.]

6 Issues with Current Approaches to Aspect-Oriented Programming
- What is the intention of an aspect?
- When is an aspect correct?
- Is the pointcut complete?
- What if the advice needs to cater for various contexts?
- Do two aspects conflict? How do we treat them?
- What if an aspect is not a pointwise action, but a behavior?

7 Maintain an Error Log
Policy: Maintain an error log in a system.

8 Expressing System Constraints
Many system constraints refer to:
- history (events, actions, state, …)
- dynamic context (i.e. the call stack)
- environment behavior
- substrate properties (e.g. instruction timing, latency, …)

9 Virtual Variables in State
[Diagram: an execution trace S0 --act0--> S1 --act1--> S2 --act2--> S3, with the history variable extended at each step:]
  hist := ⟨S0, act0⟩
  hist := hist :: ⟨S1, act1⟩
  hist := hist :: ⟨S2, act2⟩
Key idea: extend the state with a virtual history variable.
Virtual variables exist for purposes of specification and are sliced away prior to code generation.

10 Maintain an Error Log
Policy: Maintain an error log in a system.
Invariant: errlog = filter(error?, actions(hist))
Disruptive actions: error?(act)
Spec for maintenance code: for each error action erract,
  Assume:  errlog  = filter(error?, actions(hist))
  Achieve: errlog′ = filter(error?, actions(hist′))
Derivation:
  errlog′ = filter(error?, actions(hist′))
          = filter(error?, actions(hist :: ⟨S, erract⟩))
          = filter(error?, actions(hist) :: erract)
          = filter(error?, actions(hist)) :: erract
          = errlog :: erract
Spec satisfied by: errlog := errlog :: erract

11 Maintaining an Error Log
[Diagram: the trace S0 --act0--> S1 --error1--> S2 --act2--> S3, with both the history variable and the error log updated at each step (act1 is the error action error1):]
  hist := ⟨S0, act0⟩              errlog := errlog
  hist := hist :: ⟨S1, act1⟩      errlog := errlog :: error1
  hist := hist :: ⟨S2, act2⟩      errlog := errlog

12 General Case
Invariant: I(x)
Disruptive actions: any action that changes x or an alias of x
Spec for maintenance code: for each such action act with specification
  Assume:  P(x)
  Achieve: Q(x, x′)
generate and satisfy the new specification
  Assume:  P(x) ∧ I(x)
  Achieve: Q(x, x′) ∧ I(x′)
The spec is typically satisfied by code of the form: act || update

13 Summary
- What is the intention of the aspect? Expressed by an invariant.
- Is the aspect code correct? Yes, by construction.
- Is the pointcut complete? Static analysis finds all actions that disrupt the invariant.
- Is the advice efficient in all contexts? Specialized code is generated for each context.
- What if several aspects apply at a program point? Attempt to satisfy the joint specification.
- What if an aspect is not a pointwise action, but a behavior? Enforcement of policy automata.

14 Enforce a Security Policy
Policy: No send actions are allowed after file f is read.
[Diagram: a program control-flow graph with nodes A, B, C, D, E, F and edges labelled read(f), send(m) and read(f); beside it the policy automaton with states One and Two, where read(f) moves One to Two and state Two carries the constraint ¬send(*).]
Build a simulation map, then generate new code for the corresponding actions.
Inconsistent joint action spec: ¬send(*) ∧ send(m), satisfied by the abort action.

15 Error-Handling Policies and their Enforcement
Douglas R. Smith, Klaus Havelund, Kestrel Technology, Palo Alto, California, www.kestreltechnology.com

16 NonRobust Java Program
  import java.io.*;

  class AddNumbersFromFile {
    static void doIt(String fileName) throws IOException {
      DataInputStream source = null;
      if (fileName != null)
        source = new DataInputStream(new FileInputStream(fileName));
      int count = source.readInt();      // source is still null when fileName == null
      int sum = addEm(source, count);
      System.out.println("Sum is " + sum);
    }
    static int addEm(DataInputStream s, int c) throws IOException {
      int sum = 0;
      for (int i = 0; i < c; i++) sum += s.readInt();
      if (s.available() == 0) s.close();
      return sum;
    }
  }

17 Generic File Management Policy
[State diagram with states Start, Open, Stop and Error: open takes Start to Open, use loops on Open, close takes Open to Stop, and a use in Start leads to Error. The exceptional transitions are labelled FileNotFoundException / handler1, IOException / handler2, and handler3 for the use that reaches Error.]

18 A Java I/O Class
[Class diagram: DataInputStream extends FilterInputStream and implements DataInput.]
  interface DataInput {
    int  readInt()  throws IOException;
    char readChar() throws IOException;
    …
  }
  class FilterInputStream {
    void close()     throws IOException {…}
    int  available() throws IOException {…}
  }
  class DataInputStream extends FilterInputStream implements DataInput {
    DataInputStream(InputStream in) {…}
    int  readInt()  throws IOException {…}
    char readChar() throws IOException {…}
    …
  }

19 Generic/Library Policy for DataInputStreams
  policy DataInputStreamPolicy {
    // policy instance variables
    string filename;
    DataInputStream in;

    Start: { DataInputStream(FileInputStream(filename)) returns in } -> Open
    Start: { in.read*() } -> Error
      replace { throw new Error("Attempt to read from an unopen File"); }
    Start: { in.available() } -> Start
      replace { throw new Error("Attempt to invoke available on an unopen File"); }
    Start: { in.close() } -> Start
      replace { print("Attempt to close an unopen File"); }
    …

20 Library Policy (continued)
    Open: { in.read*() } -> Open
      catch (EOFException e) { throw new Error("EOF: insufficient data in file " + filename); }
      catch (IOException e)  { throw new Error("Cannot read from File " + filename); }
    Open: { in.available() } -> Open
      catch (IOException e)  { throw new Error("Unable to determine whether file " + filename + " contains more data"); }
    Open: { in.close() } -> Closed
      precondition { in.available() == 0 }
        { System.out.println("Closed file " + filename + " when it contained extra data"); }
    Open: { exit } -> Closed
      preaction { System.out.println("Performing a missing close on file " + filename); in.close(); }
    …

21 Example Policy (continued)
    Closed: { in.read*() } -> Closed
      replace { throw new Error("File " + filename + " already closed"); }
    Closed: { in.available() } -> Closed
      replace { throw new Error("Attempt to invoke available on a closed file: " + filename); }
    Closed: { in.close() } -> Closed
      replace { throw new Error("File " + filename + " already closed"); }
  }

22 Application-Specific Subpolicy for DataInputStreams
  policy AddNumbersPolicy extends DataInputStreamPolicy {
    Open0: { count = in.read*() } -> Open1
      postcondition (0 <= count && count <= 1000)
        { System.out.println("count received an illegal value: " + Integer.toString(count) + "\nsetting count to 0"); count = 0; }
      catch (EOFException e) { throw new Error("File " + in.filename + " contains no data!"); }
    Open1: { in.read*() } -> Open1
  }

23 Policy Simulation on the Example Program
[Control-flow graphs of doIt and addEm, each node annotated with the set of policy states that can reach it:]
doIt:
  entry                                                          {Start}
  fileName != null ?  T: source = new DataInputStreamPolicy(fileName)   {Open}
                      F: (skip)                                         {Start}
  count = source.readInteger();                    before: {Start, Open}  after: {Open}
  call addEm(source, count);                       {Open -> Closed, Open -> Open}
  sum = result                                                   {Open, Closed}
  System.out.println("Sum is " + sum)                            {Open, Closed}
  exit                                                           {Open, Closed}
addEm:
  entry                                                          {Open}
  sum = 0; i = 0;
  i < c ?  T: sum += s.readInteger(); i++;  (loop)               {Open}
  s.available() == 0 ?  T: s.close();                            {Closed}
                        F: (skip)                                {Open}
  exit: return sum                                               {Open, Closed}
Ambiguous analysis: the state set at the read and at the exits contains more than one policy state.

24 Program Transformation to Reduce Policy Ambiguity
Original (has ambiguous analysis):
  if ( fileName != null )
    source = new DataInputStream(new FileInputStream(fileName));
  count = source.readInt();

Distribute the if-then-else over the semicolon (has unambiguous analysis!):
  if ( fileName != null ) {
    source = new DataInputStream(new FileInputStream(fileName));
    count = source.readInt();
  } else {
    count = source.readInt();
  }

Apply the policy and simplify (unambiguous analysis, clear code):
  if ( fileName == null )
    throw new Error("Attempt to read from an unopen File");
  source = new DataInputStream(new FileInputStream(fileName));
  count = source.readInt();

25 Revised Java Program with Unambiguous Analysis
  import java.io.*;

  class AddNumbersFromFile {
    static void doIt(String fileName) throws IOException {
      DataInputStream source = null;
      if ( fileName == null ) { throw new Error("Attempt to read from an unopen File"); }
      source = new DataInputStream(new FileInputStream(fileName));
      int count = source.readInt();
      int sum = addEm(source, count);
      System.out.println("Sum is " + sum);
    }
    static int addEm(DataInputStream s, int c) throws IOException {
      int sum = 0;
      for (int i = 0; i < c; i++) sum += s.readInt();
      // if (s.available() == 0) s.close();
      return sum;
    }
  }
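The state-set computation of slides 23-25, as an added example that is not from the slides or from the HandlErr tool: a worklist simulation of the DataInputStream policy automaton over a hand-constructed control-flow graph of doIt(), run on the original program and on the transformed one. The CFG node names, the action labels and the dict encoding of the automaton are this example's own assumptions.

```python
from collections import defaultdict

# DataInputStream policy automaton of slides 17 and 19-21 as (state, action) -> next
# state; unlisted actions leave the state unchanged. Names are the slides', the
# dict encoding is this example's own.
FILE_POLICY = {
    ("Start", "open"): "Open",
    ("Start", "read"): "Error",
    ("Open", "close"): "Closed",
    ("Closed", "read"): "Error",
    ("Closed", "close"): "Error",
}

def simulate(cfg, entry, policy, start):
    """Forward fixpoint over a CFG: node -> set of policy states that can reach it.
    Entering Error is a 'replace { throw ... }' on the slides, i.e. an abort, so
    Error is dropped rather than propagated to the successor."""
    states = defaultdict(set)
    states[entry] = {start}
    worklist = [entry]
    while worklist:
        node = worklist.pop()
        for action, succ in cfg.get(node, []):
            new = {policy.get((s, action), s) for s in states[node]} - {"Error"}
            if not new <= states[succ]:
                states[succ] |= new
                worklist.append(succ)
    return {n: frozenset(s) for n, s in states.items()}

def ambiguous_nodes(states):
    """Nodes with more than one possible policy state (slide 23's 'ambiguous analysis')."""
    return sorted(n for n, s in states.items() if len(s) > 1)

# Constructed CFG of doIt() on slide 16: node -> [(action, successor)]. 'skip' is
# policy-irrelevant; the two edges out of 'entry' are the branches of
# 'if (fileName != null)', and addEm may or may not close the stream.
DOIT_ORIGINAL = {
    "entry": [("open", "readCount"), ("skip", "readCount")],
    "readCount": [("read", "callAddEm")],
    "callAddEm": [("close", "exit"), ("skip", "exit")],
}
# Same program after slides 24-25: the null branch throws (no successor in the
# normal CFG) and the close inside addEm is commented out.
DOIT_REVISED = {
    "entry": [("open", "readCount")],
    "readCount": [("read", "callAddEm")],
    "callAddEm": [("skip", "exit")],
}
```

Running simulate on DOIT_ORIGINAL reports {Start, Open} at the read and {Open, Closed} at exit, exactly the ambiguity of slide 23; on DOIT_REVISED every node has a single state.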

26 Policy-Specific Tracking Code (unambiguous case)
  public class DataInputStreamForAddNumbers1 extends DataInputStream {
    public String filename;
    public DataInputStreamForAddNumbers1(String filename) throws FileNotFoundException {
      super(new FileInputStream(filename));   // field in stores the file handle
      this.filename = filename;
    }
  }
HandlErr would generate an extension of the DataInputStream class that records the policy instance bindings for use in the error handlers.

27 Revised Java Program with Enforced Policy
  class RobustlyAddNumbersFromFile1 {
    static void doIt(String fileName) throws IOException {
      DataInputStreamForAddNumbers1 source = null;
      if ( fileName == null ) { throw new Error("Attempt to read from an unopen File"); }
      try {
        source = new DataInputStreamForAddNumbers1(fileName);
      } catch (FileNotFoundException e) {
        throw new Error("File " + fileName + " cannot be found");
      }
      int count = 0;
      try {
        count = source.readInt();
      } catch (EOFException e) {
        source.close();
        throw new Error("File " + source.filename + " contains no data!");
      } catch (IOException e) {
        source.close();
        throw new Error("Bad data in file " + source.filename);
      }
      …


29 Ambiguous Analysis
If the analysis remains ambiguous, then some form of runtime tracking of the policy state is required, together with runtime enforcement decisions.
Technique: use subclassing to track state.


31 Runtime State Tracking
  public class DataInputStreamForAddNumbers extends DataInputStream {
    public static final int Start  = 1;
    public static final int Open   = 2;
    public static final int Closed = 3;
    int currentState = Start;
    public String filename;

    public DataInputStreamForAddNumbers(String filename) throws FileNotFoundException {
      super(new FileInputStream(filename));   // field in stores the file handle
      this.filename = filename;
      this.currentState = Open;
    }
    public boolean inState(int state) {
      return this.currentState == state;
    }
    // class continues on the next slide

32 Ambiguous Analysis (DataInputStreamForAddNumbers, continued)
    // Slide 33 repeats this method with the throws clause written as
    // "throws IOException, EOFException"; EOFException is a subclass of IOException.
    public int readInteger() throws IOException {
      int x = 0;
      switch (currentState) {
        case Start:
          throw new Error("Attempt to read from an unopen File");
        case Open:
          try {
            x = super.readInt();
          } catch (EOFException e) {
            throw new EOFException("File " + filename + " contains no data!");
          } catch (IOException e) {
            throw new IOException("Cannot read from file " + filename);
          }
          break;
        case Closed:
          throw new Error("File " + filename + " already closed");
      }
      return x;
    }
    // remaining tracked methods are not shown on the slides
  }

34 Robustified Source – Ambiguous Case (with state tracking and error handling inside method calls)
  public class RobustAddNumbersFromFile {
    static void doIt(String fileName) throws IOException {
      DataInputStreamForAddNumbers source = null;
      if ( fileName != null ) source = new DataInputStreamForAddNumbers(fileName);
      int count = source.readInteger();
      int sum = addEm(source, count);
      System.out.println("Sum is " + sum);
    }
    static int addEm(DataInputStreamForAddNumbers s, int c) throws IOException {
      int sum = 0;
      for (int i = 0; i < c; i++) sum += s.readInteger();
      if ( s.available() == 0 ) s.close();
      return sum;
    }
  }
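The runtime state tracking of slides 29-34, written here as an added example in Python rather than as the slides' Java subclass, and applied to slide 14's "no send after read(f)" automaton. The PolicyMonitor class, its (state, action, argument) transition keys with None standing for the send(*) wildcard, and the constructed action sequences are this example's own, not HandlErr's.

```python
class PolicyViolation(Exception):
    """The automaton would enter Error: the slides' abort / 'replace { throw ... }'."""

class PolicyMonitor:
    """Runtime state tracking of a policy automaton, the generic form of the
    DataInputStreamForAddNumbers subclass on slides 31-33. Transitions are keyed
    (state, action, argument); argument None is a wildcard such as send(*).
    Actions with no matching transition are policy-irrelevant and keep the state."""
    def __init__(self, transitions, start):
        self.transitions = transitions
        self.state = start
        self.trace = []          # (state_before, (action, arg), state_after)

    def act(self, action, arg=None):
        exact = self.transitions.get((self.state, action, arg))
        nxt = exact if exact is not None else self.transitions.get(
            (self.state, action, None), self.state)
        if nxt == "Error":
            raise PolicyViolation(f"{action}({arg}) not allowed in state {self.state}")
        self.trace.append((self.state, (action, arg), nxt))
        self.state = nxt
        return nxt

# Slide 14's policy: no send actions allowed after file f is read.
NO_SEND_AFTER_READ = {
    ("One", "read", "f"): "Two",
    ("Two", "send", None): "Error",
}

def run(actions, policy=NO_SEND_AFTER_READ, start="One"):
    """Run a constructed action sequence under the monitor. Returns the actions
    that completed and the violation message (None if the whole run was allowed)."""
    monitor = PolicyMonitor(policy, start)
    for action, arg in actions:
        try:
            monitor.act(action, arg)
        except PolicyViolation as e:
            return [a for _, a, _ in monitor.trace], str(e)
    return [a for _, a, _ in monitor.trace], None
```

A read of a different file (read(g)) does not move the automaton out of One, so a later send is still allowed; only a read of f followed by any send is aborted.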


36 Conclusions?
- Many aspects can be treated as invariant maintenance.
- An invariant corresponds to a one-state policy automaton.
- Automaton-based policies are applied by conservative static analysis.
- Error-handling policies combine normal and abnormal behaviors.

