Ian Welch

From Dalang to Kava - The Evolution of a Reflective Java Extension

Current implementations of reflective Java extensions typically either require access to source code, or require a modified Java platform. This makes them unsuitable for applying reflection to Commercial-off-the-Shelf (COTS) systems. In order to address this we developed a prototype Java extension Dalang based on class wrapping that worked with compiled code, and was implemented using a standard Java platform. In this paper we evaluate the class wrapper approach, and discuss issues that relate to the transparent application of reflection to COTS systems. This has informed our design of a new version of Dalang called Kava that implements a metaobject protocol through the application of standard byte code transformations. Kava leverages the capabilities of byte code transformation toolkits whilst presenting a high-level abstraction for specifying behavioural changes to Java components.

Kava - A Reflective Java Based on Bytecode Rewriting

Current implementations of reflective Java typically either require access to source code, or require a modified Java platform. This makes them unsuitable for applying reflection to Commercial-off-the-Shelf (COTS) systems. The high level nature of Java bytecode makes on-the-fly rewritings of class files feasible and this has been exploited by a number of authors. However, in practice working at bytecode level is error prone and leads to fragile code. We propose using metaobject protocols in order to specify behavioural changes and use standard bytecode rewritings to implement the changes. We have developed a reflective Java called Kava that provides behavioural runtime reflection through the use of bytecode rewriting of Java classes. In this paper we discuss the binary rewriting approach, provide an overview of the Kava system and provide an example of an application of Kava.

A qualitative analysis of the intrusion-tolerance capabilities of the MAFTIA architecture

MAFTIA was a three-year European research project that explored the use of fault-tolerance techniques to build intrusion-tolerant systems. The MAFTIA architecture embodies a number of key design principles for building intrusion-tolerant systems, such as the notion of distributing trust throughout the system and limiting the extent to which individual components are trusted, and the aim of this paper is to illustrate these principles and demonstrate MAFTIA s intrusion-tolerance capabilities by showing how MAFTIA mechanisms and protocols might be deployed in a realistic context. We discuss the relationship between intrusion tolerance and fault tolerance, and then describe how the MAFTIA architecture could be used to build an intrusion-tolerant version of a hypothetical e-commerce application. Using fault trees, we analyse possible attack scenarios and show how MAFTIA mechanisms protect against them. We conclude the paper with a discussion of related work and identify areas for future research.

Using reflection as a mechanism for enforcing security policies on compiled code

Securing application resources or defining finer-gained access control for system resources using the Java security architecture requires manual changes to source code. This is error-prone and cannot be done if only compiled code is present. We show how behavioural reflection can be used to enforce security policies on compiled code. Other authors have implemented code rewriting toolkits that achieve the same effect but they either require policies to be expressed in terms of low level abstractions or require the use of new high level policy languages. Our approach allows reuseable policies to be implemented as metaobjects in a high level objecl oriented language (Java), and then bound to application objects at loadtime. The binding between metaobjects and objects is implemented through bytecode rewriting under the control of a declarative binding specification. We have implemented this approach using Kava which is a portable reflective Java implementation. Kava allows customisation of a rich range of runtime behaviour. and provides a non-bypassable meta level suitable for implementing security enforcement. We discuss how we have used Kava to show how to secure a third-party application, how we prevent Kava being bypassed, and compare its performance with non-reflective security enforcement.

Using coordinated atomic actions to design safety-critical systems: a production cell case study

Coordinated Atomic actions (CA actions) are a unified approach to structuring complex concurrent activities and supporting error recovery between multiple interacting objects in object‐oriented systems. This paper explains how we have used the CA action concept to design and implement a safety‐critical application. We have used the Production Cell model that was developed in the Forschungszentrum Informatik (FZI), Karlsruhe, Germany, to present a realistic industry‐oriented problem, where safety requirements play a significant role. Our design consists of two levels: the first level deals with the scheduling of CA actions, and the second level deals with the interactions between devices. Both the scheduling mechanism and the device interactions are enclosed by CA actions. Exception handling and error recovery are incorporated into CA actions in order to satisfy high safety and fault tolerance requirements. A controlling program based on our design was developed in the Java language and used to drive a graphical simulator provided by the FZI. Copyright

Adaptation of Connectors in Software Architectures

We want to be able to adapt the behaviour of existing software components in order to add fault-tolerance or enforcement of security properties. We believe that metaobject protocols [1] can be used to perform this transparent and reusable adaptation without recourse to source code. Unfortunately, there is currently no general formal model developed for metaobject protocols, which makes it difficult to reason about their use. However, we believe that recent work in software architectures - in particular the WRIGHT [2] architectural specification language allows us to model metaobject protocols as parameterised connectors.

Re-engineering Security as a Crosscutting Concern

We have re-engineered a third-party application using a reflective security architecture that allows security to be treated as a crosscutting concern. This has resulted in a considerable reduction in tangling between application code and security code. Prior to the re-engineering, the application was secured using a conventional approach based upon the application of inheritance and the proxy pattern, and we are thus able to compare both approaches. Our experience highlights some general points that are applicable to any attempt to engineer security using advanced separation of concerns technology and some possible improvements to Kava, used to implement the crosscutting concerns.

A structured approach to handling on-line interface upgrades

The integration of complex systems out of existing systems is an active area of research and development. There are many practical situations in which the interfaces of the component systems, for example belonging to separate organisations, are changed dynamically and without notification. In this paper we propose an approach to handling such upgrades in a structured and disciplined fashion. All interface changes are viewed as abnormal events and general fault tolerance mechanisms (exception handling, in particular) are applied to dealing with them. The paper outlines general ways of detecting such interface upgrades and recovering after them. An Internet Travel Agency is used as a case study.

Using Reflection as a Mechanism for Enforcing Security Policies in Mobile Code

Several authors have proposed using code modification as a technique for enforcing security policies such as resource limits, access controls, and network information flows. However, these approaches are typically ad hoc and are implemented without a high level abstract framework for code modification. We propose using reflection as a mechanism for implementing code modifications within an abstract framework based on the semantics of the underlying programming language. We have developed a reflective version of Java called Kava that uses byte-code rewriting techniques to insert pre-defined hooks into Java class files at load time. This makes it possible to specify and implement security policies for mobile code in a more abstract and flexible way. Our mechanism could be used as a more principled way of enforcing some of the existing security policies described in the literature. The advantages of our approach over related work (SASI , JRes , etc.) are that we can guarantee that our security mechanisms cannot be bypassed, a property we call strong non-bypassability , and that our approach provides the high level abstractions needed to build useful security policies.

Dynamic Adaptation of the Security Properties of Applications and Components

Applications and components are exposed to different security threats in different environments. We want to tailor the defence of these applications and components to the particular threats faced by them in the target execution environment. Ideally we want to be able to adapt applications and components as they are downloaded into the target execution environment.