Secure and modular access control with aspects

Abstract

Can access control be fully modularized as an aspect? Most proposals for aspect-oriented access control are limited to factoring out access control checks, still relying on a non-modular and ad hoc infrastructure for permission checking. Recently, we proposed an approach for modular access control, called ModAC. ModAC successfully modularizes both the use of and the support for access control by means of restriction aspects and scoping strategies. However, ModAC is only informally described and therefore does not provide any formal guarantee with respect to its effectiveness. In addition, like in many other proposals for aspect-oriented access control, the presence of untrusted aspects is not at all considered, thereby jeopardizing the practical applicability of such approaches. This paper demonstrates that it is possible to fully modularize aspect control, even in the presence of untrusted aspects. It does so by describing a self-protecting aspect that secures ModAC. We validate this result by describing a core calculus for AspectScript, an aspect-oriented extension of JavaScript, and using this calculus to prove effectiveness and non-interference properties of ModAC. Beyond being an important validation for AOP itself, fully modularizing access control with aspects allows access control to be added to other aspect languages, without requiring ad hoc support.