Aspect-Oriented Programming and Aspect.NET as Security and Privacy Tool for Web and 3D Web Programming

Aspect-Oriented Programming And Its Use For Trustworthy Computing

Aspect-oriented programming (AOP) (Safonov, 2008) is a prospective approach to software development and maintenance. It is based on the concept of a cross-cutting concern. A concern in software design is an idea, consideration, or task. A cross-cutting concern is a concern that cannot be implemented as a hierarchy of modules – classes or procedures, and, therefore, whose implementation requires injection and activation of lots of new fragments of code (statements or definitions) scattered throughout the code of the target application.

Typical examples of cross-cutting concerns are logging, security and privacy (in particular, in Web and 3D Web applications), since the implementation of all of them requires injecting into the target application code of many specific API calls to implement logging (e.g., tracking method calls and returns), security (e.g., permission checks), and privacy (e.g., encoding / decoding of information).

Currently most of the AOP tools are implemented for the Java platform. The most popular of them is AspectJ (AspectJ, 2001) - an extension of the Java language by AOP constructs and features. As for .NET, most of the existing tools for that platform are at research and experimental stage.

Aspect in AOP is an implementation of a cross-cutting concern. Aspect is considered as a new kind of module with specific ways of definition and use. In our terminology (Safonov, 2008), an aspect consists of a set of actions, specified in the aspect definition, each of them accompanied by its weaving condition. The purpose of the aspect is to reuse its actions in a variety of target applications by weaving. Weaving the aspect is the process of combining the code of the target application with the code of aspect in such a way that the actions of the aspect be activated in the join points of the target program selected by the weaver (part of the AOP toolkit) using the aspect’s weaving rules. For example, a weaving rule in a security aspect can prescribe to weave a call of the security action PermissionCheck() before each call of the method ResourceUpdate(), wherever the latter call is found in the target application. Weaving is performed automatically by the specific component of the AOP toolkit, referred to as weaver.

Another example is related to privacy. Suppose that the method TransferPrivateData() of the target application is responsible for the transfer of some private data over the network, and the method UsePrivateData() implements the use of the private data by a network client. To protect the data from the attack, it is reasonable to encrypt them before the transfer, and decrypt after the transfer. If this encryption / decryption functionality is not implemented in the original version of target application (which is often the case in software practice), there is no need to change the target application’s code manually, which is error-prone. It is possible to use AOP and to develop an aspect with two actions – Encrypt() and Decrypt(), such that the weaving rules of the aspect prescribe to insert the call of Encrypt() before each call of TransferPrivateData(), and the call of Decrypt() – after each call of the UsePrivateData().

Even such simple example leads us to the conclusion that AOP could be a very powerful tool to implement security and privacy. Much more examples of using AOP for the purpose of trustworthy computing are provided in (Safonov, 2008). This chapter discusses how to implement these ideas in practice for Web and 3D Web programming, using our AOP toolkit for the .NET platform – Aspect.NET.