Experience with statically-generated proxies for facilitating Java runtime specialisation

Issues pertaining to mechanisms which can be used to change the behaviour of Java classes at runtime are discussed. The proxy mechanism is compared to, and contrasted with other standard approaches to this problem. Some of the problems the proxy mechanism is subject to are expanded upon. The question of whether statically-developed proxies are a viable alternative to bytecode rewriting was investigated by means of the JavaCloak system, which uses statically-generated proxies to alter the runtime behaviour of externally-developed code. The issues addressed include ensuring the type safety, dealing with the self problem, object encapsulation, and issues of object identity and equality. Some performance figures are provided which demonstrate the load the JavaCloak proxy mechanism places on the system

Semantics-directed implementation of method-call interception

We describe a form of method-call interception (MCI) that allows the programmer to superimpose extra functionality onto method calls at run-time. We provide a reference semantics and a reference implementation for corresponding language constructs. The setup applies to class-based, statically typed, compiled languages such as Java. The semantics of MCI is used to direct a language implementation with a number of valuable properties: simplicity of the implementational model and run-time adaptation capabilities and static type safety and separate compilation and reasonable performance. Our implementational development employs sourcecode instrumentation. We start from a naive implementational model, which is subsequently refined to optimise program execution. The implementation is assessed via benchmarks

Dynamic Proxies for Classes: Towards Type-Safe and Decoupled Remote Object Interaction

A dynamic proxy object is a typed proxy, created at runtime, conforming to a type specified by the application. Such an object can be used wherever an expression of the type it was created for is expected, yet reifies all invocations performed on it. This simple but powerful concept has been introduced into Java at version 1.3 (and has later also appeared in the .NET platform). A dynamic proxy is created for a set of interfaces as an instance of a class, generated automatically on the fly without support from the Java compiler or virtual machine, implementing those interfaces. Unfortunately, dynamic proxies are only available ``for interfaces''. The case of creating dynamic proxies for a set of types including a class type, due to the increased complexity, has not been considered, meaning that it is currently not possible to create a dynamic proxy mimicking an instance of a class. We present a pragmatic approach to supporting dynamic proxies ``for classes'', building on the existing solution to dynamic proxies for interfaces. We discuss the costs of such an extension, in terms of safety, security, and performance, and illustrate its usefulness through a novel abstraction for decoupled remote interaction, unifying (implicit future) remote method invocations and (type-based) publish/subscribe

Using a loadtime metaobject protocol to enforce access control policies upon user-level compiled code

This thesis evaluates the use of a loadtime metaobject protocol as a practical mechanism for enforcing access control policies upon applications distributed as user-level compiled code. Enforcing access control policies upon user-level compiled code is necessary because there are many situations where users are vulnerable to security breaches because they download and run potentially untrustworthy applications provided in the form of user-level compiled code. These applications might be distributed applications so access control for both local and distributed resources is required. Examples of potentially untrustworthy applications are Browser plug-ins, software patches, new applications, or Internet computing applications such as SETI@home. Even applications from trusted sources might be malicious or simply contain bugs that can be exploited by attackers so access control policies must be imposed to prevent the misuse of resources. Additionally, system administrators might wish to enforce access control policies upon these applications to ensure that users use them in accordance with local security requirements. Unfortunately, applications developed externally may not include the necessary enforcement code to allow the specification of organisation-specific access control policies. Operating system security mechanisms are too coarse-grained to enforce security policies on applications implemented as user-level code. Mechanisms that control access to both user-level and operating system-level resources are required for access control policies but operating system mechanisms only focus on controlling access to system-level objects. Conventional object-oriented software engineering can be used to use existing security architectures to enforce access control on user-level resources as well as system-resources. Common techniques are to insert enforcement within libraries or applications, use inheritance and proxies. However, these all provide a poor separation of concerns and cannot be used with compiled code. In-lined reference monitors provide a good separation of concerns and meet criteria for good security engineering. They use object code rewriting to control access to both userlevel and system-level objects by in-lining reference monitor code into user-level compiled code. However, their focus is upon replacing existing security architectures and current implementations do not address distributed access control policies. Another approach that does provide a good separation of concerns and allows reuse of existing security architectures are metaobject protocols. These allow constrained changes to be made to the semantics of code and therefore can be used to implement access control policies for both local and distributed resources. Loadtime metaobject protocols allow metaobject protocols to be used with compiled code because they rewrite base level classes and insert meta-level interceptions. However, these have not been demonstrated to meet requirements for good security engineering such as complete mediation. Also current implementations do not provide distributed access control. This thesis implements a loadtime metaobject protocol for the Java programming language. The design of the metaobject protocol specifically addresses separation of concerns, least privilege, complete mediation and economy of mechanism. The implementation of the metaobject protocol, called Kava, has been evaluated by implementing diverse security policies in two case studies involving third-party standalone and distributed applications. These case studies are used as the basis of inferences about general suitability of using loadtime reflection for enforcing access control policies upon user-level compiled code.EThOS - Electronic Theses Online ServiceGBUnited Kingdo

Object-Centric Reflection: Unifying Reflection and Bringing It Back to Objects

Reflective applications are able to query and manipulate the structure and behavior of a running system. This is essential for highly dynamic software that needs to interact with objects whose structure and behavior are not known when the application is written. Software analysis tools, like debuggers, are a typical example. Oddly, although reflection essentially concerns run-time entities, reflective applications tend to focus on static abstractions, like classes and methods, rather than objects. This is phenomenon we call the object paradox, which makes developers less effective by drawing their attention away from run-time objects. To counteract this phenomenon, we propose a purely object-centric approach to reflection. Reflective mechanisms provide object-specific capabilities as another feature. Object-centric reflection proposes to turn this around and put object-specific capabilities as the central reflection mechanism. This change in the reflection architecture allows a unification of various reflection mechanisms and a solution to the object paradox. We introduce Bifr\"ost, an object-centric reflective system based on first-class meta-objects. Through a series of practical examples we demonstrate how object-centric reflection mitigates the object paradox by avoiding the need to reflect on static abstractions. We survey existing approaches to reflection to establish key requirements in the domain, and we show that an object-centric approach simplifies the meta-level and allows a unification of the reflection field. We demonstrate how development itself is enhanced with this new approach: talents are dynamically composable units of reuse, and object-centric debugging prevents the object paradox when debugging. We also demonstrate how software analysis is benefited by object-centric reflection with Chameleon, a framework for building object-centric analysis tools and MetaSpy, a domain-specific profile

A Generic Feedback Mechanism for Component-Based Systems

Computers have been integrated into all spheres and occupations and the need for users to easily understand how to use each computer application has become paramount. The end-user should not be expected to decipher cryptic messages or to understand the inner functioning of the computer itself. With computer-users spanning all walks of life, there is a need for a change in the mind-set of software developers in making their product more user-friendly. In addition, software systems of the future will increasingly be built from independent encapsulated software components and will often be distributed over various sites. This new paradigm brings a new realm of complexity for the end-user, especially with respect to the increased possibility of failure, so that in addition to the nontrivial task of interpreting the general functioning of an application, the user will be expected to deal with the results of perplexing errors too. The nature of component- based systems makes the provision of support for handling errors far more difficult due to the independent and diffuse nature of the creators of the individual parts making up these systems. Other factors with respect to application use also need to be addressed. For example, it is a rare user who is able to spend 100% of his or her time concentrating on interaction with the computer, without distractions of some sort interrupting. It is even rarer to find an application which is not prone to occasionally unintelligible error messages or breakdowns. Few applications are designed with these realities in mind and when problems do occur, or users are interrupted, they often find it difficult to recover and to resume their primary task. It is also difficult for applications to tailor the provided feedback according to the specific needs of different end-users or the differing roles within which they function. This dissertation will highlight the role of feedback in increasing the interpretability of an application and in alleviating the effects of interruptions, errors and breakdowns. Rather than expecting feedback to be provided by programmers, this dissertation will argue that feedback can be enhanced in a distributed component-based system by separating the feedback concern from the basic functional concern of the application and executing the application within a generic feedback enhancing framework. The feedback concept is examined in depth and the role of feedback in enhancing understanding of applications, and in alleviating the effects of disturbances in our working day, is explored. The concept of a generic framework for enhancing feedback has been developed and a prototype implemented. The design and implementation of this prototype are described, as is the evaluation of the feedback thus produced