A compact aspect-based security monitor for J2ME applications

Quantified Score

Visualization

Abstract

The contemporary approach to enrich the functionality of various devices is to make them programmable, and enable the users to install new features in the form of mobile code. For example, so-called smartphones are equipped with a basic set of applications, but the manufacturers and operators provide a lot of applications that can be later downloaded and installed. The expanding use of mobile code has emerged security concerns, since mobile code may also contain undesirable features. For finding the possible security weaknesses, we present our code monitoring solution in the context of J2ME (Java2 Micro Edition). We first describe our modular policy language for expressing simple rule based security policies. The policies are translated into aspects, practically into AspectJ aspects, that together form a runtime security monitor. We use a weaver to weave the aspects into the mobile code to guarantee its safe runtime execution. If the runtime behavior of the code attempts to violate the applied security policy, the application is halted. Later, we consider embedding a runtime monitor into J2ME applications. Since simplicity and compact policy descriptions are very beneficial properties in the contexts in which resources (e.g. memory) are limited, we believe that our solution is specifically usable for embedded mobile solutions. Compared to the other existing policy monitoring solutions, we aim at simpler policy descriptions by following the truncation automata approach, and by dismissing the approach in which automata state-chains are described into monitoring program. In fact, we consider automata states unnecessary, since the current state can be regarded as one of the remembered attribute values, if necessary.