Runtime monitoring for mobile code security


Ville Leppänen
Home page
MSc student
Jari-Matti Mäkelä
Home page
(Tuohimaa) PhD student
Sanna Mäkelä

Sami Mäkelä

Tomi Karlsted

Lauri Taimila

Mikael Laine


There exists three kinds of approaches for mobile code security: (a) providing a proof of security properties along with the code, (b) establishing an authority for certifying the safety of mobile code, (c) running mobile code under some runtime monitoring system in the target platform. We follow approach (c) and have developed a rule-based language (Modular Policy Language, MPL) for expressing runtime monitors and a compiler for translating descriptions to AspectJ based monitors. We use a weaver to weave the aspects into the mobile code to guarantee its safe runtime execution. If the runtime behavior of the code attempts to violate the applied security policy, the application is halted. We aim at simple and compact policy descriptions. We also focus on representing the meaning of a policy description by an invariant over the saved attribute values, and how such invariants and the rule descriptions can be used to prove that the rules preserve the invariant condition.


We develop tools and software analysis methods for ensuring secure execution of mobile code. Future emphasis will be in MPL development, especially attaching invariants to MPL monitor descriptions and developing a method to prove that descriptions preserve their invariant. The scope of applicability of MPL descriptions also needs to be studied. We also plan to develop MPL compilers for other languages besides Java.


Compiler for the MPL language

A compiler exists for AspectJ and there is also a preliminary version for Aspect++. See also the examples.

Publications (not a complete list)

Refereed Articles (1)

[1]Security Monitors for Java Programs with MPL (, ), In International Journal on Information Technologies and Security, Technical University of Sofia, volume 4, . [bibtex]

Refereed Conference Papers (5)

[5]Experiences with Embedding MPL Security Monitors into Java Programs (, ), In Proceedings of International Conference on Computer Systems and Technologies, CompSysTech'09, . [bibtex]
[4]Embedding Rule-Based Security Monitors into Java Programs (, , ), In The 32nd Annual International Computer Software and Applications Conference, IEEE Computer Society, . [bibtex]
[3]Rule-Based Monitors and Policy Invariants for Guaranteeing Mobile Code Security (, , ), . (manuscript) [bibtex]
[2]A Compact Aspect-Based Security Monitor for J2ME Applications (, ), In Proceedings of International Conference on Computer Systems and Technologies, CompSysTech'07, . [bibtex]
[1]Dynamic Rights in Model-Carrying Code (, , ), In Proceedings of the International Conference on Computer Systems and Technologies, CompSysTech'06, . [bibtex]

Refereed Workshop Papers (1)

[1]A Rule-Based Security Policy Language for the Runtime Monitoring of Applications (, ), In NODES'07 – Nordic workshop and doctoral symposium on dependability and security, Abstracts, . [bibtex]

Other Publications (2)

[2]Running Mobile Code Safely and Modular Policy Language (), Master's thesis, University of Turku, . [bibtex]
[1]Dynamic security mechanisms and their applicability to mobile phones (), Master's thesis, University of Turku, . [bibtex]

© Turun yliopisto