Toggle Main Menu Toggle Search

Open Access padlockePrints

Using reflection as a mechanism for enforcing security policies on compiled code

Lookup NU author(s): Ian Welch, Dr Robert Stroud


Full text for this publication is not currently held within this repository. Alternative links are provided below where available.


Securing application resources or defining finer-grained access control for system resources using the Java security architecture requires manual changes to source code. This is error-prone and cannot be done if only compiled code is present. We show how behavioural reflection can be used to enforce security policies on compiled code. Other authors have implemented code rewriting toolkits that achieve the same effect but they either require policies to be expressed in terms of low level abstractions or require the use of new high level policy languages. Our approach allows reuseable policies to be implemented as metaobjects in a high level object oriented language (Java), and then bound to application objects at loadtime. The binding between metaobjects and objects is implemented through bytecode rewriting under the control of a declarative binding specification. We have implemented this approach using Kava which is a portable reflective Java implementation. Kava allows customisation of a rich range of runtime behaviour, and provides a non-bypassable meta level suitable for implementing security enforcement. We discuss how we have used Kava to show how to secure a third-party application, how we prevent Kava being bypassed, and compare its performance with non-reflective security enforcement.

Publication metadata

Author(s): Welch I, Stroud RJ

Publication type: Article

Publication status: Published

Journal: Journal of Computer Security

Year: 2002

Volume: 10

Issue: 4

Pages: 399-432

Print publication date: 01/01/2002

ISSN (print): 0926-227X

ISSN (electronic): 1875-8924

Publisher: IOS Press