• DocumentCode
    3481685
  • Title

    Security Monitoring of Components Using Aspects and Contracts in Wrappers

  • Author

    Yang, Xiaofeng ; Zulkernine, Mohammad

  • Author_Institution
    Sch. of Comput., Queen's Univ., Kingston, ON, Canada
  • fYear
    2011
  • fDate
    18-22 July 2011
  • Firstpage
    566
  • Lastpage
    575
  • Abstract
    The re-usability and modularity of components reduce the cost and complexity of the software design. It is difficult to predict run-time scenarios covering all possible circumstances to ensure that the components are fully compatible with the system. Given that, monitoring run-time behaviours of components presents a close view of the component qualities. The existing monitoring approaches either implement applications with built-in monitoring features, or observe the external resources and events to predict the status of the components. In this paper, we propose an approach to monitor the runtime behaviours of components using aspect-oriented wrappers and contracts. We design monitoring wrappers to encapsulate the monitored components. We use contracts to define the mutual obligations of two interacting components. The policies implemented in contracts are woven into component wrappers as separate aspect modules. If the component contains any flaws or vulnerabilities, the wrappers can monitor some behaviours and prevent failures propagating into the wrapped components and the rest of the system. This approach assures that the system is running in a safe environment with the erroneous behaviours detected appropriately. We conducted experiments on the run-time monitoring of SQL Injection, Cross Site Scripting attacks, and access control policies. The results show that the framework is very flexible to impose separate policies as aspects on component wrappers without the modifications of the underlying components.
  • Keywords
    SQL; aspect-oriented programming; authorisation; contracts; cost reduction; software reusability; system monitoring; SQL injection; access control policies; aspect-oriented wrappers; component modularity; component re-usability; component security monitoring; cost reduction; cross site scripting attacks; failures; flaws; run-time behaviours; software design; vulnerabilities; Context; Contracts; Instruments; Monitoring; Security; Servers; Weaving; Aspects; Components; Contracts; Security Monitoring; Wrappers;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Computer Software and Applications Conference (COMPSAC), 2011 IEEE 35th Annual
  • Conference_Location
    Munich
  • ISSN
    0730-3157
  • Print_ISBN
    978-1-4577-0544-1
  • Electronic_ISBN
    0730-3157
  • Type

    conf

  • DOI
    10.1109/COMPSAC.2011.79
  • Filename
    6032399