ABSTRACT
The contemporary approach to enriching the functionality of various devices is to make them programmable and to enable users to install new features in the form of mobile code. For example, so-called smartphones are equipped with a basic set of applications, but manufacturers and operators provide many applications that can be downloaded and installed later. The expanding use of mobile code has raised security concerns, since mobile code may also contain undesirable features. To find possible security weaknesses, we present our code monitoring solution in the context of J2ME (Java 2 Micro Edition). We first describe our modular policy language for expressing simple rule-based security policies. The policies are translated into aspects, in practice AspectJ aspects, that together form a runtime security monitor. We use a weaver to weave the aspects into the mobile code to guarantee its safe runtime execution. If the runtime behavior of the code attempts to violate the applied security policy, the application is halted. Later, we consider embedding a runtime monitor into J2ME applications. Since simplicity and compact policy descriptions are very beneficial properties in contexts in which resources (e.g. memory) are limited, we believe that our solution is specifically usable for embedded mobile solutions. Compared to other existing policy monitoring solutions, we aim at simpler policy descriptions by following the truncation automata approach and by dismissing the approach in which automata state chains are described in the monitoring program. In fact, we consider automata states unnecessary, since the current state can be regarded as one of the remembered attribute values, if necessary.
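The following AspectJ aspect is an added illustration, not the authors' policy language or its generated output: it shows a truncation-style monitor in which remembered attribute values stand in for explicit automaton states. The policy (no connection or SMS after the contact list has been opened, plus an SMS limit), the aspect name, the limit of 3 and halting by throwing `SecurityException` are all assumptions.

```aspectj
import javax.microedition.io.Connector;
import javax.microedition.pim.PIM;
import javax.wireless.messaging.MessageConnection;

// Hypothetical monitor aspect; names, policy and limit are assumptions.
public aspect PrivacyMonitor {

    // Remembered attribute values replace explicit automaton states.
    private boolean contactsRead = false;
    private int smsSent = 0;
    private static final int SMS_LIMIT = 3; // assumed policy parameter

    // Security-relevant events in the woven application code.
    pointcut readsContacts():
        call(* PIM.openPIMList(..)) && !within(PrivacyMonitor);
    pointcut opensConnection():
        call(* Connector.open(..)) && !within(PrivacyMonitor);
    pointcut sendsSms():
        call(void MessageConnection.send(..)) && !within(PrivacyMonitor);

    // Record the event only if the call actually succeeded.
    after() returning: readsContacts() {
        contactsRead = true;
    }

    // Rule 1: no new connection once private data has been read.
    before(): opensConnection() {
        if (contactsRead) {
            halt("connection opened after reading contacts");
        }
    }

    // Rule 2: connections opened earlier must not send after the read,
    // and the total number of messages is bounded.
    before(): sendsSms() {
        if (contactsRead) {
            halt("SMS sent after reading contacts");
        }
        if (smsSent >= SMS_LIMIT) {
            halt("SMS limit exceeded");
        }
        smsSent++;
    }

    // A truncation monitor can only stop execution; it never alters or
    // suppresses the event. Throwing is the assumed halting mechanism.
    private void halt(String reason) {
        throw new SecurityException("Policy violation: " + reason);
    }
}
```

The monitor must be woven at build time, before the MIDlet is packaged, so that every matching call site in the application is covered.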