Access control is a central issue among the overall security goals of information systems. Despite the existence of a vast literature on the subject, it is still very hard to assure the compliance of a large system to a given dynamic access control policy. Based on our previous work on formal islands, we provide in this paper a systematic methodology to weave dynamic, formally specified policies on existing applications using aspect-oriented programming. To that end, access control policies are

more »

... formalized using term rewriting systems, allowing us to have an agile, modular, and precise way to specify and to ensure their formal properties. These high-level descriptions are then weaved into the existing code, such that the resulting program implements a safe reference monitor for the specified policy. For developers, this provides a systematic process to enforce dynamic policies in a modular and flexible way. The level of reuse is improved because policies are independently specified and checked, to be later weaved into various different applications. We implemented the approach on test cases with quite encouraging results.