DOI: 10.1109/ARES.2007.19
Article

A Reflection-Based Framework for Content Validation

Published: 10 April 2007

ABSTRACT

Attacks embedded in application-level data have become one of the most successful ways to circumvent software security. Skilled hackers capitalize on misplaced trust by concealing their malicious code within a seemingly innocuous stream of application data. In systems that do not perform the most elementary data checks, even unintentional user mistakes may cause a program to behave unexpectedly or crash. Any distributed software system with potentially untrustworthy sources of input should design and implement a mechanism to inspect application-level data. Such a solution should defend against mischievous attacks, as well as be robust enough to handle user slip-ups. Important steps in creating a successful validation regime include specifying what input to accept, and translating that policy into working code. Once in production, the validation routine must be adaptable in order to accommodate continuously changing requirements. This paper describes a reflection-based framework for content validation. It separates the inspection of data from the application logic, making it more feasible to construct and maintain a meaningful set of validation rules. The framework is flexible and can be integrated into almost any distributed object-oriented software system. Deployment only requires a basic understanding of XML and expects developers to create a trust model of their own software architecture.

Published in: ARES '07: Proceedings of the Second International Conference on Availability, Reliability and Security
April 2007
1256 pages
ISBN: 0769527752
Publisher: IEEE Computer Society, United States