The integration of third-party aspects into applications creates security challenges. Due to the intrusive impact of aspects, one cannot guarantee that the dynamic composition of aspects does not lead to misbehavior. The newly composed aspect typically has many, if not unrestricted, rights to read and modify attributes of the base system. AspectJ, amongst other AOP systems, suffers from this limitation, which makes the composition of independently developed aspects riskful. We have defined and prototyped a run-time policy enforcement model based on execution history to protect programs from untrusted aspects. The dynamic nature of the approach has the advantage that up to date run-time information allows more accurate decision making. We have built a prototype for AspectJ and illustrate its use in a realistic example. Our evaluation shows that practical use of such a solution is feasible and that run-time overhead can be limited. Categories and Subject Descriptors K.6.5 [Security an...