research-article

Run-Time Enforcement of Nonsafety Policies

Published: 01 January 2009

Abstract

A common mechanism for ensuring that software behaves securely is to monitor programs at run time and check that they dynamically adhere to constraints specified by a security policy. Whenever a program monitor detects that untrusted software is attempting to execute a dangerous action, it takes remedial steps to ensure that only safe code actually gets executed.

This article improves our understanding of the space of policies enforceable by monitoring the run-time behaviors of programs. We begin by building a formal framework for analyzing policy enforcement: we precisely define policies, monitors, and enforcement. This framework allows us to prove that monitors enforce an interesting set of policies that we call the infinite renewal properties. We show how to construct a program monitor that provably enforces any reasonable infinite renewal property. We also show that the set of infinite renewal properties includes some nonsafety policies, that is, that monitors can enforce some nonsafety (including some purely liveness) policies. Finally, we demonstrate concrete examples of nonsafety policies enforceable by practical run-time monitors.
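The abstract's central claim, that a run-time monitor can enforce some nonsafety policies, is easiest to see by running two monitors against one policy. The Python below is an added example, not code from the paper or its authors: the "take/pay" policy, the action names (`take`, `pay`, `browse`) and every function name are constructed for illustration. It contrasts a monitor that can only halt the target (which therefore enforces only prefix-closed, i.e. safety, properties) with the suppress-then-release construction the paper's line of work uses for renewal properties, in which actions are withheld until the withheld suffix brings the executed trace back into the policy.

```python
# Added example (not code from the paper or its authors): a truncation
# automaton and an edit automaton run against a constructed policy, to show
# why only the latter can enforce a nonsafety (renewal) property.
# Action names ('take', 'pay', 'browse') and all function names are
# illustrative assumptions, not identifiers from the paper.


def satisfies(trace):
    """Constructed policy: a finite trace is acceptable iff every 'take' has
    been matched by a later 'pay' and no 'pay' occurs without an outstanding
    'take'.  Any other action (e.g. 'browse') is always allowed.

    This is not a safety property: ['take', 'pay'] is acceptable although its
    prefix ['take'] is not, so the set of acceptable traces is not
    prefix-closed.  It is a renewal property: an infinite run is acceptable
    exactly when infinitely many of its prefixes are."""
    outstanding = 0
    for action in trace:
        if action == "take":
            outstanding += 1
        elif action == "pay":
            if outstanding == 0:
                return False  # a 'pay' nobody asked for can never be repaired
            outstanding -= 1
    return outstanding == 0


def truncation_automaton(actions, ok=satisfies):
    """A monitor that can only let an action through or halt the target.
    It halts the moment the executed prefix would leave the policy."""
    executed = []
    for action in actions:
        if not ok(executed + [action]):
            break  # target halted; nothing after this point runs
        executed.append(action)
    return executed


def edit_automaton(actions, ok=satisfies):
    """A monitor that may suppress actions and re-insert them later.
    Actions are withheld until the withheld suffix brings the executed trace
    back into the policy; then the whole suffix is released in order.  The
    executed prefix is therefore acceptable after every step, and a suffix
    that can never be repaired stays suppressed for good."""
    executed, suppressed = [], []
    for action in actions:
        suppressed.append(action)
        if ok(executed + suppressed):
            executed.extend(suppressed)
            suppressed.clear()
    return executed


# Constructed sample runs: some acceptable, some not.
SAMPLE_TRACES = [
    ["browse"],
    ["take", "pay"],
    ["take", "browse", "take", "pay", "pay"],
    ["browse", "take", "pay", "browse"],
    ["take"],            # unpaid take: unacceptable as it stands
    ["pay"],             # pay without take: never acceptable
]


def check_enforcement(automaton, traces, ok=satisfies):
    """The two conditions a monitor must meet to enforce a policy:
    soundness    - everything it lets execute is acceptable;
    transparency - acceptable input runs are executed unchanged."""
    sound = all(ok(automaton(trace)) for trace in traces)
    transparent = all(automaton(trace) == trace for trace in traces if ok(trace))
    return {"sound": sound, "transparent": transparent}


if __name__ == "__main__":
    for name, automaton in (("truncation", truncation_automaton),
                            ("edit", edit_automaton)):
        print(f"{name:10s} {check_enforcement(automaton, SAMPLE_TRACES)}")
    # truncation: sound but not transparent (it halts at the first 'take')
    # edit:       sound and transparent
```

The truncation automaton fails transparency on `['take', 'pay']` because it must decide at `take` without knowing whether `pay` will follow, and halting is its only remedial step; the edit automaton withholds `take` and releases both actions once `pay` arrives, so its executed prefix is acceptable at every step while acceptable runs pass through unchanged. Releasing the whole withheld suffix, rather than individual actions, is what lets this construction handle properties whose acceptable traces have unacceptable prefixes; the paper's infinite renewal definition and its conditions on which properties are "reasonable" are more precise than this sketch.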



Reviews

Bernard Kuc

I have always viewed digital security and protection as more of an art than a science, the art of staying only one step behind the ingenuity of the next kid trying to break into some system or release that small bit of code that will bring the Internet to its knees. The authors look at the enforcement of security policies from a theoretical perspective. Although this is a common theme of much research, their contribution is that of looking at nonsafety policies. Safety policies ensure that nothing bad happens. After providing a few definitions of property and policy, and how security automata work, the authors detail what sorts of policies can be enforced by monitors. The authors show that while truncation automata can only enforce safety properties, edit automata (automata that can modify the actions that are to be executed) can enforce a wider set of properties, such as liveness and renewal. Each of the above terms is clearly defined and explained using simple examples. Finally, the authors look at the constraints and caveats that limit the applicability of the research, followed by a quick look at alternative ways of defining security automata and even a description of a Java-based implementation. A security system is only as secure as its weakest link, and the phrase, "under the following assumptions," is tantamount to admitting defeat. However, any formal analysis or proof is usually only valid once certain assumptions have been made. Does this mean we should abandon theoretical research? No. Each step that brings more science to the art should always be welcomed.

Online Computing Reviews Service


Published in

ACM Transactions on Information and System Security, Volume 12, Issue 3, January 2009, 209 pages
ISSN: 1094-9224
EISSN: 1557-7406
DOI: 10.1145/1455526

Copyright © 2009 ACM

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 1 January 2009
• Accepted: 1 September 2008
• Revised: 1 August 2008
• Received: 1 January 2007

Qualifiers

• research-article
• Research
• Refereed