Computer Security – ESORICS 2005

Volume 3679 of the series Lecture Notes in Computer Science pp 355-373

Enforcing Non-safety Security Policies with Program Monitors

  • Jay LigattiAffiliated withDepartment of Computer Science, Princeton University
  • , Lujo BauerAffiliated withCyLab, Carnegie Mellon University
  • , David WalkerAffiliated withDepartment of Computer Science, Princeton University

* Final gross prices may vary according to local VAT.

Get Access


We consider the enforcement powers of program monitors, which intercept security-sensitive actions of a target application at run time and take remedial steps whenever the target attempts to execute a potentially dangerous action. A common belief in the security community is that program monitors, regardless of the remedial steps available to them when detecting violations, can only enforce safety properties. We formally analyze the properties enforceable by various program monitors and find that although this belief is correct when considering monitors with simple remedial options, it is incorrect for more powerful monitors that can be modeled by edit automata. We define an interesting set of properties called infinite renewal properties and demonstrate how, when given any reasonable infinite renewal property, to construct an edit automaton that provably enforces that property. We analyze the set of infinite renewal properties and show that it includes every safety property, some liveness properties, and some properties that are neither safety nor liveness.