Enforcing Non-safety Security Policies with Program Monitors

  • Jay Ligatti
  • Lujo Bauer
  • David Walker
Conference paper

DOI: 10.1007/11555827_21

Part of the Lecture Notes in Computer Science book series (LNCS, volume 3679)
Cite this paper as:
Ligatti J., Bauer L., Walker D. (2005) Enforcing Non-safety Security Policies with Program Monitors. In: di Vimercati S..C., Syverson P., Gollmann D. (eds) Computer Security – ESORICS 2005. ESORICS 2005. Lecture Notes in Computer Science, vol 3679. Springer, Berlin, Heidelberg

Abstract

We consider the enforcement powers of program monitors, which intercept security-sensitive actions of a target application at run time and take remedial steps whenever the target attempts to execute a potentially dangerous action. A common belief in the security community is that program monitors, regardless of the remedial steps available to them when detecting violations, can only enforce safety properties. We formally analyze the properties enforceable by various program monitors and find that although this belief is correct when considering monitors with simple remedial options, it is incorrect for more powerful monitors that can be modeled by edit automata. We define an interesting set of properties called infinite renewal properties and demonstrate how, when given any reasonable infinite renewal property, to construct an edit automaton that provably enforces that property. We analyze the set of infinite renewal properties and show that it includes every safety property, some liveness properties, and some properties that are neither safety nor liveness.

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Jay Ligatti (1)
  • Lujo Bauer (2)
  • David Walker (1)
  1. Department of Computer Science, Princeton University
  2. CyLab, Carnegie Mellon University
