Abstract
Runtime monitoring is an established technique for enforcing a wide range of program safety and security properties. We present a formalization of monitoring and monitor inlining, for the Java Virtual Machine. Monitors are security automata given in a special-purpose monitor specification language, ConSpec. The automata operate on finite or infinite strings of calls to a fixed API, allowing local dependencies on parameter values and heap content. We use a two-level class file annotation scheme to characterize two key properties: (i) that the program is correct with respect to the monitor as a constraint on allowed program behavior, and (ii) that the program has an instance of the given monitor embedded into it, which yields state changes at prescribed points according to the monitor’s transition function. As our main application of these results we describe a concrete inliner, and use the annotation scheme to characterize its correctness. For this inliner, correctness of the level II annotations can be decided efficiently by a weakest precondition annotation checker, thus allowing on-device checking of inlining correctness in a proof-carrying code setting.
This work was partially funded by the S3MS project, IST-STREP-27004. The second author was partially supported by the Swedish Research Council grant 2003-6108.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Aktug, I., Dam, M., Gurov, D.: Provably correct runtime monitoring. Technical Report TRITA-CSC-TCS 2008:1, CSC KTH (2007), http://www.csc.kth.se/~irem/S3MS/TechRep07.pdf
Aktug, I., Linde, J.: An inliner tool for mobile platforms., http://www.csc.kth.se/~irem/S3MS/Inliner/
Aktug, I., Naliuka, K.: ConSpec – a formal language for policy specification. In: Piessens, F., Massacci, F. (eds.) Proc. of The First Int. Workshop on Run Time Enforcement for Mobile and Distributed Systems (REM 2007). Electronic Notes in Theoretical Computer Science, vol. 197-1, pp. 45–58 (2007)
Bannwart, F.Y., Müller, P.: A logic for bytecode. In: Proc. of BYTECODE 2005. ENTCS, vol. 141-1, pp. 255–273 (2005)
Bauer, L., Ligatti, J., Walker, D.: Composing security policies with Polymer. In: Proc. of the ACM SIGPLAN Conf. on Prog. Lang. Design and Implementation, pp. 305–314 (2005)
Erlingsson, Ú., Schneider, F.B.: IRM enforcement of Java stack inspection. In: IEEE Symp. on Security and Privacy, p. 246. IEEE Computer Society Press, Los Alamitos (2000)
Freund, S.N., Mitchell, J.C.: A type system for object initialization in the Java bytecode language. ACM Trans. Program. Lang. Syst. 21(6), 1196–1250 (1999)
Hamlen, K.W., Morrisett, G., Schneider, F.B.: Certified in-lined reference monitoring on.NET. In: Proc. of the ACM SIGPLAN Workshop on Programming Languages and Analysis for Security (PLAS 2006), June 2006, pp. 7–16 (2006)
Hamlen, K.W., Morrisett, G., Schneider, F.B.: Computability classes for enforcement mechanisms. ACM Trans. Program. Lang. Syst. 28(1), 175–205 (2006)
Havelund, K., Rosu, G.: Synthesizing monitors for safety properties. In: Katoen, J.-P., Stevens, P. (eds.) ETAPS 2002 and TACAS 2002. LNCS, vol. 2280, pp. 342–356. Springer, Heidelberg (2002)
Schneider, F.B.: Enforceable security policies. ACM Trans. Infinite Systems Security 3(1), 30–50 (2000)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Aktug, I., Dam, M., Gurov, D. (2008). Provably Correct Runtime Monitoring. In: Cuellar, J., Maibaum, T., Sere, K. (eds) FM 2008: Formal Methods. FM 2008. Lecture Notes in Computer Science, vol 5014. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-68237-0_19
Download citation
DOI: https://doi.org/10.1007/978-3-540-68237-0_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-68235-6
Online ISBN: 978-3-540-68237-0
eBook Packages: Computer ScienceComputer Science (R0)