Abstract
A previous study showed how a monitor can be inlined into a potentially untrusted program, producing an instrumented version of that program which provably respects the desired security policy. That study extended previous approaches to the same problem in that it allowed non-safety properties to be monitored, and did not incur any runtime overhead. However, the algorithm itself runs in time \(\mathcal{O}(2^{m\cdot n})\), where n is the size of the original program and m that of the property being monitored, and the size of the resulting instrumented program grows in the order of \(\mathcal{O}(m\cdot n)\). These algorithmic factors limit the usefulness of the approach in practice. In this paper, we suggest several optimizations which reduce the algorithm's run time and the size of the resulting instrumented code. Using these optimizations, the monitor inlining can run in time \(\mathcal{O}(v + e)\), where v and e are respectively the number of states and the number of transitions in the synchronous product of the original program and the property. Furthermore, we show how the size of the instrumented program can be minimized.
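The \(\mathcal{O}(v + e)\) bound in the abstract follows from building only the reachable part of the synchronous product and visiting each product state and transition once. The following Python sketch is an added illustration, not the paper's algorithm: the toy program graph, the property automaton (a safety property with a "bad" sink, rather than the paper's non-safety automata) and the choice to halt before a violating action are all constructed for this example.

```python
# Added example: reachable synchronous product of a program's control-flow
# graph with a property automaton, explored breadth-first so the work is
# proportional to the product's states and edges, not to all (point, state) pairs.
from collections import deque

# Constructed toy program: control-flow graph whose edges are labelled with
# security-relevant actions. Node 0 is the entry point.
PROGRAM = {
    0: [("open", 1)],
    1: [("read", 1), ("send", 2), ("close", 3)],
    2: [("close", 3)],
    3: [],
}

# Constructed property: deterministic automaton over the same actions.
# "q0": no file open; "q1": a file is open; "bad": a send occurred while a
# file was open, which is the violation the inlined monitor must prevent.
PROPERTY = {
    ("q0", "open"): "q1", ("q0", "read"): "q0", ("q0", "send"): "q0", ("q0", "close"): "q0",
    ("q1", "open"): "q1", ("q1", "read"): "q1", ("q1", "close"): "q0", ("q1", "send"): "bad",
}
BAD = "bad"

def synchronous_product(program, prop, entry, init):
    """Return (states, edges, violations) for the reachable product.
    A product state is a (program point, monitor state) pair; an edge whose
    monitor successor is BAD is recorded as a point where the instrumented
    program would halt instead of performing the action."""
    start = (entry, init)
    seen = {start}
    queue = deque([start])
    edges, violations = [], []
    while queue:                                  # each product state dequeued once
        point, q = queue.popleft()
        for action, nxt_point in program[point]:  # each product edge handled once
            q2 = prop.get((q, action), BAD)       # missing transition = violation
            if q2 == BAD:
                violations.append((point, q, action))
                continue                          # the bad successor is never explored
            target = (nxt_point, q2)
            edges.append(((point, q), action, target))
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen, edges, violations

if __name__ == "__main__":
    states, edges, halt = synchronous_product(PROGRAM, PROPERTY, 0, "q0")
    print(len(states), "product states,", len(edges), "edges; halt before:", halt)
```

On this input only 3 of the 12 possible (point, state) pairs are reachable, and node 2 never appears in the product because the only path to it is the forbidden send.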
© 2012 Springer-Verlag Berlin Heidelberg
Lemay, F., Khoury, R., Tawbi, N. (2012). Optimized Inlining of Runtime Monitors. In: Laud, P. (eds) Information Security Technology for Applications. NordSec 2011. Lecture Notes in Computer Science, vol 7161. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29615-4_11
DOI: https://doi.org/10.1007/978-3-642-29615-4_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-29614-7
Online ISBN: 978-3-642-29615-4