Optimized Inlining of Runtime Monitors

  • Conference paper
Information Security Technology for Applications (NordSec 2011)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7161)

Abstract

A previous study showed how a monitor can be inlined into a potentially untrusted program, producing an instrumented version of this program which provably respects the desired security policy. That study extended previous approaches to the same problem in that it allowed non-safety properties to be monitored, and did not incur any runtime overhead. However, the algorithm itself runs in time \(\mathcal{O}(2^{m\cdot n})\), where n is the size of the original program and m that of the property being monitored, and the resulting instrumented program is increased in the order of \(\mathcal{O}(m\cdot n)\). These algorithmic factors limit the usefulness of the approach in practice. In this paper, we suggest several optimizations which reduce the algorithm’s run time and the size of the resulting instrumented code. Using these optimizations, the monitor inlining can run in time \(\mathcal{O}(v + e)\) where v and e are respectively the size and number of transitions present in the synchronous product of the original program and the property. Furthermore, we show how the size of the instrumented program can be minimized.
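As an added illustration (not code from the paper), the following Python sketches the synchronous product the abstract refers to: a constructed control-flow graph is explored together with a deterministic property automaton so that only reachable product states are visited (linear in v + e), and the instrumented program's control points are those product states. The program, the policy ("no network send while a file is open") and the halt-on-violation behaviour are assumptions for the example; the paper's own construction also covers non-safety properties, which this sketch does not.

```python
from collections import deque

# Constructed example program: control-flow graph of program points.
# Each edge is (source_point, action, target_point); actions are the
# security-relevant events the property automaton observes.
PROGRAM_EDGES = [
    ("p0", "open", "p1"),
    ("p1", "read", "p2"),
    ("p2", "send", "p1"),   # send while the file is open: forbidden by policy
    ("p2", "close", "p3"),
    ("p3", "send", "p3"),   # send after close: allowed
]
PROGRAM_START = "p0"

# Constructed safety property as a deterministic automaton: data may be sent
# only while no file is open. Missing transitions go to a rejecting sink,
# which stands for a policy violation.
PROPERTY_DELTA = {
    ("q0", "open"): "q1",
    ("q0", "send"): "q0",
    ("q1", "read"): "q1",
    ("q1", "close"): "q0",
}
PROPERTY_START = "q0"
VIOLATION = "reject"

def synchronous_product(program_edges, program_start, delta, prop_start):
    """Explore only the reachable part of program x property in O(v + e).
    Returns (product states, product transitions); a transition whose target
    property state is VIOLATION is one the inlined monitor must cut."""
    succ = {}
    for src, act, dst in program_edges:
        succ.setdefault(src, []).append((act, dst))
    start = (program_start, prop_start)
    seen = {start}
    queue = deque([start])
    transitions = []
    while queue:
        point, state = queue.popleft()
        for act, nxt_point in succ.get(point, []):
            nxt_state = delta.get((state, act), VIOLATION)
            transitions.append(((point, state), act, (nxt_point, nxt_state)))
            if nxt_state == VIOLATION:
                continue           # violating edge is cut, nothing to explore
            nxt = (nxt_point, nxt_state)
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen), transitions

def inline_monitor(program_edges, program_start, delta, prop_start):
    """Instrumented program: its points are product states, so the monitor
    state is encoded in control flow and no runtime check remains."""
    states, transitions = synchronous_product(program_edges, program_start, delta, prop_start)
    kept = [(s, a, t) for s, a, t in transitions if t[1] != VIOLATION]
    cut = [(s, a, t[0]) for s, a, t in transitions if t[1] == VIOLATION]
    return {"points": states, "edges": kept, "halted": cut}
```

For the constructed graph the product has v = 4 reachable states and e = 5 transitions, one of which (the send at p2 while the file is open) is replaced by a halt in the instrumented program.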

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lemay, F., Khoury, R., Tawbi, N. (2012). Optimized Inlining of Runtime Monitors. In: Laud, P. (eds) Information Security Technology for Applications. NordSec 2011. Lecture Notes in Computer Science, vol 7161. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-29615-4_11

  • DOI: https://doi.org/10.1007/978-3-642-29615-4_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-29614-7

  • Online ISBN: 978-3-642-29615-4
