Abstract
Correctness and regulatory compliance of today’s software systems are crucial for our safety and security. This can be achieved with policy enforcement: the process of monitoring and possibly modifying system behavior to satisfy a given policy. The enforcer’s capabilities determine which policies are enforceable.
We study the enforceability of policies specified in metric first-order temporal logic (MFOTL) with enforcers that can cause and suppress different system actions in real time. We consider an expressive safety fragment of MFOTL and show that a policy from that fragment is enforceable if and only if it is equivalent to a policy in a simpler, syntactically defined MFOTL fragment. We then propose an enforcement algorithm for all monitorable policies from the latter fragment, and show that our EnfPoly enforcer outperforms state-of-the-art tools.
Change history
20 October 2022
The original version of this chapter was revised. The original figure-1 was loaded.
Acknowledgments
We thank Dmitriy Traytel and three anonymous ESORICS reviewers for their helpful comments. François Hublet is supported by the Swiss National Science Foundation grant “Model-driven Security & Privacy” (204796).
A Evaluation Data
Table 1 shows the raw evaluation data produced by our experiments. The table on the left contains the data obtained when answering RQ1, while the data in the table on the right is obtained when answering RQ2. In the former we use three policies \(\chi _1\), \(\chi _2\), and \(\chi _3\), while in the latter we generate random enforceable and monitorable MFOTL formulae.
Parameter d is the depth of the generated random formulae, while I defines the sample space for the bounds of temporal operator intervals: \(\lbrace (i,j) \in \lbrace 0, \dots , I\rbrace ^2 \mid i \le j\rbrace \).
Random traces have length \(L\cdot n\) with timestamps \(1, 2, \dots , L\), each repeated n times. Event names are sampled uniformly from \(\mathbb {E}=\{\texttt {A},\texttt {B},\texttt {C}\}\), while their arguments are sampled uniformly from \(\lbrace 1, \dots , A\rbrace \). The number of events in a database is sampled according to the binomial distribution with n trials and success probability p.
Given parameters \(n, A, d, I \in \mathbb {N}\) and \(p \in [0,1]\), both tools are executed on pairs of independently generated random traces and enforceable and monitorable \(\textrm{MFOTL}_{{\square }}^{\mathcal {F}}\) formulae with the same combinations of parameters repeated N times.
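The random trace generation described above, written out as an added example; this is not the paper's own benchmark generator. The event arity (the appendix fixes only the argument domain, not the number of arguments), the MonPoly-style `@timestamp Name(args)` line format, and the `check_trace` validator are assumptions of this example.

```python
import random
from dataclasses import dataclass

# Event alphabet E = {A, B, C} as stated in the appendix.
EVENT_NAMES = ("A", "B", "C")


@dataclass
class Database:
    """One time-point of the trace: a timestamp and its set of events."""
    timestamp: int
    events: list  # list of (name, args) pairs


def sample_database(rng, ts, n, p, A, arity):
    """Sample one database: the number of events is Binomial(n, p),
    realised here as n Bernoulli trials with success probability p.
    Names are uniform over E, arguments uniform over {1, ..., A}.
    The arity is an assumption of this example."""
    count = sum(1 for _ in range(n) if rng.random() < p)
    events = []
    for _ in range(count):
        name = rng.choice(EVENT_NAMES)
        args = tuple(rng.randint(1, A) for _ in range(arity))
        events.append((name, args))
    return Database(ts, events)


def generate_trace(L, n, p, A, arity=1, seed=0):
    """Trace of length L*n with timestamps 1, ..., L, each repeated n times.
    A fixed seed makes the trace reproducible across tool runs."""
    rng = random.Random(seed)
    trace = []
    for ts in range(1, L + 1):
        for _ in range(n):
            trace.append(sample_database(rng, ts, n, p, A, arity))
    return trace


def format_monpoly(trace):
    """Render the trace in the MonPoly-style log syntax assumed here:
    one line per time-point, '@ts Name(a1,a2) Name(b1,b2) ...'."""
    lines = []
    for db in trace:
        evs = " ".join(f"{name}({','.join(map(str, args))})"
                       for name, args in db.events)
        lines.append(f"@{db.timestamp} {evs}".rstrip())
    return "\n".join(lines) + "\n"


def check_trace(trace, L, n, A, arity):
    """Validate a trace against the appendix's parameter description:
    L*n databases, timestamp i//n + 1 at position i, at most n events
    per database, names in E, arguments in {1, ..., A}."""
    if len(trace) != L * n:
        return False
    for idx, db in enumerate(trace):
        if db.timestamp != idx // n + 1:
            return False
        if len(db.events) > n:
            return False
        for name, args in db.events:
            if name not in EVENT_NAMES or len(args) != arity:
                return False
            if any(not 1 <= a <= A for a in args):
                return False
    return True


if __name__ == "__main__":
    tr = generate_trace(L=3, n=4, p=0.5, A=5, arity=2, seed=7)
    print(format_monpoly(tr), end="")
    print("valid:", check_trace(tr, 3, 4, 5, 2))
```

Repeating `generate_trace` with the same seed and parameters N times, as the appendix does for each parameter combination, yields identical traces for both tools under comparison, so measured differences come from the enforcers rather than from the input.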
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Hublet, F., Basin, D., Krstić, S. (2022). Real-Time Policy Enforcement with Metric First-Order Temporal Logic. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13555. Springer, Cham. https://doi.org/10.1007/978-3-031-17146-8_11
DOI: https://doi.org/10.1007/978-3-031-17146-8_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-17145-1
Online ISBN: 978-3-031-17146-8
eBook Packages: Computer Science, Computer Science (R0)