Edit automata: enforcement mechanisms for run-time security policies
- First Online:
- 324 Downloads
We analyze the space of security policies that can be enforced by monitoring and modifying programs at run time. Our program monitors, called edit automata, are abstract machines that examine the sequence of application program actions and transform the sequence when it deviates from a specified policy. Edit automata have a rich set of transformational powers: they may terminate an application, thereby truncating the program action stream; they may suppress undesired or dangerous actions without necessarily terminating the program; and they may also insert additional actions into the event stream.
After providing a formal definition of edit automata, we develop a rigorous framework for reasoning about them and their cousins: truncation automata (which can only terminate applications), suppression automata (which can terminate applications and suppress individual actions), and insertion automata (which can terminate and insert). We give a set-theoretic characterization of the policies each sort of automaton can enforce, and we provide examples of policies that can be enforced by one sort of automaton but not another.
KeywordsRun-time checking and monitoring Security automata Classification of security policies Language-based security
Unable to display preview. Download preview PDF.
- 2.Bauer L, Ligatti J, Walker D (2002) More enforceable security policies. In: Foundations of Computer Security, proceedings of the FLoC’02 workshop on foundations of computer security, Copenhagen, Denmark, 25–26 July 2002, pp 95–104Google Scholar
- 3.Bauer L, Ligatti J, Walker D (2004) A language and system for enforcing run-time security policies. Technical Report TR-699-04, Princeton University, January 2004Google Scholar
- 4.Colcombet T, Fradet P (2000) Enforcing trace properties by program transformation. In: Proceedings of the 27th ACM symposium on principles of programming languages, Boston, January 2000. ACM Press, New York, pp 54–66Google Scholar
- 5.Elmasri R, Navathe SB (1994) Fundamentals of database systems. Benjamin/Cummings, San FranciscoGoogle Scholar
- 6.Evans D, Twyman A (1999) Flexible policy-directed code safety. In: Proceedings of the 1999 IEEE symposium on security and privacy, Oakland, CA, May 1999Google Scholar
- 7.Fong PWL (2004) Access control by tracking shallow execution history. In: Proceedings of the 2004 IEEE symposium on security and privacy, Oakland, CA, May 2004Google Scholar
- 8.Hamlen K, Morrisett G, Schneider F (2003) Computability classes for enforcement mechanisms. Technical Report TR2003-1908, Cornell University, Ithaca, NYGoogle Scholar
- 9.Kiczales G, Hilsdale E, Hugunin J, Kersten M, Palm J, Griswold W (2001) An overview of AspectJ. In: Proceedings of the European conference on object-oriented programming. Springer, Berlin Heidelberg New YorkGoogle Scholar
- 10.Kim M, Kannan S, Lee I, Sokolsky O, Viswantathan M (2002) Computational analysis of run-time monitoring – fundamentals of Java-MaC. Electronic notes in theoretical computer science, vol 70. Elsevier, AmsterdamGoogle Scholar
- 11.Kim M, Viswanathan M, Ben-Abdallah H, Kannan S, Lee I, Sokolsky O (1999) Formally specified monitoring of temporal properties. In: Proceedings of the European conference on real-time systems, York, UK, June 1999Google Scholar
- 14.Sandholm A, Schwartzbach M (1998) Distributed safety controllers for web services. In: Fundamental approaches to software engineering. Lecture notes in computer science, vol 1382. Springer, Berlin Heidelberg New York, pp 270–284Google Scholar
- 15.Thiemann P (2001) Enforcing security properties by type specialization. In: Proceedings of the European symposium on programming, Genova, Italy, April 2001Google Scholar
- 16.Erlingsson Ú, Schneider FB (1999) SASI enforcement of security policies: a retrospective. In: Proceedings of the New Security Paradigms workshop, Caledon Hills, Canada, pp 87–95, September 1999Google Scholar
- 17.Erlingsson Ú, Schneider FB (2000) IRM enforcement of Java stack inspection. In: Proceedings of the 2000 IEEE symposium on security and privacy, Oakland, CA, May 2000, pp 246–255Google Scholar
- 18.Viswanathan M (2000) Foundations for the run-time analysis of software systems. PhD thesis, University of PennsylvaniaGoogle Scholar
- 19.Walker D (2000) A type system for expressive security policies. In: Proceedings of the 27th ACM symposium on principles of programming languages, Boston, January 2000, pp 254–267Google Scholar