Edit automata: enforcement mechanisms for run-time security policies

Regular contribution


We analyze the space of security policies that can be enforced by monitoring and modifying programs at run time. Our program monitors, called edit automata, are abstract machines that examine the sequence of application program actions and transform the sequence when it deviates from a specified policy. Edit automata have a rich set of transformational powers: they may terminate an application, thereby truncating the program action stream; they may suppress undesired or dangerous actions without necessarily terminating the program; and they may also insert additional actions into the event stream.

After providing a formal definition of edit automata, we develop a rigorous framework for reasoning about them and their cousins: truncation automata (which can only terminate applications), suppression automata (which can terminate applications and suppress individual actions), and insertion automata (which can terminate and insert). We give a set-theoretic characterization of the policies each sort of automaton can enforce, and we provide examples of policies that can be enforced by one sort of automaton but not another.
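An added illustration, not taken from the paper: a minimal Python monitor showing the three powers the abstract lists (terminate, suppress, insert) next to a truncation-only monitor for the same policy. The policy, the action names and the functions `run`, `edit_step` and `truncation_step` are assumptions made for this example; they are not the paper's formal definition.

```python
from typing import Callable, Iterable, List, Tuple

# One monitor step: (state, action) -> (new_state, actions_to_emit, halt)
Step = Callable[[dict, str], Tuple[dict, List[str], bool]]

def run(step: Step, actions: Iterable[str]) -> List[str]:
    """Feed the program's action stream through a monitor; return what actually executes."""
    state, out = {"open": False, "tainted": False}, []
    for a in actions:
        state, emit, halt = step(state, a)
        out.extend(emit)
        if halt:
            break  # truncation: the rest of the stream never runs
    return out

def edit_step(state, a):
    """Constructed policy: write needs a prior open; no send after read_secret; drop debug."""
    if a == "debug":
        return state, [], False                       # suppress, keep running
    if a == "send" and state["tainted"]:
        return state, [], True                        # terminate the program
    if a == "write" and not state["open"]:
        # insert the missing open ahead of the write
        return {**state, "open": True}, ["open", "write"], False
    if a == "open":
        state = {**state, "open": True}
    if a == "read_secret":
        state = {**state, "tainted": True}
    return state, [a], False                          # action accepted unchanged

def truncation_step(state, a):
    """Same policy, but the only available response to a violation is to halt."""
    new_state, emit, halt = edit_step(state, a)
    if emit == [a] and not halt:
        return new_state, emit, False                 # accepted unchanged
    return state, [], True                            # any edit becomes termination

# Constructed trace of program actions.
SAMPLE = ["debug", "write", "read_secret", "write", "send", "write"]

if __name__ == "__main__":
    print("edit automaton:      ", run(edit_step, SAMPLE))
    print("truncation automaton:", run(truncation_step, SAMPLE))
```

On the sample trace the edit monitor repairs the stream and lets the program run until the disallowed `send`, while the truncation-only monitor has to stop at the very first deviation.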


Keywords: Run-time checking and monitoring; Security automata; Classification of security policies; Language-based security





Copyright information

© Springer-Verlag 2004

Authors and Affiliations

  1. Princeton University, Princeton, USA
  2. Carnegie Mellon University, Pittsburgh, USA
