Formal Methods in System Design

, Volume 38, Issue 3, pp 223–262 | Cite as

Runtime enforcement monitors: composition, synthesis, and enforcement abilities

  • Yliès FalconeEmail author
  • Laurent Mounier
  • Jean-Claude Fernandez
  • Jean-Luc Richier


Runtime enforcement is a powerful technique to ensure that a program will respect a given set of properties. We extend previous work on this topic in several directions. Firstly, we propose a generic notion of enforcement monitors based on a memory device and finite sets of control states and enforcement operations. Moreover, we specify their enforcement abilities w.r.t. the general Safety-Progress classification of properties. Furthermore, we propose a systematic technique to produce a monitor from the automaton recognizing a given safety, guarantee, obligation or response property. Finally, we show that this notion of enforcement monitors is more amenable to implementation and encompasses previous runtime enforcement mechanisms.


Runtime enforcement Monitor Safety-progress classification Monitor synthesis Composition 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Havelund K, Goldberg A (2008) Verify your runs. In: Verified software: theories, tools, experiments: first IFIP TC 2/WG 2.3 conference, revised selected papers and discussions, VSTTE 2005, Zurich, Switzerland, October 10–13, 2005, pp 374–383 Google Scholar
  2. 2.
    Leucker M, Schallhart C (2009) A brief account of runtime verification. J Log Algebr Program 78:293–303 CrossRefzbMATHGoogle Scholar
  3. 3.
    Schneider FB (2000) Enforceable security policies. ACM Trans Inf Syst Secur 3:30–50 CrossRefGoogle Scholar
  4. 4.
    Hamlen KW, Morrisett G, Schneider FB (2006) Computability classes for enforcement mechanisms. ACM Trans Program Lang Syst 28:175–205 CrossRefGoogle Scholar
  5. 5.
    Viswanathan M (2000) Foundations for the run-time analysis of software systems. PhD thesis, University of Pennsylvania, Philadelphia, PA, USA, Supervisor-Sampath Kannan and Supervisor-Insup Lee Google Scholar
  6. 6.
    Ligatti J, Bauer L, Walker D (2009) Run-time enforcement of nonsafety policies. ACM Trans Inf Syst Secur 12 Google Scholar
  7. 7.
    Ligatti J, Bauer L, Walker D (2005) Enforcing non-safety security policies with program monitors. In: ESORICS, pp 355–373 CrossRefGoogle Scholar
  8. 8.
    Fong PWL (2004) Access control by tracking shallow execution history. In: Proceedings of the 2004 IEEE symposium on security and privacy. IEEE Computer Society Press, Los Alamitos, pp 43–55 CrossRefGoogle Scholar
  9. 9.
    Manna Z, Pnueli A (1987) A hierarchy of temporal properties. In: PODC’87: proceedings of the sixth annual ACM symposium on principles of distributed computing. ACM, New York, pp 205–205 CrossRefGoogle Scholar
  10. 10.
    Chang EY, Manna Z, Pnueli A (1992) Characterization of temporal property classes. In: Automata, languages and programming, pp 474–486 Google Scholar
  11. 11.
    Lamport L (1977) Proving the correctness of multiprocess programs. IEEE Trans Softw Eng 3:125–143 CrossRefMathSciNetGoogle Scholar
  12. 12.
    Alpern B, Schneider FB (1985) Defining liveness. Inf Process Lett 21:181–185 CrossRefzbMATHMathSciNetGoogle Scholar
  13. 13.
    Falcone Y, Fernandez JC, Mounier L (2008) Synthesizing enforcement monitors wrt the safety-progress classification of properties. In: Sekar R, Pujari AK (eds) ICISS. Lecture notes in computer science, vol 5352, pp 41–55 Google Scholar
  14. 14.
    Chang E, Manna Z, Pnueli A (1992) The safety-progress classification. Technical report, Stanford University, Dept of Computer Science Google Scholar
  15. 15.
    Streett RS (1981) Propositional dynamic logic of looping and converse. In: STOC’81: proceedings of the thirteenth annual ACM symposium on theory of computing. ACM, New York, pp 375–383 CrossRefGoogle Scholar
  16. 16.
    Falcone Y, Fernandez JC, Mounier L (2009) Runtime verification of safety-progress properties. In: Bensalem S, Peled D (eds) RV. Lecture notes in computer science, vol 5779. Springer, Berlin, pp 40–59 Google Scholar
  17. 17.
    Hamlen KW (2006) Security policy enforcement by automated program-rewriting. PhD thesis, Cornell University Google Scholar
  18. 18.
    Ligatti JA (2006) Policy enforcement via program monitoring. PhD thesis, Princeton University Google Scholar
  19. 19.
    Bauer L, Ligatti J, Walker D (2009) Composing expressive runtime security policies. ACM Trans Softw Eng Methodol 18 Google Scholar
  20. 20.
    Martinelli F, Matteucci I (2007) Through modeling to synthesis of security automata. Electron Notes Theor Comput Sci 179:31–46 CrossRefGoogle Scholar
  21. 21.
    Matteucci I (2007) Automated synthesis of enforcing mechanisms for security properties in a timed setting. Electron Notes Theor Comput Sci 186:101–120 CrossRefMathSciNetGoogle Scholar
  22. 22.
    Erlingsson U, Schneider FB (2000) IRM enforcement of Java stack inspection. In: IEEE symposium on security and privacy, pp 246–255 Google Scholar
  23. 23.
    Erlingsson U, Schneider FB (2000) SASI enforcement of security policies: a retrospective. In: WNSP: new security paradigms workshop. ACM Press, New York Google Scholar
  24. 24.
    Kiczales G, Lamping J, Mendhekar A, Maeda C, Lopes C, Loingtier JM, Irwin J (1997) Aspect-oriented programming. Springer, Berlin Google Scholar
  25. 25.
    Falcone Y, Fernandez JC, Mounier L (2009) Enforcement monitoring wrt the safety-progress classification of properties. In: SAC’09: proceedings of the 2009 ACM symposium on applied computing. ACM, New York, pp 593–600 CrossRefGoogle Scholar
  26. 26.
    The Apache Jakarta Project: Byte Code Engineering Library (2008)
  27. 27.
    Nethercote N, Seward J (2007) Valgrind: a framework for heavyweight dynamic binary instrumentation. ACM SIGPLAN Not 42:89–100 CrossRefGoogle Scholar

Copyright information

© Springer Science+Business Media, LLC 2011

Authors and Affiliations

  • Yliès Falcone
    • 1
    Email author
  • Laurent Mounier
    • 1
  • Jean-Claude Fernandez
    • 1
  • Jean-Luc Richier
    • 2
  1. 1.Grenoble INP, CNRS VERIMAGUJF-Grenoble 1GrenobleFrance
  2. 2.Grenoble INP, CNRS LIGUJF-Grenoble 1GrenobleFrance

Personalised recommendations