Policy ignorant caller-side inline reference monitoring

  • Dries Vanoverberghe
  • Frank Piessens


Runtime security policy enforcement systems are crucial to limit the risks associated with running untrustworthy (malicious or buggy) code. The inlined reference monitor approach to policy enforcement, pioneered by Erlingsson and Schneider, implements runtime enforcement through program rewriting: security checks are inserted inside untrusted programs. Ensuring complete mediation—the guarantee that every security-relevant event is actually intercepted by the monitor—is non-trivial when the program rewriter operates on an object-oriented intermediate language with state-of-the-art features such as virtual methods and delegates. This paper proposes a caller-side rewriting algorithm for MSIL—the bytecode of the .NET virtual machine—where security checks are inserted around calls to security-relevant methods. We prove that this algorithm achieves sound and complete mediation and transparency for a simplified model of MSIL and report on our experiences with the implementation of the algorithm for full MSIL.
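
The mediation problem described in the abstract, as an added toy model in Python (not the paper's algorithm or its MSIL implementation): a rewriter that trusts the statically declared call target misses an override reached through virtual dispatch, while one that instruments every call site that may dispatch to a security-relevant method, and resolves the actual target at run time, intercepts it. Assumptions: the class hierarchy, `Socket.Send` as the security-relevant method, the sample policy, a single check before the call rather than checks around it, and the reading of "policy ignorant" as a rewriter that never sees the policy.

```python
# Constructed toy model, not MSIL: an instruction is (op, static_target, runtime_class).
# runtime_class stands in for the receiver object; rewrite() copies it but never reads it.
SECURITY_RELEVANT = {"Socket.Send"}  # assumed security-relevant method
CLASSES = {"Stream": (None, {"Send"}), "Socket": ("Stream", {"Send"}),
           "MemoryStream": ("Stream", set())}  # class -> (parent, own methods)

def ancestors(cls):  # cls, then its superclasses
    while cls is not None:
        yield cls
        cls = CLASSES[cls][0]

def resolve(runtime_class, name):
    """Virtual dispatch: the most derived definition of `name` wins."""
    for cls in ancestors(runtime_class):
        if name in CLASSES[cls][1]:
            return f"{cls}.{name}"
    raise LookupError(name)

def may_dispatch_to_relevant(static_target):
    """True if a subclass of the declared class resolves to a relevant method."""
    declared, name = static_target.split(".")
    return any(declared in ancestors(c) and resolve(c, name) in SECURITY_RELEVANT
               for c in CLASSES)

def rewrite(program, naive=False):
    """Caller-side inlining; takes no policy. naive=True trusts the static target."""
    out = []
    for op, target, runtime_class in program:
        hit = target in SECURITY_RELEVANT if naive else may_dispatch_to_relevant(target)
        if op == "callvirt" and hit:
            out.append(("check", target, runtime_class))
        out.append((op, target, runtime_class))
    return out

def run(program, policy):
    """Interpret the program; the policy is supplied only here, at run time."""
    trace = []
    for op, target, runtime_class in program:
        actual = resolve(runtime_class, target.split(".")[1])
        if op == "check" and actual in SECURITY_RELEVANT and not policy(actual, trace):
            return trace + [("blocked", actual)]
        if op == "callvirt":
            trace.append(("call", actual))
    return trace

def at_most_one_send(method, trace):  # constructed sample policy
    return ("call", method) not in trace

# Declared type is Stream at every call site; two receivers are Sockets at run time.
PROGRAM = [("callvirt", "Stream.Send", s) for s in ("Socket", "MemoryStream", "Socket")]
```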


Keywords: Security policy enforcement; Inline reference monitor; Policy ignorant



Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. iMinds-DistriNet, KU Leuven, Celestijnenlaan, Leuven, Belgium
