Aspect-Oriented Runtime Monitor Certification

  • Kevin W. Hamlen
  • Micah M. Jones
  • Meera Sridhar
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7214)


In-lining runtime monitors into untrusted binary programs via aspect-weaving is an increasingly popular technique for efficiently and flexibly securing untrusted mobile code. However, the complexity of the monitor implementation and in-lining process in these frameworks can lead to vulnerabilities and low assurance for code-consumers. This paper presents a machine-verification technique for aspect-oriented in-lined reference monitors based on abstract interpretation and model-checking. Rather than relying upon trusted advice, the system verifies semantic properties expressed in a purely declarative policy specification language. Experiments on a variety of real-world policies and Java applications demonstrate that the approach is practical and effective.


Abstract interpretation in-lined reference monitors model-checking security 


  1. 1.
    Aktug, I., Dam, M., Gurov, D.: Provably Correct Runtime Monitoring. In: Cuellar, J., Sere, K. (eds.) FM 2008. LNCS, vol. 5014, pp. 262–277. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  2. 2.
    Aktug, I., Naliuka, K.: ConSpec - a formal language for policy specification. Science of Comput. Prog. 74, 2–12 (2008)MathSciNetzbMATHCrossRefGoogle Scholar
  3. 3.
    Alpern, B., Schneider, F.B.: Recognizing safety and liveness. Distributed Computing 2, 117–126 (1986)CrossRefGoogle Scholar
  4. 4.
    Chen, F., Roşu, G.: Java-MOP: A Monitoring Oriented Programming Environment for Java. In: Halbwachs, N., Zuck, L.D. (eds.) TACAS 2005. LNCS, vol. 3440, pp. 546–550. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  5. 5.
    Cousot, P., Cousot, R.: Abstract interpretation: A unified lattice model for static analysis of programs by construction or approximation of fixpoints. In: Proc. Sym. on Principles of Prog. Lang., pp. 234–252 (1977)Google Scholar
  6. 6.
    Dam, M., Jacobs, B., Lundblad, A., Piessens, F.: Security Monitor Inlining for Multithreaded Java. In: Drossopoulou, S. (ed.) ECOOP 2009. LNCS, vol. 5653, pp. 546–569. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Dantas, D.S., Walker, D.: Harmless advice. In: Proc. ACM Sym. on Principles of Prog. Lang. (POPL), pp. 383–396 (2006)Google Scholar
  8. 8.
    Dantas, D.S., Walker, D., Washburn, G., Weirich, S.: AspectML: A polymorphic aspect-oriented functional programming language. ACM Trans. Prog. Lang. and Systems 30(3) (2008)Google Scholar
  9. 9.
    DeVries, B.W., Gupta, G., Hamlen, K.W., Moore, S., Sridhar, M.: ActionScript bytecode verification with co-logic programming. In: Proc. ACM Workshop on Prog. Lang. and Analysis for Security (PLAS), pp. 9–15 (2009)Google Scholar
  10. 10.
    Erlingsson, Ú.: The Inlined Reference Monitor Approach to Security Policy Enforcement. Ph.D. thesis, Cornell University, Ithaca, New York (2004)Google Scholar
  11. 11.
    Erlingsson, Ú., Schneider, F.B.: SASI enforcement of security policies: A retrospective. In: Proc. New Security Paradigms Workshop (NSPW), pp. 87–95 (1999)Google Scholar
  12. 12. Executable file types (2011),
  13. 13.
    Flatt, M., Krishnamurthi, S., Felleisen, M.: Classes and mixins. In: Proc. ACM Sym. on Principles of Prog. Lang. (POPL), pp. 171–183 (1998)Google Scholar
  14. 14.
    Hamlen, K.W., Jones, M.: Aspect-oriented in-lined reference monitors. In: Proc. ACM Workshop on Prog. Lang. and Analysis for Security (PLAS), pp. 11–20 (2008)Google Scholar
  15. 15.
    Hamlen, K.W., Jones, M.M., Sridhar, M.: Chekov: Aspect-oriented runtime monitor certification via model-checking (extended version). Tech. rep., Dept. of Comput. Science, U. Texas at Dallas (May 2011)Google Scholar
  16. 16.
    Hamlen, K.W., Mohan, V., Masud, M.M., Khan, L., Thuraisingham, B.: Exploiting an antivirus interface. Comput. Standards & Interfaces J. 31(6), 1182–1189 (2009)CrossRefGoogle Scholar
  17. 17.
    Hamlen, K.W., Morrisett, G., Schneider, F.B.: Certified in-lined reference monitoring on. NET. In: Proc. ACM Workshop on Prog. Lang. and Analysis for Security (PLAS), pp. 7–16 (2006)Google Scholar
  18. 18.
    Hamlen, K.W., Morrisett, G., Schneider, F.B.: Computability classes for enforcement mechanisms. ACM Trans. Prog. Lang. and Systems 28(1), 175–205 (2006)CrossRefGoogle Scholar
  19. 19.
    Jaffar, J., Maher, M.J.: Constraint logic programming: A survey. J. Log. Program., 503–581 (1994)Google Scholar
  20. 20.
    Jones, M., Hamlen, K.W.: Enforcing IRM security policies: Two case studies. In: Proc. IEEE Intelligence and Security Informatics (ISI) Conf., pp. 214–216 (2009)Google Scholar
  21. 21.
    Jones, M., Hamlen, K.W.: Disambiguating aspect-oriented policies. In: Proc. Int. Conf. on Aspect-Oriented Software Development (AOSD), pp. 193–204 (2010)Google Scholar
  22. 22.
    Kiczales, G., Hilsdale, E., Hugunin, J., Kersten, M., Palm, J., Griswold, W.G.: An Overview of AspectJ. In: Lee, S.H. (ed.) ECOOP 2001. LNCS, vol. 2072, pp. 327–353. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  23. 23.
    Li, Z., Wang, X.: FIRM: Capability-based inline mediation of Flash behaviors. In: Proc. Annual Comput. Security Applications Conf. (ACSAC), pp. 181–190 (2010)Google Scholar
  24. 24.
    Ligatti, J.A.: Policy Enforcement via Program Monitoring. Ph.D. thesis, Princeton University, Princeton, New Jersey (2006)Google Scholar
  25. 25.
    Ligatti, J., Bauer, L., Walker, D.: Edit automata: Enforcement mechanisms for run-time security policies. Int. J. Information Security 4(1-2), 2–16 (2005)CrossRefGoogle Scholar
  26. 26.
    Ligatti, J., Bauer, L., Walker, D.: Run-time enforcement of nonsafety policies. ACM Trans. Information and Systems Security 12(3) (2009)Google Scholar
  27. 27.
    Schneider, F.B.: Enforceable security policies. ACM Trans. Information and Systems Security 3(1), 30–50 (2000)CrossRefGoogle Scholar
  28. 28.
    Shah, V., Hill, F.: An aspect-oriented security framework. In: Proc. DARPA Information Survivability Conf. and Exposition, vol. 2 (2003)Google Scholar
  29. 29.
    Sridhar, M., Hamlen, K.W.: ActionScript In-Lined Reference Monitoring in Prolog. In: Carro, M., Peña, R. (eds.) PADL 2010. LNCS, vol. 5937, pp. 149–151. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  30. 30.
    Sridhar, M., Hamlen, K.W.: Model-Checking In-Lined Reference Monitors. In: Barthe, G., Hermenegildo, M. (eds.) VMCAI 2010. LNCS, vol. 5944, pp. 312–327. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  31. 31.
    Sridhar, M., Hamlen, K.W.: Flexible in-lined reference monitor certification: Challenges and future directions. In: Proc. ACM Workshop on Prog. Lang. meets Program Verification (PLPV), pp. 55–60 (2011)Google Scholar
  32. 32.
    Viega, J., Bloch, J.T., Chandra, P.: Applying aspect-oriented programming to security. Cutter IT J. 14(2) (2001)Google Scholar
  33. 33.
    Walker, D.: A type system for expressive security policies. In: Proc. of ACM Sym. on Principles of Prog. Lang. (POPL) (2000)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Kevin W. Hamlen
    • 1
  • Micah M. Jones
    • 1
  • Meera Sridhar
    • 1
  1. 1.University of TexasDallasUSA

Personalised recommendations