Efficient Runtime Policy Enforcement Using Counterexample-Guided Abstraction Refinement

  • Matthew Fredrikson
  • Richard Joiner
  • Somesh Jha
  • Thomas Reps
  • Phillip Porras
  • Hassen Saïdi
  • Vinod Yegneswaran
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7358)


Stateful security policies—which specify restrictions on behavior in terms of temporal safety properties—are a powerful tool for administrators to control the behavior of untrusted programs. However, the runtime overhead required to enforce them on real programs can be high. This paper describes a technique for rewriting programs to incorporate runtime checks so that all executions of the resulting program either satisfy the policy, or halt before violating it. By introducing a rewriting step before runtime enforcement, we are able to perform static analysis to optimize the code introduced to track the policy state. We developed a novel analysis, which builds on abstraction-refinement techniques, to derive a set of runtime policy checks to enforce a given policy—as well as their placement in the code. Furthermore, the abstraction refinement is tunable by the user, so that additional time spent in analysis results in fewer dynamic checks, and therefore more efficient code. We report experimental results on an implementation of the algorithm that supports policy checking for JavaScript programs.
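To make the rewriting step concrete, here is an added illustration that is not the paper's code or tool: a stateful policy (the classic "no send after read" temporal safety property) expressed as a finite automaton, and a wrapper that instruments policy-relevant API calls so that a violating call is halted before it executes. The API names (`readCookie`, `sendData`, `log`), event labels and sample programs are constructed for the example.

```javascript
// Added example (not the paper's code): a stateful "no send after read" policy
// enforced by an inlined reference monitor. All names below are hypothetical.
class PolicyViolation extends Error {}

// Temporal safety policy as a finite automaton over security-relevant events.
// States: 0 = nothing sensitive read yet, 1 = sensitive data has been read.
// A 'send' event in state 1 is forbidden; every other event is allowed.
const noSendAfterRead = {
  initial: 0,
  step(state, event) {
    if (event === 'read') return 1;
    if (event === 'send' && state === 1) return null; // null = violation
    return state;
  },
};

// Rewriting step: wrap each policy-relevant API function so the monitor
// observes the event and halts *before* the underlying call is executed.
function instrument(api, events, policy) {
  let state = policy.initial;
  const trace = [];
  const wrapped = {};
  for (const [name, fn] of Object.entries(api)) {
    const event = events[name];
    wrapped[name] = event === undefined
      ? fn // not policy-relevant: no check (the kind of check static analysis can drop)
      : (...args) => {
          const next = policy.step(state, event);
          if (next === null) throw new PolicyViolation(`'${event}' forbidden in state ${state}`);
          state = next;
          trace.push(event);
          return fn(...args);
        };
  }
  return { wrapped, trace, getState: () => state };
}

// Runs a constructed untrusted program against a constructed host API.
function runUntrusted(program) {
  const sent = [];
  const api = {
    readCookie: () => 'session=abc', // constructed sensitive value
    sendData: (d) => { sent.push(d); },
    log: (m) => m,
  };
  const mon = instrument(api, { readCookie: 'read', sendData: 'send' }, noSendAfterRead);
  let violated = false;
  try { program(mon.wrapped); } catch (e) { if (e instanceof PolicyViolation) violated = true; else throw e; }
  return { violated, sent, trace: mon.trace, state: mon.getState() };
}
```

A program that reads the cookie and then calls `sendData` is stopped with `sent` still empty, which is the "halt before violating" guarantee; the same two calls in the opposite order are permitted.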


Keywords: Model Checking, Security Policy, Symbolic Execution, Runtime Overhead, Predicate Abstraction





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Matthew Fredrikson, Richard Joiner, Somesh Jha, Thomas Reps: University of Wisconsin, Madison, USA
  • Thomas Reps: Grammatech, Inc., Ithaca, USA
  • Phillip Porras, Hassen Saïdi, Vinod Yegneswaran: SRI International, Menlo Park, USA
