Efficient Runtime Policy Enforcement Using Counterexample-Guided Abstraction Refinement

  • Matthew Fredrikson
  • Richard Joiner
  • Somesh Jha
  • Thomas Reps
  • Phillip Porras
  • Hassen Saïdi
  • Vinod Yegneswaran
Conference paper

DOI: 10.1007/978-3-642-31424-7_39

Part of the Lecture Notes in Computer Science book series (LNCS, volume 7358)
Cite this paper as:
Fredrikson M. et al. (2012) Efficient Runtime Policy Enforcement Using Counterexample-Guided Abstraction Refinement. In: Madhusudan P., Seshia S.A. (eds) Computer Aided Verification. CAV 2012. Lecture Notes in Computer Science, vol 7358. Springer, Berlin, Heidelberg

Abstract

Stateful security policies—which specify restrictions on behavior in terms of temporal safety properties—are a powerful tool for administrators to control the behavior of untrusted programs. However, the runtime overhead required to enforce them on real programs can be high. This paper describes a technique for rewriting programs to incorporate runtime checks so that all executions of the resulting program either satisfy the policy, or halt before violating it. By introducing a rewriting step before runtime enforcement, we are able to perform static analysis to optimize the code introduced to track the policy state. We developed a novel analysis, which builds on abstraction-refinement techniques, to derive a set of runtime policy checks to enforce a given policy—as well as their placement in the code. Furthermore, the abstraction refinement is tunable by the user, so that additional time spent in analysis results in fewer dynamic checks, and therefore more efficient code. We report experimental results on an implementation of the algorithm that supports policy checking for JavaScript programs.
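To make the enforcement model described in the abstract concrete, the following is an added JavaScript example, not code from the paper or from its implementation. It expresses a stateful policy as a finite-state safety automaton, inlines a monitor that advances the automaton on each security-relevant call and halts before a violating transition, and performs a minimal rewriting step that instruments only the host API calls in the policy's alphabet (calls outside it cannot change the policy state, so no check is placed there). The policy itself (no `sendNetwork` after `readSecret`), the host API names, and the two untrusted scripts are constructed for illustration; the paper's abstraction-refinement analysis, which prunes checks further, is not reproduced here.

```javascript
// Added example (not the paper's code). A stateful security policy as a
// finite-state safety automaton over security-relevant API events.
// Constructed policy: a script may not call `sendNetwork` once it has
// called `readSecret`. Any event outside the alphabet is policy-irrelevant.
const POLICY = {
  start: 0, // state 0: nothing sensitive read yet; state 1: secret has been read
  alphabet: new Set(["readSecret", "sendNetwork"]),
  // transitions[state][event] -> next state; a missing entry is a violation
  transitions: {
    0: { readSecret: 1, sendNetwork: 0 },
    1: { readSecret: 1 }, // sendNetwork from state 1 is the violation
  },
};

class PolicyViolation extends Error {}

// The runtime monitor that the rewriting step inlines into the program.
// `step` is called *before* the guarded call, so the program halts before
// the violating action happens rather than after.
function makeMonitor(policy) {
  let state = policy.start;
  return {
    step(event) {
      const next = policy.transitions[state][event];
      if (next === undefined) {
        throw new PolicyViolation(`policy violated: ${event} in state ${state}`);
      }
      state = next;
    },
    get state() { return state; },
  };
}

// Constructed stand-in for a host environment's API; `log` records which
// calls actually executed.
function makeHostApi(log) {
  return {
    readSecret: () => { log.push("readSecret"); return "constructed-secret"; },
    sendNetwork: (data) => { log.push("sendNetwork"); return data.length; },
    formatDate: (d) => { log.push("formatDate"); return String(d); }, // not policy-relevant
  };
}

// Rewriting step: wrap only API functions named in the policy alphabet.
// This is the simplest form of check placement; the paper's analysis
// additionally removes checks whose outcome it can decide statically.
function rewrite(api, policy) {
  const monitor = makeMonitor(policy);
  const stats = { checks: 0 };
  const wrapped = {};
  for (const [name, fn] of Object.entries(api)) {
    wrapped[name] = policy.alphabet.has(name)
      ? (...args) => { stats.checks++; monitor.step(name); return fn(...args); }
      : fn;
  }
  return { api: wrapped, monitor, stats };
}

// Two constructed untrusted scripts run against the rewritten API.
function benignScript(api) {
  api.formatDate(1);
  api.sendNetwork("hello"); // allowed: nothing sensitive read yet
  api.readSecret();
  api.formatDate(2);        // allowed: formatDate is not in the alphabet
}

function maliciousScript(api) {
  const s = api.readSecret();
  api.sendNetwork(s);       // halted by the monitor before the send executes
}

// Runs a script under enforcement and reports what happened.
function run(script, policy = POLICY) {
  const log = [];
  const { api, monitor, stats } = rewrite(makeHostApi(log), policy);
  let violated = false;
  try {
    script(api);
  } catch (e) {
    if (!(e instanceof PolicyViolation)) throw e;
    violated = true;
  }
  return { violated, checks: stats.checks, log, finalState: monitor.state };
}

console.log(run(benignScript));    // violated: false, checks: 2, 4 calls logged
console.log(run(maliciousScript)); // violated: true, log: ["readSecret"] only
```

Note that the policy-irrelevant `formatDate` calls carry no check at all, which is the placement decision the abstract describes at its simplest: the number of dynamic checks is bounded by the number of call sites that can change the automaton state, and a stronger static analysis only shrinks that set further.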


Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Matthew Fredrikson (1)
  • Richard Joiner (1)
  • Somesh Jha (1)
  • Thomas Reps (1, 2)
  • Phillip Porras (3)
  • Hassen Saïdi (3)
  • Vinod Yegneswaran (3)
  1. University of Wisconsin, Madison, USA
  2. GrammaTech, Inc., Ithaca, USA
  3. SRI International, Menlo Park, USA
