Conference Paper

Enforcing Non-safety Security Policies with Program Monitors.

DOI: 10.1007/11555827_21 Conference: Computer Security - ESORICS 2005, 10th European Symposium on Research in Computer Security, Milan, Italy, September 12-14, 2005, Proceedings
Source: DBLP

ABSTRACT We consider the enforcement powers of program monitors, which intercept security-sensitive actions of a target application at run time and take remedial steps whenever the target attempts to execute a potentially dangerous action. A common belief in the security commu- nity is that program monitors, regardless of the remedial steps available to them when detecting violations, can only enforce safety properties. We formally analyze the properties enforceable by various program monitors and nd that although this belief is correct when considering monitors with simple remedial options, it is incorrect for more powerful monitors that can be modeled by edit automata. We dene an interesting set of properties called innite renewal properties and demonstrate how, when given any reasonable innite renewal property, to construct an edit au- tomaton that provably enforces that property. We analyze the set of innite renewal properties and show that it includes every safety prop- erty, some liveness properties, and some properties that are neither safety nor liveness.

  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: The aim of this project is to develop a feasible design for a Model Development Environment that supports the development of net-centric systems with guarantees of user-specified safety and information assurance policies. This paper focuses on (1) a policy language for expressing system safety and information assurance constraints, (2) analysis mechanisms for detecting policy applicability in a model, and (3) enforcement mechanisms and associated assurance arguments and evidence. An overarching objective is to lower the cost of producing certified software that is ready for service in a SOA. This entails lowering the cost of initial certification and the cost of recertification after modifications.
  • [Show abstract] [Hide abstract]
    ABSTRACT: Edit automata have been introduced by J.Ligatti et al. as a model for security enforcement mechanisms which work at run time. In a distributed interacting system, they play a role of a monitor that runs in parallel with a target program and transforms its execution sequence into a sequence that obeys the security property. In this paper, we characterize security properties which are enforceable by finite edit automata (i.e. edit automata with a finite set of states) and deterministic context-free edit automata (i.e. finite edit automata extended with a stack). We prove that the properties enforceable by finite edit automata are a sub-class of regular sets. Moreover, given a regular set $P$ , one can decide in time $O(n^2)$ , whether $P$ is enforceable by a finite edit automaton (where $n$ is the number of states of the finite automaton recognizing $P$ ) and we give an algorithm to synthesize the controller. Moreover, we prove that safety policies are always enforced by a deterministic context-free edit automaton. We also prove that it is possible to check if a policy is a safety policy in $O(n^4)$ . Finally, we give a topological condition on the deterministic automaton expressing a regular policy enforceable by a deterministic context-free edit automaton.
    International Journal of Information Security 08/2013; 12(4). · 0.48 Impact Factor
  • [Show abstract] [Hide abstract]
    ABSTRACT: Runtime enforcement is a common mechanism for ensuring that program executions adhere to constraints specified by a security policy. It is based on two simple ideas: the enforcement mechanism should leave good executions without changes transparency and make sure that the bad ones got amended soundness. From the theory side, a number of papers Hamlen et al., Ligatti et al., Talhi et al. provide the precise characterization of good executions that can be captured by a security policy and thus enforced by mechanisms like security automata or edit automata.Unfortunately, transparency and soundness do not distinguish what happens when an execution is actually bad the practical case. They only tell that the outcome of enforcement mechanism should be “good” but not how far the bad execution should be changed. So we cannot formally distinguish between an enforcement mechanism that makes a small change and one that drops the whole execution.In this paper we explore a set of policies called iterative properties that revises the notion of good executions in terms of repeated iterations. We propose an enforcement mechanism that can deal with bad executions and not only the good ones in a more predictable way by eliminating bad iterations.
    Journal of Computer Security. 01/2012; 20(1):51-79.