Page 1

Edit Automata: Enforcement Mechanisms for

Run-time Security Policies∗

Jay Ligatti Lujo BauerDavid Walker

Department of Computer Science

Princeton University

Princeton, NJ 08544

Technical Report TR-681-03

May 30, 2003

Abstract

We analyze the space of security policies that can be enforced by moni-

toring and modifying programs at run time. Our program monitors, called

edit automata, are abstract machines that examine the sequence of appli-

cation program actions and transform the sequence when it deviates from

a specified policy. Edit automata have a rich set of transformational pow-

ers: They may terminate the application, thereby truncating the program

action stream; they may suppress undesired or dangerous actions without

necessarily terminating the program; and they may also insert additional

actions into the event stream.

After providing a formal definition of edit automata, we develop a rig-

orous framework for reasoning about them and their cousins: truncation

automata (which can only terminate applications), suppression automata

(which can terminate applications and suppress individual actions), and

insertion automata (which can terminate and insert).

theoretic characterization of the policies each sort of automaton can en-

force and we provide examples of policies that can be enforced by one sort

of automaton but not another.

We give a set-

1 Introduction

When designing a secure, extensible system such as an operating system that

allows applications to download code into the kernel or a database that allows

users to submit their own optimized queries, we must ask two important ques-

tions.

∗This is a revised and extended version of “More Enforceable Security Policies,” a paper

that first appeared in the Workshop on Foundations of Computer Security, June 2002 [BLW02].

1

Page 2

1. What sorts of security policies can we expect our system to enforce?

2. What sorts of mechanisms do we need to enforce these policies?

Neither of these questions can be answered effectively without understanding

the space of enforceable security policies and the power of various enforcement

mechanisms.

The first significant effort to define the class of enforceable security policies

is due to Schneider [Sch00]. He investigated the security properties that can be

enforced by a specific type of program monitor. One of Schneider’s monitors

can interpose itself between an untrusted program and the machine on which

the program runs. The monitor can examine the sequence of security-relevant

program actions one at a time and if it recognizes an action that will violate

its policy, the monitor terminates the program. This mechanism is very general

since decisions about whether or not to terminate the program can depend upon

the entire history of the program’s execution. However, since these monitors

can only terminate programs and cannot otherwise modify their behavior, it is

possible to define still more powerful enforcement mechanisms.

In this paper, we re-examine the question of which security policies can be

enforced at run time by monitoring untrusted programs. Our overall approach

differs from Schneider’s, who also used automata to model program monitors, in

that we view program monitors as transformers that edit the stream of actions

produced by an untrusted application. This new viewpoint leads us to define

a hierarchy of enforcement mechanisms, each with different transformational

capabilities:

• A truncation automaton can recognize bad sequences of actions and halt

program execution before the security policy is violated, but cannot other-

wise modify program behavior. These automata are similar to Schneider’s

original security monitors.

• A suppression automaton, in addition to being able to halt program ex-

ecution, has the ability to suppress individual program actions without

terminating the program outright.

• An insertion automaton is able to insert a sequence of actions into the

program action stream as well as terminate the program.

• An edit automaton combines the powers of suppression and insertion au-

tomata. It is able to truncate action sequences and insert or suppress

security-relevant actions at will.

We use the general term security automaton to refer to any automaton that is

used to model a program monitor, including the automata mentioned above.1

The main contribution of this article is the development of a robust theory

for reasoning about these machines under a variety of different conditions. We

1Previous authors [Sch00] have used the term to refer specifically to automata with powers

similar to our truncation automata, which we discuss in Section 3.

2

Page 3

use our theory to characterize the class of security policies that can be enforced

by each sort of automaton, and we provide examples of security policies that lie

in one class but not another.

More important than any particular result is our methodology, which gives

rise to straightforward, rigorous proofs concerning the power of security mech-

anisms and the range of enforceable security policies. This overall methodology

can be broken down into four main parts.

Step 1. Define the underlying computational framework and the range of secu-

rity policies that will be considered. In this paper, we define the software

systems and sorts of policies under consideration in Section 2.1 through

Section 2.3.

Step 2. Specify what it means to enforce a security policy. As we will see in Sec-

tion 2.4, there are several choices to be made in this definition. One must

be sure that the enforcement model accurately reflects the desires of the

system implementer and the environment in which the monitor operates.

Section 2.5 explains some of the limitations induced by our decisions in

steps 1 and 2.

Step 3. Formally specify the operational behavior of the enforcement mechanism

in question. Sections 3, 4, 5 and 6 define the operational semantics of four

different sorts of monitors and provides examples of the policies that they

can enforce.

Step 4. Prove from the previous definitions that the security mechanism in ques-

tion is able to enforce the desired properties. Sections 3, 4, 5 and 6 state

theorems concerning the security policies that each type of monitor can

enforce. The formal proofs can be found in the Appendix A.

After completing our analysis of edit automata and related machines, we

discuss related work (Section 7). Finally, Section 8 concludes the paper with

a taxonomy of security policies and a discussion of some unanswered questions

and our continuing research.

2 Security Policies and Enforcement Mechanisms

In this section, we define the overarching structure of the secure systems we

intend to explore. We also define what it means to be a security policy, and

what it means to enforce a security policy. Finally, we give a generic definition

of a security automaton as an action sequence transformer.

3

Page 4

2.1Systems, Executions, and Policies

We specify software systems at a high level of abstraction.

(A,Σ) is specified via a set of program actions A (also referred to as program

events) and a set of possible executions Σ. An execution σ is simply a finite

sequence of actions a1,a2,...,an. Previous authors have considered infinite

executions as well as finite ones [Sch00]. Some of the applications on which we

might want to enforce policies (such as web servers or operating systems) are

often considered to run infinitely, but in practice their executions will always

eventually terminate. Although we allow A and Σ to be countably infinite,

in this paper we restrict ourselves to finite but arbitrarily long executions to

simplify our analysis. We use the metavariables σ and τ to range over finite

sequences of actions.

The symbol · denotes the empty sequence. We use the notation σ[i] to

denote the ithaction in the sequence (beginning the count at 0). The notation

σ[..i] denotes the subsequence of σ involving the actions σ[0] through σ[i], and

σ[i + 1..] denotes the subsequence of σ involving all other actions. We use the

notation τ;σ to denote the concatenation of two sequences. When τ is a prefix

of σ we write τ ? σ. Given a set of executions Σ, pre(Σ) is the set of all prefixes

of all executions in Σ.

In this work, it will be important to distinguish between uniform systems

and nonuniform systems. (A,Σ) is a uniform system if Σ = A?where A?is the

set of all finite sequences of symbols from A. Conversely, (A,Σ) is a nonuni-

form system if Σ ⊂ A?. Uniform systems arise naturally when a program is

completely unconstrained; unconstrained programs may execute operations in

any order. However, an effective security system will often combine static pro-

gram analysis and preprocessing with run-time security monitoring. Such is the

case in Java virtual machines, for example, which combine type checking with

stack inspection. Program analysis, preprocessing, model checking, control- or

data-flow analysis, program instrumentation, type checking, and proof-carrying

code can also give rise to nonuniform systems.

A security policy is a predicate P on sets of executions. A set of executions

Σ satisfies a policy P if and only if P(Σ). Most common extensional program

properties fall under this definition of security policy, including the following.

A system S =

• Access Control policies specify that no execution may operate on certain

resources such as files or sockets, or invoke certain system operations.

• Availability policies specify that if a program acquires a resource during

an execution, then it must release that resource at some (arbitrary) later

point in the execution.

• Bounded Availability policies specify that if a program acquires a resource

during an execution, then it must release that resource by some fixed point

later in the execution. For example, the resource must be released in at

most ten steps or after some system invariant holds. We call the condition

that demands release of the resource the bound for the policy.

4

Page 5

• An Information Flow policy concerning inputs s1and outputs s2might

specify that if s2= f(s1) in one execution (for some function f) then there

must exist another execution in which s2?= f(s1).

2.2Security Properties

Alpern and Schneider [AS87] distinguish between properties and more general

policies as follows. A security policy P is deemed to be a (computable) property

when it has the following form.

P(Σ) = ∀σ ∈ Σ.ˆP(σ)

whereˆP is a computable predicate on A?.

Hence, a property is defined exclusively in terms of individual executions.

It may not specify a relationship between possible executions of the program.

Information flow, for example, which can only be specified as a condition on the

set of possible executions of a program, is not a property. The other example

policies provided in the previous section are all security properties.

We assume that the empty sequence is contained in any property. This

describes the idea that an untrusted program that has not started executing is

not yet in violation of any property. From a technical perspective, this decision

allows us to avoid repeatedly considering the empty sequence as a special case

of an execution sequence in future definitions of enforceable properties.

Given some set of actions A, a predicateˆP over A?induces the security

property P(Σ) = ∀σ ∈ Σ.ˆP(σ). We often use the symbolˆP interchangeably as

a predicate over execution sequences and as the induced property. Normally,

the context will make clear which meaning we intend.

(Property)

Safety Properties

are called safety properties [Lam77]. We can make this definition precise as

follows. PredicateˆP induces a safety property if and only if,

∀σ ∈ pre(Σ).¬ˆP(σ) ⇒ ∀σ?∈ Σ.(σ ? σ?⇒ ¬ˆP(σ?))

Properties that specify that “nothing bad ever happens”

(Safety)

Informally, this definition states that once a bad action has taken place, thereby

excluding the initial segment of an execution from the property, there is no

extension of that segment that can remedy the situation. For example, access-

control policies are safety properties since once a restricted resource has been

accessed, the policy is broken. There is no way to “un-access” the resource and

fix the situation afterwards.

Our definition of safety differs slightly from that of previous authors. Since

we wish to consider nonuniform systems, σ ranges over pre(Σ) rather than Σ. On

uniform systems Σ = A?and therefore pre(Σ) = Σ; consequently, the definition

we give corresponds exactly to previous work. On nonuniform systems pre(Σ)

is a superset of Σ. In our definition of safety, this implies that a sequence may

become irremediably bad at a point that does not correspond to a full execution

sequence.

5

Page 6

Liveness Properties

state that nothing exceptionally bad can happen in any finite amount of time.

Any finite sequence of actions can always be extended so that it lies within the

property. Formally, predicateˆP induces a liveness property if and only if,

∀σ ∈ pre(Σ).∃σ?∈ Σ.(σ ? σ?∧ˆP(σ?))

In contrast to safety properties, liveness properties [AS85]

(Liveness)

On uniform systems availability is a liveness property. If the program has ac-

quired a resource, we can always extend its execution so that it releases the

resource in the next step. As with safety, considering nonuniformity requires us

to use a modified definition of liveness that lets σ range over pre(Σ) rather than

Σ.

Because we are limiting ourselves to considering only finite sequences, our

definition of liveness excludes many interesting liveness properties, such as ter-

mination. We present the definition of liveness for the sake of comparison with

safety.

Other Properties

be decomposed into a combination of a safety property and a liveness property.

Bounded availability, for example, is a property that combines safety and live-

ness on uniform systems. Suppose our bounded-availability policy states that

every resource that is acquired must be released and must be released at most

ten steps after it is acquired. This property contains an element of safety be-

cause there is a bad thing that may occur (e.g., taking eleven steps without

releasing the resource). It is not purely a safety property because there are

sequences that are not in the property (e.g., we have taken eight steps with-

out releasing the resource) that may be extended to sequences that are in the

property (e.g., we release the resource on the ninth step).

Alpern and Schneider [AS87] show that any property can

2.3Security Automata

One way of enforcing security properties is with a monitor that runs in parallel

with a target program [Sch00]. Whenever the target program wishes to execute

a security-relevant operation, the monitor first checks its policy to determine

whether or not that operation is allowed. If the target program’s execution

sequence σ is not in the property, the monitor transforms it into a sequence σ?

that obeys the property.

A program monitor can be formally modeled by a security automaton A,

which is a deterministic finite or infinite state machine (Q,q0,T ) that is defined

with respect to some system (A,Σ). Q specifies the possible automaton states

and q0is the initial state. Each variety of automata will have a slightly differ-

ent sort of complete, deterministic transition function T , and these differences

account for the variations in their expressive power. The exact specification of

T is part of the definition of each kind of automaton.

We will specify the execution of each different kind of security automaton A

using a labeled operational semantics. The basic single-step judgment will have

6

Page 7

the form (σ,q)

target program wants to execute; q denotes the current state of the automaton;

σ?and q?denote the action sequence and state after the automaton takes a single

step; and τ denotes the sequence of actions produced by the automaton. The

input sequence σ is not observable to the outside world whereas the outputs,

τ, are observable. When we consider nonuniform systems, we will constrain σ

rather than τ (i.e., τ may be any element of A?).

We generalize the single-step judgment to a multi-step judgment as follows.

The basic multi-step judgment has the form (σ,q)

τ

−→A(σ?,q?) where σ denotes the sequence of actions that the

τ

=⇒A(σ?,q?).

(σ,q)

τ

=⇒A(σ?,q?)

(σ,q)

·

=⇒A(σ,q)

(A-Reflex)

(σ,q)

τ1

−→A(σ??,q??)

(σ,q)

(σ??,q??)

=⇒A(σ?,q?)

τ2

=⇒A(σ?,q?)

τ1;τ2

(A-Trans)

In this paper we consider security automata whose transition functions take

the current state and input action (the first of the actions that the target pro-

gram wants to execute) and returns a new automaton state and the sequence

of actions the automaton outputs. Our automata may or may not consume the

current input action while making a transition.

2.4Enforceable Properties

To be able to compare and contrast the power of various security mechanisms,

it is crucial to have a rigorous definition of what it means for a mechanism to

enforce a security property. We believe that enforcement mechanisms can only

accomplish their task effectively when they obey the following two abstract

principles.

(Soundness) An enforcement mechanism must ensure that all observable out-

puts obey the property in question.

(Transparency) An enforcement mechanism must preserve the semantics of

executions that already obey the property in question.

The first criterion requires that our automata transform bad program ex-

ecutions in such a way that their observable outputs obey the property. A

security mechanism that allows outsiders to observe executions that do not sat-

isfy the given policy is an unsound and inadequate mechanism. The second

criterion requires that enforcement mechanisms operate invisibly on executions

that obey the property in question. In other words, any editing operations that

they perform must not change the meaning of a valid execution.

7

Page 8

Conservative Enforcement.

obey the first criterion but not necessarily the second, we say that the mechanism

enforces the property conservatively.

When an enforcement mechanism is able to

Definition 1 (Conservative Enforcement)

An automaton A with starting state q0conservatively enforces a propertyˆP on

the system (A,Σ) if and only if ∀σ ∈ Σ ∃q?∃σ?∈ A?.

1. (σ,q0)=⇒A(·,q?), and

2.ˆP(σ?)

σ?

Conservative enforcement gives the automaton great latitude.

tionship between the automaton’s output and the output of the target is not

constrained, so the automaton may choose to enforce policies simply by always

outputting a particular stream of actions (or nothing at all), regardless of the

behavior of the target. Such an automaton is able to enforce any property, but

often not in a useful manner. The existential quantification of q?and σ?ensures

that the automaton eventually halts on all inputs.

The rela-

Precise Enforcement.

(Transparency), we must be specific about what it means to preserve the

semantics of a program execution. However, since this abstract notion may

differ substantially from one computational context to the next, we offer a couple

of different definitions. The simplest reasonable definition requires that the

automaton in question outputs program actions in lockstep with the target

program’s action stream.

In order to formalize the second enforcement criterion

Definition 2 (Precise Enforcement)

An automaton A with starting state q0precisely enforces a propertyˆP on the

system (A,Σ) if and only if ∀σ ∈ Σ ∃q?∃σ?∈ A?.

1. (σ,q0)=⇒A(·,q?),

2.ˆP(σ?), and

σ?

3.ˆP(σ) ⇒ ∀i ∃q??. (σ,q0)

An automaton precisely enforces a property if and only if it conservatively

enforces the property and outputs actions in lockstep with the target applica-

tion. The automaton must not interfere with program execution in any way

when the input obeys the property; every action in a valid input sequence must

be accepted before the next action is considered. Precise enforcement is often the

right correctness criterion for security monitors when any delay in outputting

program actions will change the semantics of the application. This is usually the

case in interactive applications that require an action to return a value before

continuing.

σ[..i]

=⇒A(σ[i + 1..],q??)

8

Page 9

Effective Enforcement.

ognize the fact that it is often the case that two syntactically different action

sequences may be semantically equivalent. This often happens in three sorts of

ways:

Our definition of precise enforcement does not rec-

1. A sequence containing unnecessary actions or a series of idempotent ac-

tions may be equivalent to a sequence in which one or more of these

actions are removed. In some systems, for example, closing a file twice in

succession is equivalent to closing it just once.

2. A sequence which replaces some action with a different action that has the

same semantics may be considered equivalent to the original sequence. It

may also be permissible to replace several actions with a single action that

subsumes their behavior. For example, an action that opens a socket fol-

lowed by an action that sends data on the socket is semantically equivalent

to a macro instruction that does both.

3. A sequence in which two or more independent actions are permuted may

be equivalent to the original sequence. For example, if we want to open

two different files, the order in which we do this may not matter.

Our final definition of enforcement uses a system-specific equivalence relation

(∼=) on executions to take these possibilities into account. We require that the

relation be reflexive, symmetric, and transitive. Moreover, any property that

we might consider should not distinguish equivalent sequences:

σ∼= σ?⇒ˆP(σ) ⇔ˆP(σ?)

(Equivalence)

With our equivalence relation in hand, we can give a concrete definition of what

it means for a security automaton to effectively enforce a security property.

Definition 3 (Effective Enforcement)

An automaton A with starting state q0effectively enforces a propertyˆP on the

system (A,Σ) if and only if ∀σ ∈ Σ ∃q?∃σ?∈ A?.

1. (σ,q0)=⇒A(·,q?),

2.ˆP(σ?), and

3.ˆP(σ) ⇒ σ∼= σ?

Informally, an automaton effectively enforces a property whenever it conser-

vatively enforces the property and obeys the principle of transparency.

σ?

2.5Limitations

As always when reasoning about security, one must be acutely aware of situa-

tions in which formal results do not apply and of attacks that can come from

outside the model. In our case, there are several realistic situations in which

security automata fail to enforce a desired policy.

9

Page 10

• The policy is not a predicate on execution sequences. If the policy depends

upon some external environmental factors, such as the value of some se-

cret that has been hidden from the monitor, the monitor may not be able

to enforce the policy properly. Moreover, because monitors only see indi-

vidual sequences of actions and cannot in general base decisions on other

executions of the target application, security automata are enforcers of

properties rather than general policies.

• The monitor is unable to effectively manipulate (insert, suppress, etc.)

certain security-relevant actions. In a real-time system, some properties

might not be enforceable because the monitor simply cannot perform the

expected computation in the necessary real-time window. Alternatively,

there may be some data (secret keys, passwords, etc.) that the monitor

cannot effectively synthesize. This might mean that the monitor is unable

to insert certain program actions and enforce certain properties.

• The monitor is unable to observe certain security-relevant actions. If the

application has direct access to some hardware device and the monitor is

unable to interpose itself between the application and the device, it may

be unable to enforce certain properties.

• The monitor is compromised by the untrusted program. If the application

is able to corrupt the monitoring code or data then the monitor will not

be able to enforce any meaningful properties. In practice, this means that

any software monitor must be isolated from the application using safe

language technology or operating system support.

3 Truncation Automata

The first and most limited sort of security automaton that we will investigate is

the truncation automaton. A truncation automaton does not change the target’s

output in any way unless the target attempts to invoke a forbidden operation.

If this occurs, the truncation automaton halts the target program. This sort

of automaton is the primary focus of Schneider’s work [Sch00]. However, he

viewed truncation automata as sequence recognizers. To fit this idea into our

framework, we recast these machines as sequence transformers.

3.1 Definition

A truncation automaton T is a finite or infinite state machine (Q,q0,δ) that is

defined with respect to some system (A,Σ). Q specifies the possible automaton

states and q0is the initial state. The partial function δ : A × Q → Q specifies

the transition function for the automaton that indicates that the automaton

10

Page 11

should accept the current input action and move to a new state. On inputs for

which δ is not defined, the automaton halts the target program.

The operational semantics of truncation automata is specified below.

(σ,q)

τ

−→T(σ?,q?)

(σ,q)

a

−→T(σ?,q?)

(T-Step)

if σ = a;σ?

and δ(a,q) = q?

(σ,q)

·

−→T(·,q)

(T-Stop)

otherwise

As described in Section 2.3, we extend the single-step relation to a multi-step

relation using reflexivity and transitivity rules.

3.2 Precisely Enforceable Properties

Erlingsson and Schneider [UES99, UES00] demonstrate that mechanisms similar

to truncation automata can precisely enforce important access-control proper-

ties including software fault isolation and Java stack inspection. Interestingly,

although the definition of truncation automata is independent of the definition

of safety, when we limit our attention to uniform systems we find that truncation

automata can precisely enforce exactly the set of safety properties.

Theorem 1 (Uniform Precise T-Enforcement)

A propertyˆP on the uniform system S = (A,Σ) can be precisely enforced by a

truncation automaton if and only if ∀σ ∈ pre(Σ). ¬ˆP(σ) ⇒ ∀σ?∈ Σ. (σ ? σ?⇒

¬ˆP(σ?)).

Proof Please see Appendix A for the proof. We omit it here due to its length.

?

As will be the case for all security automata introduced in this paper, we

can expand the set of properties that truncation automata can precisely enforce

by considering how they operate in nonuniform systems. For example, suppose

there is a policy requiring that if a program exits then all open resources must

be closed, and suppose that we are working in a system in which all programs

are instrumented by inserting resource-close actions at every exit point of the

program. Although this is not a safety property because there is an illegal se-

quence (open) that may lead to a legal sequence (open;close), the instrumenting

ensures that all illegal executions will eventually become legal. A truncation

automaton can use this fact to accept potentially illegal sequences.

This example demonstrates that on nonuniform systems truncation automata

can precisely enforce more than just safety properties. It also illustrates, how-

ever, that they can do this only when the nonuniform system rules out many

11

Page 12

illegal input sequences on which it would be impossible for truncation automata

to precisely enforce the desired property. The extent of a truncation automa-

ton’s power in nonuniform systems is captured by the following theorem.

Theorem 2 (Nonuniform Precise T-Enforcement)

A propertyˆP on the system S = (A,Σ) can be precisely enforced by some

truncation automaton if and only if there exists a decidable predicate D such

that for all executions σ ∈ pre(Σ), if ¬ˆP(σ) then

1. D(σ) ⇒ (∀σ?∈ Σ. σ ? σ?⇒ ¬ˆP(σ?))

2. ¬D(σ) ⇒ (∀σ?∈ Σ. σ ? σ?⇒ ∃τ ∈ A?.(σ;τ ? σ?∧ˆP(σ;τ)))

Proof See Appendix A.

?

Intuitively, when encountering an illegal portion of an input sequence, a

truncation automaton has two options. It may halt if there is no way to correct

this sequence, or it may accept and continue if it can decide that this illegal

input will always be corrected by future actions.

3.3Effectively Enforceable Properties

In addition to harnessing the power of constraints placed on the set of executions

(Σ) to precisely enforce non-safety properties, truncation automata can take

advantage of a system’s equivalence relation to effectively enforce non-safety

properties, even on uniform systems.

Consider a uniform system whose only actions are to open and close a login

window. We wish to enforce the policy that the first action in any sequence must

close the login window. The policy also allows the login window to be closed and

then opened and closed any number of times, as this is considered equivalent to

closing the window once. All sequences (and only those sequences) of the form

close;(open;close)?satisfy the property, and close;(open;close)?∼= close. This is

not a safety property because there is an illegal sequence (close;open) that can

be extended into a legal sequence (close;open;close).

A truncation automaton can effectively enforce this property by checking

that the first action closes the login window. If it does then the automaton

accepts the action and halts; otherwise, it does not accept but still halts. This

effectively enforces the property because any legal sequence will be equivalent

to the accepted close action and all sequences emitted by the automaton (either

· or close) obey the property.

As with our example of precise enforcement on nonuniform systems, this

illustrates both that truncation automata can effectively enforce more than just

safety properties and that these non-safety properties are very limited. Before

we can formally characterize the properties effectively enforceable by truncation

automata, we must generalize the transformations truncation automata induce

on instruction sequences into functions that act over sequences of actions. Given

a set of actions A, a function α?: A?→A?is a truncation-rewrite function if it

satisfies the following conditions.

12

Page 13

1. α?(·) = ·

2. ∀σ ∈ A?∀a ∈ A.

α?(σ;a) = α?(σ);a, or

α?(σ;a) = α?(σ) ∧ H(α?,σ;a)

where H(ρ?,σ) is a predicate defined on a general rewrite function ρ?and a

sequence σ as follows.

H(ρ?,σ) ⇔ (∀σ?∈ A?. σ ? σ?⇒ ρ?(σ?) = ρ?(σ))

Informally, H(ρ?,σ) is true if and only if an automaton whose output matches

that of the rewrite function ρ?halts on input σ, ceasing to output any additional

actions.That is, whenever an automaton stops processing its input σ (for

example, by applying rule T-Stop), it cannot examine any extensions to σ, so

its output on any such extension must match its output on σ alone.

The restrictions placed on truncation-rewrite functions capture the opera-

tional restrictions of truncation automata. Condition (1) above ensures that

truncation-rewrite functions do not output actions without receiving any in-

put, and condition (2) stipulates that when examining the current action a,

the rewrite function must either accept and output a (after it has finished out-

putting actions corresponding to earlier input) or halt and output nothing more.

Note that when deciding how to transform an action a, the rewrite function can

base its decision on the history of the entire execution up to a. Hence the input

to the function in condition (2) is σ;a and not just a.

The following theorem specifies the properties effectively enforceable by trun-

cation automata on both uniform (where Σ = A?) and nonuniform systems.

Theorem 3 (Effective T-Enforcement)

A propertyˆP on the system S = (A,Σ) can be effectively enforced by some

truncation automaton if and only if there exists a computable truncation-rewrite

function α?such that for all executions σ ∈ Σ,

1. If ¬ˆP(σ) thenˆP(α?(σ))

2. IfˆP(σ) then σ∼= α?(σ)

Proof See Appendix A.

?

4Suppression Automata

Given our novel view of security automata as sequence transformers, it is a

short step to define new sorts of automata that have greater transformational

capabilities than truncation automata. In this section, we describe suppression

automata and characterize the properties they enforce precisely and effectively.

13

Page 14

4.1 Definition

A suppression automaton S is a finite or infinite state machine (Q,q0,δ,ω) that

is defined with respect to some system (A,Σ). As before, Q is the set of all

possible machine states, q0 is a distinguished starting state for the machine,

and the partial function δ specifies the transition function. The partial function

ω : A × Q → {−,+} has the same domain as δ and indicates whether or not the

action in question is to be suppressed (−) or emitted (+).

(σ,q)

τ

−→S(σ?,q?)

(σ,q)

a

−→S(σ?,q?)

(S-StepA)

if σ = a;σ?

and δ(a,q) = q?

and ω(a,q) = +

(σ,q)

·

−→S(σ?,q?)

(S-StepS)

if σ = a;σ?

and δ(a,q) = q?

and ω(a,q) = −

(σ,q)

·

−→S(·,q)

(S-Stop)

otherwise

Note that although rule S-Stop is not strictly necessary (rather than halting,

the automaton could suppress all further actions), using S-Stop simplifies the

automaton’s specification and decreases its running time.

As before, we extend the single-step semantics to a multi-step semantics

using the reflexivity and transitivity rules from Section 2.3.

4.2Precisely Enforceable Properties

Similarly to truncation automata, in uniform systems suppression automata can

precisely enforce any safety property and no other properties.

Theorem 4 (Uniform Precise S-Enforcement)

A propertyˆP on the uniform system S = (A,Σ) can be precisely enforced by

a suppression automaton if and only if ∀σ ∈ pre(Σ). ¬ˆP(σ) ⇒ ∀σ?∈ Σ. (σ ?

σ?⇒ ¬ˆP(σ?)).

Proof See Appendix A.

?

In a nonuniform system, suppression automata can precisely enforce non-

safety properties not enforceable by truncation automata. For example, consider

the following system S.

14

Page 15

A

Σ

=

=

{aq,use,rel}

{aq;rel,

aq;use;rel,

aq;use;use;rel}

The symbols aq,use, and rel denote the acquisition, use, and release of a

resource. The set of executions includes zero, one, or two uses of the resource.

Such a scenario might arise were we to publish a policy that programs must

release the resource after using it at most two times. After publishing such a

policy, we might find a bug in our implementation that makes it impossible for

us to handle the load we were predicting. Naturally we would want to tighten

the security policy as soon as possible, but we might not be able to change the

policy we have published. Fortunately, we can use a suppression automaton to

suppress extra uses and dynamically change the policy from a two-use policy to

a one-use policy. Notice that an ordinary truncation automaton is not sufficient

to make this change because it can only terminate execution, in which case the

rel symbol would be missing from the end of the sequence. After terminating a

two-use application, a truncation automation would be unable to insert the rel

necessary to satisfy the policy.

To formally characterize the properties that can be precisely enforced by

suppression automata, we again generalize our automata to functions that act

over sequences of symbols. Given a set of actions A, a function ω?: A?→A?is

a suppression-rewrite function if it satisfies the following conditions.

1. ω?(·) = ·

2. ∀σ ∈ A?∀a ∈ A.

ω?(σ;a) = ω?(σ);a, or

ω?(σ;a) = ω?(σ)

These conditions encode the restrictions placed on suppression automata that

(1) nothing can be output when no actions are input and (2) an input action

can only be accepted or suppressed. Halting is equivalent to suppressing all

additional input actions.

A suppression automaton can precisely enforce the following properties.

Theorem 5 (Nonuniform Precise S-Enforcement)

A propertyˆP on the system S = (A,Σ) can be precisely enforced by some

suppression automaton if and only if there exists a computable suppression-

rewrite function ω?such that for all sequences σ ∈ Σ,

1. If ¬ˆP(σ) thenˆP(ω?(σ)).

2. IfˆP(σ) then ω?(σ) = σ.

Proof See Appendix A.

?

15

Page 16

4.3 Effectively Enforceable Properties

Even on uniform systems, suppression automata can effectively enforce a proper

superset of the properties enforceable by truncation automata. As in the pre-

ceding discussion of nonuniform precise enforcement, we illustrate this with an

example.

Consider an authenticated-login policy that requires users who wish to login

to use an authenticated login, on a uniform system with actions for both an

unauthenticated login (ulogin) and an authenticated login (alogin). On this sys-

tem, an unauthenticated login followed by an authenticated login is semantically

equivalent to a single authenticated login (i.e., ulogin;alogin∼= alogin); however,

logging in more than once with an authenticated login is not equivalent to a

single authenticated login (i.e., alogin;alogin ?∼= alogin).

A truncation automaton cannot effectively enforce this property because

upon seeing a ulogin it can take no valid action. It cannot accept because an

authenticated login may never occur, which violates the property. It also cannot

halt because the next action may be alogin, making the automaton’s input

(ulogin;alogin) obey the property but not be equivalent to its output (·). In

contrast, a suppression automaton can effectively enforce this property simply

by suppressing the ulogin. If the next action is alogin, then the suppression

automaton accepts this and will have correctly effectively enforced the property

since its output (alogin) is equivalent to its input (ulogin;alogin). If the alogin

does not appear (and hence the input sequence violates the property), then the

suppression automaton will not have emitted anything, thereby satisfying the

property.

The following theorem formally specifies the properties effectively enforce-

able by suppression automata.

Theorem 6 (Effective S-Enforcement)

A propertyˆP on the system S = (A,Σ) can be effectively enforced by some

suppression automaton if and only if there exists a computable suppression-

rewrite function ω?such that for all executions σ ∈ Σ,

1. If ¬ˆP(σ) thenˆP(ω?(σ))

2. IfˆP(σ) then σ∼= ω?(σ)

Proof See Appendix A.

?

The essence of suppression automata as effective enforcers is that they can

suppress an action if it is potentially bad and at the same time unnecessary. If

the input sequence turns out to be in the property, then because the suppressed

action was unnecessary, no harm was done.

5 Insertion Automata

This section introduces insertion automata, which have the power to insert

actions into the action stream or halt the target program but cannot suppress

16

Page 17

actions. As with truncation and suppression automata, we define them formally

and then consider what properties they can enforce precisely and effectively.

5.1 Definition

An insertion automaton I is a finite or infinite state machine (Q,q0,δ,γ) that is

defined with respect to some system (A,Σ). The partial function δ : A × Q → Q

specifies the transition function as before. The new element is a partial function

γ that specifies the insertion of a finite sequence of actions into the program’s

action sequence. We call this the insertion function and it has type A×Q→− →

Q, where the first component in the returned pair indicates the finite and non-

empty sequence of actions to be inserted. In order to maintain the determinacy

of the automaton, we require the domain of the insertion function to be disjoint

from the domain of the transition function.

We specify the execution of an insertion automaton as before. The single-

step relation is defined below.

A ×

(σ,q)

τ

−→I(σ?,q?)

(σ,q)

a

−→I(σ?,q?)

(I-Step)

if σ = a;σ?

and δ(a,q) = q?

(σ,q)

τ

−→I(σ,q?)

(I-Ins)

if σ = a;σ?

and γ(a,q) = τ,q?

(σ,q)

·

−→I(·,q)

(I-Stop)

otherwise

We also extend this single-step semantics to a multi-step semantics as before.

5.2 Precisely Enforceable Properties

Identically to truncation and suppression automata, on uniform systems inser-

tion automata precisely enforce exactly the set of safety properties. Perhaps

surprisingly, the power to suppress or insert actions does not enable security

automata to precisely enforce more properties on uniform systems. This is be-

cause every illegal sequence must be transformed into a legal sequence, but

doing so prevents any legal extension from being precisely enforced (because

the sequence has already been modified and cannot be accepted in an entirely

lockstep manner). Therefore, regardless of the transformational capabilities a

security automaton has on execution sequences, on uniform systems it can only

precisely enforce safety properties.

17

Page 18

Theorem 7 (Uniform Precise I-Enforcement)

A propertyˆP on the uniform system S = (A,Σ) can be precisely enforced by

an insertion automaton if and only if ∀σ ∈ pre(Σ). ¬ˆP(σ) ⇒ ∀σ?∈ Σ. (σ ?

σ?⇒ ¬ˆP(σ?)).

Proof See Appendix A.

?

Once again, considering nonuniform systems expands the set of precisely

enforceable properties. Let us consider the nonuniform aq;use;rel system of

Section 4.2. This time, we want to enforce the property that the resource will

be used exactly once or twice, rather than zero or one times. The only sequnces

which satisfy our property are aq;use;rel and aq;use;use;rel. A truncation au-

tomaton cannot precisely enforce this property because upon encountering an

aq it can take no action. It cannot accept because the full input sequence may

be aq;rel and the automaton has no way of inserting the required use; and it

cannot truncate because then it would give up on precisely enforcing any input

seqences that start with aq and actually do obey the property, such as aq;use;rel.

An insertion automaton precisely enforces this property by accepting aq and

use actions. When it encounters a rel, it will insert a use if one was not already

present in the input.

We formally characterize the properties that can be precisely enforced by an

insertion automaton as follows.

Theorem 8 (Nonuniform Precise I-Enforcement)

A propertyˆP on the system S = (A,Σ) can be precisely enforced by some

insertion automaton if and only if there exists a computable function γpsuch

that for all executions σ ∈ pre(Σ), if ¬ˆP(σ) then

1. ∀σ?∈ Σ. σ ? σ?⇒ ¬ˆP(σ?), or

2. σ ?∈ Σ andˆP(σ;γp(σ))

Proof See Appendix A.

?

We can also compare the power of insertion automata with suppression au-

tomata. A suppression automaton cannot precisely enforce the one-or-two-use

policy described in this section because it cannot insert use events that are nec-

essary if the program releases the resource without using it, and it cannot simply

suppress resource acquisitions because this would modify sequences that do sat-

isfy the policy. Hence, insertion automata can precisely enforce some properties

that suppression automata cannot. On the other hand, an insertion automaton

can precisely enforce the zero-or-one-use aq;use;rel policy of Section 4.2 sim-

ply by inserting a rel event and then halting whenever a bad sequence is found

(i.e., aq;use;use would be transformed to aq;use;rel). Generalizing from this,

we see that insertion automata are strictly more powerful precise enforcers than

suppression automata.

18

Page 19

Theorem 9 (Precise S-Enforceable Subset of Precise I-Enforceable)

If there exists a suppression automaton S= (Qs,q0s,δs,ω) that precisely en-

forcesˆP on some system (A,Σ) then there exists an insertion automaton I=

(Qi,q0i,δi,γ) that precisely enforcesˆP on the same system.

Proof See Appendix A.

?

5.3Effectively Enforceable Properties

Let us now consider insertion automata operating as effective, rather than pre-

cise, enforcers. As with the other automata seen so far, insertion automata

viewed in this light can enforce a greater range of properties, even on uniform

systems. We illustrate this with a very application-specific example: the San

Francisco cable car.

The property we want to enforce is that if a person boards the car (board), she

must show her ticket either to the conductor (show conductor) or to the driver

(show driver). She may show them her ticket either before or after getting onto

the car, and it is OK, though redundant, to show the ticket twice. A person may

board the car at most once. The only sequences not in the property are getting

onto the car without ever showing a ticket and boarding more than once.

An insertion automaton can effectively enforce this property because upon

seeing a bad sequence where no ticket has been shown but a passenger boards

(board), it can insert the action show driver. If the stream turns out to al-

ready contain either show driver or show conductor, no harm has been done (be-

cause show driver;board;show driver∼= board;show driver and show driver;board;

show conductor∼= board;show conductor).

?????rd

???

??????????????????????????d

a

???

???

???????????????????or ∨

???

???

????????????????

???

???

???????????????????or ∨

???

???

???????????

a

?????

???

???

???????????????????or ∨

???

???

???????????

a

?????

?????rd

?????rd

???

???

???????????????????or ∨

???

???

???????????

a

?????

Figure 1: An insertion automaton that effectively enforces the cable-car policy

on a uniform system.

Figure 1 shows an insertion automaton that effectively enforces the cable-

19

Page 20

car policy. The nodes in the picture represent the automaton states and the

arcs represent the transitions. The action above an arc triggers the transition,

and the sequence below an arc represents the actions that are emitted. An arc

with multiple symbols below it is an insertion transition. All other transitions

are accepting transitions, and if there is no arc for the current action then the

automaton halts.

A truncation automaton cannot effectively enforce this property because it

has no way to handle an initial board action. If it accepts and there are no

further actions, then it has allowed a passenger to board without showing a

ticket; if it halts and the sequence does obey the property, then it has not

preserved the semantics of the input sequence. Either way, it cannot effectively

enforce the property.

As with precise enforcement, we can compare the powers of insertion and

suppression automata as effective enforcers. The authenticated-login policy of

Section 4.3 cannot be effectively enforced by an insertion automaton. When

confronted with the sequence ulogin, an insertion automaton cannot accept be-

cause if there is no further input, the output would not obey the property;

it cannot halt because the sequence could potentially be in the property (and

ulogin;alogin ?∼= · ); and it cannot insert an alogin because possible future alogin

actions would make the stream obey the property yet not be equivalent to the

stream with the inserted alogin.

This shows that there are properties that are effectively enforceable by sup-

pression automata that are not effectively enforceable by insertion automata.

Conversely, not all properties effectively enforceable by insertion automata can

be effectively enforced by suppression automata. The cable-car example, for

instance, cannot be effectively enforced by a suppression automaton. When

confronted with a board action, a suppression automaton cannot accept because

¬ˆP(board), and cannot halt or suppress because that could change a legal se-

quence into one that is not equivalent to it (e.g., board;show driver ?∼= show driver

and board;show driver ?∼= · ).

Before we characterize the properties that can be effectively enforced by

insertion automata, we again generalize our automata into functions that act

over sequences of symbols. Given a set of actions A, a function γ?: A?→A?is

an insertion-rewrite function if it satisfies the following conditions.

1. γ?(·) = ·

2. ∀σ ∈ A?∀a ∈ A ∃τ ∈ A?.

γ?(σ;a) = γ?(σ);τ;a, or

γ?(σ;a) = γ?(σ);τ ∧ (∀τ?∈ A?.τ ?= τ?;a) ∧ H(γ?,σ;a)

where H(γ?,σ) is the computable predicate defined in Section 3.3.

The intuition for insertion-rewrite functions is similar to that for the other

rewrite functions, except that there are more possible behaviors of the corre-

sponding automata to consider. When processing an action a, an insertion

automaton can react in any of the following ways: it may accept a, insert some

20

Page 21

number of actions (the number of inserted actions is finite in this article be-

cause we limit our analysis to finite-length sequences) before accepting a, halt

the target, or insert some number of actions before halting the target. The

first clause of condition (2) above captures the first two of these possibilities by

allowing the rewrite function to insert some number (possibly zero) of actions

before accepting. The second part of condition (2) captures the other possibil-

ities where some number (possibly zero) of actions are inserted before halting.

For the sake of determinacy—that is, to make sure that only one of the two

clauses in condition (2) applies—the case in which the automaton inserts some

sequence that ends with a and then halts is handled as if a were accepted before

halting.

The following theorem formally specifies the properties effectively enforce-

able by insertion automata.

Theorem 10 (Effective I-Enforcement)

A propertyˆP on the system S = (A,Σ) can be effectively enforced by some

insertion automaton if and only if there exists a computable insertion-rewrite

function γ?such that for all executions σ ∈ Σ,

1. If ¬ˆP(σ) thenˆP(γ?(σ))

2. IfˆP(σ) then σ∼= γ?(σ)

Proof See Appendix A.

?

The defining feature of insertion automata as effective enforcers is that they

allow required actions to be inserted into a sequence whenever it is OK for the

inserted actions to be repeated. If the automaton’s input actually does obey the

property, the automaton’s output remains semantically equivalent to the input.

6Edit Automata

We now turn to a far more powerful security automaton, the edit automaton.

After defining edit automata formally and considering the properties they can

enforce precisely and effectively, we present an extended example of an edit

automaton that effectively enforces a market transaction policy.

6.1 Definition

We form an edit automaton E by combining the insertion automaton with the

suppression automaton. Our machine is now described by a 5-tuple of the form

(Q,q0,δ,γ,ω). The operational semantics is derived from the composition of the

operational rules of the two previous automata. Again, the partial functions δ

and ω have the same domain while δ and γ have disjoint domains.

(σ,q)

τ

−→E(σ?,q?)

21

Page 22

(σ,q)

a

−→E(σ?,q?)

(E-StepA)

if σ = a;σ?

and δ(a,q) = q?

and ω(a,q) = +

(σ,q)

·

−→E(σ?,q?)

(E-StepS)

if σ = a;σ?

and δ(a,q) = q?

and ω(a,q) = −

(σ,q)

τ

−→E(σ,q?)

(E-Ins)

if σ = a;σ?

and γ(a,q) = τ,q?

(σ,q)

·

−→E(·,q)

(E-Stop)

otherwise

Although rule E-StepA is not strictly necessary (rather than accepting an

action a, the automaton could insert a and then suppress the original a), its

presence allows acceptance of an action in only one step. This simplifies the

specification of the automaton and in general decreases its running time. Sim-

ilarly, and as with suppression automata, the effect of rule E-Stop can be

accomplished by suppressing any further input, again at the cost of increased

running time and specification complexity.

As with the other security automata, we extend the single-step semantics

of edit automata to a multi-step semantics with the rules for reflexivity and

transitivity.

6.2Precisely Enforceable Properties

On uniform systems, edit automata precisely enforce exactly the set of safety

properties. This follows immediately from the discussion in Section 5.2—as

precise enforcers on uniform systems, edit automata have the same power as

truncation, suppression, and insertion automata.

Theorem 11 (Uniform Precise E-Enforcement)

A propertyˆP on the uniform system S = (A,Σ) can be precisely enforced by

an edit automaton if and only if ∀σ ∈ pre(Σ). ¬ˆP(σ) ⇒ ∀σ?∈ Σ. (σ ? σ?⇒

¬ˆP(σ?)).

22

Page 23

Proof See Appendix A.

?

When we consider nonuniform systems, edit automata precisely enforce ex-

actly those properties precisely enforceable by insertion automata. This result

is not particularly surprising because edit automata are just a composition of

insertion and suppression automata, and insertion automata precisely enforce a

superset of the properties precisely enforceable by suppression automata.

Theorem 12 (Nonuniform Precise E-Enforcement)

A propertyˆP on the system S = (A,Σ) can be precisely enforced by some edit

automaton if and only if there exists a computable function γpsuch that for all

executions σ ∈ pre(Σ), if ¬ˆP(σ) then

1. ∀σ?∈ Σ. σ ? σ?⇒ ¬ˆP(σ?), or

2. σ ?∈ Σ andˆP(σ;γp(σ))

Proof See Appendix A.

?

6.3Effectively Enforceable Properties

Similarly to truncation, suppression, and insertion automata, considering edit

automata as effective enforcers enables them to enforce a wider range of prop-

erties. In addition, edit automata can effectively enforce properties effectively

enforceable by neither suppression nor insertion automata. Section 6.4 illus-

trates this with a detailed example.

Edit automata are very powerful effective enforcers because they can insert

actions that are required and later suppress those same actions if they appear

in the original input sequence. Conversely, an edit automaton can suppress a

sequence of potentially illegal actions, and if the sequence is later determined to

be legal, just re-insert it. Interestingly, with this technique edit automata can

effectively enforce any property—the automaton simply suppresses all actions

until it can confirm that the current prefix obeys the property, at which point it

inserts all the suppressed actions. Any legal input will thus be output without

modification. If an input is illegal, an edit automaton will output its longest

valid prefix.

The following theorem formalizes this idea, and its proof shows how to con-

struct an edit automaton to effectively enforce any property. This theorem

holds on all systems S because it only uses strict equality as the equivalence

relation and places no constraints on the set of possible executions (so S may

be uniform).

Theorem 13 (Effective E-Enforcement)

Any propertyˆP on the system S = (A,Σ) can be effectively enforced by some

edit automaton.

Proof See Appendix A.

?

23

Page 24

6.4An Example: Transactions

To demonstrate the power of our edit automata, we show how to implement

the monitoring of transactions. The desired properties of atomic transactions

[EN94], commonly referred to as the ACID properties, are atomicity (either the

entire transaction is executed or no part of it is executed), consistency preser-

vation (upon completion of the transaction the system must be in a consistent

state), isolation (the effects of a transaction should not be visible to other con-

currently executing transactions until the first transaction is committed), and

durability or permanence (the effects of a committed transaction cannot be

undone by a future failed transaction).

The first property, atomicity, can be modeled using an edit automaton by

creating an intentions log. That is, the automaton suppresses input actions from

the start of the transaction and, if the transaction completes successfully, the

entire sequence of actions is emitted atomically to the output stream; otherwise

it is discarded. Consistency preservation can be enforced by simply verifying

that the sequence to be emitted leaves the system in a consistent state. The

durability or permanence of a committed transaction is ensured by the fact that

committing a transaction is modeled by emitting the corresponding sequence of

actions to the output stream. Once an action has been written to the output

stream it can no longer be touched by the automaton; furthermore, failed trans-

actions output nothing. We only model the actions of a single agent in this

example and therefore ignore issues of isolation.

?????????n)

a≠

?????????

a≠

???∧

?

?????

a

???

-n

+n

?

?????n)

?????????n

???

?

?y(n)

?????????n

???

?

?y(n)

?

?????n)

?????????n)

¬

?

?????n)

?

???ning

a≠

?????????

a≠

???∧

?

?????

a

???

??????????????k

???k≠n) ∨ a=pay(_)

Figure 2: An edit automaton that effectively enforces the market policy.

To make our example more concrete, we will model a simple market sys-

tem with two main actions, take(n) and pay(n), which represent acquisition of

n apples and the corresponding payment. We let a range over all the actions

that might occur in the system (such as take, pay, window-shop, browse, etc.).

Our policy is that every time an agent takes n apples it must pay for those ap-

ples. Payments may come before acquisition or vice versa, and take(n);pay(n)

24

Page 25

is semantically equivalent to pay(n);take(n). The automaton enforces the atom-

icity of this transaction by emitting take(n);pay(n) only when the transaction

completes. If payment is made first, the automaton allows clients to perform

other actions such as browse before paying (the take-pay transaction appears

atomically after all such intermediary actions). On the other hand, if apples are

taken and not paid for immediately, we issue a warning and abort the trans-

action. Consistency is ensured by remembering the number of apples taken or

the size of the prepayment in the state of the machine. Once acquisition and

payment occur, the sale is final and there are no refunds (durability). Figure 2

displays the infinite-state edit automaton that effectively enforces our market

policy. Arcs with no symbols beneath them represent suppression transitions.

Neither an insertion automation nor a suppression automaton can effectively

enforce the market policy. An insertion automaton, if it encounters pay(n), can

take no action: it cannot halt because the next action may be take(n), it cannot

accept because there may be no more actions, and it cannot insert take(n)

because that may disrupt a valid sequence of take(n) and pay(n) in an input

that obeys the property. A suppression automaton, upon encountering take(n),

can take no action: it cannot suppress or halt because the next action may be

pay(n), and it cannot accept because there may be no more actions.

7 Related Work

Schneider [Sch00] was the first to analyze the power of security mechanisms.

He defined the set of security properties precisely enforceable by truncation au-

tomata and observed that it was a subset of the safety properties. Schneider

also briefly mentions mechanisms more powerful than truncation automata, but

he does not give a detailed analysis of their power. Schneider’s definition pro-

vides an upper bound on the set of properties that can be precisely enforced by

security automata on a uniform input set. However, it is a loose upper bound.

Viswanathan, Kim, and others [Vis00, KKL+02] demonstrate that to obtain a

tighter bound on the power of run-time monitors, one must add computabil-

ity constraints to the definition of truncation automata. Viswanathan [Vis00]

has also demonstrated that the set of properties enforceable through run-time

monitoring is equivalent to the CoRE properties.

Concurrently with our work, Hamlin, Morrisett, and Schneider [HMS02]

have begun to investigate the power of a broader set of enforcement mecha-

nisms. They consider security mechanisms based upon static analysis, run-time

monitoring, and program rewriting and compare and contrast the power of these

mechanisms. They observe that the statically enforceable properties correspond

to the recursively decidable properties of programs. Taken with Viswanathan’s

result, this fact implies that run-time monitors (when given access to the source

program text) can enforce strictly more properties than can be enforced through

static analysis. Hamlin et al. also prove that program rewriters do not corre-

spond to any complexity class in the arithmetic hierarchy.

In contrast with these other theoretical research efforts, our work provides

25

Page 26

a detailed analysis of the power of run-time monitors. We introduce several

kinds of monitors, each with different run-time capabilities (i.e., truncation,

suppression, and insertion). We clearly specify what it means to enforce a

property and we demonstrate that the power of these monitors varies depending

upon the context in which they are used.

Implementation efforts [ET99, UES99, UES00, KVBA+99] are considerably

more advanced than the corresponding theoretical investigations. In general,

these systems allow arbitrary code to be executed in response to a potential

security violation, so edit automata provide a reasonable model for attempting

to understand their behavior. In most cases, these languages can be considered

domain-specific aspect-oriented programming languages [KHH+01], which have

been designed to facilitate the enforcement of security properties.

Other researchers have investigated optimization techniques for run-time

monitors [CF00, Thi01], and certification of programs instrumented with se-

curity checks [Wal00]. Kim et al. [KKL+02] analyze the performance cost of

run-time monitors and show that the language one uses to define monitors has

a significant impact on performance. They also define optimizations to decrease

the overhead of run-time monitoring.

Run-time monitoring and checking can also be used in settings where secu-

rity is not necessarily the primary focus. Lee et al. [KVBA+99], for example,

have developed a monitoring system specifically for improving the reliability of

real-time systems. Sandholm and Schwartzbach have used run-time monitor-

ing to ensure that concurrently executing Web scripts obey important safety

properties [SS98].

8Conclusions

In this article, we have introduced a detailed framework for reasoning about the

power of security mechanisms that are able to intercept and modify untrusted

program actions at run time.

Before we begin the analysis proper, we carefully define what it means to en-

force a property at run time. Our definitions of policy enforcement is motivated

by two main considerations:

(Soundness) The final output of a monitored system must obey the policy.

Consequently, bad programs that would otherwise violate the policy must

have their executions modified by the enforcement mechanism.

(Transparency) Whenever the untrusted program obeys the policy in ques-

tion, a run-time enforcement mechanism should preserve the semantics

of the untrusted program. In other words, the actions of the enforcement

mechanism should not be observable when monitoring good programs that

do not violate the policy.

One obtains slightly different definitions of enforcement depending upon the

interpretation of what it means for a mechanism to be “semantics-preserving.”

26

Page 27

Consequently, it is necessary to ensure that the definition of enforcement is

appropriate for the application and context at hand.

Once the definition of enforcement is set, we investigate the power of a hier-

archy of monitors, each with varying run-time capabilities, including truncation,

suppression, and insertion of security-relevant program actions. We demonstrate

that the power of these different kinds of monitors varies, and we characterize

their enforceable properties precisely. We also observe that when the monitor’s

input space is constrained (possibly by a prior program rewriting pass or other

mechanisms), a monitor may be able to enforce a larger set of properties. A

summary of our main findings is presented in Figures 3 and 4.

????? ????????????????????????????? ??????????????????????????ties

????????????????????

?????????

???????????????ng

?????????

Figure 3: A taxonomy of precisely enforceable security properties on nonuniform

systems.

This article sets some of the fundamental limits of security mechanisms that

operate by monitoring and modifying program behavior at run time. However,

there are many open questions that continue to spark our interest in this area.

In particular, we desire to understand further the impact of constraining the

resources available either to the running program or the run-time monitor. For

example, are there practical properties that can be enforced by exponential-

time but not polynomial-time monitors? What effect does bounding the space

available to edit automata have on the set of enforceable properties? What if we

limit the program’s access to random bits and therefore its ability to use strong

cryptography? Can we generalize our analyses to infinite sequences? These

unanswered questions and many similar ones suggest a variety of new research

directions in this nascent research field.

27

Page 28

???????? ??????????????????????

????????????????? ???

?????????

? ?????????? ???

?????????

Figure 4: A taxonomy of effectively enforceable security properties on both

uniform and nonuniform systems.

Acknowledgments

Enlightening discussions with Kevin Hamlin, Greg Morrisett, and Fred Schnei-

der helped to stimulate our research and improve this article. We would also

like to thank the anonymous reviewers for their helpful and thorough comments.

References

[AS85]Bowen Alpern and Fred B. Schneider. Defining liveness. Informa-

tion Processing Letters, 21(4):181–185, October 1985. 6

[AS87]Bowen Alpern and Fred Schneider. Recognizing safety and liveness.

Distributed Computing, 2:117–126, 1987. 5, 6

[BLW02] Lujo Bauer, Jarred Ligatti, and David Walker. More enforceable

security policies. In Foundations of Computer Security, Copen-

hagen, Denmark, July 2002. 1

[CF00]Thomas Colcombet and Pascal Fradet. Enforcing trace properties

by program transformation. In Twenty-Seventh ACM Symposium

on Principles of Programming Languages, pages 54–66, Boston,

January 2000. ACM Press. 26

[EN94]Ramez Elmasri and Shamkant B. Navathe.

database systems. The Benjamin/Cummings Publishing Company,

Inc., 1994. 24

Fundamentals of

28

Page 29

[ET99]David Evans and Andrew Twyman. Flexible policy-directed code

safety. In IEEE Security and Privacy, Oakland, CA, May 1999.

26

[HMS02] Kevin Hamlin, Greg Morrisett, and Fred Schneider. In pursuit of

punctuality: Computability classes for enforcement mechanisms.

Unpublished Manuscript, November 2002. 25

[KHH+01]Gregor Kiczales, Erik Hilsdale, Jim Hugunin, Mik Kersten, Jef-

frey Palm, and William Griswold. An overview of AspectJ. In

European Conference on Object-oriented Programming. Springer-

Verlag, 2001. 26

[KKL+02] Moonjoo Kim, Sampath Kannan, Insup Lee, Oleg Sokolsky,

and Mahesh Viswantathan. Computational analysis of run-time

monitoring—fundamentals of Java-MaC. In Run-time Verification,

June 2002. 25, 26

[KVBA+99] Moonjoo Kim, Mahesh Viswanathan, Hanene Ben-Abdallah, Sam-

path Kannan, Insup Lee, and Oleg Sokolsky. Formally specified

monitoring of temporal properties. In European Conference on

Real-time Systems, York, UK, June 1999. 26

[Lam77]Leslie Lamport. Proving the correctness of multiprocess programs.

IEEE Transactions of Software Engineering, 3(2):125–143, 1977.

5

[Sch00] Fred B. Schneider. Enforceable security policies. ACM Transac-

tions on Information and Systems Security, 3(1):30–50, February

2000. 2, 4, 6, 10, 25

[SS98]Anders Sandholm and Michael Schwartzbach. Distributed safety

controllers for web services. In Fundamental Approaches to Soft-

ware Engineering, volume 1382 of Lecture Notes in Computer Sci-

ence, pages 270–284. Springer-Verlag, 1998. 26

[Thi01]Peter Thiemann. Enforcing security properties by type special-

ization. In European Symposium on Programming, Genova, Italy,

April 2001. 26

[UES99]

´Ulfar Erlingsson and Fred B. Schneider. SASI enforcement of se-

curity policies: A retrospective. In Proceedings of the New Se-

curity Paradigms Workshop, pages 87–95, Caledon Hills, Canada,

September 1999. 11, 26

[UES00]

´Ulfar Erlingsson and Fred B. Schneider. IRM enforcement of Java

stack inspection. In IEEE Symposium on Security and Privacy,

pages 246–255, Oakland, California, May 2000. 11, 26

29

Page 30

[Vis00]Mahesh Viswanathan. Foundations for the Run-time Analysis of

Software Systems. PhD thesis, University of Pennsylvania, 2000.

25

[Wal00]David Walker. A type system for expressive security policies. In

Twenty-Seventh ACM Symposium on Principles of Programming

Languages, pages 254–267, Boston, January 2000. 26

A Proofs of Theorems

Theorem 1 (Uniform Precise T-Enforcement)

A propertyˆP on the uniform system S = (A,Σ) can be precisely enforced by a

truncation automaton if and only if ∀σ ∈ pre(Σ).¬ˆP(σ) ⇒ ∀σ?∈ Σ.(σ ? σ?⇒

¬ˆP(σ?)).

Proof (If Direction) We construct a truncation automaton that precisely en-

forces any suchˆP as follows.

• States: q ∈ pre(Σ)

• Start state: q0= ·

• Transition function (δ):

Consider processing the action a in state σ.

(A) IfˆP(σ;a) then emit the action a and continue in state σ;a.

(B) If ¬ˆP(σ;a) then simply stop (i.e., we leave δ is undefined in this

case).

(the sequence of actions seen so far)

(the empty sequence)

The automaton maintains the invariant Invp(q) that q = σ and σ has been

output andˆP(σ). The automaton can initially establish Invp(q0) since our

definition of a property assumesˆP(·) for all properties. A simple inductive

argument on the length of the input σ suffices to show that the invariant is

maintained for all inputs.

We now show that this automaton precisely enforcesˆP on any σ ∈ Σ (where

Σ = A?because the system is uniform). There are two cases to consider.

• CaseˆP(σ):

Consider any prefix τ of σ. If ¬ˆP(τ) then by the safety constraint stated

in the theorem and the fact that τ ? σ, we would have ¬ˆP(σ), contrary to

the assumption thatˆP(σ). Therefore,ˆP(τ) must be true for all prefixes

τ of σ, so by examination of the transition function given above, the

automaton must accept every prefix of σ without ever halting.

• Case ¬ˆP(σ):

Invpmaintains that regardless of the state of the automaton, it has always

emitted some σ such thatˆP(σ).

The automaton correctly precisely enforcesˆP in both cases.

30

Page 31

(Only-If Direction)

Σ = A?, we have σ ∈ Σ, so the truncation automaton T must edit σ when σ is

supplied as input. That is, since T precisely enforcesˆP and ¬ˆP(σ) and σ ∈ Σ,

it cannot be the case that (σ,q0)=⇒T (·,q?) for some q?. Suppose for the sake

of obtaining a contradiction that ∃σ?∈ Σ.σ ? σ?∧ˆP(σ?). Then by the definition

of precise enforcement, all actions of σ?must be accepted without any editing,

implying (since σ is later extended to σ?) that (σ,q0)

which we just showed cannot be true. Therefore, ∃σ?∈ Σ.σ ? σ?∧ˆP(σ?) is not

true, so ∀σ?∈ Σ.σ ? σ?⇒ ¬ˆP(σ?).

Consider any σ ∈ pre(Σ) such that ¬ˆP(σ). Because

σ

σ

=⇒T (·,q?) for some q?,

?

Theorem 2 (Nonuniform Precise T-Enforcement)

A propertyˆP on the system S = (A,Σ) can be precisely enforced by some

truncation automaton if and only if there exists a decidable predicate D such

that for all executions σ ∈ pre(Σ), if ¬ˆP(σ) then

1. D(σ) ⇒ (∀σ?∈ Σ.σ ? σ?⇒ ¬ˆP(σ?))

2. ¬D(σ) ⇒ (∀σ?∈ Σ.σ ? σ?⇒ ∃τ ∈ A?.(σ;τ ? σ?∧ˆP(σ;τ)))

Proof (If Direction) We construct a truncation automaton that precisely en-

forces any suchˆP as follows.

• States: q ∈ pre(Σ) × {+,−}

with + (-) to indicate that this sequence is (is not) in the property)

(the sequence of actions seen so far paired

• Start state: q0= ?·,+?

• Transition function (δ):

Consider processing the action a in state q.

(the empty sequence)

(A) If q = ?σ,+? andˆP(σ;a) then emit the action a and continue in state

?σ;a,+?.

(B) If q = ?σ,+? and ¬ˆP(σ;a) and D(σ;a) then simply stop (i.e., δ is

undefined in this case).

(C) If q = ?σ,+? and ¬ˆP(σ;a) and ¬D(σ;a) then emit a and continue in

state ?σ;a,−?

(D) If q = ?σ,−? and ¬ˆP(σ;a) then emit the action a and continue in

state ?σ;a,−?.

(E) If q = ?σ,−? andˆP(σ;a) then emit the action a and continue in state

?σ;a,+?.

The automaton maintains the following invariant Invp(q) when processing

some input τ ∈ Σ.

• If q = ?σ,+? then σ is the prefix of τ input so far and σ has been emitted

andˆP(σ).

31

Page 32

• If q = ?σ,−? then σ is the prefix of τ input so far and σ has been emitted

and ¬ˆP(σ) and ∀σ?∈ Σ.σ ? σ?⇒ ∃τ ∈ A?.(σ;τ ? σ?∧ˆP(σ;τ)).

The automaton can initially establish Invp(q0) since our definition of a prop-

erty assumesˆP(·) for all properties. A simple inductive argument on the length

of the input σ suffices to show that the invariant is maintained for all inputs.

The automaton never halts in some state ?σ,−? because the precondition

for entering this state given in automaton transition (C) (¬D(σ), implying that

∀σ?∈ Σ.σ ? σ?⇒ ∃τ ∈ A?.σ;τ ? σ?∧ˆP(σ;τ)) guarantees that we will

eventually reach some prefix of the input that is in the property. When this

occurs after having input some σ;τ, the automaton will follow transition (E) to

return to state ?σ;τ,+?.

In addition, we note that all transitions of the truncation automaton have

decidable boolean guards, so the automaton must indeed halt on all inputs.

Thus, when some σ?∈ Σ is input into this automaton, the machine either

halts in state ?σ?,+? or halts by following transition (B). In the latter case,

by examination of the guard for transition (B) and Invp, the final state must

have been ?σ,+? for some σ ? σ?. In any case, Invpensures that whenever the

automaton halts, it has emitted some σ such thatˆP(σ).

Finally, we must show that this automaton accepts every action in any input

sequence σ?such thatˆP(σ?). In such a case, the predicate ∀σ?∈ Σ.σ ? σ?⇒

¬ˆP(σ?) can clearly never be true for any σ such that σ ? σ?, so by the contra-

positive of clause (1) in the theorem, ¬D(σ) for all σ such that σ ? σ?. The

only transition that could prevent the automaton from accepting all actions in

σ?is (B), but this transition cannot be followed on input σ?because it requires

D(σ) to be true for some σ ? σ?. The automaton can therefore never follow

transition (B) on input σ?, so it must accept every action in σ?, as required.

(Only-If Direction)

a decision procedure D such that for all σ ∈ pre(Σ) where ¬ˆP(σ),

1. D(σ) ⇒ (∀σ?∈ Σ.σ ? σ?⇒ ¬ˆP(σ?))

2. ¬D(σ) ⇒ (∀σ?∈ Σ.σ ? σ?⇒ ∃τ ∈ A?.(σ;τ ? σ?∧ˆP(σ;τ)))

The decision procedure simply runs T on input σ and evaluates to true if

and only if T prematurely halts. That is, let D(σ) be true if and only if T

at some point steps via rule T-Stop on input σ. T is a precise enforcer and

as such must halt within finite time on all inputs (since ∀σ ∈ Σ.∃q?.∃σ?∈

A?.(σ,q0)

∀σ?∈ Σ.σ ? σ?⇒ ¬ˆP(σ?) because halting on σ prevents the automaton from

precisely enforcingˆP on any σ?such that σ ? σ?andˆP(σ?). Finally, ¬D(σ)

implies that ∀σ?∈ Σ.σ ? σ?⇒ ∃τ ∈ A?.(σ;τ ? σ?∧ˆP(σ;τ)). In this case,

we have (σ,q0)=⇒T(·,q?) for some q?, so because T is a truncation automaton

precisely enforcingˆP and must therefore emit some prefix σ;τ of its input σ?

such thatˆP(σ;τ) (when T has already emitted σ on input σ and σ ? σ?), we

Given some truncation automaton T, we must construct

σ?

=⇒T (·,q?)), so D is a decidable predicate. Also, D(σ) implies that

σ

32

Page 33

conclude that ∀σ?∈ Σ.σ ? σ?⇒ ∃τ ∈ A?.(σ;τ ? σ?∧ˆP(σ;τ)).

?

Theorem 3 (Effective T-Enforcement)

A propertyˆP on the system S = (A,Σ) can be effectively enforced by some

truncation automaton if and only if there exists a computable truncation-rewrite

function α?such that for all executions σ ∈ Σ,

1. If ¬ˆP(σ) thenˆP(α?(σ))

2. IfˆP(σ) then σ∼= α?(σ)

Proof (If Direction) We construct a truncation automaton that effectively en-

forces any suchˆP as follows.

• States: q ∈ pre(Σ)

• Start state: q0= ·

• Transition function (δ):

Consider processing the action a in state σ.

(the sequence of actions seen so far)

(for the empty sequence)

(A) If α?(σ;a) = α?(σ);a then emit a and continue in state σ;a.

(B) If α?(σ;a) = α?(σ) and H(α?,σ;a) then halt (i.e., we leave δ unde-

fined in this case).

The automaton maintains the invariant Invp(q) that q = σ and σ is the

input so far and the automaton has emitted α?(σ). Initially, Invp(q0) because

α?(·) = ·, and a simple inductive argument on the length of the input σ suffices

to show that the invariant is maintained for all inputs.

We now show that the automaton emits α?(σ) when the input is σ. There

are two cases, derived by inspection of the truncation automaton. In the first

case, the automaton halts in state σ, so by Invp(σ), α?(σ) has been emitted.

Otherwise, the automaton must halt in some state σ?such that σ?? σ and

H(α?,σ?). Invp(σ?) then implies that α?(σ?) has been emitted when the au-

tomaton halts. However, H(α?,σ?) and σ?? σ imply that α?(σ?) = α?(σ), so

the automaton has in fact emitted α?(σ) when it halts in this case as well.

Consider any execution σ ∈ Σ. By clause (1) in the theorem statement,

if ¬ˆP(σ) thenˆP(α?(σ)). Because α?(σ) is actually what the automaton out-

puts on input σ, it correctly effectively enforces any σ ∈ Σ such that ¬ˆP(σ).

Similarly, clause (2) of the theorem states that ifˆP(σ) then σ∼= α?(σ), so

the automaton’s output is equivalent to its input whenˆP(σ). The automaton

therefore effectively enforcesˆP.

33

Page 34

(Only-If Direction)

truncation automaton on input σ. By this definition, α?(σ) is a computable

function because the automaton is an effective enforcer and as such acts deter-

ministically and halts on all inputs in the set of executions (Σ). We first show

that this is a truncation-rewrite function. Clearly, α?(·) = ·. When processing

some action a after having already processed any sequence σ, the automaton

may step via T-Step or T-Stop.

Define α?(σ) to be whatever sequence is emitted by the

• Case T-Step: The automaton emits whatever has been emitted in pro-

cessing σ (by definition, this is α?(σ)), followed by a.

• Case T-Stop: The automaton emits only what has already been emitted,

so α?(σ;a) = α?(σ). Because the automaton halts, it may not examine

any remaining input, implying that H(α?,σ;a) is true.

In any case, the truncation automaton’s output adheres to the definition of a

truncation-rewrite function.

Now consider any arbitrary σ ∈ Σ. By the definition of effective enforcement

and that α?(σ) is defined to be whatever sequence is emitted by the truncation

automaton on input σ,ˆP(α?(σ)) andˆP(σ) ⇒ σ∼= α?(σ).

?

Theorem 4 (Uniform Precise S-Enforcement)

A propertyˆP on the uniform system S = (A,Σ) can be precisely enforced by a

suppression automaton if and only if ∀σ ∈ pre(Σ).¬ˆP(σ) ⇒ ∀σ?∈ Σ.(σ ? σ?⇒

¬ˆP(σ?)).

Proof Both directions proceed completely analogously to the proof of Uniform

Precise T-Enforcement.

?

Theorem 5 (Nonuniform Precise S-Enforcement)

A propertyˆP on the system S = (A,Σ) can be precisely enforced by some

suppression automaton if and only if there exists a computable suppression-

rewrite function ω?such that for all sequences σ ∈ Σ,

1. If ¬ˆP(σ) thenˆP(ω?(σ)).

2. IfˆP(σ) then ω?(σ) = σ.

Proof (If Direction) We construct a suppression automaton that precisely en-

forces any suchˆP as follows.

• States: q ∈ pre(Σ)

• Start state: q0= ·

• Transition and suppression functions (combined for simplicity):

Consider processing the action a in state q = σ.

(the sequence of actions seen so far)

(the empty sequence)

34

Page 35

(A) If ω?(σ;a) = ω?(σ);a then emit a and continue in state σ;a.

(B) If ω?(σ;a) = ω?(σ) then suppress a and continue in state σ;a.

This suppression automaton maintains the invariant Invp(q) that q = σ and

σ is the input seen so far and ω?(σ) has been output. Initially, Invp(q0) because

ω?(·) = ·, and a simple inductive argument on the length of the input σ suffices

to show that the invariant is maintained for all inputs.

By inspection of the automaton, we note that when processing some input

σ ∈ Σ, the automaton always halts in state σ because there is no more input

to process. Thus, Invp(σ) ensures that the automaton always emits ω?(σ)

whenever the input to the automaton is σ.

Consider any execution σ ∈ Σ. By clause (1) in the theorem statement, if

¬ˆP(σ) thenˆP(ω?(σ)). Because ω?(σ) is actually what the automaton outputs

on input σ, it correctly precisely enforces any σ ∈ Σ such that ¬ˆP(σ). Similarly,

by clause (2), the automaton never suppresses any action (i.e., it accepts every

action) in its input σ whenˆP(σ). The automaton therefore precisely enforces

ˆP.

(Only-If Direction)

suppression automaton on input σ. By this definition, ω?(σ) is a computable

function because the automaton is a precise enforcer and as such acts deter-

ministically and halts on all inputs in the set of executions (Σ). We first show

that this is indeed a suppression-rewrite function. Clearly, ω?(·) = ·. When

processing some action a after having already processed any sequence σ, the

automaton may step via S-StepA, S-StepS, or S-Stop. In the S-StepA case,

the automaton emits whatever has been emitted in processing σ (by definition,

this is ω?(σ)), followed by a. In the other cases, the automaton emits only

ω?(σ). Hence, ω?is a valid suppression function.

Now consider any arbitrary σ ∈ Σ. By the definition of precise enforcement

and that ω?(σ) is defined to be whatever sequence is emitted by the suppression

automaton on input σ,ˆP(ω?(σ)) (because all final outputs must be in the

property) andˆP(σ) ⇒ σ = ω?(σ) (because no suppressions or halting may

occur on inputs that are in the property).

Define ω?(σ) to be whatever sequence is emitted by the

?

Theorem 6 (Effective S-Enforcement)

A propertyˆP on the system S = (A,Σ) can be effectively enforced by some

suppression automaton if and only if there exists a computable suppression-

rewrite function ω?such that for all executions σ ∈ Σ,

1. If ¬ˆP(σ) thenˆP(ω?(σ))

2. IfˆP(σ) then σ∼= ω?(σ)

Proof(If Direction) We construct a suppression automaton that effectively

enforces any suchˆP as follows.

35

Page 36

• States: q ∈ pre(Σ)

• Start state: q0= ·

• Transition and suppression functions (combined for simplicity):

Consider processing the action a in state q = σ.

(the sequence of actions seen so far)

(the empty sequence)

(A) If ω?(σ;a) = ω?(σ);a then emit a and continue in state σ;a.

(B) If ω?(σ;a) = ω?(σ) then suppress a and continue in state σ;a.

This is the same automaton constructed in the proof of Nonuniform Precise

S-Enforcement, so by the same reasoning given there, this automaton always

emits ω?(σ) whenever the input to the automaton is σ.

Analogously to the argument given in the Effective T-Enforcement theorem,

because the automaton always outputs ω?(σ) on input σ, clauses (1) and (2) in

the theorem statement ensure that the automaton effectively enforcesˆP.

(Only-If Direction)

suppression automaton on input σ. This is a computable suppression-rewrite

function by the same argument given in the Only-If Direction of the proof of

Nonuniform Precise S-Enforcement. Moreover, given that the automaton is an

effective enforcer ofˆP and ω?(σ) always matches the output of the automaton

on input σ, both requirements ofˆP stated in the theorem are clearly met.

Define ω?(σ) to be whatever sequence is emitted by the

?

Theorem 7 (Uniform Precise I-Enforcement)

A propertyˆP on the uniform system S = (A,Σ) can be precisely enforced by

an insertion automaton if and only if ∀σ ∈ pre(Σ).¬ˆP(σ) ⇒ ∀σ?∈ Σ.(σ ? σ?⇒

¬ˆP(σ?)).

Proof Both directions proceed completely analogously to the proof of Uniform

Precise T-Enforcement.

?

Theorem 8 (Nonuniform Precise I-Enforcement)

A propertyˆP on the system S = (A,Σ) can be precisely enforced by some

insertion automaton if and only if there exists a computable function γpsuch

that for all executions σ ∈ pre(Σ), if ¬ˆP(σ) then

1. ∀σ?∈ Σ.σ ? σ?⇒ ¬ˆP(σ?), or

2. σ ?∈ Σ andˆP(σ;γp(σ))

Proof(If Direction) We construct an insertion automaton that precisely en-

forces any suchˆP as follows.

• States: q ∈ pre(Σ) ∪ {end}

if the automaton will stop on the next step)

(the sequence of actions seen so far, or end

36

Page 37

• Start state: q0= ·

• Transition and insertion functions (for simplicity, we combine δ and γ):

Consider processing the action a in state q.

(the empty sequence)

(A) If q=end then stop (i.e., δ and γ are undefined, so rule I-Stop ap-

plies).

(B) Else if q = σ andˆP(σ;a) then emit a and continue in state σ;a.

(C) Else if q = σ and ¬ˆP(σ;a) and σ;a ?∈ Σ andˆP(σ;a;γp(σ;a)) then

emit a and continue in state σ;a

(D) Else if q = σ and ¬ˆP(σ;a) and ∀σ?∈ Σ.σ;a ? σ?⇒ ¬ˆP(σ?) and

ˆP(σ) then stop.

(E) Else if q = σ and ¬ˆP(σ;a) and ∀σ?∈ Σ.σ;a ? σ?⇒ ¬ˆP(σ?) and

¬ˆP(σ) then insert γp(σ) and continue in state end.

This automaton halts on all inputs σ ∈ Σ because only decidable boolean

predicates need to be evaluated during execution. Note that if transitions (A),

(B), and (C) are not followed, then by clauses (1) and (2) given in the statement

of this theorem, it must be the case that ∀σ?∈ Σ.σ;a ? σ?⇒ ¬ˆP(σ?). Therefore,

after eliminating transitions (A), (B), and (C), the only test that needs to be

performed in order to determine which of transitions (D) and (E) to apply is

whetherˆP(σ), which is assumed to be a decidable predicate (possibly in contrast

to the predicate ∀σ?∈ Σ.σ;a ? σ?⇒ ¬ˆP(σ?)).

If σ is the input so far, the automaton maintains the following invariant

Invp(q).

• If q = σ then σ has been emitted and eitherˆP(σ) or (¬ˆP(σ) and σ ?∈ Σ

andˆP(σ;γp(σ))).

• Otherwise, q = end and the automaton has emitted σ;γp(σ) andˆP(σ;γp(σ)).

Initially, Invp(q0) since our definition of a property assumesˆP(·) for all

properties. A simple inductive argument on the length of the input σ suffices

to show that the invariant is maintained for all inputs.

Given this invariant, it is straightforward to show that the automaton pro-

cesses every input σ ∈ Σ properly and precisely enforcesˆP. There are two

cases.

• CaseˆP(σ):

Consider any prefix σ[..i]. By induction on i, we show that the automaton

accepts σ[..i] without stopping, inserting any actions, or moving to the

state end.

– IfˆP(σ[..i]) then the automaton accepts this prefix using transition

(B) and continues.

37

Page 38

– If ¬ˆP(σ[..i]) then since σ[..i] ? σ andˆP(σ), clause (1) in the theorem

statement cannot be true of σ[..i], so σ[..i] ?∈ Σ andˆP(σ[..i];γp(σ[..i])).

Hence, the automaton accepts this prefix using transition (C) and

continues.

• Case ¬ˆP(σ):

The automaton may halt by applying transitions (A) or (D), or by running

out of input actions to process. Thus, the final state prior to halting must

be one of the following.

– end, if transition (A) is applied

– σ?such that σ?? σ andˆP(σ?), if transition (D) is applied

– σ, if the automaton ran out of input actions

In the first case, Invp(end) ensures that the automaton’s output is in the

property. The second case dictates thatˆP(σ?), and Invp(σ?) implies that

σ?is the automaton’s output. The third case cannot occur because ¬ˆP(σ)

and σ ∈ Σ contradict Invp(σ). Therefore, the automaton always outputs

some sequence that is in the property.

(Only-If Direction)

insertion automaton I conforms to the constraints outlined in the theorem, we

define a decidable algorithm for computing γp(σ) for all σ ∈ pre(Σ). This

definition follows.

To show that any propertyˆP precisely enforced by an

1. Run insertion automaton I on input σ to completion.

2. If I does not output exactly σ on input σ then let γp(σ) = ·.

3. Otherwise, begin searching for a τ ∈ A?such thatˆP(σ;τ). Once the first

such τ is found, let γp(σ) = τ.

Steps (1) and (2) require only finite time because I is a precise enforcer and

as such must halt within finite time on all inputs (since ∀σ ∈ Σ.∃q?.∃σ?∈

A?.(σ,q0)

exactly σ on input σ. Because σ ∈ pre(Σ), there must be some τ?∈ Σ such

that σ ? τ?. Moreover, since I enforcesˆP, I must output some sequence σ?on

input τ?such thatˆP(σ?), but because (σ,q0)

and σ ? τ?, we have σ?= σ;τ for some τ ∈ A?. Thus guaranteed that at least

one τ exists such thatˆP(σ;τ), we can search A?for this τ in finite time because

A?is countable (though possibly countably infinite). This algorithm therefore

halts on all inputs σ ∈ pre(Σ), meeting the constraint that γpbe a computable

function.

Next, we consider any arbitrary σ ∈ pre(Σ) such that ¬ˆP(σ) and show that

one of the following must hold.

σ?

=⇒I (·,q?)). Now consider step (3), which occurs when I outputs

σ

=⇒I (·,q?), (τ?,q0)

σ?

=⇒I (·,q??),

1. ∀σ?∈ Σ.σ ? σ?⇒ ¬ˆP(σ?), or

38

Page 39

2. σ ?∈ Σ andˆP(σ;γp(σ))

Consider any case in which (1) does not hold. Then, ∃σ?∈ Σ.σ ? σ?∧ˆP(σ?),

so I must output exactly σ on input σ (because σ may later be extended to σ?,

which must be precisely enforced by accepting every action in σ?). By the defi-

nition of γp(σ), then,ˆP(σ;γp(σ)). Also, since (σ,q0)

case that σ ?∈ Σ (if σ ∈ Σ thenˆP(σ) because I is a precise enforcer, contrary

to the assumption that ¬ˆP(σ)). Thus, (2) must hold whenever (1) does not.

σ

=⇒I(·,q?), it must be that

?

Theorem 9 (Precise S-Enforceable Subset of Precise I-Enforceable)

If there exists a suppression automaton S= (Qs,q0s,δs,ω) that precisely en-

forcesˆP on some system (A,Σ) then there exists an insertion automaton I=

(Qi,q0i,δi,γ) that precisely enforcesˆP on the same system.

Proof We construct I as follows and then show that it precisely enforcesˆP.

• States: Qi= pre(Σ) ∪ {end}

actions seen so far, or end if the automaton will stop on the next step)

(a state q ∈ Qirepresents the sequence of

• Start state: q0i= ·

• Transition and insertion functions (we combine δiand γifor simplicity):

Consider processing the action a in state q.

(the empty sequence)

(A) If q = end then halt.

(B) If q = σ and (σ;a,q0s)

continue in state σ;a.

(C) If q = σ and (σ;a,q0s)

τ ∈ A?found such thatˆP(σ;τ) and continue in state end.

We show that I precisely enforcesˆP by considering two cases of σ ∈ Σ. If

ˆP(σ) then because S precisely enforcesˆP, S must accept every action in σ.

Therefore, the boolean guard on transition (B) in insertion automaton I will

always evaluate to true (in finite time because S is a precise enforcer and as

such must halt on all inputs in finite time), so I will also accept every action in

σ, thereby correctly precisely enforcingˆP on any σ ∈ Σ such thatˆP(σ).

In the other case, ¬ˆP(σ), implying that S must somehow edit σ so that its

output is in the property. Let σ[j] be the first action in σ that is not accepted

by S, implying that S (and therefore I) accepts and emits σ[..j − 1]. Since S

precisely enforcesˆP, there must exist some τ ∈ A?such thatˆP(σ[..j − 1];τ),

so that S can emit σ[..j − 1];τ on input σ (in the case of S halting at σ[j], we

have τ = ·). Because S’s first suppression or halting occurs at σ[j], insertion

automaton I must follow transition (C) when it reaches σ[j], and because there

must exist some τ ∈ A?such thatˆP(σ[..j − 1];τ), automaton I will find and

insert the requisite τ in finite time (since A?must be countable, though possibly

countably infinite). Therefore, the final output of I on input σ (i.e., σ[..j−1];τ)

σ;a

=⇒S (·,q?) for some q?then accept a and

σ

=⇒S (·,q?) for some q?then insert the first

39

Page 40

is in the property, as required to precisely enforceˆP.

?

Theorem 10 (Effective I-Enforcement)

A propertyˆP on the system S = (A,Σ) can be effectively enforced by some

insertion automaton if and only if there exists a computable insertion-rewrite

function γ?such that for all executions σ ∈ Σ,

1. If ¬ˆP(σ) thenˆP(γ?(σ))

2. IfˆP(σ) then σ∼= γ?(σ)

Proof (If Direction) We construct an insertion automaton that effectively en-

forces any suchˆP as follows.

• States: q ∈ (pre(Σ) × {+,−}) ∪ {end}

far paired with + (-) to indicate that the automaton did not (did) most

recently step via rule I-Ins, or end if the automaton will stop on the next

step)

(the sequence of actions seen so

• Start state: q0= ?·,+?

• Transition and insertion functions (for simplicity, we combine δ and γ):

Consider processing the action a in state q.

(for the empty sequence)

(A) If q = end then stop.

(B) If q = ?σ;a,−? then emit the action a and continue in state ?σ;a,+?.

(C) If q = ?σ,+? and γ?(σ;a) = γ?(σ);τ;a then insert τ and continue in

state ?σ;a,−?.

(D) If q = ?σ,+? and γ?(σ;a) = γ?(σ);τ and ∀τ?∈ A?.τ ?= τ?;a and

H(γ?,σ;a) then insert τ and continue in state end.

The automaton maintains the following invariant Invp(q).

• If q = ?σ,+? then σ is the input so far and the automaton has emitted

γ?(σ).

• If q = end then σ is the input so far and the automaton has emitted γ?(σ)

and H(γ?,σ).

• Otherwise, q = ?σ;a,−? and σ;a is the input so far and γ?(σ;a) =

γ?(σ);τ;a and the automaton has emitted γ?(σ);τ.

Initially, Invp(q0) because γ?(·) = ·, and a simple inductive argument on

the length of the input σ suffices to show that the invariant is maintained for

all inputs.

We now show that the automaton emits γ?(σ) when the input is σ. There are

two cases, derived by inspection of the insertion automaton. In the first case,

the automaton halts in state ?σ,+?, so by Invp(σ), γ?(σ) has been emitted.

40

Page 41

Otherwise, the automaton must halt in state end, having only seen input σ?

such that σ?? σ. In this case, Invp(end) implies that γ?(σ?) has been emitted

when the automaton halts and H(γ?,σ?). However, H(γ?,σ?) and σ?? σ imply

that γ?(σ?) = γ?(σ), so the automaton has in fact emitted γ?(σ) when it halts

in this case as well. Note that the automaton cannot halt in state ?σ;a,−?

because the next step will always be to emit a and continue in state ?σ;a,+?

(using transition (B)).

Analogously to the argument given in the Effective T-Enforcement theorem,

because the automaton always outputs γ?(σ) on input σ, clauses (1) and (2) in

the theorem statement ensure that the automaton effectively enforcesˆP.

(Only-If Direction)

the insertion automaton on input σ. By this definition, γ?(σ) is a computable

function because the automaton is an effective enforcer and as such acts deter-

ministically and halts on all inputs in the set of executions (Σ). We first show

that this is an insertion-rewrite function. Clearly, γ?(·) = ·. When processing

some action a after having already processed any sequence σ, the automaton

may step via I-Step, I-Ins, or I-Stop.

Define γ?(σ) to be whatever sequence is emitted by

• Case I-Step: Here the automaton emits whatever has been emitted in

processing σ (by definition, this is γ?(σ)), followed by a. Thus, γ?(σ;a) =

γ?(σ);τ;a, where τ = ·.

• Case I-Stop: Here the automaton emits only what has already been

emitted, so γ?(σ;a) = γ?(σ);τ, where τ = · and ∀τ?∈ A?.τ ?= τ?;a.

Because the automaton halts, it may not examine any remaining input,

implying that H(γ?,σ;a).

• Case I-Ins: Because the automaton effectively enforcesˆP, it may only

insert a finite sequence of symbols before either accepting or halting on

the current action. That is, although the automaton may apply rule I-Ins

multiple times in succession, the end result must be the insertion of only

a finite sequence of actions, followed by acceptance or termination. In the

case of ultimate acceptance, the net output of the automaton, γ?(σ;a),

is γ?(σ);τ;a. In the case of ultimate termination, no more input may be

examined, so H(γ?,σ;a) and either γ?(σ;a) = γ?(σ);τ;a (if a was the

last inserted action), or γ?(σ;a) = γ?(σ);τ and ∀τ?∈ A?.τ ?= τ?;a (if a

was not the last inserted action).

In any case, the insertion automaton’s output adheres to the definition of an

insertion-rewrite function.

Now consider an arbitrary σ ∈ Σ. By the definition of effective enforcement

and that γ?(σ) is defined to be whatever sequence is emitted by the insertion

automaton on input σ,ˆP(γ?(σ)) andˆP(σ) ⇒ σ∼= γ?(σ).

?

41

Page 42

Theorem 11 (Uniform Precise E-Enforcement)

A propertyˆP on the uniform system S = (A,Σ) can be precisely enforced by

an edit automaton if and only if ∀σ ∈ pre(Σ).¬ˆP(σ) ⇒ ∀σ?∈ Σ.(σ ? σ?⇒

¬ˆP(σ?)).

Proof Both directions proceed completely analogously to the proof of Uniform

Precise T-Enforcement.

?

Theorem 12 (Nonuniform Precise E-Enforcement)

A propertyˆP on the system S = (A,Σ) can be precisely enforced by some edit

automaton if and only if there exists a computable function γpsuch that for all

executions σ ∈ pre(Σ), if ¬ˆP(σ) then

1. ∀σ?∈ Σ.σ ? σ?⇒ ¬ˆP(σ?), or

2. σ ?∈ Σ andˆP(σ;γp(σ))

Proof (If Direction) By the Nonuniform Precise I-Enforcement theorem, given

a function γp and a propertyˆP satisfying the requirements stated above, we

may build an insertion automaton I = (Q,q0,δ,γ) to enforceˆP. Then, we can

construct an edit automaton E = (Q,q0,δ,γ,ω), where ω is defined to be + over

all of its domain (the same domain as δ). Clearly, E and I enforce the same

property because whenever I steps via I-Step, I-Ins, or I-Stop, E respectively

steps via E-StepA, E-Ins, or E-Stop, while emitting exactly the same actions

as I. Because I precisely enforcesˆP, so too must E.

(Only-If Direction)

Only-If Direction of the proof of Nonuniform Precise I-Enforcement.

This direction proceeds completely analogously to the

?

Theorem 13 (Effective E-Enforcement)

Any propertyˆP on the system S = (A,Σ) can be effectively enforced by some

edit automaton.

Proof We construct an edit automaton that effectively enforces anyˆP as follows.

• States: q ∈ pre(Σ) × A?× {+,−}

the actions seen but not emitted, and + (-) to indicate that the automaton

must not (must) suppress the current action)

(the sequence of actions seen so far,

• Start state: q0= ?·,·,+?

• Transition, insertion, and suppression functions (for simplicity, we com-

bine δ, γ, and ω):

Consider processing the action a in state q.

(for the empty sequence)

(A) If q = ?σ,τ,+? and ¬ˆP(σ;a) then suppress a and continue in state

?σ;a,τ;a,+?.

42

Page 43

(B) If q = ?σ,τ,+? andˆP(σ;a) then insert τ;a and continue in state

?σ;a,·,−?.

(C) If q = ?σ;a,·,−? then suppress a and continue in state ?σ;a,·,+?.

The automaton maintains the following invariant Invp(q).

• If q = ?σ,τ,+? then σ is the input so far and σ = σ?;τ (for some σ?∈ A?)

and the automaton has emitted σ?and σ?is the longest prefix of σ such

thatˆP(σ?).

• Otherwise, q = ?σ;a,·,−? and σ;a is the input so far and σ;a has been

emitted andˆP(σ;a).

Initially, Invp(q0) becauseˆP(·), and a simple inductive argument on the

length of the input σ suffices to show that the invariant is maintained for all

inputs.

By inspection, we note that the edit automaton cannot halt in state ?σ;a,·,−?

because the next step will always be to suppress a and continue in state ?σ;a,·,+?

(using transition (C)). Therefore, the automaton always halts in some state

?σ,τ,+? on input σ, so Invp(?σ,τ,+?) ensures that the automaton emits some

σ?such thatˆP(σ?) on all inputs. In addition, Invp(?σ,τ,+?) implies that if

ˆP(σ) then σ = σ?, so the automaton must emit exactly σ on input σ whenever

ˆP(σ). This edit automaton thus effectively enforcesˆP.

?

43