Edit automata: enforcement mechanisms for run-time security policies

International Journal of Information Security (Impact Factor: 0.48). 01/2005; 4(1):2-16. DOI: 10.1007/s10207-004-0046-8
Source: CiteSeer

ABSTRACT We analyze the space of security policies that can be enforced by monitoring and modifying programs at run time. Our program monitors, called edit automata, are abstract machines that examine the sequence of application program actions and transform the sequence when it deviates from a specified policy. Edit automata have a rich set of transformational powers: they may terminate an application, thereby truncating the program action stream; they may suppress undesired or dangerous actions without necessarily terminating the program; and they may also insert additional actions into the event stream.After providing a formal definition of edit automata, we develop a rigorous framework for reasoning about them and their cousins: truncation automata (which can only terminate applications), suppression automata (which can terminate applications and suppress individual actions), and insertion automata (which can terminate and insert). We give a set-theoretic characterization of the policies each sort of automaton can enforce, and we provide examples of policies that can be enforced by one sort of automaton but not another.

1 Bookmark
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Lazy controllers are a class of execution monitors that do not continuously observe the behaviour of their target. Monitors are activated and deactivated according to a scheduling strategy. When a lazy controller is activated, it checks the current security state and, in case of a violation, terminates the execution. Instead, if the current execution trace is safe, the monitor is suspended and its activation is scheduled again. The inactivity period is computed by considering the risk that, from the current state, the target can reach a faulty configuration. This behaviour is particularly interesting for systems which is difficult to monitor with standard solutions, e.g., web services. In this paper we present a prototype using existing logging API, i.e., the Commons Logging Package, for remotely watching the execution of OSGi bundles. We claim that our solution can efficiently follow the target system keeping under control the delay in detecting violations. Also, as we use standard OSGi platform and facilities, we show that our monitors can run under very realistic assumptions in the context of web services.
    Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), 2012 Sixth International Conference on; 01/2012
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Novel approaches for dynamic information flow monitoring are promis-ing since they enable permissive (accepting a large subset of executions) yet sound (rejecting all unsecure executions) enforcement of non-interference. In this paper, we present a dynamic information flow monitor for a language support-ing pointers. Our flow-sensitive monitor relies on prior static analysis in order to soundly enforce non-interference. We also propose a program transformation that preserves the behavior of initial programs and soundly inlines our security moni-tor. This program transformation enables both dynamic and static verification of non-interference.
    International Information Security and Privacy Conference; 07/2013
  • Source
    [Show abstract] [Hide abstract]
    ABSTRACT: Mixed Flash and JavaScript content has become increasingly prevalent; its purveyance of dynamic features unique to each platform has popularized it for myriad web development projects. Although Flash and JavaScript security has been examined extensively, the security of untrusted content that combines both has received considerably less attention. This article considers this fusion in detail, outlining several practical scenarios that threaten the security of web applications. The severity of these attacks warrants the development of new techniques that address the security of Flash-JavaScript content considered as a whole, in contrast to prior solutions that have examined Flash or JavaScript security individually. Toward this end, the article presents FlashJaX, a cross-platform solution that enforces fine-grained, history-based policies that span both Flash and JavaScript. Using in-lined reference monitoring, FlashJaX safely embeds untrusted JavaScript and Flash content in web pages without modifying browser clients or using special plug-ins. The architecture of FlashJaX, its design and implementation, and a detailed security analysis are exposited. Experiments with advertisements from popular ad networks demonstrate that FlashJaX is transparent to policy-compliant advertisement content, yet blocks many common attack vectors that exploit the fusion of these web platforms.
    IEEE Transactions on Dependable and Secure Computing 09/2014; · 1.06 Impact Factor


Available from