Article

Edit automata: enforcement mechanisms for run-time security policies

International Journal of Information Security (Impact Factor: 0.48). 01/2005; 4(1):2-16. DOI: 10.1007/s10207-004-0046-8
Source: CiteSeer

ABSTRACT: We analyze the space of security policies that can be enforced by monitoring and modifying programs at run time. Our program monitors, called edit automata, are abstract machines that examine the sequence of application program actions and transform the sequence when it deviates from a specified policy. Edit automata have a rich set of transformational powers: they may terminate an application, thereby truncating the program action stream; they may suppress undesired or dangerous actions without necessarily terminating the program; and they may also insert additional actions into the event stream. After providing a formal definition of edit automata, we develop a rigorous framework for reasoning about them and their cousins: truncation automata (which can only terminate applications), suppression automata (which can terminate applications and suppress individual actions), and insertion automata (which can terminate and insert). We give a set-theoretic characterization of the policies each sort of automaton can enforce, and we provide examples of policies that can be enforced by one sort of automaton but not another.
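The following Python program is an added illustration of the three kinds of monitor the abstract names; it is example code written for this page, not code from the paper or its authors. The action names (`open`, `encrypt`, `send`, `read_secret`, `close`), the policy (no `send` after a secret has been read, and every `send` must be preceded by a fresh `encrypt`) and the sample trace are all constructed here. A truncation automaton can only halt the program, a suppression automaton can drop individual actions, and an edit automaton can additionally insert actions, so the same trace produces three different executed streams.

```python
from typing import Callable, Iterable

# Monitor state: (secret_read, encrypt_ready). The action names and the
# policy below are constructed for this example; they are not from the paper.
State = tuple[bool, bool]
StepFn = Callable[[State, str], tuple[State, list[str], bool]]
START: State = (False, False)


def satisfies(trace: list[str]) -> bool:
    """Constructed policy: (1) no 'send' may occur after 'read_secret', and
    (2) every 'send' must be preceded by an 'encrypt' issued since the previous
    'send'. Used to check that each monitor's output is policy-compliant."""
    secret_read, encrypt_ready = START
    for a in trace:
        if a == "read_secret":
            secret_read = True
        elif a == "encrypt":
            encrypt_ready = True
        elif a == "send":
            if secret_read or not encrypt_ready:
                return False
            encrypt_ready = False
    return True


def _update(state: State, a: str) -> State:
    """State transition for an action the monitor lets through."""
    secret_read, encrypt_ready = state
    if a == "read_secret":
        secret_read = True
    elif a == "encrypt":
        encrypt_ready = True
    elif a == "send":
        encrypt_ready = False
    return (secret_read, encrypt_ready)


def _violates(state: State, a: str) -> bool:
    secret_read, encrypt_ready = state
    return a == "send" and (secret_read or not encrypt_ready)


def truncation_step(state: State, a: str) -> tuple[State, list[str], bool]:
    """Truncation automaton: its only power is to halt the application."""
    if _violates(state, a):
        return state, [], True
    return _update(state, a), [a], False


def suppression_step(state: State, a: str) -> tuple[State, list[str], bool]:
    """Suppression automaton: drops the offending action and keeps running."""
    if _violates(state, a):
        return state, [], False
    return _update(state, a), [a], False


def edit_step(state: State, a: str) -> tuple[State, list[str], bool]:
    """Edit automaton: suppresses what cannot be repaired (a send after a
    secret was read) and repairs what can be (inserts the missing encrypt)."""
    secret_read, encrypt_ready = state
    if a == "send" and secret_read:
        return state, [], False
    if a == "send" and not encrypt_ready:
        return _update(state, a), ["encrypt", a], False
    return _update(state, a), [a], False


def enforce(step: StepFn, actions: Iterable[str]) -> tuple[list[str], bool]:
    """Run a monitor over the application's action stream. Returns the
    transformed stream that actually executes and whether the app was halted."""
    state, out = START, []
    for a in actions:
        state, emitted, halted = step(state, a)
        out.extend(emitted)
        if halted:
            return out, True
    return out, False


# Constructed application trace: the second 'send' lacks a fresh 'encrypt',
# and the third 'send' happens after a secret was read.
TRACE = ["open", "encrypt", "send", "send", "read_secret", "send", "close"]


def demo() -> dict[str, tuple[list[str], bool]]:
    return {
        "truncation": enforce(truncation_step, TRACE),
        "suppression": enforce(suppression_step, TRACE),
        "edit": enforce(edit_step, TRACE),
    }


if __name__ == "__main__":
    for name, (out, halted) in demo().items():
        print(f"{name:12s} halted={halted} compliant={satisfies(out)} {out}")
```

Running it shows the difference in enforcement power on one trace: the truncation automaton kills the program at the second `send`, the suppression automaton keeps it alive by dropping both bad sends, and the edit automaton repairs the second `send` by inserting the missing `encrypt` and only suppresses the send that follows the secret read. All three outputs satisfy the policy, but only the edit automaton lets the second send actually happen.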

  • Source
    ABSTRACT: Smart card technology has advanced to the point where computerized cards the size of credit cards can hold multiple interacting programs. These multi-applet cards are beginning to be exploited by business and government in security, transport and financial applications. We conduct a thorough analysis of a programmable payment card application: a smart card for making purchases which can be customized to allow or reject purchases based on various policies that are installed by users. We describe a framework for specifying, merging and analyzing modular policies. We present policy automata , a formal model of computations that grant or deny access to a resource. This model combines state machines with a voting system whereby the vote of each state machine is consolidated and resolved into a decision to accept or reject. We use defeasible logic as the primary mechanism for describing and resolving votes. This formal model effectively represents complex policies as combinations of simpler modular policies. We present Polaris, a tool which analyzes policy automata to reveal potential conflicts and compiles automata into an executable form when combined with our on-card policy manager. We show the effectiveness of our model in a case-study where actual University of Pennsylvania purchasing policies are encoded as policy automata. We demonstrate the feasibility of our framework with experiments that show that our implementation can convert formal policy automata to executable Java Card applets whose performance meets the requirements for retail credit card transactions.
    Dissertations available from ProQuest.
  • Source
    ABSTRACT: In previous works we have developed a theory based on formal methods for enforcing security properties by defining process algebra controller operators. In this paper we continue our line of research, by describing a tool developed for synthesizing a model for a given security property that is also a control program for a given controller operator. The tool implements the partial model checking technique and the satisfiability procedure for a modal μ-calculus formula.
    Formal Aspects in Security and Trust, Fourth International Workshop, FAST 2006, Hamilton, Ontario, Canada, August 26-27, 2006, Revised Selected Papers; 01/2006
  • ABSTRACT: In modern computer topics, such as usage control, privacy protection and regulatory compliance, it is essential to enforce that computer systems adhere to the policies governing their operation, i.e. to prevent systems from violating the policies by transitioning into an illegal state. Reference monitors are employed to enforce policies during the execution. However, the increasing demand to demonstrate correct policy enforcement and the impossibility to fully enforce some of the policy elements at runtime raise the need for audits to decide whether systems in fact obey the policies. In computer systems, an audit is the a posteriori examination of system records conducted by an independent third party to generate evidence about policy adherence. Despite the soaring need for audits, the current state of the art exhibits the following shortcomings:
    • logging mechanisms do not completely provide for authentic system records, so that a suitable basis for audits is not guaranteed.
    • audits are at best semi-automated, which has a negative impact on the time and cost involved in conducting audits, as well as on the correctness and credibility of generated evidence.
    This thesis tackles these shortcomings by introducing a novel model for automated audits and elaborates on the design, properties and implementation of two of its components, namely the BBox and ExaMINA. Like a flight recorder, the BBox is a digital black box for systems. It employs a trusted co-processor and a secure logging mechanism to protect system records, thereby providing for authentic and tamper-evident system records. The BBox also allows the extraction of portions of the system records filtered according to some simple search criteria, which reduce the size of the system records to be audited. Using an exemplary policy language for the expression of policies, ExaMINA automatically audits selected system records against the corresponding policy and generates evidence. To conduct audits, ExaMINA uses falsification: instead of showing that the system adheres to each rule, ExaMINA searches the system records for counterexamples for the adherence to the policy, thereby trying to refute the hypothesis that the system to which the records belong obeys the policy. Since finding a single counterexample suffices for refutation, counterexample-driven audits have the potential to provide for faster evidence generation in case of policy violations.
    The enforcement of policies in computer systems is of great importance for preventing the occurrence of illegal states. Among other contexts, this is indispensable for usage control, privacy protection and adherence to legal requirements (so-called compliance). Until now, execution monitors have been used to enforce policies at run time. However, because of the increasing demand for demonstrable enforcement and the impossibility of enforcing some policy elements during execution, this alone is not sufficient. Consequently, a posteriori analyses of a system's event logs, conducted by independent third parties, must be used to generate evidence about adherence to the policies or to reveal the source of violations that have occurred. Such analyses are called audits. Despite the necessity of audits, current procedures exhibit the following shortcomings:
    • Mechanisms for recording event logs guarantee the authenticity of the captured and stored events only to a limited extent, so that an adequate basis for audits cannot be guaranteed.
    • Audits are at best semi-automated. This has a negative effect not only on the time and cost required to conduct audits, but also on the correctness and credibility of the generated evidence.
    The present work introduces a new audit model that remedies these shortcomings and describes the design, properties and implementation of its essential components, namely BBox and ExaMINA. Similar to a flight recorder, the BBox is a digital black box for ensuring authentic and tamper-proof recording of event logs, which also allows the generation of filtered event logs and thus reduces the effort required for audits. Using an exemplary language for expressing policies, ExaMINA conducts automated audits and thereby generates evidence about adherence to the policies. To conduct audits, ExaMINA uses falsification: instead of showing that the system complies with the rules of a policy, ExaMINA searches the event logs for counterexamples. Since the existence of a single counterexample suffices for falsification, counterexample-driven audits enable faster generation of evidence in case of violations.
