Enforceable Security Policies Revisited

We revisit Schneider’s work on policy enforcement by execution monitoring. We overcome limitations of Schneider’s setting by distinguishing between system actions that are controllable by an enforcement mechanism and those actions that are only observable, that is, the enforcement mechanism sees them but cannot prevent their execution. For this refined setting, we give necessary and sufficient conditions on when a security policy is enforceable. To state these conditions, we generalize the standard notion of safety properties. Our classification of system actions also allows one, for example, to reason about the enforceability of policies that involve timing constraints. Furthermore, for different specification languages, we investigate the decision problem of whether a given policy is enforceable. We provide complexity results and show how to synthesize an enforcement mechanism from an enforceable policy.
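The distinction the abstract draws can be made concrete with a small monitor over finite traces. The following is an added illustration, not code from the paper: it models a policy as a deterministic safety automaton (bad states are sinks), classifies actions as controllable or observable, and runs a truncation-style monitor that can suppress a controllable action about to enter a bad state but must let an observable action through. The check `unenforceable_witness` implements the natural condition for this setting, that no reachable good state leaves the policy on an observable action; that condition, the action names (`send`, `write`, `read`, `tick`), and the use of an observable `tick` to model the passage of time for the timing example are assumptions of this example, not the paper's definitions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Assumed classification of system actions for this example.
# Controllable actions can be suppressed by the monitor; observable ones cannot.
CONTROLLABLE: FrozenSet[str] = frozenset({"send", "write"})
OBSERVABLE: FrozenSet[str] = frozenset({"read", "tick"})  # "tick" models time passing
ACTIONS: FrozenSet[str] = CONTROLLABLE | OBSERVABLE


@dataclass(frozen=True)
class SafetyAutomaton:
    """Deterministic automaton for a prefix-closed (safety) policy.
    Every state outside `bad` is accepting; states in `bad` are violations."""
    states: FrozenSet[str]
    initial: str
    bad: FrozenSet[str]
    delta: Dict[Tuple[str, str], str]

    def step(self, state: str, action: str) -> str:
        return self.delta[(state, action)]


def make_delta(states, transitions):
    """Total transition function: unspecified (state, action) pairs self-loop."""
    delta = {(s, a): s for s in states for a in ACTIONS}
    delta.update(transitions)
    return delta


def reachable_good_states(aut: SafetyAutomaton) -> set:
    """Good states reachable from the initial state without passing through a bad one."""
    seen, stack = {aut.initial}, [aut.initial]
    while stack:
        s = stack.pop()
        for a in ACTIONS:
            t = aut.step(s, a)
            if t not in aut.bad and t not in seen:
                seen.add(t)
                stack.append(t)
    return seen


def unenforceable_witness(aut: SafetyAutomaton) -> Optional[Tuple[str, str]]:
    """Return (good state, observable action) that enters a bad state, or None.
    Such a pair means the monitor sees the violation but cannot prevent it
    (assumed enforceability condition for this example)."""
    for s in sorted(reachable_good_states(aut)):
        for a in sorted(OBSERVABLE):
            if aut.step(s, a) in aut.bad:
                return (s, a)
    return None


def enforce(aut: SafetyAutomaton, trace: List[str]):
    """Truncation monitor: returns (emitted actions, suppressed actions, policy_held).
    Controllable actions leading to a bad state are dropped; observable ones pass."""
    state, output, suppressed = aut.initial, [], []
    for a in trace:
        nxt = aut.step(state, a)
        if nxt in aut.bad:
            if a in CONTROLLABLE:
                suppressed.append(a)  # prevented before execution
                continue
            output.append(a)  # observable: executed anyway, policy violated
            return output, suppressed, False
        state = nxt
        output.append(a)
    return output, suppressed, True


# Policy 1 (constructed): no "send" after a "read" has occurred.
# Only the controllable "send" can cause a violation, so it is enforceable.
NO_SEND_AFTER_READ = SafetyAutomaton(
    states=frozenset({"q0", "q1", "bad"}), initial="q0", bad=frozenset({"bad"}),
    delta=make_delta({"q0", "q1", "bad"}, {("q0", "read"): "q1", ("q1", "send"): "bad"}),
)

# Policy 2 (constructed timing constraint): a "send" must follow each "read"
# within two "tick"s. The violating action is the observable "tick", so the
# monitor can detect but not prevent the violation.
SEND_WITHIN_TWO_TICKS = SafetyAutomaton(
    states=frozenset({"q0", "p0", "p1", "bad"}), initial="q0", bad=frozenset({"bad"}),
    delta=make_delta({"q0", "p0", "p1", "bad"}, {
        ("q0", "read"): "p0", ("p0", "tick"): "p1", ("p1", "tick"): "bad",
        ("p0", "send"): "q0", ("p1", "send"): "q0",
    }),
)

if __name__ == "__main__":
    print(unenforceable_witness(NO_SEND_AFTER_READ))        # None
    print(unenforceable_witness(SEND_WITHIN_TWO_TICKS))     # ('p1', 'tick')
    print(enforce(NO_SEND_AFTER_READ, ["read", "send", "write"]))
    print(enforce(SEND_WITHIN_TWO_TICKS, ["read", "tick", "tick"]))
```

Running the block shows the two outcomes side by side: for the first policy the monitor silently drops the offending `send` and the policy holds, while for the timing policy the witness `('p1', 'tick')` identifies exactly the state and observable action at which enforcement is impossible, which is the kind of information a synthesis procedure needs before building a monitor.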
