Sound and Complete Runtime Security Monitor for Application Software

Conventional approaches to ensuring the security of application software at run time through monitoring either produce (high rates of) false alarms (e.g. intrusion detection systems) or limit application performance (e.g. run-time verification). We present a runtime security monitor that detects both known and unknown cyber attacks by checking that the run-time behavior of the application is consistent with the expected behavior modeled in the application specification. Checking at run time is crucial because, even if the implementation is consistent with its specification, the application may still be vulnerable due to flaws in the supporting infrastructure (e.g. the language runtime system, libraries and the operating system). The monitor is sound and complete, so it raises no false alarms and misses no deviation from the specification, and it is efficient, so that it does not limit application performance and can support real-time systems. The monitor takes as input the application specification and the application implementation, which may be expressed in different languages. The specification language is formalized on the basis of monadic second-order logic and event calculus interpreted over algebraic data structures. This language allows the behavior of an application to be expressed at any desired (and practical) level of abstraction and with a high degree of modularity. The monitor detects every attack by systematically comparing the execution of the application with the behavior given by its specification at run time, even though the two operate at different levels of abstraction. We define the denotational semantics of the specification language and prove that the monitor is sound and complete. Furthermore, the monitor is efficient because the application specification is modular and written at appropriate level(s) of abstraction.
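As an added example (not the paper's own code or specification language), the following Python sketch shows the shape of such a monitor: a specification in event-calculus style (fluents initiated and terminated by abstract events, with a precondition per event), an abstraction function that maps implementation-level events to specification-level events, and a monitor that raises an alarm exactly when the abstracted event is not permitted in the current state. The file-handling specification, the syscall-like event records, the `SKIP` marker and both traces are constructed for illustration.

```python
"""Added example, not the paper's code: a minimal sound-and-complete runtime
monitor that replays an implementation-level event trace against an
event-calculus style specification of the expected behaviour.

Assumptions (all constructed): the specification is a set of fluents with
initiates/terminates rules and a precondition per abstract event; concrete
events are syscall-like dicts; abstract() is the abstraction function."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Fluent = Tuple[str, ...]            # e.g. ("open", 3) or ("writable", 3)
AbstractEvent = Tuple[str, ...]     # e.g. ("Read", 3)
SKIP: AbstractEvent = ("Skip",)     # concrete events the spec deliberately ignores


@dataclass
class Rule:
    """One abstract event of the specification: precondition plus effects on fluents."""
    allowed: Callable[[tuple, Set[Fluent]], bool]
    initiates: Callable[[tuple], Set[Fluent]] = lambda args: set()
    terminates: Callable[[tuple], Set[Fluent]] = lambda args: set()


@dataclass
class Violation:
    index: int                      # position in the concrete trace
    concrete: dict
    abstract: Optional[AbstractEvent]
    reason: str


# Constructed specification of a file-handling component: a descriptor must be
# opened before it is read, closed at most once, and written only if opened writable.
SPEC: Dict[str, Rule] = {
    "Open": Rule(
        allowed=lambda a, f: ("open", a[0]) not in f,
        initiates=lambda a: {("open", a[0])} | ({("writable", a[0])} if a[1] else set()),
    ),
    "Read": Rule(allowed=lambda a, f: ("open", a[0]) in f),
    "Write": Rule(allowed=lambda a, f: ("open", a[0]) in f and ("writable", a[0]) in f),
    "Close": Rule(
        allowed=lambda a, f: ("open", a[0]) in f,
        terminates=lambda a: {("open", a[0]), ("writable", a[0])},
    ),
}


def abstract(ev: dict) -> Optional[AbstractEvent]:
    """Abstraction function from implementation-level events to SPEC events.
    SKIP marks behaviour the spec leaves below its level of abstraction; None
    marks behaviour the spec never expects (the unknown-attack case)."""
    name = ev.get("syscall")
    if name == "openat":
        return ("Open", ev["ret"], "O_WRONLY" in ev["flags"] or "O_RDWR" in ev["flags"])
    if name in ("read", "write", "close"):
        return (name.capitalize(), ev["fd"])
    if name in ("brk", "mmap", "clock_gettime"):
        return SKIP
    return None


def monitor(spec: Dict[str, Rule], trace: List[dict],
            abstraction: Callable[[dict], Optional[AbstractEvent]]) -> List[Violation]:
    """Replay the trace against the spec. An alarm is raised exactly when the
    abstracted event is not allowed in the current fluent state: no alarm
    without a deviation (sound) and no deviation without an alarm (complete)."""
    fluents: Set[Fluent] = set()
    violations: List[Violation] = []
    for i, ev in enumerate(trace):
        a = abstraction(ev)
        if a is None:
            violations.append(Violation(i, ev, None, "behaviour has no counterpart in the specification"))
            continue
        if a == SKIP:
            continue
        name, args = a[0], a[1:]
        rule = spec.get(name)
        if rule is None:
            violations.append(Violation(i, ev, a, f"abstract event {name} is not in the specification"))
            continue
        if not rule.allowed(args, fluents):
            violations.append(Violation(i, ev, a, f"{name}{args} not permitted in state {sorted(fluents)}"))
        # Effects are applied regardless, so later events are judged against the real state.
        fluents -= rule.terminates(args)
        fluents |= rule.initiates(args)
    return violations


# Constructed traces, as a tracer attached to the implementation might emit them.
BENIGN = [
    {"syscall": "openat", "ret": 3, "flags": "O_RDONLY"},
    {"syscall": "brk"},
    {"syscall": "read", "fd": 3},
    {"syscall": "close", "fd": 3},
]
ATTACK = [
    {"syscall": "openat", "ret": 3, "flags": "O_RDONLY"},
    {"syscall": "read", "fd": 3},
    {"syscall": "close", "fd": 3},
    {"syscall": "write", "fd": 3},               # use after close: deviates from SPEC
    {"syscall": "execve", "path": "/bin/sh"},    # never modelled: unknown behaviour
]

if __name__ == "__main__":
    for v in monitor(SPEC, ATTACK, abstract):
        print(f"alarm at event {v.index}: {v.reason}")
```

Soundness and completeness here are relative to the specification and the abstraction function: a concrete event that `abstract()` maps to `SKIP` is invisible to the monitor, so the chosen level of abstraction decides what counts as a deviation, which is why an infrastructure-level flaw only shows up if its effect surfaces as a specification-level event (here the write after close and the unexpected `execve`).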