Types and Effects for Non-interfering Program Monitors

A run-time monitor is a program that runs in parallel with an untrusted application and examines actions from the application's instruction stream. If the sequence of program actions deviates from a specified security policy, the monitor transforms the sequence or terminates the program. We present the design and formal specification of a language for defining the policies enforced by program monitors. Our language provides a number of facilities for composing complex policies from simpler ones. We allow policies to be parameterized by values or other policies, and we define operators for forming the conjunction and disjunction of policies. Since the computations that implement these policies modify program behavior, naive composition of computations does not necessarily produce the conjunction (or disjunction) of the policies that the computations implement separately. We use a type and effect system to ensure that computations do not interfere with one another when they are composed.
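To make the composition problem in the abstract concrete, the following Python is an added illustration and not code from the paper or its policy language: the `Policy` representation, the `modifies` effect annotation, and the rule that `checked_conj` admits only check-only policies are assumptions constructed for this example. It shows that sequencing a rewriting monitor with a checking monitor gives different verdicts depending on order, so naive composition is not a conjunction, while an effect-guarded conjunction stays order-independent.

```python
from dataclasses import dataclass
from typing import Callable

HALT = object()  # sentinel a policy step returns to terminate the monitored program

@dataclass(frozen=True)
class Policy:
    name: str
    modifies: bool                 # assumed effect annotation: may rewrite actions?
    step: Callable[[str], object]  # action -> (possibly rewritten) action, or HALT

def only_sandbox(action):
    """Check-only policy: halt on any file open outside /sandbox."""
    if action.startswith("open ") and not action.startswith("open /sandbox/"):
        return HALT
    return action

def no_network(action):
    """Check-only policy: halt on any network connect."""
    return HALT if action.startswith("connect ") else action

def redirect_to_sandbox(action):
    """Transforming policy: rewrite opens outside /sandbox into the sandbox."""
    if action.startswith("open ") and not action.startswith("open /sandbox/"):
        return "open /sandbox" + action[len("open "):]
    return action

SANDBOX = Policy("only_sandbox", False, only_sandbox)
NO_NET = Policy("no_network", False, no_network)
REDIRECT = Policy("redirect_to_sandbox", True, redirect_to_sandbox)

def naive_conj(p, q):
    """Run p, then q on p's output; order matters once either policy rewrites."""
    def step(action):
        out = p.step(action)
        return out if out is HALT else q.step(out)
    return Policy(f"{p.name};{q.name}", p.modifies or q.modifies, step)

def checked_conj(p, q):
    """Conjunction guarded by the effect annotation (assumed rule: both policies
    must be check-only). Halts iff either policy halts, in either order."""
    if p.modifies or q.modifies:
        raise TypeError(f"cannot conjoin {p.name} and {q.name}: one rewrites actions")
    def step(action):
        return HALT if p.step(action) is HALT or q.step(action) is HALT else action
    return Policy(f"{p.name}&{q.name}", False, step)

def conj_is_commutative(p, q, actions):
    """True iff p;q and q;p agree on every action, as a real conjunction must."""
    return all(naive_conj(p, q).step(a) == naive_conj(q, p).step(a) for a in actions)
```

Running `conj_is_commutative(REDIRECT, SANDBOX, ["open /etc/passwd"])` returns `False` (constructed sample action): redirect-then-check lets the rewritten open through, check-then-redirect halts.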
