Towards Practical Enforcement Theories

Runtime enforcement is a common mechanism for ensuring that program executions adhere to constraints specified by a security policy. It is based on two simple ideas: the enforcement mechanism should leave good executions without changes and make sure that the bad ones got amended. From the theory side, a number of papers [6,10,12] provide the precise characterization of good executions that can be captured by a security policy and thus enforced by a specific mechanism. Unfortunately, those theories do not distinguish what happens when an execution is actually bad (the practical case). The theory only says that the outcome of enforcement mechanism should be "good" but not how far should the bad execution be changed. If we consider a real-life example of a drug dispensation process in a hospital the notion of security automata or even edit automata would stop all requests by all doctors on all drugs and all dispensation protocols, as soon as a doctor forgot to insert the research protocol number. In this paper we explore a set of policies called iterative properties that revises the notion of good traces in terms of repeated iterations. We start discussing how an enforcement mechanism can actually deal with bad executions (and not just only the good ones).

[1]  Mark Ryan,et al.  Synthesising Monitors from High-Level Policies for the Safe Execution of Untrusted Software , 2008, ISPEC.

[2]  Kevin W. Hamlen,et al.  Computability classes for enforcement mechanisms , 2006, TOPL.

[3]  Lujo Bauer,et al.  Run-Time Enforcement of Nonsafety Policies , 2009, TSEC.

[4]  Nadia Tawbi,et al.  Execution monitoring enforcement under memory-limitation constraints , 2008, Inf. Comput..

[5]  Ilaria Matteucci,et al.  Automated Synthesis of Enforcing Mechanisms for Security Properties in a Timed Setting , 2007, ICS@SYNASC.

[6]  Fabio Martinelli,et al.  Through Modeling to Synthesis of Security Automata , 2007, STM.

[7]  Lujo Bauer,et al.  Enforcing Non-safety Security Policies with Program Monitors , 2005, ESORICS.

[8]  Leslie Lamport,et al.  Proving the Correctness of Multiprocess Programs , 1977, IEEE Transactions on Software Engineering.

[9]  Edward Y. Chang,et al.  Characterization of Temporal Property Classes , 1992, ICALP.

[10]  Fred B. Schneider,et al.  Enforceable security policies , 2000, TSEC.

[11]  Lujo Bauer,et al.  Edit automata: enforcement mechanisms for run-time security policies , 2005, International Journal of Information Security.

[12]  Nadia Tawbi,et al.  Generating In-Line Monitors for Rabin Automata , 2009, NordSec.

[13]  Bowen Alpern,et al.  Defining Liveness , 1984, Inf. Process. Lett..

[14]  David Walker,et al.  Policy enforcement via program monitoring , 2006 .

[15]  Nadia Tawbi,et al.  Using Equivalence Relations for Corrective Enforcement of Security Policies , 2010, MMM-ACNS.

[16]  Philip W. L. Fong Access control by tracking shallow execution history , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.

[17]  Kevin W. Hamlen,et al.  Certified In-lined Reference Monitoring on .NET , 2006, PLAS '06.

[18]  Fabio Massacci,et al.  Do you really mean what you actually enforced? , 2011, International Journal of Information Security.

[19]  Úlfar Erlingsson,et al.  The Inlined Reference Monitor Approach to Security Policy Enforcement , 2004 .