Edit automata: enforcement mechanisms for run-time security policies

We analyze the space of security policies that can be enforced by monitoring and modifying programs at run time. Our program monitors, called edit automata, are abstract machines that examine the sequence of application program actions and transform the sequence when it deviates from a specified policy. Edit automata have a rich set of transformational powers: they may terminate an application, thereby truncating the program action stream; they may suppress undesired or dangerous actions without necessarily terminating the program; and they may also insert additional actions into the event stream.

After providing a formal definition of edit automata, we develop a rigorous framework for reasoning about them and their cousins: truncation automata (which can only terminate applications), suppression automata (which can terminate applications and suppress individual actions), and insertion automata (which can terminate and insert). We give a set-theoretic characterization of the policies each sort of automaton can enforce, and we provide examples of policies that can be enforced by one sort of automaton but not another.
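The four monitor classes described above, as an added example in Python that is not code from the paper: a generic automaton driver whose transition function returns either a halt signal or a new state plus the actions to emit, instantiated as a truncation, suppression, insertion and edit automaton. The action vocabulary (`open:`, `close:`, `read:secret`, `read:public`, `send`, `exit`) and the two policies (no network send after reading a secret; every open file closed before exit) are constructed for illustration and are not the paper's examples.

```python
"""Edit automata over an abstract action stream (illustrative code, not the paper's)."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

HALT = None  # a transition returning HALT terminates the monitored program

# A transition maps (state, action) -> (next_state, actions_to_emit), or HALT.
# Emitting [action] passes it through; [] suppresses it; a longer list inserts.
Transition = Callable[[object, str], Optional[Tuple[object, List[str]]]]


@dataclass
class Automaton:
    start: object
    step: Transition

    def run(self, actions: Iterable[str]) -> Tuple[List[str], bool]:
        """Transform an action stream; returns (emitted actions, halted?)."""
        state, out = self.start, []
        for a in actions:
            res = self.step(state, a)
            if res is HALT:
                return out, True  # truncate: nothing after this point runs
            state, emitted = res
            out.extend(emitted)
        return out, False


# Policy 1 (constructed): once a secret has been read, no "send" may occur.
# State is a single boolean: has the program read a secret yet?
def truncation_step(tainted: bool, a: str):
    if a == "send" and tainted:
        return HALT  # only power available: kill the program
    return (tainted or a == "read:secret", [a])


def suppression_step(tainted: bool, a: str):
    if a == "send" and tainted:
        return (tainted, [])  # swallow the action, keep the program running
    return (tainted or a == "read:secret", [a])


# Policy 2 (constructed): every file opened must be closed before "exit".
# State is the frozenset of currently open file names.
def insertion_step(open_files: frozenset, a: str):
    if a.startswith("open:"):
        return (open_files | {a[len("open:"):]}, [a])
    if a.startswith("close:"):
        return (open_files - {a[len("close:"):]}, [a])
    if a == "exit":  # insert the missing closes, then let "exit" through
        return (frozenset(), [f"close:{f}" for f in sorted(open_files)] + [a])
    return (open_files, [a])


# An edit automaton enforces both policies: it suppresses and inserts.
def edit_step(state: Tuple[bool, frozenset], a: str):
    tainted, open_files = state
    if a == "send" and tainted:
        return ((tainted, open_files), [])
    next_files, emitted = insertion_step(open_files, a)
    return ((tainted or a == "read:secret", next_files), emitted)


TRUNCATION = Automaton(False, truncation_step)
SUPPRESSION = Automaton(False, suppression_step)
INSERTION = Automaton(frozenset(), insertion_step)
EDIT = Automaton((False, frozenset()), edit_step)

# Constructed action trace of a program that violates both policies.
TRACE = ["open:f", "read:secret", "send", "read:public", "send", "exit"]


def enforce_all(trace: List[str] = TRACE) -> dict:
    """Run every automaton over the trace; returns {name: (output, halted)}."""
    return {
        "truncation": TRUNCATION.run(trace),
        "suppression": SUPPRESSION.run(trace),
        "insertion": INSERTION.run(trace),
        "edit": EDIT.run(trace),
    }


if __name__ == "__main__":
    for name, (out, halted) in enforce_all().items():
        print(f"{name:11s} halted={halted} output={out}")
```

Running it on the constructed trace shows the separation the abstract refers to: the truncation automaton can only stop the program at the first offending `send`, losing the later legitimate actions; the suppression automaton drops both sends and lets the program finish; the insertion automaton cannot block the sends at all but can repair the missing `close:f`; and only the edit automaton produces a trace that satisfies both policies without killing the program.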
