Composing expressive runtime security policies

Program monitors enforce security policies by interposing themselves into the control flow of untrusted software whenever that software attempts to execute security-relevant actions. At the point of interposition, a monitor has authority to permit or deny (perhaps conditionally) the untrusted software's attempted action. Program monitors are common security enforcement mechanisms and integral parts of operating systems, virtual machines, firewalls, network auditors, and antivirus and antispyware tools. Unfortunately, the runtime policies we require program monitors to enforce grow more complex, both as the monitored software is given new capabilities and as policies are refined in response to attacks and user feedback. We propose dealing with policy complexity by organizing policies in such a way as to make them composable, so that complex policies can be specified more simply as compositions of smaller subpolicy modules. We present a fully implemented language and system called Polymer that allows security engineers to specify and enforce composable policies on Java applications. We formalize the central workings of Polymer by defining an unambiguous semantics for our language. Using this formalization, we state and prove an uncircumventability theorem which guarantees that monitors will intercept all security-relevant actions of untrusted software.
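The two ideas in the abstract, a monitor that interposes at every security-relevant action and policies built by composing smaller subpolicy modules, can be made concrete in a small model. The following is an added illustration written for this page; it is not Polymer's code and does not use Polymer's actual classes. It assumes a simplified three-valued verdict (irrelevant, permit, halt), a monitor that keeps the history of permitted actions so that history-based subpolicies can consult it, and two combinators: a conjunction that lets the most restrictive subpolicy win, and a precedence combinator in which the first subpolicy with an opinion decides. The action names and the trace of attempted actions are constructed sample data.

```python
"""Toy model of composable runtime security policies (constructed example)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple


class Verdict(Enum):
    """Ordered from least to most restrictive so combinators can compare them."""
    IRRELEVANT = 0  # the subpolicy has no opinion about this action
    OK = 1          # permit the action
    HALT = 2        # deny the action


@dataclass(frozen=True)
class Action:
    """A security-relevant call the untrusted program is about to make."""
    method: str                   # constructed names, e.g. "File.open"
    args: Tuple[str, ...] = ()


# A policy sees the attempted action plus the history of permitted actions.
Policy = Callable[[Action, List[Action]], Verdict]


def no_net_after_read(action: Action, history: List[Action]) -> Verdict:
    """History-based subpolicy: once a file was opened, forbid network connects."""
    if action.method != "Socket.connect":
        return Verdict.IRRELEVANT
    read_before = any(a.method == "File.open" for a in history)
    return Verdict.HALT if read_before else Verdict.OK


def file_quota(limit: int) -> Policy:
    """Subpolicy factory: permit at most `limit` file opens in total."""
    def policy(action: Action, history: List[Action]) -> Verdict:
        if action.method != "File.open":
            return Verdict.IRRELEVANT
        opened = sum(1 for a in history if a.method == "File.open")
        return Verdict.OK if opened < limit else Verdict.HALT
    return policy


def deny_paths(prefix: str) -> Policy:
    """Subpolicy factory: deny opening any file under `prefix`."""
    def policy(action: Action, history: List[Action]) -> Verdict:
        if action.method == "File.open" and action.args[0].startswith(prefix):
            return Verdict.HALT
        return Verdict.IRRELEVANT
    return policy


def conjunction(*policies: Policy) -> Policy:
    """Combinator: the most restrictive subpolicy verdict wins."""
    def combined(action: Action, history: List[Action]) -> Verdict:
        return max((p(action, history) for p in policies), key=lambda v: v.value)
    return combined


def first_applicable(*policies: Policy) -> Policy:
    """Combinator: the first subpolicy that is not IRRELEVANT decides."""
    def combined(action: Action, history: List[Action]) -> Verdict:
        for p in policies:
            verdict = p(action, history)
            if verdict is not Verdict.IRRELEVANT:
                return verdict
        return Verdict.IRRELEVANT
    return combined


class SecurityViolation(Exception):
    pass


@dataclass
class Monitor:
    """Interposes on every security-relevant action and records what it permitted."""
    policy: Policy
    history: List[Action] = field(default_factory=list)

    def guard(self, action: Action) -> None:
        """Call before the action executes; raises if the policy halts it."""
        if self.policy(action, self.history) is Verdict.HALT:
            raise SecurityViolation(f"{action.method}{action.args} denied")
        self.history.append(action)


def run_trace(policy: Policy, trace: List[Action]) -> List[str]:
    """Replay a trace of attempted actions through a monitor; one result each."""
    mon = Monitor(policy)
    results = []
    for action in trace:
        try:
            mon.guard(action)
            results.append("ok")
        except SecurityViolation:
            results.append("denied")
    return results


# The composed policy: three independent modules joined by conjunction.
POLICY = conjunction(no_net_after_read, file_quota(2), deny_paths("/etc/"))

# Constructed trace of actions an untrusted program might attempt.
TRACE = [
    Action("Socket.connect", ("host.invalid", "443")),  # ok: nothing read yet
    Action("File.open", ("/home/user/notes.txt",)),     # ok: first open
    Action("File.open", ("/etc/passwd",)),               # denied by deny_paths
    Action("Socket.connect", ("host.invalid", "443")),  # denied: a file was read
    Action("File.open", ("/home/user/a.txt",)),          # ok: second open
    Action("File.open", ("/home/user/b.txt",)),          # denied: quota reached
]

if __name__ == "__main__":
    for action, result in zip(TRACE, run_trace(POLICY, TRACE)):
        print(f"{result:6} {action.method}{action.args}")
```

Each subpolicy is written without knowledge of the others, and the combinator alone decides how their verdicts interact: under `conjunction` a file open under `/etc/` is denied even though the quota subpolicy would permit it, whereas under `first_applicable(file_quota(5), deny_paths("/etc/"))` the quota subpolicy speaks first and the same open is permitted. Choosing the combinator is therefore itself a security decision, which is exactly why a composition language needs an unambiguous semantics.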
