Do you really mean what you actually enforced?

In the landmark paper on the theoretical side of Polymer, Ligatti and his co-authors identified a new class of enforcement mechanisms based on the notion of edit automata, which can transform action sequences and therefore enforce more than simple safety properties. We show that there is a gap between the edit automata that one can actually write (e.g. Ligatti's own running example) and the edit automata that are constructed according to the theorems of Ligatti's IJIS paper and the IC follow-up papers by Talhi et al.: "Ligatti's automata" are just a particular kind of edit automata. We thus re-open a question that seemed to have received a definitive answer: you have written your security enforcement mechanism (i.e. your edit automaton); does it really enforce the security policy you wanted?
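To make the "transform sequences" point concrete, here is an added Python model of an edit automaton (example code written for this page, not code from the paper or from the Polymer project). Each step reads one action and either accepts it, suppresses it, or inserts actions in front of it. The transaction policy, the action names `take(n)`/`pay(n)` and the helper names (`EditAutomaton`, `atomic_step`, `enforce`, `well_formed`) are all constructed for the example; it also shows the check a practitioner would want to run on the monitor's output, namely that the emitted trace actually satisfies the policy the automaton was written for.

```python
"""Constructed example: an edit automaton enforcing an atomic-transaction policy.

Actions are strings such as "take(1)" or "pay(1)". The policy requires that
every "take(n)" in the OUTPUT trace is immediately followed by the matching
"pay(n)"; other actions are unconstrained. The monitor enforces this by
suppressing each take until its pay arrives and then inserting the suppressed
take in front of the pay, a reordering that a truncation monitor
(halt on first violation) cannot perform.
"""
import re
from typing import Callable, FrozenSet, List, Tuple

ACTION = re.compile(r"^(take|pay)\((\d+)\)$")


def parse(action: str) -> Tuple[str, str]:
    """Split 'take(3)' into ('take', '3'); any other action maps to ('other', action)."""
    m = ACTION.match(action)
    return (m.group(1), m.group(2)) if m else ("other", action)


class EditAutomaton:
    """Generic edit automaton: step maps (state, action) -> (new_state, emitted).

    emitted == [action]          : accept the action unchanged
    emitted == []                : suppress the action
    emitted == [x, ..., action]  : insert x, ... then accept the action
    """

    def __init__(self, step: Callable[[FrozenSet[str], str], Tuple[FrozenSet[str], List[str]]],
                 start: FrozenSet[str]):
        self.step, self.start = step, start

    def run(self, actions: List[str]) -> List[str]:
        state, out = self.start, []
        for a in actions:
            state, emitted = self.step(state, a)
            out.extend(emitted)
        return out


def atomic_step(pending: FrozenSet[str], action: str) -> Tuple[FrozenSet[str], List[str]]:
    """Transition function for the constructed policy; state = set of unpaid items."""
    kind, item = parse(action)
    if kind == "take":
        return pending | {item}, []                                   # suppress until paid
    if kind == "pay":
        if item in pending:
            return pending - {item}, [f"take({item})", action]        # insert take, accept pay
        return pending, []                                            # pay with no take: suppress
    return pending, [action]                                          # unrelated action: accept


ATOMIC = EditAutomaton(atomic_step, frozenset())


def enforce(actions: List[str]) -> List[str]:
    """Run the input trace through the monitor and return the emitted trace."""
    return ATOMIC.run(actions)


def well_formed(trace: List[str]) -> bool:
    """Independent policy check on a trace: each take(n) is directly followed by pay(n)."""
    i = 0
    while i < len(trace):
        kind, item = parse(trace[i])
        if kind == "take":
            if i + 1 >= len(trace) or parse(trace[i + 1]) != ("pay", item):
                return False
            i += 2
        elif kind == "pay":
            return False                                              # pay without its take
        else:
            i += 1
    return True


if __name__ == "__main__":
    # Constructed input trace: two interleaved transactions plus a stray pay.
    trace = ["browse", "take(1)", "take(2)", "pay(2)", "pay(3)", "pay(1)", "logout"]
    out = enforce(trace)
    print(out)          # ['browse', 'take(2)', 'pay(2)', 'take(1)', 'pay(1)', 'logout']
    assert well_formed(out) and not well_formed(trace)
```

The separate `well_formed` check is the practical counterpart of the question in the abstract: the automaton and the policy are written independently, and only by checking the monitor's output against the policy (here on sample traces, in the paper by proof) does one learn whether the mechanism enforces what its author meant.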
