Security enforcement aware software development

In the domain of security policy enforcement, the concerns of application developers are almost completely ignored. As a consequence, it is hard to develop useful and reliable applications that function properly under a variety of policies. This paper addresses this issue for application security policies that are specified as security automata and enforced through run-time monitoring. Our solution consists of three elements: the definition of an abstract interface to the policy being enforced, a sound construct for querying that policy, and a static verification algorithm that guarantees the absence of security policy violations in critical blocks of code.
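A small illustration of the first two elements named above, as an added example that is not the paper's own code: a security automaton enforced by a run-time monitor, a pure `permits` query standing in for the abstract policy interface, and application code that consults the query instead of being halted mid-execution. The policy ("no send after read"), its states and its action names are constructed for illustration; the static verification step is not modelled.

```python
from typing import Dict, List, Tuple

class PolicyViolation(Exception):
    """Raised by the monitor when the automaton has no transition for an action."""

class SecurityAutomaton:
    """Deterministic security automaton used as a run-time monitor."""

    def __init__(self, initial: str, transitions: Dict[Tuple[str, str], str]):
        self.state = initial
        self.transitions = transitions

    def permits(self, action: str) -> bool:
        """Abstract policy interface: a pure query that does not advance the automaton."""
        return (self.state, action) in self.transitions

    def step(self, action: str) -> None:
        """Enforcement: accepted actions advance the state, anything else halts."""
        nxt = self.transitions.get((self.state, action))
        if nxt is None:
            raise PolicyViolation(f"{action!r} not allowed in state {self.state!r}")
        self.state = nxt

def no_send_after_read() -> SecurityAutomaton:
    """Constructed policy: once a file has been read, no network send may follow."""
    return SecurityAutomaton("clean", {
        ("clean", "read"): "tainted",
        ("clean", "send"): "clean",
        ("tainted", "read"): "tainted",
        # deliberately no ("tainted", "send") entry: that action is forbidden
    })

def run_trace(policy: SecurityAutomaton, actions: List[str]) -> List[str]:
    """Monitor-only style: the first violation truncates the application's trace."""
    executed: List[str] = []
    for action in actions:
        try:
            policy.step(action)
        except PolicyViolation:
            break
        executed.append(action)
    return executed

def upload_report(policy: SecurityAutomaton) -> str:
    """Policy-aware style: query first, then take a path the policy accepts."""
    if policy.permits("send"):
        policy.step("send")
        return "sent"
    return "queued"  # compliant fallback; the monitor is never tripped
```

`run_trace` shows the developer-unaware outcome (the program is simply cut off at the first forbidden action), while `upload_report` shows the policy-aware alternative the paper argues for.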
