Provably correct runtime monitoring

Runtime monitoring is an established technique to enforce a wide range of program safety and security properties. We present a formalization of monitoring and monitor inlining for the Java Virtual Machine. Monitors are security automata given in a special-purpose monitor specification language, ConSpec. The automata operate on finite or infinite strings of calls to a fixed API, allowing local dependencies on parameter values and heap content. We use a two-level class file annotation scheme to characterize two key properties: (i) that the program is correct with respect to the monitor as a constraint on allowed program behavior, and (ii) that the program has a copy of the given monitor embedded into it. As the main application of these results, we sketch a simple inlining algorithm and show how the two-level annotations can be completed to produce a fully annotated program which is valid in the standard sense of Floyd/Hoare logic. This establishes the mediation property that inlined programs are guaranteed to adhere to the intended policy. Furthermore, validity can be checked efficiently using a weakest-precondition-based annotation checker, thus preparing the ground for on-device checking of policy adherence in a proof-carrying code setting.
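As an added illustration, not code from the paper, the following Python model shows a security automaton whose transitions are guarded by the parameter values of API calls, with the monitor consulted before each call in the way an inlined reference monitor would be; the policy, the API names `open`/`send` and the program traces are all constructed for the example, and the wrapping of Python functions stands in for bytecode inlining.

```python
# Added illustrative model, not the paper's ConSpec formalization or its JVM
# inlining algorithm. Constructed policy: opening files and network sends are
# allowed, but once a file has been opened each send is limited to 1024 bytes.
class SecurityAutomaton:
    def __init__(self, start, transitions):
        self.state = start
        self.transitions = transitions  # (state, api) -> [(guard, next_state)]

    def step(self, api, args):
        """Advance on an API call; False means the policy does not allow it."""
        for guard, nxt in self.transitions.get((self.state, api), []):
            if guard(args):  # first guard that holds on the arguments fires
                self.state = nxt
                return True
        return False

class PolicyViolation(Exception): pass

def inline(monitor, api_name, impl):
    """Consult the monitor before every call to the wrapped API function,
    the before-call check shape of an inlined reference monitor."""
    def guarded(*args):
        if not monitor.step(api_name, args):
            raise PolicyViolation(f"{api_name} rejected in state {monitor.state}")
        return impl(*args)
    return guarded

def make_policy():
    any_ = lambda args: True
    small = lambda args: len(args[0]) <= 1024  # send(payload): inspects payload
    return SecurityAutomaton("init", {
        ("init", "open"): [(any_, "opened")],
        ("init", "send"): [(any_, "init")],
        ("opened", "open"): [(any_, "opened")],
        ("opened", "send"): [(small, "opened")],
    })

def run_program(events):
    """Run a constructed program (list of API calls) with the monitor inlined.
    Returns (completed, calls_performed); a rejected call is never performed."""
    monitor, performed = make_policy(), []
    api = {"open": inline(monitor, "open", lambda p: performed.append(("open", p))),
           "send": inline(monitor, "send", lambda d: performed.append(("send", len(d))))}
    try:
        for name, *args in events:
            api[name](*args)
    except PolicyViolation:
        return False, performed
    return True, performed
```

The second trace in the test below is the mediation property in miniature: the oversized send after a file open is stopped before the underlying API runs.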
