Provably correct inline monitoring for multithreaded Java-like programs

Inline reference monitoring is a powerful technique to enforce security policies on untrusted programs. The security-by-contract paradigm proposed by the EU FP6 S3MS project uses policies, monitoring, and monitor inlining to secure third-party applications running on mobile devices. The focus of this paper is on multi-threaded Java bytecode. An important consideration is that inlining should interfere with the client program only when mandated by the security policy. In a multi-threaded setting, however, this requirement turns out to be problematic. Generally, inliners use locks to control access to shared resources such as an embedded monitor state. This will interfere with application program non-determinism due to Java's relaxed memory consistency model, and rule out the transparency property, that all policy-adherent behaviour of an application program is preserved under inlining. In its place we propose a notion of strong conservativity, to formalise the property that the inliner can terminate the client program only when the policy is about to be violated. An example inlining algorithm is given and proved to be strongly conservative. Finally, benchmarks are given for four example applications studied in the S3MS project.
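To make the mechanism sketched in the abstract concrete, the following is an added Java illustration (not the paper's inlining algorithm, and not S3MS project code) of a client method before and after inlining. The policy, the `Monitor` class, the `MAX_CONNECTIONS` limit and the `openConnection` stand-in are all constructed for this example. It shows the two points the abstract makes: the embedded monitor state is shared by every thread, so the check-and-update is placed under a lock to keep it atomic across interleavings; and the guard terminates execution only at the exact event that would violate the policy, which is the property the paper calls strong conservativity. A real inliner would halt the whole program; here the guard throws a `SecurityException` in the offending thread so the outcome can be printed.

```java
import java.util.ArrayList;
import java.util.List;

/*
 * Added illustration (not the paper's inliner): one client method before and
 * after inlining against a constructed ConSpec-style policy
 * "at most MAX_CONNECTIONS calls to openConnection per program run".
 */
public class InlinedMonitorExample {

    /** Embedded monitor state; shared by all threads, hence guarded by LOCK. */
    static final class Monitor {
        static final Object LOCK = new Object();
        static final int MAX_CONNECTIONS = 3;   // constructed policy parameter
        static int connections = 0;             // security automaton state

        /** One transition of the policy automaton. Returns false iff the
         *  event would violate the policy. The caller must hold LOCK so that
         *  the test and the state update cannot be separated by another thread. */
        static boolean beforeOpenConnection() {
            if (connections >= MAX_CONNECTIONS) return false;
            connections++;
            return true;
        }
    }

    /** Stand-in for the security-relevant API call (hypothetical). */
    static String openConnection(String url) {
        return "connected:" + url;
    }

    /** Client code as written by the (untrusted) application author. */
    static String clientOriginal(String url) {
        return openConnection(url);
    }

    /** The same method after inlining. The guard is the only change: the
     *  policy-relevant call is preceded by a locked monitor step, and the
     *  program is stopped only when that very call would violate the policy. */
    static String clientInlined(String url) {
        synchronized (Monitor.LOCK) {
            if (!Monitor.beforeOpenConnection()) {
                throw new SecurityException("policy violation: too many connections");
            }
        }
        return openConnection(url);
    }

    public static void main(String[] args) throws InterruptedException {
        List<Thread> workers = new ArrayList<>();
        List<String> results = new ArrayList<>();   // guarded by its own lock below
        for (int i = 0; i < 5; i++) {
            final String url = "socket://host/" + i;   // constructed input
            Thread t = new Thread(() -> {
                try {
                    String r = clientInlined(url);
                    synchronized (results) { results.add(r); }
                } catch (SecurityException e) {
                    synchronized (results) { results.add("halted:" + url); }
                }
            });
            workers.add(t);
            t.start();
        }
        for (Thread t : workers) t.join();
        // Exactly MAX_CONNECTIONS threads connect, whichever ones win the race;
        // the remaining two are stopped at the violating call and nowhere else.
        results.forEach(System.out::println);
    }
}
```

Which three threads succeed varies from run to run, which is the application non-determinism the abstract refers to; the lock around the monitor step does not remove that non-determinism, it only guarantees that the count of accepted events is exact and that no thread is stopped unless its own event is the violating one.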
