Temporal Mode-Checking for Runtime Monitoring of Privacy Policies

Fragments of first-order temporal logic are useful for representing many practical privacy and security policies. Past work has proposed two strategies for checking event trace (audit log) compliance with policies: online monitoring and offline audit. Although online monitoring is space- and time-efficient, existing techniques insist that satisfying instances of all subformulas of the policy be amenable to caching, which limits expressiveness when some subformulas have infinite support. In contrast, offline audit is brute force and can handle more policies but is not as efficient. This paper proposes a new online monitoring algorithm that caches satisfying instances when it can, and falls back to the brute force search when it cannot. Our key technical insight is a new flow- and time-sensitive static check of variable groundedness, called the temporal mode check, which determines subformulas for which such caching is feasible and those for which it is not and, hence, guides our algorithm. We prove the correctness of our algorithm and evaluate its performance over synthetic traces and realistic policies.

This is the extended version of the paper titled “Temporal Mode-Checking for Runtime Monitoring of Privacy Policies” that appears in the 26th International Conference on Computer Aided Verification (CAV) 2014. All the opinions expressed in this paper represent only the authors’ views.
