Combining Monitors for Runtime System Verification

Abstract

Runtime verification permits checking system properties that cannot be fully verified off-line. This is particularly true when the system includes complex third-party components, such as general-purpose operating systems and software libraries, and when the properties of interest include security and performance. The challenge is to find reliable ways to monitor these properties in realistic systems. In particular, it is important to have assurance that violations will be reported when they actually occur. For instance, a monitor may not detect a security violation if the violation results from a series of system events that are not in its model. We describe how combining runtime monitors for diverse features such as memory management, security-related events, performance data, and higher-level temporal properties can result in more effective runtime verification. After discussing some basic notions for combining and relating monitors, we illustrate their application in an intrusion-tolerant Web server architecture under development at SRI.
