Skip to main content
SpringerLink
Log in

Using Equivalence Relations for Corrective Enforcement of Security Policies

  • Conference paper
Computer Network Security (MMM-ACNS 2010)

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 6258))

Abstract

In this paper, we present a new framework of runtime security policy enforcement. Building on previous studies, we examine the enforcement power of monitors able to transform their target’s execution, rather than simply accepting it if it is valid, or aborting it otherwise. We bound this ability by a restriction stating that any transformation must preserve equivalence between the monitor’s input and output. We proceed by giving examples of meaningful equivalence relations and identify the security policies that are enforceable with their use. We also relate our work to previous findings in this field. Finally, we investigate how an a priori knowledge of the target program’s behavior would increase the monitor’s enforcement power.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Alpern, B., Schneider, F.B.: Recognizing safety and liveness. Distributed Computing 2, 17–126 (1987)

    Article  Google Scholar 

  2. Alpern, B., Schneider, F.: Defining liveness. Information Processing Letters 21(4), 181–185 (1985)

    Article  MATH  MathSciNet  Google Scholar 

  3. Bauer, A., Leucker, M., Schallhart, C.: Monitoring of real-time properties. In: Arun-Kumar, S., Garg, N. (eds.) FSTTCS 2006. LNCS, vol. 4337, pp. 260–272. Springer, Heidelberg (2006)

    Chapter  Google Scholar 

  4. Bauer, L., Ligatti, J., Walker, D.: More enforceable security policies. In: Proceedings of the Foundations of Computer Security Workshop (July 2002)

    Google Scholar 

  5. Bielova, N., Massacci, F., Micheletti, A.: Towards practical enforcement theories. In: Knapskog, S.J. (ed.) NordSec 2009. LNCS, vol. 5838, pp. 239–254. Springer, Heidelberg (2009)

    Google Scholar 

  6. Chabot, H.: Sécurisation de code basée sur la combinaison d’analyse statique et dynamique, génération de moniteur partir d’un automate de Rabin. Master’s thesis, Laval University (2008)

    Google Scholar 

  7. Chabot, H., Khoury, R., Tawbi, N.: Generating in-line monitors for Rabin automata. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds.) NordSec 2009. LNCS, vol. 5838, pp. 287–301. Springer, Heidelberg (2009)

    Google Scholar 

  8. Falcone, Y., Fernandez, J.C., Mounier, L.: Enforcement monitoring wrt. the safety-progress classification of properties. In: Proceedings of the ACM Symposium on Applied Computing (SAC), pp. 593–600. ACM Press, New York (March 2009)

    Google Scholar 

  9. Fong, P.: Access control by tracking shallow execution history. In: Proceedings of the 2004 IEEE Symposium on Security and Privacy (May 2004)

    Google Scholar 

  10. Hamlen, K.W., Morrisett, G., Schneider, F.B.: Computability classes for enforcement mechanisms. ACM Transactions on Programming Languages and Systems (TOPLAS) 28(1), 175–205 (2006)

    Article  Google Scholar 

  11. Lamport, L.: Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering 3(2), 125–143 (1977)

    Article  MathSciNet  Google Scholar 

  12. Ligatti, J., Bauer, L., Walker, D.: Edit automata: Enforcement mechanisms for run-time security policie. International Journal of Information Security (2004)

    Google Scholar 

  13. Ligatti, J., Bauer, L., Walker, D.: Enforcing non-safety security policies with program monitors. In: di Vimercati, S.d.C., Syverson, P.F., Gollmann, D. (eds.) ESORICS 2005. LNCS, vol. 3679, pp. 355–373. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  14. Ligatti, J., Bauer, L., Walker, D.: Run-time enforcement of nonsafety policies. ACM Transactions on Information and System Security 12(3), 1–41 (2009)

    Article  Google Scholar 

  15. Ligatti, J., Reddy, S.: A theory of runtime enforcement, with results. Tech. Rep. USF-CSE-SS-102809, University of South Florida (April 2010)

    Google Scholar 

  16. Schneider, F.B.: Enforceable security policies. Information and System Security 3(1), 30–50 (2000)

    Article  Google Scholar 

  17. Syropoulos, A.: Mathematics of multisets. In: Calude, C.S., Pun, G., Rozenberg, G., Salomaa, A. (eds.) Multiset Processing. LNCS, vol. 2235, pp. 347–358. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  18. Talhi, C., Tawbi, N., Debbabi, M.: Execution monitoring enforcement under memory-limitations constraints. Information and Computation 206(1), 158–184 (2008)

    Article  MATH  MathSciNet  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science and Software Engineering, Laval University, 1065, avenue de la Médecine, Québec (QC), Canada, G1V 0A6

    Raphaël Khoury & Nadia Tawbi

Authors
  1. Raphaël Khoury
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Nadia Tawbi
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Computer Security Research Group, St. Petersburg Institute for Informatics and Automation, 39, 14 Liniya, 199178, St.-Petersburg, Russia

    Igor Kotenko

  2. US Air Force, Binghamton University (SUNYI), 13902, Binghamton, NY, USA

    Victor Skormin

Rights and permissions

Reprints and permissions

Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Khoury, R., Tawbi, N. (2010). Using Equivalence Relations for Corrective Enforcement of Security Policies. In: Kotenko, I., Skormin, V. (eds) Computer Network Security. MMM-ACNS 2010. Lecture Notes in Computer Science, vol 6258. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-14706-7_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-14706-7_11

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-14705-0

  • Online ISBN: 978-3-642-14706-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation