Abstract
We analyze the space of security policies that can be enforced by monitoring and modifying programs at run time. Our program monitors, called edit automata, are abstract machines that examine the sequence of application program actions and transform the sequence when it deviates from a specified policy. Edit automata have a rich set of transformational powers: they may terminate an application, thereby truncating the program action stream; they may suppress undesired or dangerous actions without necessarily terminating the program; and they may also insert additional actions into the event stream.
After providing a formal definition of edit automata, we develop a rigorous framework for reasoning about them and their cousins: truncation automata (which can only terminate applications), suppression automata (which can terminate applications and suppress individual actions), and insertion automata (which can terminate and insert). We give a set-theoretic characterization of the policies each sort of automaton can enforce, and we provide examples of policies that can be enforced by one sort of automaton but not another.
Similar content being viewed by others
References
Alpern B, Schneider F (1987) Recognizing safety and liveness. Distrib Comput 2:117–126
Bauer L, Ligatti J, Walker D (2002) More enforceable security policies. In: Foundations of Computer Security, proceedings of the FLoC’02 workshop on foundations of computer security, Copenhagen, Denmark, 25–26 July 2002, pp 95–104
Bauer L, Ligatti J, Walker D (2004) A language and system for enforcing run-time security policies. Technical Report TR-699-04, Princeton University, January 2004
Colcombet T, Fradet P (2000) Enforcing trace properties by program transformation. In: Proceedings of the 27th ACM symposium on principles of programming languages, Boston, January 2000. ACM Press, New York, pp 54–66
Elmasri R, Navathe SB (1994) Fundamentals of database systems. Benjamin/Cummings, San Francisco
Evans D, Twyman A (1999) Flexible policy-directed code safety. In: Proceedings of the 1999 IEEE symposium on security and privacy, Oakland, CA, May 1999
Fong PWL (2004) Access control by tracking shallow execution history. In: Proceedings of the 2004 IEEE symposium on security and privacy, Oakland, CA, May 2004
Hamlen K, Morrisett G, Schneider F (2003) Computability classes for enforcement mechanisms. Technical Report TR2003-1908, Cornell University, Ithaca, NY
Kiczales G, Hilsdale E, Hugunin J, Kersten M, Palm J, Griswold W (2001) An overview of AspectJ. In: Proceedings of the European conference on object-oriented programming. Springer, Berlin Heidelberg New York
Kim M, Kannan S, Lee I, Sokolsky O, Viswantathan M (2002) Computational analysis of run-time monitoring – fundamentals of Java-MaC. Electronic notes in theoretical computer science, vol 70. Elsevier, Amsterdam
Kim M, Viswanathan M, Ben-Abdallah H, Kannan S, Lee I, Sokolsky O (1999) Formally specified monitoring of temporal properties. In: Proceedings of the European conference on real-time systems, York, UK, June 1999
Lamport L (1977) Proving the correctness of multiprocess programs. IEEE Trans Softw Eng 3(2):125–143
Schneider FB (2000) Enforceable security policies. ACM Trans Inf Syst Secur 3(1):30–50
Sandholm A, Schwartzbach M (1998) Distributed safety controllers for web services. In: Fundamental approaches to software engineering. Lecture notes in computer science, vol 1382. Springer, Berlin Heidelberg New York, pp 270–284
Thiemann P (2001) Enforcing security properties by type specialization. In: Proceedings of the European symposium on programming, Genova, Italy, April 2001
Erlingsson Ú, Schneider FB (1999) SASI enforcement of security policies: a retrospective. In: Proceedings of the New Security Paradigms workshop, Caledon Hills, Canada, pp 87–95, September 1999
Erlingsson Ú, Schneider FB (2000) IRM enforcement of Java stack inspection. In: Proceedings of the 2000 IEEE symposium on security and privacy, Oakland, CA, May 2000, pp 246–255
Viswanathan M (2000) Foundations for the run-time analysis of software systems. PhD thesis, University of Pennsylvania
Walker D (2000) A type system for expressive security policies. In: Proceedings of the 27th ACM symposium on principles of programming languages, Boston, January 2000, pp 254–267
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Ligatti, J., Bauer, L. & Walker, D. Edit automata: enforcement mechanisms for run-time security policies. IJIS 4, 2–16 (2005). https://doi.org/10.1007/s10207-004-0046-8
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-004-0046-8