A Theory of Runtime Enforcement, with Results

Ligatti, Jay; Reddy, Srikar

doi:10.1007/978-3-642-15497-3_6

Cited by 51 publications

(43 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Khoury and Tawbi [15,16] and Bielova et al [7,5,6] further refine the notion of enforcement by suggesting alternative definitions of enforcement. In [23] Ligatti and Reddy introduced an alternative model, the mandatory-result automaton. This model distinguishes between the action set of the target and that of the system with which it interacts.…”

Section: Related Workmentioning

confidence: 99%

“…In that case, the monitor's enforcement is bounded by the reverse subword equivalence, meaning that the monitor's output is a subword of the original sequence. This enforcement paradigm is similar to the one described in [23], where the monitor is interposed between the target program and the system. Any action requested by the target program is intercepted by the monitor which must accept or reject it, and allows us to pose an upper bound to this enforcement paradigm.…”

Section: Suppression Enforcementmentioning

confidence: 99%

See 1 more Smart Citation

Runtime Enforcement with Partial Control

Khoury

Hallé

2016

Foundations and Practice of Security

View full text Add to dashboard Cite

This study carries forward the line of enquiry that seeks to characterize precisely which security policies are enforceable by runtime monitors. In this regard, Basin et al. recently refined the structure that helps distinguish between those actions that the monitor can potentially suppress or insert in the execution, from those that the monitor can only observe. In this paper, we generalize this model by organizing the universe of possible actions in a lattice that naturally corresponds to the levels of monitor control. We then delineate the set of properties that are enforceable under this paradigm and relate our results to previous work in the field. Finally, we explore the set of security policies that are enforceable if the monitor is given greater latitude to alter the execution of its target, which allows us to reflect on the capabilities of different types of monitors.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Suppression Enforcementmentioning

confidence: 99%

Runtime Enforcement with Partial Control

Khoury

Hallé

2016

Foundations and Practice of Security

View full text Add to dashboard Cite

show abstract

“…The works on "enforceable security properties" [10,9] treat states as abstract objects, without indicating implementations. Advanced discretionary access control based on logic programming, like the Flexible Authorization Framework [8] maintains a special "done-predicate", which can be seen as a kind of a user log or as a kind of a dynamic component of the access control policy, depending on the point of view.…”

Section: Related Work Extensions and Conclusionmentioning

confidence: 99%

History-Dependent Inference Control of Queries by Dynamic Policy Adaption

Biskup

2011

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Policy-based inference control of queries submitted to a logicoriented information system requires us to consider the history of queries and answers to a particular user. In most previous approaches, the control system captures the history by maintaining a fictitious view the user is supposed to generate by exploiting rational reasoning. In this paper, we propose and explore an alternative option to represent the history, namely by suitably adapting the confidentiality policy after returning an answer to a query. Basically, such a policy adaption precomputes all relevant steps of formal proofs that the fictitious view logically implies some policy element. We focus on propositional information systems.

show abstract

“…In Runtime Enforcement (RE) [16,25,26] the system behaviour is kept in line with the correctness requirement by anticipating incorrect behaviour and countering it before it actually happens. In RE the monitor is typically designed to act as a proxy which wraps around the system and analyses its external interactions (see the dotted-line in Figure 1c).…”

Section: Monitormentioning

confidence: 99%

“…In RE the monitor is typically designed to act as a proxy which wraps around the system and analyses its external interactions (see the dotted-line in Figure 1c). The monitor is thus able to either drop incorrect events generated by the system, or add system events by executing actions on behalf of the system [25,26]. This contrasts with runtime adaptation, where monitors may allow violations to occur but then execute remedial actions to mitigate the effects of the violation.…”

Section: Monitormentioning

confidence: 99%

A Suite of Monitoring Tools for Erlang

Cassar

Francalanza

Attard

et al.

Kalpa Publications in Computing

View full text Add to dashboard Cite

Ensuring formal correctness for actor-based, concurrent systems is a difficult task, primarily because exhaustive, static analysis verification techniques such as model checking quickly run into state-explosion problems. Runtime monitoring techniques such as Runtime Verification and Adaptation circumvent this limitation by verifying the correctness of a program by dynamically analysing its executions. This paper gives an overview of a suite of monitoring tools available for verifying and adapting actor-based Erlang programs.

show abstract

A Theory of Runtime Enforcement, with Results

Cited by 51 publications

References 17 publications

Runtime Enforcement with Partial Control

Runtime Enforcement with Partial Control

History-Dependent Inference Control of Queries by Dynamic Policy Adaption

A Suite of Monitoring Tools for Erlang

Contact Info

Product

Resources

About