Computational Analysis of Run-time Monitoring

Kim, Moonjoo; Kannan, Sampath; Lee, Insup; Sokolsky, Oleg; Viswanathan, Mahesh

doi:10.1016/s1571-0661(04)80578-4

Cited by 26 publications

(31 citation statements)

References 4 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Past research claimed to equate the enforcement power of truncation automata with the set of computable safety properties [Viswanathan 2000;Kim et al 2002]. We improve previous work by showing that there is exactly one computable safety property unenforceable by any sound security automaton: the unsatisfiable safety property that considers all executions invalid.…”

mentioning

confidence: 74%

“…A truncation automaton has only two options when it intercepts an action from the target program: it may accept the action and make it observable, or it may halt (i.e., truncate the action sequence of) the target program altogether. Schneider first defined this model of program monitors [Schneider 2000], and other authors have similarly focused on this simple, though limited, model when considering the properties enforceable by security automata [Viswanathan 2000;Kim et al 2002;Fong 2004]. Truncation-based monitors have been used successfully to enforce a rich set of interesting safety policies including access control [Evans and Twyman 1999], stack inspection [Erlingsson and Schneider 1999;Abadi and Fournet 2003], software fault isolation [Wahbe et al 1993;Erlingsson and Schneider 2000], Chinese Wall [Brewer and Nash 1989;Erlingsson 2003;Fong 2004], and one-out-of-k authorization [Fong 2004] policies.…”

Section: Truncation Automatamentioning

confidence: 99%

See 1 more Smart Citation

Run-Time Enforcement of Nonsafety Policies

Ligatti

Bauer

Walker

2009

ACM Trans. Inf. Syst. Secur.

154

205

View full text Add to dashboard Cite

A common mechanism for ensuring that software behaves securely is to monitor programs at run time and check that they dynamically adhere to constraints specified by a security policy. Whenever a program monitor detects that untrusted software is attempting to execute a dangerous action, it takes remedial steps to ensure that only safe code actually gets executed.This article improves our understanding of the space of policies enforceable by monitoring the run-time behaviors of programs. We begin by building a formal framework for analyzing policy enforcement: we precisely define policies, monitors, and enforcement. This framework allows us to prove that monitors enforce an interesting set of policies that we call the infinite renewal properties. We show how, when given any reasonable infinite renewal property, to construct a program monitor that provably enforces that policy. We also show that the set of infinite renewal properties includes some nonsafety policies, i.e., that monitors can enforce some nonsafety (including some purely liveness) policies. Finally, we demonstrate concrete examples of nonsafety policies enforceable by practical run-time monitors.

show abstract

mentioning

confidence: 74%

Section: Truncation Automatamentioning

confidence: 99%

Run-Time Enforcement of Nonsafety Policies

Ligatti

Bauer

Walker

2009

ACM Trans. Inf. Syst. Secur.

154

205

View full text Add to dashboard Cite

show abstract

“…The computability constraints that can further restrict a monitor's enforcement power are discussed in [14,19]; that of monitors relying upon an a priori model of the program's possible behaviour is discussed in [9] and [21].…”

Section: Related Workmentioning

confidence: 99%

Runtime Enforcement with Partial Control

Khoury

Hallé

2016

Foundations and Practice of Security

View full text Add to dashboard Cite

This study carries forward the line of enquiry that seeks to characterize precisely which security policies are enforceable by runtime monitors. In this regard, Basin et al. recently refined the structure that helps distinguish between those actions that the monitor can potentially suppress or insert in the execution, from those that the monitor can only observe. In this paper, we generalize this model by organizing the universe of possible actions in a lattice that naturally corresponds to the levels of monitor control. We then delineate the set of properties that are enforceable under this paradigm and relate our results to previous work in the field. Finally, we explore the set of security policies that are enforceable if the monitor is given greater latitude to alter the execution of its target, which allows us to reflect on the capabilities of different types of monitors.

show abstract

“…Most models (e.g., [15,17,11,9,8,1,5]) are based on truncation automata [15,12], which can only respond to policy violations by immediately halting the application being monitored (i.e., the target application). This constraint simplifies analyses but sacrifices generality.…”

Section: Related Workmentioning

confidence: 99%

A Theory of Runtime Enforcement, with Results

Ligatti

Reddy

2010

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. This paper presents a theory of runtime enforcement based on mechanism models called MRAs (Mandatory Results Automata). MRAs can monitor and transform security-relevant actions and their results. Because previous work could not model monitors transforming results, MRAs capture realistic behaviors outside the scope of previous models. MRAs also have a simple but realistic operational semantics that makes it straightforward to define concrete MRAs. Moreover, the definitions of policies and enforcement with MRAs are significantly simpler and more expressive than those of previous models. Putting all these features together, we argue that MRAs make good general models of runtime mechanisms, upon which a theory of runtime enforcement can be based. We develop some enforceability theory by characterizing the policies MRAs can and cannot enforce.

show abstract

Computational Analysis of Run-time Monitoring

Cited by 26 publications

References 4 publications

Run-Time Enforcement of Nonsafety Policies

Run-Time Enforcement of Nonsafety Policies

Runtime Enforcement with Partial Control

A Theory of Runtime Enforcement, with Results

Contact Info

Product

Resources

About