skip to main content
research-article

Enforceable Security Policies Revisited

Published:01 June 2013Publication History
Skip Abstract Section

Abstract

We revisit Schneider’s work on policy enforcement by execution monitoring. We overcome limitations of Schneider’s setting by distinguishing between system actions that are controllable by an enforcement mechanism and those actions that are only observable, that is, the enforcement mechanism sees them but cannot prevent their execution. For this refined setting, we give necessary and sufficient conditions on when a security policy is enforceable. To state these conditions, we generalize the standard notion of safety properties. Our classification of system actions also allows one, for example, to reason about the enforceability of policies that involve timing constraints. Furthermore, for different specification languages, we investigate the decision problem of whether a given policy is enforceable. We provide complexity results and show how to synthesize an enforcement mechanism from an enforceable policy.

References

  1. Alpern, B. and Schneider, F. B. 1985. Defining liveness. Inf. Process. Lett. 21, 4, 181--185.Google ScholarGoogle ScholarCross RefCross Ref
  2. Alur, R. and Henzinger, T. A. 1992. Logics and models of real time: A survey. In Proceedings of the REX Workshop on Real-Time: Theory in Practice. Lecture Notes in Computer Science, vol. 600, Springer, 74--106. Google ScholarGoogle ScholarDigital LibraryDigital Library
  3. Alur, R. and Henzinger, T. A. 1994. A really temporal logic. J. ACM 41, 1, 181--203. Google ScholarGoogle ScholarDigital LibraryDigital Library
  4. American National Standards Institute, Inc. 2004. Role Based Access Control. American National Standards Institute, Inc., Washington, DC.Google ScholarGoogle Scholar
  5. Barringer, H., Goldberg, A., Havelund, K., and Sen, K. 2004. Rule-based runtime verification. In Proceedings of the 5th International Conference on Verification, Model Checking and Abstract Interpretation. Lecture Notes in Computer Science, vol. 2937, Springer, 44--57.Google ScholarGoogle ScholarCross RefCross Ref
  6. Basin, D., Olderog, E.-R., and Sevinç, P. E. 2007. Specifying and analyzing security automata using CSP-OZ. In Proceedings of the ACM Symposium on Information, Computer and Communications Security. ACM Press, New York, 70--81. Google ScholarGoogle ScholarDigital LibraryDigital Library
  7. Basin, D., Klaedtke, F., Müller, S., and Pfitzmann, B. 2008. Runtime monitoring of metric first-order temporal properties. In Proceedings of the 28th Conference on Foundations of Software Technology and Theoretical Computer Science. Leibniz International Proceedings in Informatics Series, vol. 2, Schloss Dagstuhl - Leibniz Center for Informatics, 49--60.Google ScholarGoogle Scholar
  8. Basin, D., Klaedtke, F., and Müller, S. 2010. Monitoring security policies with metric first-order temporal logic. In Proceedings of the 15th ACM Symposium on Access Control Models and Technologies. ACM Press, New York, 23--33. Google ScholarGoogle ScholarDigital LibraryDigital Library
  9. Basin, D., Harvan, M., Klaedtke, F., and Zălinescu, E. 2011. Monitoring usage-control policies in distributed systems. In Proceedings of the 18th International Symposium on Temporal Representation and Reasoning. IEEE Computer Society, 88--95. Google ScholarGoogle ScholarDigital LibraryDigital Library
  10. Basin, D., Jugé, V., Klaedtke, F., and Zălinescu, E. 2012a. Enforceable security policies revisited. In Proceedings of the 1st Conference on Principles of Security and Trust. Lecture Notes in Computer Science, vol. 7215, Springer, 309--328. Google ScholarGoogle ScholarDigital LibraryDigital Library
  11. Basin, D., Klaedtke, F., and Zălinescu, E. 2012b. Algorithms for monitoring real-time properties. In Proceedings of the 2nd International Conference on Runtime Verification. Lecture Notes in Computer Science, vol. 7186, Springer, 260--275. Google ScholarGoogle ScholarDigital LibraryDigital Library
  12. Benveniste, A. and Berry, G. 1991. The synchronous approach to reactive and real-time systems. Proc. IEEE 79, 9, 1270--1282.Google ScholarGoogle ScholarCross RefCross Ref
  13. Chabot, H., Khoury, R., and Tawbi, N. 2011. Extending the enforcement power of truncation monitors using static analysis. Comput. Secur. 30, 4, 194--207.Google ScholarGoogle ScholarDigital LibraryDigital Library
  14. Chang, E. Y., Manna, Z., and Pnueli, A. 1992. Characterization of temporal property classes. In Proceedings of the 19th International Colloquium on Automata, Languages and Programming. Lecture Notes in Computer Science, vol. 623, Springer, 474--486. Google ScholarGoogle ScholarDigital LibraryDigital Library
  15. Clarke, E. M., Emerson, E. A., and Sifakis, J. 2007. Model checking: Algorithmic verification and debugging. Comm. ACM 52, 11, 75--84. Google ScholarGoogle ScholarDigital LibraryDigital Library
  16. Clarkson, M. R. and Schneider, F. B. 2010. Hyperproperties. J. Comput. Secur. 18, 6, 1157--1210. Google ScholarGoogle ScholarCross RefCross Ref
  17. Dax, C., Klaedtke, F., and Lange, M. 2010. On regular temporal logics with past. Acta Inf. 47, 4, 251--277. Google ScholarGoogle ScholarDigital LibraryDigital Library
  18. Ehlers, R. and Finkbeiner, B. 2011. Reactive safety. In Proceedings of 2nd International Symposium on Games, Logics and Formal Verification. Electronic Proceedings in Theoretical Computer Science, vol. 54, 178--191.Google ScholarGoogle ScholarCross RefCross Ref
  19. Eisner, C., Fisman, D., Havlicek, J., Lustig, Y., McIsaac, A., and Van Campenhout, D. 2003. Reasoning with temporal logic on truncated paths. In Proceedings of the 15th International Conference on Computer Aided Verification. Lecture Notes in Computer Science, vol. 2725, Springer, 27--39.Google ScholarGoogle Scholar
  20. Erlingsson, Ú. 2004. The inlined reference monitor approach to security policy enforcement. Ph.D. thesis, Cornell University, Ithaca, NY. Google ScholarGoogle ScholarDigital LibraryDigital Library
  21. Erlingsson, Ú. and Schneider, F. B. 1999. SASI enforcement of security policies: A retrospective. In Proceedings of the Workshop on New Security Paradigms. ACM Press, New York, 87--95. Google ScholarGoogle ScholarDigital LibraryDigital Library
  22. Erlingsson, Ú. and Schneider, F. B. 2000. IRM enforcement of Java stack inspection. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, 246--255. Google ScholarGoogle ScholarDigital LibraryDigital Library
  23. Falcone, Y., Mounier, L., Fernandez, J.-C., and Richier, J.-L. 2011. Runtime enforcement monitors: Composition, synthesis, and enforcement abilities. Form. Methods Syst. Des. 38, 2, 223--262. Google ScholarGoogle ScholarDigital LibraryDigital Library
  24. Fong, P. W. 2004. Access control by tracking shallow execution history. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, 43--55.Google ScholarGoogle ScholarCross RefCross Ref
  25. Garg, D., Jia, L., and Datta, A. 2011. Policy auditing over incomplete logs: Theory, implementation and applications. In Proceedings of the 18th ACM Conference on Computer and Communications Security. ACM Press, New York, 151--162. Google ScholarGoogle ScholarDigital LibraryDigital Library
  26. Hallé, S. and Villemaire, R. 2012. Runtime enforcement of web service message contracts with data. IEEE Trans. Serv. Comput. 5, 2, 192--206. Google ScholarGoogle ScholarDigital LibraryDigital Library
  27. Hamlen, K. W., Morrisett, G., and Schneider, F. B. 2006. Computability classes for enforcement mechanisms. ACM Trans. Progr. Lang. Syst. 28, 1, 175--205. Google ScholarGoogle ScholarDigital LibraryDigital Library
  28. Havelund, K. 2000. Using runtime analysis to guide model checking of java programs. In Proceedings of the 7th International SPIN Workshop. Lecture Notes in Computer Science, vol. 1885, Springer, 245--264. Google ScholarGoogle ScholarDigital LibraryDigital Library
  29. Havelund, K. and Roşu, G. 2001. Monitoring programs using rewriting. In Proceedings of the 16th IEEE International Conference on Automated Software Engineering. IEEE Computer Society, 135--143. Google ScholarGoogle ScholarDigital LibraryDigital Library
  30. Henzinger, T. A. 1992. Sooner is safer than later. Inform. Process. Lett. 43, 3, 135--141. Google ScholarGoogle ScholarDigital LibraryDigital Library
  31. Hopcroft, J. E. 1971. An n log n algorithm for minimizing the states in a finite automaton. In Proceedings of the International Symposium on Theory of Machines and Computations. Z. Kohavi and A. Paz Eds., Academic Press, 189--196.Google ScholarGoogle ScholarCross RefCross Ref
  32. Hopcroft, J. E. and Ullman, J. D. 1979. Introduction to Automata Theory, Languages and Computation. Addison-Wesley Longman, Boston, MA. Google ScholarGoogle ScholarDigital LibraryDigital Library
  33. Jones, N. D. 1975. Space-bounded reducibility among combinatorial problems. J. Comput. Syst. Sci. 11, 1, 68--85. Google ScholarGoogle ScholarDigital LibraryDigital Library
  34. Kim, M., Viswanathan, M., Ben-Abdallah, H., Kannan, S., Lee, I., and Sokolsky, O. 1999. Formally specified monitoring of temporal properties. In Proceedings of the 11th Euromicro Conference on Real-Time Systems. IEEE Computer Society, 114--122.Google ScholarGoogle Scholar
  35. Koymans, R. 1990. Specifying real-time properties with metric temporal logic. Real-Time Syst. 2, 4, 255--299. Google ScholarGoogle ScholarDigital LibraryDigital Library
  36. Lamport, L. 1977. Proving the correctness of multiprocess programs. IEEE Trans. Softw. Engin. 3, 2, 125--143. Google ScholarGoogle ScholarDigital LibraryDigital Library
  37. Ligatti, J. and Reddy, S. 2010. A theory of runtime enforcement, with results. In Proceedings of the 15th European Symposium on Research in Computer Security. Lecture Notes in Computer Science, vol. 6345. Springer, 87--100. Google ScholarGoogle ScholarDigital LibraryDigital Library
  38. Ligatti, J., Bauer, L., and Walker, D. 2005. Edit automata: Enforcement mechanisms for run-time security policies. Int. J. Inf. Secur. 4, 1--2, 2--16.Google ScholarGoogle ScholarDigital LibraryDigital Library
  39. Ligatti, J., Bauer, L., and Walker, D. 2009. Run-time enforcement of nonsafety policies. ACM Trans. Inf. Syst. Secur. 12, 3. Google ScholarGoogle ScholarDigital LibraryDigital Library
  40. McNaughton, R. and Papert, S. 1971. Counter-Free Automata. Research Monograph Series, vol. 65, The MIT Press, Cambridge, MA. Google ScholarGoogle ScholarDigital LibraryDigital Library
  41. Paul, M., Siegert, H. J., Alford, M. W., Ansart, J. P., Hommel, G., Lamport, L., Liskov, B., Mullery, G. P., and Schneider, F. B. 1985. Distributed Systems: Methods and Tools for Specification: An Advanced Course. Lecture Notes in Computer Science, vol. 190, Springer. Google ScholarGoogle ScholarDigital LibraryDigital Library
  42. Pnueli, A. 1977. The temporal logic of programs. In Proceedings of the 18th Annual Symposium on Foundations of Computer Science. IEEE Computer Society, 46--57. Google ScholarGoogle ScholarDigital LibraryDigital Library
  43. Pretschner, A., Hilty, M., and Basin, D. 2006. Distributed usage control. Comm. ACM 49, 9, 39--44. Google ScholarGoogle ScholarDigital LibraryDigital Library
  44. Rabin, M. O. and Scott, D. 1959. Finite automata and their decision problems. IBM J. Res. Dev. 3, 2, 114--125. Google ScholarGoogle ScholarDigital LibraryDigital Library
  45. Ramadge, P. J. and Wonham, W. M. 1987. Supervisory control of a class of discrete event processes. SIAM J. Control Optim. 25, 1, 206--230. Google ScholarGoogle ScholarDigital LibraryDigital Library
  46. Schneider, F. B. 2000. Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3, 1, 30--50. Google ScholarGoogle ScholarDigital LibraryDigital Library
  47. Sistla, A. P. and Clarke, E. M. 1985. The complexity of propositional linear temporal logic. J. ACM 32, 3, 733--749. Google ScholarGoogle ScholarDigital LibraryDigital Library
  48. Talhi, C., Tawbi, N., and Debbabi, M. 2008. Execution monitoring enforcement under memory-limitation constraints. Inf. Comput. 206, 2--4, 158--184. Google ScholarGoogle ScholarDigital LibraryDigital Library
  49. Vardi, M. Y. 1995. An automata-theoretic approach to linear temporal logic. In Proceedings of the 8th Banff Higher Order Workshop on Logics for Concurrency: Structure Versus Automata. Lecture Notes in Computer Science, vol. 1043, Springer, 238--266. Google ScholarGoogle ScholarDigital LibraryDigital Library
  50. Vardi, M. Y. 2007. Automata-theoretic model checking revisited. In Proceedings of the 8th International Conference on Verification, Model Checking, and Abstract Interpretation. Lecture Notes in Computer Science, vol. 4349, Springer, 137--150. Google ScholarGoogle ScholarDigital LibraryDigital Library
  51. Vardi, M. Y. and Wolper, P. 1994. Reasoning about infinite computations. Inf. Comput. 115, 1, 1--37. Google ScholarGoogle ScholarDigital LibraryDigital Library
  52. Viswanathan, M. 2000. Foundations for the run-time analysis of software systems. Ph.D. thesis, University of Pennsylvania, Philadelphia, PA. Google ScholarGoogle ScholarDigital LibraryDigital Library

Index Terms

  1. Enforceable Security Policies Revisited

                            Recommendations

                            Comments

                            Login options

                            Check if you have access through your login credentials or your institution to get full access on this article.

                            Sign in

                            Full Access

                            • Published in

                              cover image ACM Transactions on Information and System Security
                              ACM Transactions on Information and System Security  Volume 16, Issue 1
                              June 2013
                              113 pages
                              ISSN:1094-9224
                              EISSN:1557-7406
                              DOI:10.1145/2487222
                              Issue’s Table of Contents

                              Copyright © 2013 ACM

                              Publisher

                              Association for Computing Machinery

                              New York, NY, United States

                              Publication History

                              • Published: 1 June 2013
                              • Accepted: 1 February 2013
                              • Revised: 1 December 2012
                              • Received: 1 June 2012
                              Published in tissec Volume 16, Issue 1

                              Permissions

                              Request permissions about this article.

                              Request Permissions

                              Check for updates

                              Qualifiers

                              • research-article
                              • Research
                              • Refereed

                            PDF Format

                            View or Download as a PDF file.

                            PDF

                            eReader

                            View online with eReader.

                            eReader
                            About Cookies On This Site

                            We use cookies to ensure that we give you the best experience on our website.

                            Learn more

                            Got it!