Enforceable Security Policies Revisited

Abstract
We revisit Schneider’s work on policy enforcement by execution monitoring. We overcome limitations of Schneider’s setting by distinguishing between system actions that are controllable by an enforcement mechanism and those actions that are only observable, that is, the enforcement mechanism sees them but cannot prevent their execution. For this refined setting, we give necessary and sufficient conditions on when a security policy is enforceable. To state these conditions, we generalize the standard notion of safety properties. Our classification of system actions also allows one, for example, to reason about the enforceability of policies that involve timing constraints. Furthermore, for different specification languages, we investigate the decision problem of whether a given policy is enforceable. We provide complexity results and show how to synthesize an enforcement mechanism from an enforceable policy.
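The distinction the abstract draws between controllable and observable actions can be illustrated with a small execution monitor. The following is an added example, not code from the paper: a policy is given as a finite automaton with a "bad" sink state, each action is classified as controllable (the monitor may suppress it) or observable (the monitor only sees it), and a necessary condition for enforceability is checked by looking for observable actions that lead straight into the bad state, which no monitor could prevent. The two policies, their action names and the automaton encoding are constructed for this illustration.

```python
# Added illustration (not code from the paper): a toy execution monitor over a policy given
# as a DFA, with actions split into controllable (blockable) and observable (only seen) ones.
from typing import List, Tuple

BAD = "bad"  # sink state: the prefix seen so far violates the policy

# Constructed policy 1: reads/writes are allowed only inside a session (after login,
# before logout). login/logout are assumed observable; read/write are controllable.
POLICY_SESSION = {
    "init": "out",
    "controllable": {"read", "write"},
    "delta": {
        "out": {"login": "in", "logout": "out", "read": BAD, "write": BAD},
        "in": {"login": "in", "logout": "out", "read": "in", "write": "in"},
    },
}

# Constructed policy 2: a session must not end while a write is uncommitted.
# The violating step is the observable action logout, which no monitor can block.
POLICY_COMMIT = {
    "init": "in",
    "controllable": {"write", "commit"},
    "delta": {
        "in": {"write": "pending", "commit": "in", "logout": "in"},
        "pending": {"write": "pending", "commit": "in", "logout": BAD},
    },
}

def unenforceable_steps(policy) -> List[Tuple[str, str]]:
    """Return (state, action) pairs where an observable action leads to the bad sink.
    Such a step cannot be prevented, so the policy is not enforceable by monitoring
    (assuming every non-bad state is reachable and can still be extended to a good trace)."""
    ctrl = policy["controllable"]
    return [(s, a) for s, row in policy["delta"].items()
            for a, t in row.items() if t == BAD and a not in ctrl]

def run_monitor(policy, trace: List[str]) -> Tuple[List[str], List[str], bool]:
    """Replay a trace: let permitted actions through, suppress controllable actions that
    would enter the bad sink, and report a violation if an observable action does so."""
    state, ctrl = policy["init"], policy["controllable"]
    allowed, blocked = [], []
    for action in trace:
        nxt = policy["delta"][state][action]
        if nxt != BAD:
            allowed.append(action)
            state = nxt
        elif action in ctrl:
            blocked.append(action)          # prevented; the policy state is unchanged
        else:
            return allowed, blocked, True   # observable action: violation cannot be prevented
    return allowed, blocked, False
```

For the second policy the check reports the logout step from the pending state, so the policy cannot be enforced exactly by a monitor that only blocks controllable actions, even though every individual trace is finite-state and checkable.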