Runtime Enforcement of Security Policies on Black Box Reactive Programs

Abstract
Security enforcement mechanisms such as execution monitors are used to ensure that an untrusted program complies with a policy. Different enforcement mechanisms have different strengths and weaknesses, so it is important to understand the qualities of the various mechanisms.
This paper studies runtime enforcement mechanisms for reactive programs. We study the impact of two important constraints that many practical enforcement mechanisms satisfy: (1) the enforcement mechanism must handle each input/output event in finite time and at the moment the event occurs (unlike, for instance, Ligatti's edit automata, which may buffer events for an arbitrary amount of time), and (2) the enforcement mechanism treats the untrusted program as a black box: it can monitor and/or edit the input/output events that the program exhibits during execution, and it can explore alternative executions of the program by running additional copies of the program and providing them with different inputs. It cannot inspect the source or machine code of the untrusted program.
Such enforcement mechanisms are important in practice: they include for instance many execution monitors, virtual machine monitors, and secure multi-execution or shadow executions.
We establish upper and lower bounds for the class of policies that are enforceable by such black box mechanisms, and we propose a generic enforcement mechanism that works for a wide range of policies. We also show how our generic enforcement mechanism can be instantiated to enforce specific classes of policies, at the same time showing that many existing enforcement mechanisms are optimized instances of our construction.
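The following is an added illustration of the two constraints above, not the paper's generic construction: a secure multi-execution monitor that treats a reactive program as a black box (an object with a `handle(event)` method whose code it never inspects), runs one copy per security level, delivers each input event at once to the copies allowed to see it, and releases a copy's outputs only on its own channel. The two-level lattice, the `LeakyProgram`/`BenignProgram` classes and the event traces are all constructed for the example.

```python
"""Secure multi-execution (SME) of a black-box reactive program.

Added example; the two-level lattice, programs and traces are constructed.
The monitor never looks at program code: it only runs copies and edits events.
"""
from typing import Callable, List, Tuple

Event = Tuple[str, object]      # (channel, value); "L" = public, "H" = secret
LEVEL = {"L": 0, "H": 1}        # constructed two-point lattice, L <= H


class LeakyProgram:
    """Untrusted black box (constructed): echoes the last secret on the public channel."""

    def __init__(self) -> None:
        self.secret = None

    def handle(self, ev: Event) -> List[Event]:
        ch, val = ev
        if ch == "H":
            self.secret = val
            return []
        return [("L", self.secret)]   # public output depends on a secret input


class BenignProgram:
    """Constructed well-behaved program: secrets only influence secret outputs."""

    def handle(self, ev: Event) -> List[Event]:
        ch, val = ev
        return [("L", val * 2)] if ch == "L" else [("H", val + 1)]


class SME:
    """One program copy per level.

    The copy at level l receives an input event only if the event's level is
    <= l, and only its outputs on channel l are released. Every input event is
    processed immediately by at most one handle() call per copy, so the monitor
    meets the per-event, finite-time constraint and never buffers events.
    """

    def __init__(self, factory: Callable[[], object]) -> None:
        self.copies = [(lvl, factory()) for lvl in ("L", "H")]

    def handle(self, ev: Event) -> List[Event]:
        ch, _ = ev
        released: List[Event] = []
        for lvl, copy in self.copies:
            if LEVEL[ch] > LEVEL[lvl]:
                continue                      # secret event is invisible to the public copy
            for out in copy.handle(ev):
                if out[0] == lvl:             # copy l may only speak on channel l
                    released.append(out)
        return released


def run(factory: Callable[[], object], inputs: List[Event], enforce: bool) -> List[Event]:
    """Feed the input events one at a time and return the output trace."""
    prog = SME(factory) if enforce else factory()
    trace: List[Event] = []
    for ev in inputs:
        trace.extend(prog.handle(ev))
    return trace


def public_view(trace: List[Event]) -> List[Event]:
    """What an observer of the public channel sees."""
    return [e for e in trace if e[0] == "L"]


if __name__ == "__main__":
    run_a = [("H", 42), ("L", 1)]
    run_b = [("H", 99), ("L", 1)]     # same public inputs, different secret
    print("unmonitored:", public_view(run(LeakyProgram, run_a, False)),
          public_view(run(LeakyProgram, run_b, False)))      # differ: a leak
    print("under SME:  ", public_view(run(LeakyProgram, run_a, True)),
          public_view(run(LeakyProgram, run_b, True)))       # identical
    print("benign program unchanged:",
          run(BenignProgram, run_a, True) == run(BenignProgram, run_a, False))
```

Two runs of `LeakyProgram` that differ only in the secret input produce different public outputs without the monitor and identical public outputs under it, while `BenignProgram`, which already satisfies the policy, produces the same trace with or without the monitor. Note that the monitor still edits the leaky program's public output (to the default `None`) rather than aborting, which is exactly the kind of event editing the black-box model allows.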
References
- A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamic languages. In CSF, pages 43--59, 2009.
- T. H. Austin and C. Flanagan. Permissive dynamic information flow analysis. In PLAS, pages 3:1--3:12, 2010.
- T. H. Austin and C. Flanagan. Multiple facets for dynamic information flow. In POPL, pages 165--178, 2012.
- D. Basin, V. Jugé, F. Klaedtke, and E. Zălinescu. Enforceable security policies revisited. TISSEC, 16(1):3:1--3:26, June 2013.
- N. Bielova, D. Devriese, F. Massacci, and F. Piessens. Reactive non-interference for a browser model. In 5th International Conference on Network and System Security, pages 97--104, 2011.
- A. Bohannon, B. C. Pierce, V. Sjöberg, S. Weirich, and S. Zdancewic. Reactive noninterference. In CCS, pages 79--90, 2009.
- R. Capizzi, A. Longo, V. N. Venkatakrishnan, and A. P. Sistla. Preventing information leaks through shadow executions. In ACSAC, pages 322--331, 2008.
- H. Chabot, R. Khoury, and N. Tawbi. Extending the enforcement power of truncation monitors using static analysis. Computers & Security, 30(4):194--207, June 2011.
- E. Y. Chang, Z. Manna, and A. Pnueli. Characterization of temporal property classes. In ICALP, pages 474--486, 1992.
- M. R. Clarkson and F. B. Schneider. Hyperproperties. JCS, 18:1157--1210, September 2010.
- D. Devriese and F. Piessens. Noninterference through secure multi-execution. In IEEE S&P, pages 109--124, 2010.
- U. Erlingsson and F. B. Schneider. SASI enforcement of security policies: A retrospective. In 1999 Workshop on New Security Paradigms, pages 87--95, 2000.
- Y. Falcone, L. Mounier, J.-C. Fernandez, and J.-L. Richier. Runtime enforcement monitors: composition, synthesis, and enforcement abilities. Formal Methods in System Design, 38(3):223--262, 2011.
- P. W. L. Fong. Access control by tracking shallow execution history. In IEEE S&P, pages 43--55, 2004.
- K. W. Hamlen, G. Morrisett, and F. B. Schneider. Computability classes for enforcement mechanisms. TOPLAS, 28(1):175--205, 2006.
- T. Khatiwala, R. Swaminathan, and V. N. Venkatakrishnan. Data sandboxing: A technique for enforcing confidentiality policies. In ACSAC, pages 223--234, 2006.
- G. Le Guernic. Confidentiality Enforcement Using Dynamic Information Flow Analyses. PhD thesis, Kansas State University, 2007.
- J. Ligatti, L. Bauer, and D. Walker. Edit automata: Enforcement mechanisms for run-time security policies. Int. J. of Inf. Sec., 4(1--2):2--16, February 2005.
- J. Ligatti, L. Bauer, and D. Walker. Run-time enforcement of non-safety policies. TISSEC, 12(3):1--41, 2009.
- J. Ligatti and S. Reddy. A theory of runtime enforcement, with results. In ESORICS, pages 87--100, 2010.
- R. McNaughton and S. A. Papert. Counter-Free Automata (M.I.T. Research Monograph No. 65). The MIT Press, 1971.
- W. Rafnsson and A. Sabelfeld. Secure multi-execution: fine-grained, declassification-aware, and transparent. In CSF, pages 33--48, 2013.
- A. Russo and A. Sabelfeld. Securing timeout instructions in web applications. In CSF, pages 92--106, 2009.
- A. Russo, A. Sabelfeld, and A. Chudnov. Tracking information flow in dynamic tree structures. In ESORICS, pages 86--103, 2009.
- F. Schneider. Enforceable security policies. TISSEC, 3(1):30--50, 2000.
- C. Talhi, N. Tawbi, and M. Debbabi. Execution monitoring enforcement under memory-limitation constraints. Inf. Comput., 206(2--4):158--184, February 2008.
- M. Vanhoef, W. De Groef, D. Devriese, F. Piessens, and T. Rezk. Stateful declassification policies for event-driven programs. In CSF, 2014.
- M. Viswanathan. Foundations for the Run-time Analysis of Software Systems. PhD thesis, University of Pennsylvania, 2000.
- A. R. Yumerefendi, B. Mickle, and L. P. Cox. Tightlip: Keeping applications from spilling the beans. In 4th USENIX Conference on Networked Systems Design & Implementation, pages 12--12, 2007.
- D. Zanarini, M. Jaskelioff, and A. Russo. Precise enforcement of confidentiality for reactive systems. In CSF, pages 18--32, 2013.