Runtime Enforcement of Security Policies on Black Box Reactive Programs

Published: 14 January 2015

Abstract

Security enforcement mechanisms like execution monitors are used to make sure that some untrusted program complies with a policy. Different enforcement mechanisms have different strengths and weaknesses and hence it is important to understand the qualities of various enforcement mechanisms.

This paper studies runtime enforcement mechanisms for reactive programs. We study the impact of two important constraints that many practical enforcement mechanisms satisfy: (1) the enforcement mechanism must handle each input/output event in finite time and on occurrence of the event (as opposed to for instance Ligatti's edit automata that have the power to buffer events for an arbitrary amount of time), and (2) the enforcement mechanism treats the untrusted program as a black box: it can monitor and/or edit the input/output events that the program exhibits on execution and it can explore alternative executions of the program by running additional copies of the program and providing these different inputs. It can not inspect the source or machine code of the untrusted program.

Such enforcement mechanisms are important in practice: they include for instance many execution monitors, virtual machine monitors, and secure multi-execution or shadow executions.

We establish upper and lower bounds for the class of policies that are enforceable by such black box mechanisms, and we propose a generic enforcement mechanism that works for a wide range of policies. We also show how our generic enforcement mechanism can be instantiated to enforce specific classes of policies, at the same time showing that many existing enforcement mechanisms are optimized instances of our construction.
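The black-box constraint described above (the mechanism may only run extra copies of the program on alternative inputs, and must decide each event as it occurs) is exactly what secure multi-execution does to enforce noninterference. The following Python sketch is an added example, not code from the paper: a two-level instance with one program copy per security level, where the leaky program, the channel names and the default input value are all constructed for illustration.

```python
"""Secure multi-execution (SME) as a black-box runtime enforcer.

Added example, not taken from the paper. The program is a black box:
the enforcer only calls it with one input event at a time and observes
the output events it returns.
"""
from typing import Callable, Dict, List, Tuple

Event = Tuple[str, str]      # (channel, payload); channel name doubles as level
LEVELS = {"L": 0, "H": 1}     # L (public) may flow to H (secret), never back

def make_program() -> Callable[[Event], List[Event]]:
    """Constructed black-box reactive program with internal state.
    It is deliberately leaky: after seeing a secret it echoes it publicly."""
    state = {"secret": ""}
    def step(ev: Event) -> List[Event]:
        chan, payload = ev
        if chan == "H":
            state["secret"] = payload
            return [("H", "stored " + payload)]
        # public request: leaks the stored secret on the public channel
        return [("L", "reply:" + payload + ":" + state["secret"])]
    return step

class SMEEnforcer:
    """One copy per level; copy l sees real inputs only at levels <= l."""
    def __init__(self, factory: Callable[[], Callable[[Event], List[Event]]],
                 default: str = "<default>"):
        self.copies: Dict[str, Callable[[Event], List[Event]]] = {
            lvl: factory() for lvl in LEVELS}
        self.default = default   # constructed stand-in for inputs a copy may not see

    def handle(self, ev: Event) -> List[Event]:
        """Handle one input event on occurrence, in finite time."""
        chan, payload = ev
        out: List[Event] = []
        for lvl, copy in self.copies.items():
            # a copy receives the real input only if its level may observe it
            feed = ev if LEVELS[chan] <= LEVELS[lvl] else (chan, self.default)
            for oc, opay in copy(feed):
                if oc == lvl:    # copy lvl may only speak on its own channel
                    out.append((oc, opay))
        return out

def run(enforced: bool, inputs: List[Event]) -> List[Event]:
    """Run the black box on an input trace, with or without the enforcer."""
    if enforced:
        enf = SMEEnforcer(make_program)
        return [o for ev in inputs for o in enf.handle(ev)]
    prog = make_program()
    return [o for ev in inputs for o in prog(ev)]

def public(outputs: List[Event]) -> List[str]:
    """Project an output trace onto the public (L) channel."""
    return [p for c, p in outputs if c == "L"]
```

Two input traces that differ only in the secret produce different public outputs from the raw program but identical public outputs under the enforcer, which is the noninterference property the extra copy buys.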


Supplemental Material

p43-sidebyside.mpg

References

  1. A. Askarov and A. Sabelfeld. Tight enforcement of information-release policies for dynamic languages. In CSF, pages 43--59, 2009.
  2. T. H. Austin and C. Flanagan. Permissive dynamic information flow analysis. In PLAS, pages 3:1--3:12, 2010.
  3. T. H. Austin and C. Flanagan. Multiple facets for dynamic information flow. In POPL, pages 165--178, 2012.
  4. D. Basin, V. Jugé, F. Klaedtke, and E. Zălinescu. Enforceable security policies revisited. TISSEC, 16(1):3:1--3:26, June 2013.
  5. N. Bielova, D. Devriese, F. Massacci, and F. Piessens. Reactive non-interference for a browser model. In 5th International Conference on Network and System Security, pages 97--104, 2011.
  6. A. Bohannon, B. C. Pierce, V. Sjöberg, S. Weirich, and S. Zdancewic. Reactive noninterference. In CCS, pages 79--90, 2009.
  7. R. Capizzi, A. Longo, V. N. Venkatakrishnan, and A. P. Sistla. Preventing information leaks through shadow executions. In ACSAC, pages 322--331, 2008.
  8. H. Chabot, R. Khoury, and N. Tawbi. Extending the enforcement power of truncation monitors using static analysis. Computers & Security, 30(4):194--207, June 2011.
  9. E. Y. Chang, Z. Manna, and A. Pnueli. Characterization of temporal property classes. In ICALP, pages 474--486, 1992.
  10. M. R. Clarkson and F. B. Schneider. Hyperproperties. JCS, 18:1157--1210, September 2010.
  11. D. Devriese and F. Piessens. Noninterference through secure multi-execution. In IEEE S&P, pages 109--124, 2010.
  12. U. Erlingsson and F. B. Schneider. SASI enforcement of security policies: A retrospective. In 1999 Workshop on New Security Paradigms, pages 87--95, 2000.
  13. Y. Falcone, L. Mounier, J.-C. Fernandez, and J.-L. Richier. Runtime enforcement monitors: composition, synthesis, and enforcement abilities. Formal Methods in System Design, 38(3):223--262, 2011.
  14. P. W. L. Fong. Access control by tracking shallow execution history. In IEEE S&P, pages 43--55, 2004.
  15. K. W. Hamlen, G. Morrisett, and F. B. Schneider. Computability classes for enforcement mechanisms. TOPLAS, 28(1):175--205, 2006.
  16. T. Khatiwala, R. Swaminathan, and V. N. Venkatakrishnan. Data sandboxing: A technique for enforcing confidentiality policies. In ACSAC, pages 223--234, 2006.
  17. G. Le Guernic. Confidentiality Enforcement Using Dynamic Information Flow Analyses. PhD thesis, Kansas State University, 2007.
  18. J. Ligatti, L. Bauer, and D. Walker. Edit automata: Enforcement mechanisms for run-time security policies. Int. J. of Inf. Sec., 4(1--2):2--16, February 2005.
  19. J. Ligatti, L. Bauer, and D. Walker. Run-time enforcement of non-safety policies. TISSEC, 12(3):1--41, 2009.
  20. J. Ligatti and S. Reddy. A theory of runtime enforcement, with results. In ESORICS, pages 87--100, 2010.
  21. R. McNaughton and S. A. Papert. Counter-Free Automata (M.I.T. Research Monograph No. 65). The MIT Press, 1971.
  22. W. Rafnsson and A. Sabelfeld. Secure multi-execution: fine-grained, declassification-aware, and transparent. In CSF, pages 33--48, 2013.
  23. A. Russo and A. Sabelfeld. Securing timeout instructions in web applications. In CSF, pages 92--106, 2009.
  24. A. Russo, A. Sabelfeld, and A. Chudnov. Tracking information flow in dynamic tree structures. In ESORICS, pages 86--103, 2009.
  25. F. Schneider. Enforceable security policies. TISSEC, 3(1):30--50, 2000.
  26. C. Talhi, N. Tawbi, and M. Debbabi. Execution monitoring enforcement under memory-limitation constraints. Inf. Comput., 206(2--4):158--184, Feb. 2008.
  27. M. Vanhoef, W. De Groef, D. Devriese, F. Piessens, and T. Rezk. Stateful declassification policies for event-driven programs. In CSF, 2014.
  28. M. Viswanathan. Foundations for the Run-time Analysis of Software Systems. PhD thesis, University of Pennsylvania, 2000.
  29. A. R. Yumerefendi, B. Mickle, and L. P. Cox. TightLip: Keeping applications from spilling the beans. In 4th USENIX Conference on Networked Systems Design & Implementation, pages 12--12, 2007.
  30. D. Zanarini, M. Jaskelioff, and A. Russo. Precise enforcement of confidentiality for reactive systems. In CSF, pages 18--32, 2013.

Published in

ACM SIGPLAN Notices, Volume 50, Issue 1 (POPL '15), January 2015, 682 pages
ISSN: 0362-1340
EISSN: 1558-1160
DOI: 10.1145/2775051
Editor: Andy Gill

POPL '15: Proceedings of the 42nd Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, January 2015, 716 pages
ISBN: 9781450333009
DOI: 10.1145/2676726

      Copyright © 2015 ACM

      Publisher

      Association for Computing Machinery

      New York, NY, United States
