Abstract
A common mechanism for ensuring that software behaves securely is to monitor programs at run time and check that they dynamically adhere to constraints specified by a security policy. Whenever a program monitor detects that untrusted software is attempting to execute a dangerous action, it takes remedial steps to ensure that only safe code actually gets executed. This article improves our understanding of the space of policies enforceable by monitoring the run-time behaviors of programs. We begin by building a formal framework for analyzing policy enforcement: we precisely define policies, monitors, and enforcement. This framework allows us to prove that monitors enforce an interesting set of policies that we call the infinite renewal properties. We show how to construct a program monitor that provably enforces any reasonable infinite renewal property. We also show that the set of infinite renewal properties includes some nonsafety policies, that is, that monitors can enforce some nonsafety (including some purely liveness) policies. Finally, we demonstrate concrete examples of nonsafety policies enforceable by practical run-time monitors.
Original language | English (US) |
---|---|
Article number | 19 |
Journal | ACM Transactions on Information and System Security |
Volume | 12 |
Issue number | 3 |
DOIs | |
State | Published - Jan 1 2009 |
All Science Journal Classification (ASJC) codes
- General Computer Science
- Safety, Risk, Reliability and Quality
Keywords
- Liveness
- Monitoring
- Policy enforcement
- Safety
- Security automata
- Security policies