Enforcing Non-safety Security Policies with Program Monitors

  • Jay Ligatti
  • Lujo Bauer
  • David Walker
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3679)


We consider the enforcement powers of program monitors, which intercept security-sensitive actions of a target application at run time and take remedial steps whenever the target attempts to execute a potentially dangerous action. A common belief in the security community is that program monitors, regardless of the remedial steps available to them when detecting violations, can only enforce safety properties. We formally analyze the properties enforceable by various program monitors and find that although this belief is correct when considering monitors with simple remedial options, it is incorrect for more powerful monitors that can be modeled by edit automata. We define an interesting set of properties called infinite renewal properties and demonstrate how, when given any reasonable infinite renewal property, to construct an edit automaton that provably enforces that property. We analyze the set of infinite renewal properties and show that it includes every safety property, some liveness properties, and some properties that are neither safety nor liveness.
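The following is an added illustration of the distinction the abstract draws; it is not code from the paper or its authors. It models a target's security-relevant actions as strings over a constructed alphabet (`begin`, `commit`, `abort`, `write:<loc>`, `read:<loc>`) and enforces a policy chosen for illustration, not one the page specifies: writes may occur only inside a transaction, and every transaction that is begun must eventually be closed. That policy is not a safety property (the prefix `begin, write:x` is bad only until a later `commit` repairs it), but it is an infinite renewal property in the abstract's sense: an infinite run satisfies it exactly when infinitely many of its prefixes do. A truncation-style monitor that can only halt the target is sound for this policy but must stop at the first `begin`; an edit automaton that can suppress actions and re-insert them later enforces the policy while passing every valid run through unchanged. The class and function names below are assumptions of this example.

```python
"""Added example: truncation monitor vs. edit automaton for a renewal property."""
from typing import List


def valid(trace: List[str]) -> bool:
    """Decide the illustrative policy P on a finite trace: writes only inside a
    transaction, and no transaction left open at the end."""
    open_tx = False
    for a in trace:
        if a == "begin":
            if open_tx:
                return False          # nested transactions are not modeled
            open_tx = True
        elif a in ("commit", "abort"):
            if not open_tx:
                return False          # closing with nothing open
            open_tx = False
        elif a.startswith("write:"):
            if not open_tx:
                return False          # write outside a transaction
        elif not a.startswith("read:"):
            return False              # unknown action
    return not open_tx                # valid only when nothing is left open


def truncation_monitor(trace: List[str]) -> List[str]:
    """Truncation automaton: emit an action only if the emitted prefix stays
    valid, otherwise halt the target.  Sound for P, but it must halt at the
    first "begin", so it never lets a single transaction through."""
    out: List[str] = []
    for a in trace:
        if not valid(out + [a]):
            break
        out.append(a)
    return out


class EditAutomaton:
    """Edit automaton for P: suppresses (buffers) the actions of an open
    transaction and re-inserts all of them once the transaction closes; drops
    writes that occur outside any transaction.  Every emitted prefix satisfies
    P, and input that already satisfies P is passed through unchanged."""

    def __init__(self) -> None:
        self.buffer: List[str] = []   # suppressed actions of the open transaction
        self.in_tx = False

    def step(self, a: str) -> List[str]:
        """Consume one target action; return the actions released to the system."""
        if self.in_tx:
            if a in ("commit", "abort"):
                released = self.buffer + [a]   # insert the whole transaction at once
                self.buffer, self.in_tx = [], False
                return released
            if a == "begin":
                return []                      # nested begin: suppress it
            self.buffer.append(a)              # suppress until the outcome is known
            return []
        if a == "begin":
            self.in_tx = True
            self.buffer = [a]
            return []
        if a.startswith("read:"):
            return [a]                         # allowed outside a transaction
        return []                              # stray write/commit/abort: suppress


def edit_monitor(trace: List[str]) -> List[str]:
    """Run the edit automaton over a whole (finite) trace and collect its output."""
    m = EditAutomaton()
    out: List[str] = []
    for a in trace:
        out.extend(m.step(a))
    return out


def all_emitted_prefixes_valid(trace: List[str]) -> bool:
    """Soundness check: after every step of the edit automaton, the output
    released so far satisfies P (the empty output counts as valid)."""
    m = EditAutomaton()
    out: List[str] = []
    for a in trace:
        out.extend(m.step(a))
        if not valid(out):
            return False
    return True


def valid_prefix_count(trace: List[str]) -> int:
    """Number of prefixes of a trace that satisfy P; for a renewal property this
    keeps growing along any run that the policy accepts."""
    return sum(1 for i in range(len(trace) + 1) if valid(trace[:i]))


if __name__ == "__main__":
    # Constructed sample trace: a stray write, one complete transaction, a read,
    # then a transaction that the target never finishes.
    sample = ["write:z", "begin", "write:x", "commit", "read:q", "begin", "write:y"]
    print("truncation:", truncation_monitor(sample))
    print("edit      :", edit_monitor(sample))
```

The difference to notice is in the last, unfinished transaction: the edit automaton has released nothing from it yet, so the output is still valid, while the truncation monitor gave up on the very first `begin` because no prefix containing an open transaction is ever acceptable to a monitor that can only stop the target.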


Keywords (added by machine, not by the authors): Security Policy, Operational Semantics, Safety Property, Liveness Property, Empty Sequence



Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Jay Ligatti, Department of Computer Science, Princeton University
  • Lujo Bauer, CyLab, Carnegie Mellon University
  • David Walker, Department of Computer Science, Princeton University
