On Run-Time Enforcement of Policies

  • Harshit Shah
  • R. K. Shyamasundar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4846)


Monitoring untrusted code for harmful behaviour is an important security issue. Many approaches have been proposed for restricting the activities and range of untrusted code. Among these, run-time monitoring is a promising approach for constraining the run-time behaviour of programs. In this paper we describe a method of containing the effects of untrusted code with respect to a specified policy. We use a guarded-command-like language for specifying policies that monitor system calls, APIs or library routines of the underlying system. We also discuss a system-call monitoring architecture for an operating system such as Linux. We give the semantics of the language in terms of Security Automata and also discuss how pure past temporal properties can be automatically compiled into policies in the guarded-command language. This allows users to specify policies as logical formulae and to automatically generate a monitoring algorithm for them in terms of guarded commands. We show how simple modifications allow us to specify constraints on the overall behaviour of a group of processes.
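As an added illustration (not code from the paper), the following Python sketch gives a guarded-command policy its security-automaton semantics over a constructed system-call trace: one per-process rule is a pure-past property compiled into a history bit plus a guard, and one rule constrains the whole group of processes through a shared counter. The policy language, event format, trace and all names are my own assumptions, not the paper's.

```python
# Event: {"pid": int, "call": str, "args": tuple}.  Policy: ordered list of
# (guard, command); guard(state, event) -> bool; command(state, event) may
# update state and returns "allow" or "deny".  All names here are assumptions.

def opens(path):              # guard: open() of one specific file
    return lambda st, ev: ev["call"] == "open" and ev["args"][0] == path
def mark_tainted(st, ev):     # history bit: Once(open(secret)) now holds for pid
    st["tainted"].add(ev["pid"])
    return "allow"
def deny(st, ev):
    return "deny"
def connect_budget(limit):    # one counter shared by the whole process group
    def cmd(st, ev):
        st["connects"] += 1
        return "allow" if st["connects"] <= limit else "deny"
    return cmd
# Policy 1 (per process): the pure-past property
#   Historically( send -> not Once(open("/etc/secret")) )
# is compiled into a history bit plus a guard on send.  Policy 2 (group): all
# monitored processes together may open at most 2 network connections.
POLICY = [
    (opens("/etc/secret"), mark_tainted),
    (lambda st, ev: ev["call"] == "send" and ev["pid"] in st["tainted"], deny),
    (lambda st, ev: ev["call"] == "connect", connect_budget(2)),
]
def run_monitor(policy, trace):
    """Security automaton: guards are tried in order for each event; the first
    deny rejects the event and halts that process (later calls are rejected)."""
    state = {"tainted": set(), "connects": 0, "killed": set()}
    verdicts = []
    for ev in trace:
        verdict = "deny" if ev["pid"] in state["killed"] else "allow"
        if verdict == "allow":
            for guard, command in policy:
                if guard(state, ev) and command(state, ev) == "deny":
                    verdict = "deny"
                    state["killed"].add(ev["pid"])
                    break
        verdicts.append(verdict)
    return verdicts, state

TRACE = [  # constructed sample trace; expected verdict on each line
    {"pid": 1, "call": "connect", "args": ("10.0.0.1",)},  # allow (1 of 2)
    {"pid": 1, "call": "send", "args": (b"hello",)},       # allow: pid 1 not tainted
    {"pid": 1, "call": "open", "args": ("/etc/secret",)},  # allow; pid 1 now tainted
    {"pid": 2, "call": "connect", "args": ("10.0.0.2",)},  # allow (2 of 2)
    {"pid": 1, "call": "send", "args": (b"leak",)},        # deny: tainted process sends
    {"pid": 1, "call": "open", "args": ("/tmp/x",)},       # deny: pid 1 already halted
    {"pid": 3, "call": "connect", "args": ("10.0.0.3",)},  # deny: group budget exhausted
]
```

`run_monitor(POLICY, TRACE)` returns the per-event verdicts together with the automaton's final state, so a new trace or policy can be checked by changing only the two lists.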


Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Harshit Shah (1)
  • R. K. Shyamasundar (2)
  1. Dep. Informatica & TLC, Univ. of Trento, Italy
  2. School of Tech. & Comp. Science, TIFR, Mumbai, India