Edit automata: enforcement mechanisms for run-time security policies

Ligatti, Jay; Bauer, Lujo; Walker, David

doi:10.1007/s10207-004-0046-8

Cited by 283 publications

(250 citation statements)

References 16 publications

Supporting

Mentioning

248

Contrasting

Order By: Relevance

“…Section VI shows how to represent the monitor [28] for sequential programs in our framework. Ligatti et al [29] present a general framework for security policies that can be enforced by monitoring and modifying programs at runtime. The authors introduce the notion of edit automata, i.e., monitors that can stop, suppress, and modify the behavior of programs.…”

Section: Related Workmentioning

confidence: 99%

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

155

216

View full text Add to dashboard Cite

Abstract-This paper seeks to answer fundamental questions about trade-offs between static and dynamic security analysis. It has been previously shown that flow-sensitive static information-flow analysis is a natural generalization of flowinsensitive static analysis, which allows accepting more secure programs. It has been also shown that sound purely dynamic information-flow enforcement is more permissive than static analysis in the flow-insensitive case. We argue that the step from flow-insensitive to flow-sensitive is fundamentally limited for purely dynamic information-flow controls. We prove impossibility of a sound purely dynamic information-flow monitor that accepts programs certified by a classical flow-sensitive static analysis. A side implication is impossibility of permissive dynamic instrumented security semantics for information flow, which guides us to uncover an unsound semantics from the literature. We present a general framework for hybrid mechanisms that is parameterized in the static part and in the reaction method of the enforcement (stop, suppress, or rewrite) and give security guarantees with respect to terminationinsensitive noninterference for a simple language with output.

show abstract

Section: Related Workmentioning

confidence: 99%

Dynamic vs. Static Flow-Sensitive Security Analysis

Russo

Sabelfeld

2010

2010 23rd IEEE Computer Security Foundations Symposium

155

216

View full text Add to dashboard Cite

show abstract

“…The computability constraints that can further restrict a monitor's enforcement power are discussed in [14,19]; that of monitors relying upon an a priori model of the program's possible behaviour is discussed in [9] and [21].…”

Section: Related Workmentioning

confidence: 99%

Runtime Enforcement with Partial Control

Khoury

Hallé

2016

Foundations and Practice of Security

View full text Add to dashboard Cite

This study carries forward the line of enquiry that seeks to characterize precisely which security policies are enforceable by runtime monitors. In this regard, Basin et al. recently refined the structure that helps distinguish between those actions that the monitor can potentially suppress or insert in the execution, from those that the monitor can only observe. In this paper, we generalize this model by organizing the universe of possible actions in a lattice that naturally corresponds to the levels of monitor control. We then delineate the set of properties that are enforceable under this paradigm and relate our results to previous work in the field. Finally, we explore the set of security policies that are enforceable if the monitor is given greater latitude to alter the execution of its target, which allows us to reflect on the capabilities of different types of monitors.

show abstract

“…Ligatti et al [20] present a general framework for security policies that can be enforced by monitoring and modifying programs at runtime. They introduce edit automata that enable monitors to stop, suppress, and modify the behavior of programs.…”

Section: Related Workmentioning

confidence: 99%

On-the-fly inlining of dynamic security monitors

Magazinius

Russo

Sabelfeld

2012

Computers & Security

View full text Add to dashboard Cite

Abstract. Language-based information-flow security considers programs that manipulate pieces of data at different sensitivity levels. Securing information flow in such programs remains an open challenge. Recently, considerable progress has been made on understanding dynamic monitoring for secure information flow. This paper presents a framework for inlining dynamic information-flow monitors. A novel feature of our framework is the ability to perform inlining on the fly. We consider a source language that includes dynamic code evaluation of strings whose content might not be known until runtime. To secure this construct, our inlining is done on the fly, at the string evaluation time, and, just like conventional offline inlining, requires no modification of the hosting runtime environment. We present a formalization for a simple language to show that the inlined code is secure: it satisfies a noninterference property. We also discuss practical considerations and preliminary experimental results.

show abstract

Edit automata: enforcement mechanisms for run-time security policies

Cited by 283 publications

References 16 publications

Dynamic vs. Static Flow-Sensitive Security Analysis

Dynamic vs. Static Flow-Sensitive Security Analysis

Runtime Enforcement with Partial Control

On-the-fly inlining of dynamic security monitors

Contact Info

Product

Resources

About