The inlined reference monitor approach to security policy enforcement
Publisher:
  • Cornell University
  • PO Box 250, 124 Roberts Place Ithaca, NY
  • United States
Order Number:AAI3114521
Pages: 185
Abstract

Embedding security enforcement code into applications is an alternative to traditional security mechanisms. This dissertation supports the thesis that such Inlined Reference Monitors, or IRMs, offer many advantages and are a practical option in modern systems. IRMs enable flexible general-purpose enforcement of security policies, and they are especially well suited for extensible systems and other non-traditional platforms. IRMs can exhibit similar, or even better, performance than previous approaches and can help increase assurance by contributing little to the size of a trusted computing base. Moreover, IRMs' agility in distributed settings allows for their cost-effective and trustworthy deployment in many scenarios. In this dissertation, IRM implementations are derived from formal automata-based specifications of security policies. Then, an IRM toolkit for Java is described in detail. This Java IRM toolkit uses an imperative policy language that allows a security policy, in combination with the details of its enforcement, to be given in a single complete specification. Various example policies, including the stack-inspection policy of Java, illustrate the approach. These examples shed light on practical issues in policy specification, the support needed from an IRM toolkit, and the advantages of the IRM approach.
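The derivation of an IRM from an automaton-based policy that the abstract describes, as an added Python example (not the dissertation's Java toolkit or any code from it): a two-state security automaton for a constructed "no network send after a file read" policy, and the check-then-act guard that an IRM rewriter would inline immediately before each security-relevant operation, halting the operation before it runs when the automaton has no transition.

```python
# Added example, not code from the dissertation or its Java IRM toolkit.
# Policy given as a security automaton (constructed): an application may
# read a file and may send on the network, but must never send after a read.
from typing import Callable, Dict, Tuple

# (state, event) -> next state.  A missing pair means the event is forbidden.
NO_SEND_AFTER_READ: Dict[Tuple[str, str], str] = {
    ("start", "read"): "tainted",
    ("start", "send"): "start",
    ("tainted", "read"): "tainted",
    # ("tainted", "send") is deliberately absent: that is the forbidden step.
}

class PolicyViolation(Exception):
    """Raised when the automaton has no transition for the current event."""

class InlinedMonitor:
    """Runs the automaton; guard() is the check an IRM rewriter inlines."""

    def __init__(self, automaton: Dict[Tuple[str, str], str], start: str = "start"):
        self.automaton, self.state = automaton, start

    def step(self, event: str) -> None:
        nxt = self.automaton.get((self.state, event))
        if nxt is None:
            raise PolicyViolation(f"{event!r} forbidden in state {self.state!r}")
        self.state = nxt

    def guard(self, event: str) -> Callable:
        """Wrap a security-relevant operation with the inlined check."""
        def wrap(fn: Callable) -> Callable:
            def checked(*args, **kwargs):
                self.step(event)          # check first, then the real operation
                return fn(*args, **kwargs)
            return checked
        return wrap

def run_app(events) -> Tuple[str, int]:
    """Simulated application; returns (final automaton state, ops completed)."""
    mon = InlinedMonitor(NO_SEND_AFTER_READ)
    ops = {"read": mon.guard("read")(lambda: "bytes"),
           "send": mon.guard("send")(lambda: "sent")}
    done = 0
    try:
        for ev in events:
            ops[ev]()
            done += 1
    except PolicyViolation:
        pass                              # forbidden operation halted before it ran
    return mon.state, done
```

Because the guard runs before the wrapped call, a violating trace is cut off at the first forbidden event and the protected operation never executes; a real IRM rewriter would place the same `step()` call at every matching call site in the target program's bytecode.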

Cited By

  1. Yao D, Zhang Z and Zhang G. Practical Control Flow Integrity using Multi-Variant execution. Proceedings of the 2020 International Conference on Internet Computing for Science and Engineering, (14-19)
  2. Gu Y, Zhao Q, Zhang Y and Lin Z. PT-CFI. Proceedings of the Seventh ACM on Conference on Data and Application Security and Privacy, (173-184)
  3. Cassar I and Francalanza A. On Implementing a Monitor-Oriented Programming Framework for Actor Systems. Proceedings of the 12th International Conference on Integrated Formal Methods - Volume 9681, (176-192)
  4. Bielova N and Rezk T. A Taxonomy of Information Flow Monitors. Proceedings of the 5th International Conference on Principles of Security and Trust - Volume 9635, (46-67)
  5. Amir-Mohammadian S, Chong S and Skalka C. Correct Audit Logging. Proceedings of the 5th International Conference on Principles of Security and Trust - Volume 9635, (139-162)
  6. You W, Liang B, Shi W, Zhu S, Wang P, Xie S and Zhang X. Reference hijacking. Proceedings of the 38th International Conference on Software Engineering, (959-970)
  7. Backes M, Bugiel S, Hammer C, Schranz O and Von Styp-Rekowsky P. Boxify. Proceedings of the 24th USENIX Conference on Security Symposium, (691-706)
  8. Backes M, Schranz O and von Styp-Rekowsky P. POSTER. Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, (1629-1631)
  9. Armando A, Costa G, Merlo A and Verderame L. Enabling BYOD through secure meta-market. Proceedings of the 2014 ACM conference on Security and privacy in wireless & mobile networks, (219-230)
  10. Magazinius J, Hedin D and Sabelfeld A. Architectures for Inlining Security Monitors in Web Applications. Proceedings of the 6th International Symposium on Engineering Secure Software and Systems - Volume 8364, (141-160)
  11. Joiner R, Reps T, Jha S, Dhawan M and Ganapathy V. Efficient runtime-enforcement techniques for policy weaving. Proceedings of the 22nd ACM SIGSOFT International Symposium on Foundations of Software Engineering, (224-234)
  12. De Groef W, Massacci F and Piessens F. NodeSentry. Proceedings of the 30th Annual Computer Security Applications Conference, (446-455)
  13. Davis B and Chen H. RetroSkeleton. Proceeding of the 11th annual international conference on Mobile systems, applications, and services, (181-192)
  14. Basin D, Jugé V, Klaedtke F and Zălinescu E (2013). Enforceable Security Policies Revisited. ACM Transactions on Information and System Security (TISSEC), 16:1, (1-26), Online publication date: 1-Jun-2013.
  15. Rafailidis F, Panagos I, Katsaros P and Arvanitidis A. Inlined monitors for security policy enforcement in web applications. Proceedings of the 17th Panhellenic Conference on Informatics, (75-82)
  16. Backes M, Gerling S, Hammer C, Maffei M and von Styp-Rekowsky P. AppGuard. Proceedings of the 19th international conference on Tools and Algorithms for the Construction and Analysis of Systems, (543-548)
  17. Richards G, Hammer C, Zappa Nardelli F, Jagannathan S and Vitek J (2013). Flexible access control for javascript. ACM SIGPLAN Notices, 48:10, (305-322), Online publication date: 12-Nov-2013.
  18. Richards G, Hammer C, Zappa Nardelli F, Jagannathan S and Vitek J. Flexible access control for javascript. Proceedings of the 2013 ACM SIGPLAN international conference on Object oriented programming systems languages & applications, (305-322)
  19. Dhawan M, Shan C and Ganapathy V. Enhancing javascript with transactions. Proceedings of the 26th European conference on Object-Oriented Programming, (383-408)
  20. Magazinius J, Russo A and Sabelfeld A (2019). On-the-fly inlining of dynamic security monitors. Computers and Security, 31:7, (827-843), Online publication date: 1-Oct-2012.
  21. Hussein S, Meredith P and Roşu G. Security-policy monitoring and enforcement with JavaMOP. Proceedings of the 7th Workshop on Programming Languages and Analysis for Security, (1-11)
  22. Dam M, Le Guernic G and Lundblad A. TreeDroid. Proceedings of the 2012 ACM conference on Computer and communications security, (894-905)
  23. Basin D, Jugé V, Klaedtke F and Zălinescu E. Enforceable security policies revisited. Proceedings of the First international conference on Principles of Security and Trust, (309-328)
  24. Sridhar M and Hamlen K. Flexible in-lined reference monitor certification. Proceedings of the 5th ACM workshop on Programming languages meets program verification, (55-60)
  25. Birgisson A, Russo A and Sabelfeld A. Capabilities for information flow. Proceedings of the ACM SIGPLAN 6th Workshop on Programming Languages and Analysis for Security, (1-15)
  26. Bielova N and Massacci F. Predictability of enforcement. Proceedings of the Third international conference on Engineering secure software and systems, (73-86)
  27. Politz J, Eliopoulos S, Guha A and Krishnamurthi S. ADsafety. Proceedings of the 20th USENIX conference on Security, (12-12)
  28. Bello L and Bonelli E. On-the-Fly inlining of dynamic dependency monitors for secure information flow. Proceedings of the 8th international conference on Formal Aspects of Security and Trust, (55-69)
  29. Cappos J, Dadgar A, Rasley J, Samuel J, Beschastnikh I, Barsan C, Krishnamurthy A and Anderson T. Retaining sandbox containment despite bugs in privileged memory-safe code. Proceedings of the 17th ACM conference on Computer and communications security, (212-223)
  30. Dam M, Jacobs B, Lundblad A and Piessens F (2010). Provably correct inline monitoring for multithreaded Java-like programs. Journal of Computer Security, 18:1, (37-59), Online publication date: 1-Jan-2010.
  31. Ligatti J and Reddy S. A theory of runtime enforcement, with results. Proceedings of the 15th European conference on Research in computer security, (87-100)
  32. Swamy N and Hicks M (2009). Verified enforcement of stateful information release policies. ACM SIGPLAN Notices, 43:12, (21-31), Online publication date: 28-Feb-2009.
  33. Pistoia M and Erlingsson Ú (2009). Programming languages and program analysis for security. ACM SIGPLAN Notices, 43:12, (32-39), Online publication date: 28-Feb-2009.
  34. Bauer L, Ligatti J and Walker D (2009). Composing expressive runtime security policies. ACM Transactions on Software Engineering and Methodology, 18:3, (1-43), Online publication date: 1-May-2009.
  35. Falcone Y, Fernandez J and Mounier L. Enforcement monitoring wrt. the safety-progress classification of properties. Proceedings of the 2009 ACM symposium on Applied Computing, (593-600)
  36. Phung P, Sands D and Chudnov A. Lightweight self-protecting JavaScript. Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, (47-60)
  37. Ligatti J, Bauer L and Walker D (2009). Run-Time Enforcement of Nonsafety Policies. ACM Transactions on Information and System Security (TISSEC), 12:3, (1-41), Online publication date: 1-Jan-2009.
  38. Kallel S, Charfi A, Mezini M, Jmaiel M and Sewe A (2009). A holistic approach for access control policies: from formal specification to aspect-based enforcement. International Journal of Information and Computer Security, 3:3/4, (337-354), Online publication date: 1-Jan-2009.
  39. Hamlen K and Jones M. Aspect-oriented in-lined reference monitors. Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security, (11-20)
  40. Swamy N and Hicks M. Verified enforcement of stateful information release policies. Proceedings of the third ACM SIGPLAN workshop on Programming languages and analysis for security, (21-32)
  41. Aktug I and Naliuka K (2008). ConSpec – A formal language for policy specification. Science of Computer Programming, 74:1-2, (2-12), Online publication date: 1-Dec-2008.
  42. Vanoverberghe D and Piessens F. A Caller-Side Inline Reference Monitor for an Object-Oriented Intermediate Language. Proceedings of the 10th IFIP WG 6.1 international conference on Formal Methods for Open Object-Based Distributed Systems, (240-258)
  43. Chang W, Streiff B and Lin C. Efficient and extensible security enforcement using dynamic data flow analysis. Proceedings of the 15th ACM conference on Computer and communications security, (39-50)
  44. Ganapathy V, King D, Jaeger T and Jha S. Mining Security-Sensitive Operations in Legacy Code Using Concept Analysis. Proceedings of the 29th international conference on Software Engineering, (458-467)
  45. Criswell J, Lenharth A, Dhurjati D and Adve V. Secure virtual architecture. Proceedings of twenty-first ACM SIGOPS symposium on Operating systems principles, (351-366)
  46. Desmet L, Joosen W, Massacci F, Naliuka K, Philippaerts P, Piessens F and Vanoverberghe D. A flexible security architecture to support third-party applications on mobile devices. Proceedings of the 2007 ACM workshop on Computer security architecture, (19-28)
  47. Criswell J, Lenharth A, Dhurjati D and Adve V (2007). Secure virtual architecture. ACM SIGOPS Operating Systems Review, 41:6, (351-366), Online publication date: 14-Oct-2007.
  48. Shah H and Shyamasundar R. On run-time enforcement of policies. Proceedings of the 12th Asian computing science conference on Advances in computer science: computer and network security, (268-281)
  49. Moon S and Chang B (2006). A thread monitoring system for multithreaded Java programs. ACM SIGPLAN Notices, 41:5, (21-29), Online publication date: 1-May-2006.
  50. Barthe G, Burdy L, Charles J, Grégoire B, Huisman M, Lanet J, Pavlova M and Requet A. JACK. Proceedings of the 5th international conference on Formal methods for components and objects, (152-174)
  51. Paul N and Evans D (2006). Comparing Java and .NET security. Computers and Security, 25:5, (338-350), Online publication date: 1-Jul-2006.
  52. Le Guernic G, Banerjee A, Jensen T and Schmidt D. Automata-based confidentiality monitoring. Proceedings of the 11th Asian computing science conference on Advances in computer science: secure software and related issues, (75-89)
  53. Ligatti J, Bauer L and Walker D. Enforcing non-safety security policies with program monitors. Proceedings of the 10th European conference on Research in Computer Security, (355-373)
  54. Ohe H and Chang B. An exception monitoring system for java. Proceedings of the First international conference on Rapid Integration of Software Engineering Techniques, (71-81)
Contributors
  • Cornell University
  • Google LLC