Skip to main content
SpringerLink
Log in

Edit automata: enforcement mechanisms for run-time security policies

  • Regular contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

We analyze the space of security policies that can be enforced by monitoring and modifying programs at run time. Our program monitors, called edit automata, are abstract machines that examine the sequence of application program actions and transform the sequence when it deviates from a specified policy. Edit automata have a rich set of transformational powers: they may terminate an application, thereby truncating the program action stream; they may suppress undesired or dangerous actions without necessarily terminating the program; and they may also insert additional actions into the event stream.

After providing a formal definition of edit automata, we develop a rigorous framework for reasoning about them and their cousins: truncation automata (which can only terminate applications), suppression automata (which can terminate applications and suppress individual actions), and insertion automata (which can terminate and insert). We give a set-theoretic characterization of the policies each sort of automaton can enforce, and we provide examples of policies that can be enforced by one sort of automaton but not another.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Alpern B, Schneider F (1987) Recognizing safety and liveness. Distrib Comput 2:117–126

    Article  Google Scholar 

  2. Bauer L, Ligatti J, Walker D (2002) More enforceable security policies. In: Foundations of Computer Security, proceedings of the FLoC’02 workshop on foundations of computer security, Copenhagen, Denmark, 25–26 July 2002, pp 95–104

  3. Bauer L, Ligatti J, Walker D (2004) A language and system for enforcing run-time security policies. Technical Report TR-699-04, Princeton University, January 2004

  4. Colcombet T, Fradet P (2000) Enforcing trace properties by program transformation. In: Proceedings of the 27th ACM symposium on principles of programming languages, Boston, January 2000. ACM Press, New York, pp 54–66

  5. Elmasri R, Navathe SB (1994) Fundamentals of database systems. Benjamin/Cummings, San Francisco

  6. Evans D, Twyman A (1999) Flexible policy-directed code safety. In: Proceedings of the 1999 IEEE symposium on security and privacy, Oakland, CA, May 1999

  7. Fong PWL (2004) Access control by tracking shallow execution history. In: Proceedings of the 2004 IEEE symposium on security and privacy, Oakland, CA, May 2004

  8. Hamlen K, Morrisett G, Schneider F (2003) Computability classes for enforcement mechanisms. Technical Report TR2003-1908, Cornell University, Ithaca, NY

  9. Kiczales G, Hilsdale E, Hugunin J, Kersten M, Palm J, Griswold W (2001) An overview of AspectJ. In: Proceedings of the European conference on object-oriented programming. Springer, Berlin Heidelberg New York

  10. Kim M, Kannan S, Lee I, Sokolsky O, Viswantathan M (2002) Computational analysis of run-time monitoring – fundamentals of Java-MaC. Electronic notes in theoretical computer science, vol 70. Elsevier, Amsterdam

  11. Kim M, Viswanathan M, Ben-Abdallah H, Kannan S, Lee I, Sokolsky O (1999) Formally specified monitoring of temporal properties. In: Proceedings of the European conference on real-time systems, York, UK, June 1999

  12. Lamport L (1977) Proving the correctness of multiprocess programs. IEEE Trans Softw Eng 3(2):125–143

    Article  MathSciNet  Google Scholar 

  13. Schneider FB (2000) Enforceable security policies. ACM Trans Inf Syst Secur 3(1):30–50

    Article  Google Scholar 

  14. Sandholm A, Schwartzbach M (1998) Distributed safety controllers for web services. In: Fundamental approaches to software engineering. Lecture notes in computer science, vol 1382. Springer, Berlin Heidelberg New York, pp 270–284

  15. Thiemann P (2001) Enforcing security properties by type specialization. In: Proceedings of the European symposium on programming, Genova, Italy, April 2001

  16. Erlingsson Ú, Schneider FB (1999) SASI enforcement of security policies: a retrospective. In: Proceedings of the New Security Paradigms workshop, Caledon Hills, Canada, pp 87–95, September 1999

  17. Erlingsson Ú, Schneider FB (2000) IRM enforcement of Java stack inspection. In: Proceedings of the 2000 IEEE symposium on security and privacy, Oakland, CA, May 2000, pp 246–255

  18. Viswanathan M (2000) Foundations for the run-time analysis of software systems. PhD thesis, University of Pennsylvania

  19. Walker D (2000) A type system for expressive security policies. In: Proceedings of the 27th ACM symposium on principles of programming languages, Boston, January 2000, pp 254–267

Download references

Author information

Authors and Affiliations

  1. Princeton University, Princeton, NJ, USA

    Jay Ligatti & David Walker

  2. Carnegie Mellon University, Pittsburgh, PA, USA

    Lujo Bauer

Authors
  1. Jay Ligatti
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Lujo Bauer
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. David Walker
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jay Ligatti.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Ligatti, J., Bauer, L. & Walker, D. Edit automata: enforcement mechanisms for run-time security policies. IJIS 4, 2–16 (2005). https://doi.org/10.1007/s10207-004-0046-8

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-004-0046-8

Keywords

Search

Navigation