ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Composing expressive runtime security policies
Full text PdfPdf (1.26 MB)
Source
ACM Transactions on Software Engineering and Methodology (TOSEM) archive
Volume 18 ,  Issue 3  (May 2009) table of contents
Article No. 9  
Year of Publication: 2009
ISSN:1049-331X
Authors
Lujo Bauer  Carnegie Mellon University, Pittsburgh, PA
Jay Ligatti  University of South Florida
David Walker  Princeton University, Princeton, NJ
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 40,   Downloads (12 Months): 231,   Citation Count: 0
Additional Information:

abstract   references   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1525880.1525882
What is a DOI?

ABSTRACT

Program monitors enforce security policies by interposing themselves into the control flow of untrusted software whenever that software attempts to execute security-relevant actions. At the point of interposition, a monitor has authority to permit or deny (perhaps conditionally) the untrusted software's attempted action. Program monitors are common security enforcement mechanisms and integral parts of operating systems, virtual machines, firewalls, network auditors, and antivirus and antispyware tools.

Unfortunately, the runtime policies we require program monitors to enforce grow more complex, both as the monitored software is given new capabilities and as policies are refined in response to attacks and user feedback. We propose dealing with policy complexity by organizing policies in such a way as to make them composable, so that complex policies can be specified more simply as compositions of smaller subpolicy modules. We present a fully implemented language and system called Polymer that allows security engineers to specify and enforce composable policies on Java applications. We formalize the central workings of Polymer by defining an unambiguous semantics for our language. Using this formalization, we state and prove an uncircumventability theorem which guarantees that monitors will intercept all security-relevant actions of untrusted software.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

1
Ole Agesen , Stephen N. Freund , John C. Mitchell, Adding type parameterization to the Java language, Proceedings of the 12th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, p.49-65, October 05-09, 1997, Atlanta, Georgia, United States
 
2
Apache Software Foundation. 2003. Byte Code Engineering Library. Apache Software Foundation. http://jakarta.apache.org/bcel/.
 
3
Lujo Bauer , Andrew W. Appel , Edward W. Felten, Mechanisms for secure modular programming in Java, Software—Practice & Experience, v.33 n.5, p.461-480, 25 April 2003  [doi>10.1002/spe.516]
 
4
Bauer, L., Ligatti, J., and Walker, D. 2003. Types and effects for non-interfering program monitors. In Software Security—Theories and Systems. Mext-NSF-JSPS International Symposium Revised Papers, M. Okada (ISSS'02) et al., Eds. Lecture Notes in Computer Science, vol. 2609. Springer.
5
Lujo Bauer , Jay Ligatti , David Walker, Composing security policies with polymer, Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation, June 12-15, 2005, Chicago, IL, USA
 
6
Bauer, L., Ligatti, J., and Walker, D. 2005b. Polymer: A language for composing runtime security policies. http://www.cs.princeton.edu/sip/projects/polymer/.
 
7
Nicodemos Damianou , Naranker Dulay , Emil Lupu , Morris Sloman, The Ponder Policy Specification Language, Proceedings of the International Workshop on Policies for Distributed Systems and Networks, p.18-38, January 29-31, 2001
8
Guy Edjlali , Anurag Acharya , Vipin Chaudhary, History-based access control for mobile code, Proceedings of the 5th ACM conference on Computer and communications security, p.38-48, November 02-05, 1998, San Francisco, California, United States  [doi>10.1145/288090.288102]
 
9
Ulfar Erlingsson , Fred B. Schneider, The inlined reference monitor approach to security policy enforcement, Cornell University, Ithaca, NY, 2004
10
Úlfar Erlingsson , Fred B. Schneider, SASI enforcement of security policies: a retrospective, Proceedings of the 1999 workshop on New security paradigms, p.87-95, September 22-24, 1999, Caledon Hills, Ontario, Canada  [doi>10.1145/335169.335201]
 
11
Ulfar Erlingsson , Fred B. Schneider, IRM Enforcement of Java Stack Inspection, Proceedings of the 2000 IEEE Symposium on Security and Privacy, p.246, May 14-17, 2000
 
12
David E. Evans , John V. Guttag, Policy-directed code safety, Massachusetts Institute of Technology, 2000
 
13
Evans, D. and Twyman, A. 1999. Flexible policy-directed code safety. In IEEE Security and Privacy.
 
14
J. Alex Halderman , Edward W. Felten, Lessons from the Sony CD DRM episode, Proceedings of the 15th conference on USENIX Security Symposium, July 31-August 04, 2006, Vancouver, B.C., Canada
 
15
Klaus Havelund , Grigore Roşu, Efficient monitoring of safety properties, International Journal on Software Tools for Technology Transfer (STTT), v.6 n.2, p.158-173, August 2004  [doi>10.1007/s10009-003-0117-6]
 
16
Hindman, B. and Grossman, D. 2006. Strong atomicity for Java without virtual-machine support.
17
Atshushi Igarashi , Benjamin Pierce , Philip Wadler, Featherwieght Java: a minimal core calculus for Java and GJ, Proceedings of the 14th ACM SIGPLAN conference on Object-oriented programming, systems, languages, and applications, p.132-146, November 01-05, 1999, Denver, Colorado, United States
18
Clinton Jeffery , Wenyi Zhou , Kevin Templer , Michael Brazell, A lightweight architecture for program execution monitoring, Proceedings of the 1998 ACM SIGPLAN-SIGSOFT workshop on Program analysis for software tools and engineering, p.67-74, June 16-16, 1998, Montreal, Quebec, Canada
 
19
Gregor Kiczales , Erik Hilsdale , Jim Hugunin , Mik Kersten , Jeffrey Palm , William G. Griswold, An Overview of AspectJ, Proceedings of the 15th European Conference on Object-Oriented Programming, p.327-353, June 18-22, 2001
20
G. Kiczales, Aspect-oriented programming, ACM Computing Surveys (CSUR), v.28 n.4es, Dec. 1996  [doi>10.1145/242224.242420]
 
21
Kim, M., Viswanathan, M., Ben-Abdallah, H., Kannan, S., Lee, I., and Sokolsky, O. 1999. Formally specified monitoring of temporal properties. In European Conference on Real-time Systems.
 
22
Krishnan, P. 2005. A monitoring policy calculus. Tech. rep. CSA-05-01, Bond University.
 
23
Yingsha Liao , Donald Cohen, A Specificational Approach to High Level Program Monitoring and Measuring, IEEE Transactions on Software Engineering, v.18 n.11, p.969-978, November 1992  [doi>10.1109/32.177366]
 
24
Jarred Adam Ligatti , David P. Walker, Policy enforcement via program monitoring, Princeton University, Princeton, NJ, 2006
 
25
Ligatti, J., Bauer, L., and Walker, D. 2005. Enforcing non-safety security policies with program monitors. In 10th European Symposium on Research in Computer Security (ESORICS).
 
26
Gary McGraw , Edward W. Felten, Securing Java: getting down to business with mobile code, John Wiley & Sons, Inc., New York, NY, 1999
 
27
Robin Milner , Mads Tofte , David Macqueen, The Definition of Standard ML, MIT Press, Cambridge, MA, 1997
 
28
Oasis. 2005. eXtensible Access Control Markup Language (XACML) version 2.0. http://docs.oasis-open.org/xacml/2.0/access_control-xacml-2.0-core-spec-os.pdf.
 
29
Petersen, A. 2003. Pooka: A Java email client. http://www.suberic.net/pooka/.
 
30
W. Robinson, Monitoring Software Requirements Using Instrumented Code, Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS'02)-Volume 9, p.276.2, January 07-10, 2002
 
31
Saltzer, J. H. and Schroeder, M. D. 1975. The protection of information in computer systems. In IEEE 63, 9. 1278--1308.
 
32
Koushik Sen , Abhay Vardhan , Gul Agha , Grigore Rosu, Efficient Decentralized Monitoring of Safety in Distributed Systems, Proceedings of the 26th International Conference on Software Engineering, p.418-427, May 23-28, 2004
33
David B. Tucker , Shriram Krishnamurthi, Pointcuts and advice in higher-order languages, Proceedings of the 2nd international conference on Aspect-oriented software development, p.158-167, March 17-21, 2003, Boston, Massachusetts  [doi>10.1145/643603.643620]
34
David Walker , Steve Zdancewic , Jay Ligatti, A theory of aspects, Proceedings of the eighth ACM SIGPLAN international conference on Functional programming, p.127-139, August 25-29, 2003, Uppsala, Sweden

INDEX TERMS

Primary Classification:
  D. Software
  D.3 PROGRAMMING LANGUAGES
      D.3.3 Language Constructs and Features
          Subjects: Frameworks

Additional Classification:
  D. Software
  D.2 SOFTWARE ENGINEERING
      D.2.1 Requirements/Specifications
          Subjects: Tools; Languages
      D.2.5 Testing and Debugging
          Subjects: Monitors
  D.3 PROGRAMMING LANGUAGES
      D.3.1 Formal Definitions and Theory
          Subjects: Syntax; Semantics
      D.3.3 Language Constructs and Features
          Subjects: Patterns; Procedures, functions, and subroutines


General Terms:
Design, Languages, Security


Keywords:
Policy composition, policy enforcement, policy-specification language

Collaborative Colleagues:
Lujo Bauer: colleagues
Jay Ligatti: colleagues
David Walker: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player