A Caller-Side Inline Reference Monitor for an Object-Oriented Intermediate Language

Authors:
Dries Vanoverberghe;Frank Piessens
Affiliations:
No Affiliations,;No Affiliations,
Venue:
FMOODS '08 Proceedings of the 10th IFIP WG 6.1 international conference on Formal Methods for Open Object-Based Distributed Systems
Year:
2008

Citing 8
Cited 2

SASI enforcement of security policies: a retrospective

Proceedings of the 1999 workshop on New security paradigms
Enforceable security policies

ACM Transactions on Information and System Security (TISSEC)
Java Virtual Machine Specification

Java Virtual Machine Specification
IRM Enforcement of Java Stack Inspection

SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
The inlined reference monitor approach to security policy enforcement

The inlined reference monitor approach to security policy enforcement
Composing security policies with polymer

Proceedings of the 2005 ACM SIGPLAN conference on Programming language design and implementation
Improving host security with system call policies

SSYM'03 Proceedings of the 12th conference on USENIX Security Symposium - Volume 12
Java JR: fully abstract trace semantics for a core java language

ESOP'05 Proceedings of the 14th European conference on Programming Languages and Systems

Security-By-Contract for the Future Internet

Future Internet --- FIS 2008
Security Monitor Inlining for Multithreaded Java

Genoa Proceedings of the 23rd European Conference on ECOOP 2009 --- Object-Oriented Programming

Quantified Score

Hi-index	0.00

Visualization

Abstract

Runtime security policy enforcement systems are crucial to limit the risks associated with running untrustworthy (malicious or buggy) code. The inlined reference monitor approach to policy enforcement, pioneered by Erlingsson and Schneider, implements runtime enforcement through program rewriting: security checks are inserted inside untrusted programs.Ensuring complete mediation --- the guarantee that every security-relevant event is actually intercepted by the monitor --- is non-trivial when the program rewriter operates on an object-oriented intermediate language with state-of-the-art features such as virtual methods and delegates.This paper proposes a caller-side rewriting algorithm for MSIL --- the bytecode of the .NET virtual machine --- where security checks are inserted around calls to security-relevant methods. We prove that this algorithm achieves sound and complete mediation and transparency for a simplified model of MSIL, and we report on our experiences with the implementation of the algorithm for full MSIL.