Types and effects for non-interfering program monitors

Authors:
Lujo Bauer;Jarred Ligatti;David Walker
Affiliations:
Department of Computer Science, Princeton University, Princeton, NJ;Department of Computer Science, Princeton University, Princeton, NJ;Department of Computer Science, Princeton University, Princeton, NJ
Venue:
ISSS'02 Proceedings of the 2002 Mext-NSF-JSPS international conference on Software security: theories and systems
Year:
2002

Citing 9
Cited 8

Notions of computation and monads

Information and Computation
SASI enforcement of security policies: a retrospective

Proceedings of the 1999 workshop on New security paradigms
Enforceable security policies

ACM Transactions on Information and System Security (TISSEC)
Typing a multi-language intermediate code

POPL '01 Proceedings of the 28th ACM SIGPLAN-SIGACT symposium on Principles of programming languages
Separating access control policy, enforcement, and functionality in extensible systems

ACM Transactions on Computer Systems (TOCS)
Java Virtual Machine Specification

Java Virtual Machine Specification
Compiling for the .Net Common Language Runtime

Compiling for the .Net Common Language Runtime
An Overview of AspectJ

ECOOP '01 Proceedings of the 15th European Conference on Object-Oriented Programming
IRM Enforcement of Java Stack Inspection

SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy

A theory of aspects

ICFP '03 Proceedings of the eighth ACM SIGPLAN international conference on Functional programming
A type-theoretic interpretation of pointcuts and advice

Science of Computer Programming - Special issue: Foundations of aspect-oriented programming
patch (1) considered harmful

HOTOS'05 Proceedings of the 10th conference on Hot Topics in Operating Systems - Volume 10
Types and trace effects of higher order programs

Journal of Functional Programming
Run-Time Enforcement of Nonsafety Policies

ACM Transactions on Information and System Security (TISSEC)
Composing expressive runtime security policies

ACM Transactions on Software Engineering and Methodology (TOSEM)
Enforcing non-safety security policies with program monitors

ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security
The confinement problem in the presence of faults

ICFEM'12 Proceedings of the 14th international conference on Formal Engineering Methods: formal methods and software engineering

Quantified Score

Hi-index	0.00

Visualization

Abstract

A run-time monitor is a program that runs in parallel with an untrusted application and examines actions from the application's instruction stream. If the sequence of program actions deviates from a specified security policy, the monitor transforms the sequence or terminates the program. We present the design and formal specification of a language for defining the policies enforced by program monitors. Our language provides a number of facilities for composing complex policies from simpler ones. We allow policies to be parameterized by values or other policies, and we define operators for forming the conjunction and disjunction of policies. Since the computations that implement these policies modify program behavior, naive composition of computations does not necessarily produce the conjunction (or disjunction) of the policies that the computations implement separately. We use a type and effect system to ensure that computations do not interfere with one another when they are composed.