Iterative enforcement by suppression: Towards practical enforcement theories^*

Issue title: ARSPA-WITS'10

Guest editors: Alessandro ArmandoEditor and Gavin LoweEditor

Article type: Research Article

Authors: Bielova, Nataliia^{; **} | Massacci, Fabio

Affiliations: University of Trento, Trento, Italy

Correspondence: [**] Corresponding author. Tel.: +39 0461 883916; E-mail: [email protected].

Note: [*] A preliminary, much shorter version of this paper appears in the Proceedings of NordSec’09 [6].

Abstract: Runtime enforcement is a common mechanism for ensuring that program executions adhere to constraints specified by a security policy. It is based on two simple ideas: the enforcement mechanism should leave good executions without changes (transparency) and make sure that the bad ones got amended (soundness). From the theory side, a number of papers (Hamlen et al., Ligatti et al., Talhi et al.) provide the precise characterization of good executions that can be captured by a security policy and thus enforced by mechanisms like security automata or edit automata. Unfortunately, transparency and soundness do not distinguish what happens when an execution is actually bad (the practical case). They only tell that the outcome of enforcement mechanism should be “good” but not how far the bad execution should be changed. So we cannot formally distinguish between an enforcement mechanism that makes a small change and one that drops the whole execution. In this paper we explore a set of policies called iterative properties that revises the notion of good executions in terms of repeated iterations. We propose an enforcement mechanism that can deal with bad executions (and not only the good ones) in a more predictable way by eliminating bad iterations.

Keywords: Runtime enforcement, execution monitors, edit automata

DOI: 10.3233/JCS-2011-0431

Journal: Journal of Computer Security, vol. 20, no. 1, pp. 51-79, 2012