
More Enforceable Security Policies

This paper explores language-based security mechanisms that analyze and modify program behavior through static and dynamic methods. It formalizes the concept of program monitors, distinguishes between security automata, suppression, insertion, and edit automata, and discusses their capabilities in enforcing runtime security policies. The research introduces Polymer, a programming language designed to create modular and higher-order program monitors with advanced logical combinators. The emphasis is on balancing static and dynamic program analysis for improved security in untrusted applications.



Presentation Transcript


  1. More Enforceable Security Policies
     Lujo Bauer, Jay Ligatti and David Walker, Princeton University
     (graciously presented by Iliano Cervesato)

  2. Language-Based Security
     • language-based security mechanisms operate by analyzing and modifying program behavior
     • static mechanisms (analysis at link time)
       • type checking, proof checking, abstract interpretation
     • dynamic mechanisms (analysis at run time)
       • access control lists, stack inspection, capabilities
     FCS 02

  3. Program Monitors
     • A program monitor is a computation that runs in parallel with an untrusted application
     • monitors detect, prevent, and recover from application errors at run time
     • monitor decisions may be based on the history of all actions an application has executed
     • we assume monitors have no knowledge of future application actions

  4. Program Monitors: Good operations
     [figure: the Application issues action foo; the Monitor lets it through]

  5. Program Monitors: Bad operations
     [figure: the Application issues action foo; the Monitor answers halt!]

  6. Program Monitors: Options
     • A program monitor may do any of the following when it recognizes a dangerous operation:
       • abort the application
       • suppress (skip) the operation but allow the application to continue
       • perform some computation on behalf of (against the wishes of) the application

  7. This paper
     • Formalizes the notion of a program monitor by providing operational semantics for
       • security automata [Schneider 00]
       • insertion automata
       • suppression automata
       • edit automata

  8. This paper
     • Begins to address the fundamental question of what run-time security policies can be enforced by program monitors
       • security automata are the least powerful
       • suppression and insertion automata are each more powerful than security automata, but incomparable with each other
       • edit automata are the most powerful
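The four monitor kinds of slides 6 through 8 differ only in which responses they may give to a dangerous action: halt, suppress it, or insert actions of their own. The following Python script is an added illustration (not code from the paper, and not Polymer) that runs all four over one constructed action trace against one constructed policy. The action names (open, write, close, delete), the three policy rules and the trace are assumptions made up for the example; treating the end of the trace as a visible "program terminates" event is a simplification of the paper's formal model, which works over action sequences without such an event. Each monitor sees only the history of actions, as slide 3 assumes.

```python
"""Security, suppression, insertion and edit automata over one trace.

Added example, not code from the paper or from Polymer. Policy, action
names and trace are constructed for illustration.
"""

# Constructed policy over a file-like resource:
#   R1  'write' is allowed only while the resource is open
#   R2  'delete' is never allowed
#   R3  a resource that was opened must be closed before the trace ends
# R1 and R2 are safety properties: once violated, no later action can
# repair the prefix. R3 is not: every finite prefix could still be
# extended into a good trace, so a monitor that can only truncate
# cannot enforce it.


def satisfies(trace):
    """Reference checker for R1-R3, used to judge what each monitor emits."""
    is_open = False
    for action in trace:
        if action == "open":
            is_open = True
        elif action == "close":
            is_open = False
        elif action == "write" and not is_open:
            return False                      # R1
        elif action == "delete":
            return False                      # R2
    return not is_open                        # R3


def monitor(trace, can_suppress, can_insert):
    """Generic history-only monitor. The two capability flags select the
    automaton kind. Returns (emitted_actions, halted)."""
    emitted = []
    is_open = False

    def emit(action):
        nonlocal is_open
        emitted.append(action)
        if action == "open":
            is_open = True
        elif action == "close":
            is_open = False

    def halt():
        # A monitor that can insert may clean up before stopping the
        # application; one that cannot simply truncates the trace.
        if can_insert and is_open:
            emit("close")
        return emitted, True

    for action in trace:
        if action == "delete":                # R2: no insertion can legalise it
            if can_suppress:
                continue                      # drop it, application continues
            return halt()
        if action == "write" and not is_open:  # R1: repairable by inserting 'open'
            if can_insert:
                emit("open")
                emit(action)
                continue
            if can_suppress:
                continue
            return halt()
        emit(action)

    if is_open and can_insert:                # R3: only an inserting monitor can help
        emit("close")
    return emitted, False


def security_automaton(trace):
    return monitor(trace, can_suppress=False, can_insert=False)


def suppression_automaton(trace):
    return monitor(trace, can_suppress=True, can_insert=False)


def insertion_automaton(trace):
    return monitor(trace, can_suppress=False, can_insert=True)


def edit_automaton(trace):
    return monitor(trace, can_suppress=True, can_insert=True)


# Constructed application trace: violates R1 (last write) and R2 (delete).
TRACE = ["open", "write", "delete", "write", "close", "write"]

if __name__ == "__main__":
    for name, run in [("security", security_automaton),
                      ("suppression", suppression_automaton),
                      ("insertion", insertion_automaton),
                      ("edit", edit_automaton)]:
        out, halted = run(TRACE)
        print(f"{name:12s} halted={halted!s:5s} policy_ok={satisfies(out)!s:5s} {out}")
```

On this trace the security automaton halts at the delete and leaves the resource open, so its output violates R3: truncation alone cannot enforce that rule. The suppression automaton never halts but drops both bad actions; the insertion automaton cannot drop the delete and must halt, although it inserts the missing close first; the edit automaton handles every violation and keeps the application running. That the suppression and insertion outputs are each sound here, while neither can do what the other does (drop the delete versus close the resource), is the incomparability claimed on slide 8.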

  9. Current Work
     • We are currently developing a programming language called Polymer
     • Polymer allows programmers to define higher-order, first-class and modular program monitors
     • Polymer has logical combinators (⊤, ⊥, ∧, ∨) that allow programmers to build complex policies from simple ones
     • Polymer provides security against untrusted Java applications

  10. Conclusions
     • There are two equally important aspects of language-based security
       • static program analysis
       • dynamic program analysis
     • Most of the research in the programming languages community has focused on the first at the expense of the second
     • we plan to fix this!