A common mechanism for ensuring that software behaves securely is to monitor programs at run time and check that they dynamically adhere to constraints specified by a security policy. Whenever a program monitor detects that untrusted software is attempting to execute a dangerous action, it takes remedial steps to ensure that only safe code actually gets executed. This article improves our understanding of the space of policies enforceable by monitoring the run-time behaviors of programs. We begin by building a formal framework for analyzing policy enforcement: we precisely define policies, monitors, and enforcement. This framework allows us to prove that monitors enforce an interesting set of policies that we call the infinite renewal properties. We show how, when given any reasonable infinite renewal property, to construct a program monitor that provably enforces that policy. We also show that the set of infinite renewal properties includes some nonsafety policies, i.e., that monitors can enforce some nonsafety (including some purely liveness) policies. Finally, we demonstrate concrete examples of nonsafety policies enforceable by practical run-time monitors. Categories and Subject Descriptors: D.2.0 [Software Engineering]: General—protection mechanisms;

Program monitors enforce security policies by interposing themselves into the control flow of untrusted software whenever that software attempts to execute security-relevant actions. At the point of interposition, a monitor has authority to permit or deny (perhaps conditionally) the untrusted software’s attempted action. Program monitors are common security enforcement mechanisms and integral parts of operating systems, virtual machines, firewalls, network auditors, and anti-virus and anti-spyware tools. Unfortunately, the run-time policies we require program monitors to enforce grow more complex both as the monitored software is given new capabilities and as policies are refined in response to attacks and user feedback. We propose dealing with policy complexity by organizing policies in such a way as to make them composable, so that complex policies can be specified more simply as compositions of smaller subpolicy modules. We present a fully implemented language and system called Polymer that allows security engineers to specify and enforce composable policies on Java applications. We formalize the central workings of Polymer by defining an unambiguous semantics for our language. Using this formalization, we state and prove an uncircumventability theorem, which guarantees that monitors will intercept all security-relevant actions of untrusted software.

Traditional approaches to protecting computer systems from malicious or other misbehaved code typically involve (1) monitoring code for unacceptable behavior as it runs, or (2) detecting potentially misbehaved code and preventing it from running at all. These approaches are effective when unacceptable behavior can be detected in time to take remedial action, but in many settings and for many im-portant security policies this is computationally expensive or provably impossible. A third approach, termed in this dissertation program-rewriting, involves auto-matically rewriting code prior to running it in such a way that acceptable behavior is preserved but unacceptable behavior is not. Rewritten code can be run without further analysis or monitoring because it is guaranteed to exhibit only acceptable behavior. Program-rewriting has received recent attention in the literature in the form of in-lined reference monitors, which implement approach 1 above by in-lining security checks directly into the code being monitored. Program-rewriting generalizes in-lined reference monitoring, encompassing many other strategies for automatically rewriting programs as well.

In the modern, multi-threaded, multi-core programming environment, correctly managing system resources such as locks and shared variables can be especially difficult and error-prone. A simple error, such as forgetting to release a lock, can have major consequences on the correct operation of the program (e.g. deadlock), often at a time and location that is isolated from the original error. While there have been many previous proposals for managing locks and resources, these often arise from the systems arena, and are therefore often only loosely integrated with the host programming language. Such approaches therefore do not generally provide the strong formal guarantees of correctness-by-construction that we would prefer for all fundamental properties of our programs. In this paper, we propose a new type-based approach to resource management, based on the use of dependent types to construct a Domain-Specific Embedded Language (DSEL) whose typing rules enforce the properties we require. We illustrate our approach by implementing a DSEL for concurrent programming and demonstrate its applicability with reference to concurrent transactions on a bank account. 1.

The lifecycle mismatch between vehicles and their IT system poses a problem for the automotive industry. Such systems need to be open and extensible to provide customised functionalities and services. What is less clear is how to achieve this with quality and security guarantees. Recent studies in language-based security – the use of programming language technology to enforce application specific security policies – show that security policy enforcement mechanisms such as inlined reference monitors provide a potential solution for security in extensible systems. In this paper we study the implementation of security policy enforcement using aspect-oriented programming for the OSGi (Open Services Gateway initiative) framework. We identify classes of reference monitor-style policies that can be defined and enforced using AspectJ, a well-known aspect-oriented programming language. We demonstrate the use of security states to describe history-based policies. We also introduce and implement various levels of security states in Java to describe session level history versus global application level history. We illustrate the effectiveness of the implementation by deploying the security policy enforcement solution in an example scenario of software downloading in a standard vehicle system. 1.

In the modern, multi-threaded, multi-core programming environment, correctly managing system resources such as locks or file handles can be especially difficult and error prone. A simple error, such as forgetting to release a lock, can have major consequences on the correct operation of the program (e.g. deadlock), often at a time and location that is isolated from the original error. While there have been many previous proposals for managing locks and resources, these often arise from the systems arena, and are therefore integrated only loosely with the host programming language. Such approaches therefore do not generally provide the strong formal guarantees of correctness-by-construction that we would prefer for all fundamental properties of our programs. In this paper, we propose a new type-based approach to resource management, based on the use of dependent types to construct a Domain Specific Language whose typing rules enforce the properties we require. We illustrate our approach with reference to simple file manipulating operations on a Unix-like file system, and also with reference to a concurrent multi-threaded environment.