A Formal Connection between Security Automata and JML Annotations (original) (raw)
Related papers
Edit automata: Enforcement mechanisms for run-time security policies
2005
We analyze the space of security policies that can be enforced by monitoring and modifying programs at run time. Our program monitors, called edit automata, are abstract machines that examine the sequence of application program actions and transform the sequence when it deviates from a specified policy.
MECA: an extensible, expressive system and language for statically checking security properties
2003
This paper describes a system and annotation language, MECA, for checking security rules. MECA is expressive and designed for checking real systems. It provides a variety of practical constructs to effectively annotate large bodies of code. For example, it allows programmers to write programmatic annotators that automatically annotate large bodies of source code. As another example, it lets programmers use general predicates to determine if an annotation is applied; we have used this ability to easily handle kernel backdoors and other false-positive inducing constructs. Once code is annotated, MECA propagates annotations aggressively, allowing a single manual annotation to derive many additional annotations (e.g., over one hundred in our experiments) freeing programmers from the heavy manual effort required by most past systems. MECA is effective. Our most thorough case study was a user-pointer checker that used 75 annotations to check thousands of declarations in millions of lines of code in the Linux system. It found over forty errors, many of which were serious, while only having eight false positives.
The operational semantics of a Java secure processor
Formal Syntax and Semantics of Java, 1999
A formal specification of a Java Secure Processor is presented, which is mechanically checked for type consistency, well formedness and operational conservativity. The specification is executable and it is used to animate and study the behaviour of sample Java programs. The purpose of the semantics is to document the behaviour of the complete JSP for the benefit of implementors.
Securing Java with Local Policies
The Journal of Object Technology, 2009
We propose an extension to the security model of Java, that allows for specifying, analysing and enforcing history-based usage policies. Policies are defined by usage automata, that recognize the forbidden execution histories. Programmers can sandbox an untrusted piece of code with a policy, which is enforced at run-time through its local scope. A static analysis allows for optimizing the execution monitor: only the policies not guaranteed to be always obeyed will be enforced at run-time.
Jalapa: Securing Java with Local Policies
Electronic Notes in Theoretical Computer Science, 2009
We present Jalapa, a tool for securing Java bytecode programs with history-based usage policies. Policies are defined by usage automata, that recognize the forbidden execution histories. Usage automata are expressive enough to allow programmers specify of many real-world usage policies; yet, they are simple enough to permit formal reasoning. Programmers can sandbox untrusted pieces of code with usage policies. The Jalapa tool rewrites the Java bytecode by adding the hooks for the mechanism that enforces the given policies at run-time.
Invited paper A formal dynamic semantics of Java: an essential ingredient of Java security
2008
— Security is becoming a major issue in our highly networked and computerized era. Malicious code detection is an essential step towards securing the execution of applications in a highly inter-connected context. In this paper, we present a formal definition of Java dynamic semantics. This semantics has been used as a basis to develop efficient, rigorous and provably correct static analysis tools and a certifying compiler aimed to detect and prevent the presence of malicious code in Java applications. We propose a small step operational semantics of a large subset for Java. The latter includes features that have not been completely addressed in the related work or addressed in another semantics style. We provide a fullyfledged semantic handling of exceptions, reachable statements, modifiers and class initialization. Keywords — security, static analysis, certifying compilers, Java, dynamic semantics, operational semantics, small step semantics. 1.
A formal dynamic semantics of java: An essential ingredient of java security
2002
Security is becoming a major issue in our highly networked and computerized era. Malicious code detection is an essential step towards securing the execution of applications in a highly inter-connected context. In this paper, we present a formal definition of Java dynamic semantics. This semantics has been used as a basis to develop efficient, rigorous and provably correct static analysis tools and a certifying compiler aimed to detect and prevent the presence of malicious code in Java applications. We propose a small step operational semantics of a large subset for Java. The latter includes features that have not been completely addressed in the related work or addressed in another semantics style. We provide a fullyfledged semantic handling of exceptions, reachable statements, modifiers and class initialization.
Security monitor inlining and certification for multithreaded Java
Mathematical Structures in Computer Science, 2014
Security monitor inlining is a technique for security policy enforcement whereby monitor functionality is injected into application code in the style of aspect-oriented programming. The intention is that the injected code enforces compliance with the policy (security), and otherwise interferes with the application as little as possible (conservativity and transparency). Such inliners are said to be correct. For sequential Java-like languages, inlining is well understood, and several provably correct inliners have been proposed. For multithreaded Java one difficulty is the need to maintain a shared monitor state. We show that this problem introduces fundamental limitations in the type of security policies that can be correctly enforced by inlining. A class of race-free policies is identified that precisely characterizes the inlineable policies by showing that inlining of a policy outside this class is either not secure or not transparent, and by exhibiting a concrete inliner for poli...
Automatic Enforcement of Security Properties
Lecture Notes in Computer Science, 2016
Ensuring the security requirements of an application is not a straightforward task. Security properties (e.g., confidentiality, anonymity) need to be satisfied in different ways in different parts of the same application. Software architects are usually required to manually define security components and their dependencies with the base application, customize them to the application's requirements, identify the points where security is incorporated, and verify that the selected places are correct. The last two steps are especially complex and errorprone. In our approach, we aim to provide a solution that helps software architects to identify the correct places to incorporate the security functionality and to verify the correctness of the composed application architecture. This is achieved by identifying a set of general structural patterns for incorporating security into the application architecture, and by providing a model-driven SPL solution to customize these patterns to each application's requirements.
A PEP-PDP Architecture to Monitor and Enforce Security Policies in Java Applications
2013 International Conference on Availability, Reliability and Security, 2013
Security of Java-based applications is crucial to many businesses today. In this paper, we propose an approach to completely automate the generation of a security architecture inside of a target Java application where advanced security policies can be enforced. Our approach combines the use of Aspect-Oriented Programming with the Policy Enforcement Point (PEP)-Policy Decision Point (PDP) paradigm and allows the runtime update of policies.