Download - Academy Publisher
Download - Academy Publisher
Download - Academy Publisher
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
ISBN 978-952-5726-09-1 (Print)<br />
Proceedings of the Second International Symposium on Networking and Network Security (ISNNS ’10)<br />
Jinggangshan, P. R. China, 2-4, April. 2010, pp. 120-123<br />
Provably Correct Aspect-Oriented Selfmonitoring<br />
Programs<br />
Li Li 1 , and GuoSun Zeng 2<br />
1 Department of Computer Science and Technology, Tongji University, Shanghai 201804, China<br />
Email: snopy-xj@163.org<br />
2 Department of Computer Science and Technology, Tongji University, Shanghai 201804, China<br />
Email: gszeng@sina.com<br />
Abstract—In-lining monitor into software to produce selfmonitoring<br />
programs is a powerful, flexible method to<br />
enforce runtime monitoring over untrusted code. The<br />
preconditions of its application are formal proofs which<br />
show that these monitor inlined programs will comply with<br />
the intended security policies and monitor has no bad effect<br />
on original programs. But at present, the existing methods<br />
can only prove that the programs comply with the safety<br />
policies. Thus a new method is proposed in this paper.<br />
Firstly, we encode security policies and develop monitor by<br />
means of Aspect-oriented programming. Secondly, adopting<br />
Alternating Transition System and Alternating-Time<br />
Temporal Logic, an abstract program structure for monitor<br />
inlined program is constructed, and the formulas, which<br />
describe the correct executions of programs, are defined<br />
according to security policies. Finally, by checking the<br />
validity of formulas on abstract structure, the conclusions of<br />
whether the executions of the monitor-inlined program<br />
complies with the security policies and whether the monitor<br />
has some bad effect on original program can be get. This<br />
method can prove that monitor can execute broader classes<br />
of policies, including important classes of liveness policies.<br />
Its validity exemplified lastly.<br />
Index Terms—Monitor-inlined program; Correct; Aspectoriented;<br />
Alternating-Time Temporal Logic<br />
I. INTRODUCTION<br />
In-lining monitor into software to produce selfmonitoring<br />
programs is an efficient, powerful method to<br />
enforce execution monitoring over untrusted code<br />
according to some security policies[1,2]. The general<br />
implementation of this method is that the untrusted code<br />
or the binary executables are automatically rewritten<br />
according to security policies, which may be defined by<br />
some kind of policy specification languages. The outputs<br />
of this rewrite process are monitor in-lined selfmonitoring<br />
programs.<br />
Though powerful and flexible as this method is, it must<br />
be certified correct. Correct implicates two abstract<br />
properties, which we call the soundness and transparency.<br />
Soundness means that the self-monitoring programs<br />
should be guaranteed to adhere to the security policies.<br />
Transparency indicates that the in-lined monitor code<br />
Supported by the china 863 program under grant of 2009AA012201,<br />
the National Natural Science Foundation of China under grant of<br />
90718015,the joint of NSFC and Microsoft Asia Research under grant<br />
of 60970155, the Ph.D. Programs Foundation of Ministry of Education<br />
under grant of 20090072110035.<br />
© 2010 ACADEMY PUBLISHER<br />
AP-PROC-CS-10CN006<br />
120<br />
should not impair the functions of the original programs.<br />
Mobile [3] is a certifying in-lined reference monitoring<br />
system for the Microsoft .NET framework. It<br />
rewrites .NET CLI binaries according to a declarative<br />
security policy specification, producing a proof of policyadherence<br />
in the form of typing annotations in an effectbased<br />
type system. These proofs can be verified by a<br />
type-checker to guarantee policy-adherence of code with<br />
in-line monitors.Aktuga et al. [4] designed a two-level<br />
class file annotation scheme using Floyd-style program<br />
logic for Java bytecode, characterizing two key properties:<br />
(i) that the program adheres to a given policy, and (ii) that<br />
the program has an embedded monitor for this policy.<br />
They sketch a simple in-lining algorithm, and show how<br />
the two-level annotations can be completed to produce a<br />
fully annotated program. This method establishes the<br />
mediation property, meaning that in-lined programs are<br />
guaranteed to adhere to the intended policy. Those two<br />
methods can only certify that a monitor in-lined program<br />
adheres to certain safety policies- police specifying that<br />
“nothing bad ever happens”. Neither can establish the<br />
transparency property.<br />
In this paper, we try to deal with the certification of<br />
self-monitoring programs in a different way. Firstly, we<br />
encode the security policies to build monitors by means<br />
of Aspect-oriented programming (AOP), and by virtue of<br />
the weaving process of AOP, monitor is in-lined into<br />
primary program. This process will produce an Aspectoriented<br />
self-monitoring (AOSM) program. Secondly,<br />
based on the characteristics of AOSM program, adopting<br />
Alternating-Time Temporal Logic and Alternating<br />
Transition System, we abstract execution structure of an<br />
AOSM program, and define formulas which characterize<br />
the soundness and transparency properties of an AOSM<br />
program. Finally, by model checking the validity of<br />
formulas against program’s structure, the conclusions of<br />
whether AOSM is correct can be got.<br />
II. AOSM PROGRAM<br />
AOP[5] have been proposed to deal with the code<br />
tangling and scattering problems driving from the<br />
apartment of crosscutting concerns. It especially realized<br />
in the AspectJ languages [6]. We now exemplify how to<br />
encode a security policy into Aspects to Produce AOSM<br />
programs.<br />
Example 1:There is a Separation of Duty policy,<br />
which claim that critical () operation is performed only