Download - Academy Publisher

More documents

Recommendations

Info

ISBN 978-952-5726-09-1 (Print) Proceedings of the Second International Symposium on Networking and Network Security (ISNNS ’10) Jinggangshan, P. R. China, 2-4, April. 2010, pp. 120-123 Provably Correct Aspect-Oriented Selfmonitoring Programs Li Li 1 , and GuoSun Zeng 2 1 Department of Computer Science and Technology, Tongji University, Shanghai 201804, China Email: snopy-xj@163.org 2 Department of Computer Science and Technology, Tongji University, Shanghai 201804, China Email: gszeng@sina.com Abstract—In-lining monitor into software to produce selfmonitoring programs is a powerful, flexible method to enforce runtime monitoring over untrusted code. The preconditions of its application are formal proofs which show that these monitor inlined programs will comply with the intended security policies and monitor has no bad effect on original programs. But at present, the existing methods can only prove that the programs comply with the safety policies. Thus a new method is proposed in this paper. Firstly, we encode security policies and develop monitor by means of Aspect-oriented programming. Secondly, adopting Alternating Transition System and Alternating-Time Temporal Logic, an abstract program structure for monitor inlined program is constructed, and the formulas, which describe the correct executions of programs, are defined according to security policies. Finally, by checking the validity of formulas on abstract structure, the conclusions of whether the executions of the monitor-inlined program complies with the security policies and whether the monitor has some bad effect on original program can be get. This method can prove that monitor can execute broader classes of policies, including important classes of liveness policies. Its validity exemplified lastly. Index Terms—Monitor-inlined program; Correct; Aspectoriented; Alternating-Time Temporal Logic I. INTRODUCTION In-lining monitor into software to produce selfmonitoring programs is an efficient, powerful method to enforce execution monitoring over untrusted code according to some security policies[1,2]. The general implementation of this method is that the untrusted code or the binary executables are automatically rewritten according to security policies, which may be defined by some kind of policy specification languages. The outputs of this rewrite process are monitor in-lined selfmonitoring programs. Though powerful and flexible as this method is, it must be certified correct. Correct implicates two abstract properties, which we call the soundness and transparency. Soundness means that the self-monitoring programs should be guaranteed to adhere to the security policies. Transparency indicates that the in-lined monitor code Supported by the china 863 program under grant of 2009AA012201, the National Natural Science Foundation of China under grant of 90718015,the joint of NSFC and Microsoft Asia Research under grant of 60970155, the Ph.D. Programs Foundation of Ministry of Education under grant of 20090072110035. © 2010 ACADEMY PUBLISHER AP-PROC-CS-10CN006 120 should not impair the functions of the original programs. Mobile [3] is a certifying in-lined reference monitoring system for the Microsoft .NET framework. It rewrites .NET CLI binaries according to a declarative security policy specification, producing a proof of policyadherence in the form of typing annotations in an effectbased type system. These proofs can be verified by a type-checker to guarantee policy-adherence of code with in-line monitors.Aktuga et al. [4] designed a two-level class file annotation scheme using Floyd-style program logic for Java bytecode, characterizing two key properties: (i) that the program adheres to a given policy, and (ii) that the program has an embedded monitor for this policy. They sketch a simple in-lining algorithm, and show how the two-level annotations can be completed to produce a fully annotated program. This method establishes the mediation property, meaning that in-lined programs are guaranteed to adhere to the intended policy. Those two methods can only certify that a monitor in-lined program adheres to certain safety policies- police specifying that “nothing bad ever happens”. Neither can establish the transparency property. In this paper, we try to deal with the certification of self-monitoring programs in a different way. Firstly, we encode the security policies to build monitors by means of Aspect-oriented programming (AOP), and by virtue of the weaving process of AOP, monitor is in-lined into primary program. This process will produce an Aspectoriented self-monitoring (AOSM) program. Secondly, based on the characteristics of AOSM program, adopting Alternating-Time Temporal Logic and Alternating Transition System, we abstract execution structure of an AOSM program, and define formulas which characterize the soundness and transparency properties of an AOSM program. Finally, by model checking the validity of formulas against program’s structure, the conclusions of whether AOSM is correct can be got. II. AOSM PROGRAM AOP[5] have been proposed to deal with the code tangling and scattering problems driving from the apartment of crosscutting concerns. It especially realized in the AspectJ languages [6]. We now exemplify how to encode a security policy into Aspects to Produce AOSM programs. Example 1:There is a Separation of Duty policy, which claim that critical () operation is performed only
under the endorsement of both the manager () and accountant () operations. We encode this policy using AspectJ language. The code is shown in Fig. 1. bool pm = false; aspect Cr bool pa = false; { Pointcut c()}: …… call (* critical()) manager(); &&target(P); if(…) { accountant(); } before c() critical(); if (pm ∧ pa) { pm = false; pa = false; } else throw IRMException(); (a) Base Code } aspect Ma aspect Ac { Pointcut m()}: { Pointcut a()}: call (* manager()) call (* accountant()) &&target(P); &&target(P); After m() { pm = true;} After a() { pa = true;} } } Figure 1. base code and aspect of example 1 The base code in block (a) is the primary program. It defines two global variables, pa and pm, and executes three security-related functions: accountant(), manager() and critical(). According to the policy, critical() can be executed only after both accountant() and manager() have been executed. To execute this policy, we create three aspects. First, aspect Ma defines Pointcut m, which is located at the function manager(). The type of advice is After. Thus, the action defined by aspect Ma is that after manager() has finished, the variable pm is set to “true”. Next, aspect Ac is defined similarly to aspect Ma, but sets pa to true after accountant() has finished. Finally, aspect Cr defines Pointcut c() at the function critical(). The type of advice is Before, so the actions defined by aspect Cr take place before the execution of critical(). The code fragment evaluates pa and pm; if both are true, it executes the critical() function and sets pa and pm to false. Otherwise, it throws an exception. At compilation, the aspect weaver incorporates all three aspects into the base code to produce a AOSM. Figure 2 displays the code for the resulting program. …… manager(); pm = true; if(…) {accountant(); pa = true;} if (pm ∧ pa) { pm = false; pa = false; critical();} else throw new IRMException(); Figure 2. Policy-adherence program after Aspect weaving III. CORRECT VERIFICATION MODEL FOR AOSM PROGRAM Based on the characteristics of AOSM programs, we construct a verification model to verify the correct property of monitor inlined programs. A. Abstract structure Alternating-Time Temporal Logic (ATL) and Alternating Transition System (ATS) [7, 8] are logical specification tools for open system. We specify an AOSM program as a Turn-Based Alternating Transition System (Turn-based ATS). The concrete definition given as follows: Definition 3.1 An AOSM program structure (AOSM structure ) can be abstracted as a Turn-based ATS. Expressed as tuple AOSM Structure= with the follow components: 1. ∑ is a set of players, which includes system components Aspect and BaseCode, as well as Environment. 2. Q is a finite set of state; 3. ∏ is a finite set of proposition; 4. Function π :Q→2∏ is a labeling function, which maps each state q∈Q to a set π (q) ⊆ ∏. π (q) is the set of propositions true at state q. 5. Function σ: Q→ ∑ map a state q to a player aq. Representing that at state q, it is the turn of player aq to choose the next execution steps of program. Nature number da(q)≥1 is moves available at state q for player a. We identify the moves of player a at state q with the numbers 1,……,da(q). For each state q∈Q, a move vector at q is a tuple < j1; : : : ; jk> such that 1 ≤ja≤da(q) for each player a. For other players b∈∑\ aq at state q, db(q)=1; 6. δ(q, J a ) is a transition function. When a q choose action j a , the state will transit to next state q`=δ(q, J a ) ∈Q. B. Defination of correct property We now describe soundness and transparency properties in ATL formulas in this section. So it needs to interpret the syntax of ATL at first: Definition 3.2 An ATL formula is one of the following: 1. Proposition p,P∈∏; 2. ¬ ϕ or ϕ 1∨ϕ 2, where ϕ 、ϕ 1、ϕ 2 are ATL formulas; 3. ○ ϕ , or □ ϕ , or ◇ ϕ , or ϕ 1 uϕ 2 are ATL formulas, where A ⊆ ∑is a set of players, and ϕ 、 ϕ 1 and ϕ 2 are ATL formulas. The operator is path quantifier, and ○(“next”), □(“always”), ◇ (“eventually”), and U (“until”) are temporal operators. represent path chosen by players in set A. Quantifieralso has a dual form 〖〗. While formalsϕ means that the players in A can cooperate to make the ϕ true, the dual form 〖A〗ϕ means that the players in A can not cooperate to make the ϕ false. Based on above definitions of ATL, we now formulate the correct property of self-monitoring program on AOSM structure. Definition 3.3 (Soundness) Soundness means that the self-monitoring program should adhere to the intended policy. That is to say, on an AOSM structure, all the path decided by the strategies of players Aspect and BaseCode should satisfy the charactersϕ of policy, no matter how 121
Page 1 and 2:
Proceedings The Second Internationa
Page 3 and 4:
Table of Contents Message from the
Page 5 and 6:
Zuming Xiao, Zhan Guo, Bin Tan, and
Page 7 and 8:
Message from the Symposium Chairs T
Page 9 and 10:
Second International Symposium on N
Page 11 and 12:
ISBN 978-952-5726-09-1 (Print) Proc
Page 13 and 14:
model that can deal with time serie
Page 15 and 16:
ISBN 978-952-5726-09-1 (Print) Proc
Page 17 and 18:
training for the Wushu competition
Page 19 and 20:
ISBN 978-952-5726-09-1 (Print) Proc
Page 21 and 22:
information, called weak uncertain
Page 23 and 24:
Student side Student side Student s
Page 25 and 26:
ISBN 978-952-5726-09-1 (Print) Proc
Page 27 and 28:
If we define element of student as
Page 29 and 30:
ISBN 978-952-5726-09-1 (Print) Proc
Page 31 and 32:
QoS, each frame data is divided int
Page 33 and 34:
ISBN 978-952-5726-09-1 (Print) Proc
Page 35 and 36:
for Imaging Two and Three Phase Flo
Page 37 and 38:
ISBN 978-952-5726-09-1 (Print) Proc
Page 39 and 40:
A. Profiling&following control algo
Page 41 and 42:
Research and Realization about Conv
Page 43 and 44:
PDF document structure is a tree st
Page 45 and 46:
ISBN 978-952-5726-09-1 (Print) Proc
Page 47 and 48:
support 10 Mb / s. But ENC28J60 onl
Page 49 and 50:
ISBN 978-952-5726-09-1 (Print) Proc
Page 51 and 52:
condition the first byte output of
Page 53 and 54:
ISBN 978-952-5726-09-1 (Print) Proc
Page 55 and 56:
According to maximum membership deg
Page 57 and 58:
ISBN 978-952-5726-09-1 (Print) Proc
Page 59 and 60:
ubber according to the mass ratio o
Page 61 and 62:
Ⅲ. AN IMPROVED DNA ALGORITHM FOR
Page 63 and 64:
Ⅴ.CONCLUSION REMARKS DNA computer
Page 65 and 66:
its first child q 1 on the left, th
Page 67 and 68:
chains can greatly improve efficien
Page 69 and 70:
II. RELATED WORK A. Mobile Service
Page 71 and 72:
special services. SOAP is used to b
Page 73 and 74:
detection methods of DDoS attacks m
Page 75 and 76:
Step4 calculate the new subordinate
Page 77 and 78:
Figure 1. An analysis of the partit
Page 79 and 80: ISBN 978-952-5726-09-1 (Print) Proc
Page 81 and 82: The preceding three formulas can be
Page 85 and 86: And the decay speed of buffer seque
Page 89 and 90: distance of view point. Given that
Page 93 and 94: Ⅳ. EVALUATION OF BLENDED LEARNING
Page 97 and 98: symmetric with respect to the origi
Page 101 and 102: each sample belongs to each categor
Page 105 and 106: A. Data Preparing To generate our t
Page 109 and 110: oth α and β . determination of Qu
Page 113 and 114: Strong earthquake 0.1< M L
Page 117 and 118: indirect causes, and the logical re
Page 119 and 120: egression. Granger causality test i
Page 121 and 122: B. Evaluation We have evaluated thi
Page 123 and 124: used as a source and neighboring ce
Page 125 and 126: Figure 3. Drainage networks generat
Page 127 and 128: Combinational logic unit failures i
Page 129: Tabal.1 Combinational fault logic t
Page 133 and 134: TABLE I. DESCRIPTION OF PROPOSITION
Page 135 and 136: Figure 2. The process of the invers
Page 137 and 138: Figure 9. (a)the original image.(b)
Page 141 and 142: In order to reduce to the number of
Page 145 and 146: that studying being going to be to
Page 147 and 148: Reference[10] analyzed the evolutio
Page 149 and 150: module, communication module, apper
Page 151 and 152: After the comprehensive performance
Page 153 and 154: system testing can be seen that the
Page 155 and 156: III. AUTONOMIC RESOURCE ALLOCATION
Page 157 and 158: The QoE i (T i ) is the ith user’
Page 161 and 162: nodes will be formed one cluster, t
Page 165 and 166: Where n is the number of data point
Page 169 and 170: Keyboard event Application User mod
Page 173 and 174: SQL Azure will eventually include a
Page 177 and 178: The nodes in the suffix tree are dr
Page 179 and 180: [3] Y. Li, S. M. Chung, and J. D. H
Page 181 and 182:
some drilling fluid produces hydrog
Page 183 and 184:
"normalization", whose membership b
Page 185 and 186:
and minimum structural elements in
Page 187 and 188:
esults of the spatial transform par
Page 189 and 190:
B. Research on protocol actions Com
Page 191 and 192:
ACKNOWLEDGMENT This work is funded
Page 193 and 194:
A. Problem Description In a small b
Page 195 and 196:
[4] Huang, Hung, and J. Y. jen Hsu.
Page 197 and 198:
Further by calculating, the followi
Page 199 and 200:
TABLE II. THE CONCENTRATION BETWEEN
Page 201 and 202:
private key that obtained by using
Page 203 and 204:
ISBN 978-952-5726-09-1 (Print) Proc
Page 205 and 206:
ontology, and the domain dictionary
Page 207 and 208:
ISBN 978-952-5726-09-1 (Print) Proc
Page 209 and 210:
Eq.4 is NP-hard and can be solved b
Page 211 and 212:
ISBN 978-952-5726-09-1 (Print) Proc
Page 213 and 214:
Where: G i is the selection field o
Page 215 and 216:
If there is X j in a generation, wh
Page 217 and 218:
Theorem 2.4([10]). Let L 1 and L 2
Page 219 and 220:
The relation between the lattice im
Page 221 and 222:
Figure 2. Example of single-step de
Page 223 and 224:
evocation and the fourth group stor
Page 225 and 226:
focused mainly on rule-based forms
Page 227 and 228:
Ⅵ. CONCLUSION Figure 6. The Flask
Page 229 and 230:
EDCF in comparison with DCF, has so
Page 231 and 232:
B. Simulation results and analysis
Page 233 and 234:
ISBN 978-952-5726-09-1 (Print) Proc
Page 235 and 236:
in routing table. When search resou
Page 237 and 238:
ISBN 978-952-5726-09-1 (Print) Proc
Page 239 and 240:
others through the selective emotio
Page 241 and 242:
such as weather information, techno
Page 243 and 244:
the opening window, a related page
Page 245 and 246:
1) Process context storage areas. I
Page 247 and 248:
V. CONCLUSION In this thesis, sCPU-
Page 249 and 250:
main types of horizontal search env
Page 251 and 252:
Enterprise Portal security provides
Page 253 and 254:
() t = [ S () t S () t ] T N S ,...
Page 255 and 256:
[2] Kumaravel, N., and Kavitha, V.,
Page 257 and 258:
output, so BP network has been wide
Page 259 and 260:
input to the artificial neural netw
Page 261 and 262:
(2) In a process (tokens from outsi
Page 263 and 264:
The reduction process consists of t
Page 265 and 266:
all eight normal vectors are identi
Page 267 and 268:
is B object , and the number of emp
Page 269 and 270:
xi, j y' = εα ( (1 + tanh( )) −
Page 271 and 272:
Error 8000 7000 6000 5000 4000 3000
Page 273 and 274:
Architecture (AMBA) a new bus archi
Page 275 and 276:
In order to ensure the smooth proce
Page 277 and 278:
ISBN 978-952-5726-09-1 (Print) Proc
Page 279 and 280:
In this paper, we adopt two Sobel o
Page 281 and 282:
ISBN 978-952-5726-09-1 (Print) Proc
Page 283 and 284:
four layers.The far right of the gr
Page 285 and 286:
ISBN 978-952-5726-09-1 (Print) Proc
Page 287 and 288:
TABLE II. OPERATIONAL EMPLOYEE TABL
Page 289 and 290:
A. Object-relational Type To audit
Page 291 and 292:
to execution time. Also, DBA would
Page 293 and 294:
Liping Chen .......................
show all

Download - Academy Publisher

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?