Policy ignorant caller-side inline reference monitoring

International Journal on Software Tools for Technology Transfer

Abstract

Runtime security policy enforcement systems are crucial to limit the risks associated with running untrustworthy (malicious or buggy) code. The inlined reference monitor approach to policy enforcement, pioneered by Erlingsson and Schneider, implements runtime enforcement through program rewriting: security checks are inserted inside untrusted programs. Ensuring complete mediation—the guarantee that every security-relevant event is actually intercepted by the monitor—is non-trivial when the program rewriter operates on an object-oriented intermediate language with state-of-the-art features such as virtual methods and delegates. This paper proposes a caller-side rewriting algorithm for MSIL—the bytecode of the .NET virtual machine—where security checks are inserted around calls to security-relevant methods. We prove that this algorithm achieves sound and complete mediation and transparency for a simplified model of MSIL and report on our experiences with the implementation of the algorithm for full MSIL.
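To make the abstract's notions concrete, the following is an added toy model written for this page; it is not the paper's algorithm, its MSIL rewriter, or any code from the authors. It assumes an invented stack-less IL with `call`/`callvirt` instructions, an invented class hierarchy and security-relevant method set, and a simplified treatment of virtual calls in which the inlined check resolves dispatch itself before the call proceeds. The rewriter inserts a monitor check before every call site that can reach a security-relevant method; a trace checker then tests complete mediation (every relevant invocation is preceded by its check) and transparency (the program's own invocations are unchanged). The variant that only looks at a virtual call's static target shows why complete mediation is non-trivial with virtual methods.

```python
"""Toy model of caller-side inline reference monitoring (added example;
not the paper's algorithm).  The IL, class names and policy are assumptions."""


class PolicyViolation(Exception):
    """Raised by an inlined check when the policy denies the call."""


# Constructed class hierarchy: subclass -> base class (None for roots).
HIERARCHY = {"Stream": None, "SecureStream": "Stream", "File": None, "Main": None}

# Security-relevant methods (constructed).  They have no body here; the
# interpreter records their invocation directly.
RELEVANT = {"File::Delete", "SecureStream::Write"}

# Instruction forms of the toy IL:
#   ("ldarg", v)      set the single argument register
#   ("newobj", cls)   set the receiver register to an object of class cls
#   ("call", m)       static call to "Class::Name"
#   ("callvirt", m)   virtual call, dispatched on the receiver's runtime class
#   ("ret",)
PROGRAM = {
    "Main::Run": [
        ("ldarg", "/tmp/scratch"), ("call", "File::Delete"),
        ("newobj", "SecureStream"), ("ldarg", "payload"),
        ("callvirt", "Stream::Write"),  # static target is not relevant ...
        ("ret",),                       # ... but the runtime target is
    ],
    "Main::Bad": [("ldarg", "/etc/passwd"), ("call", "File::Delete"), ("ret",)],
    "Stream::Write": [("ret",)],
}


def resolve(cls, method):
    """Virtual dispatch: walk from cls up the hierarchy to an implementation."""
    name = method.split("::")[1]
    while cls is not None:
        cand = f"{cls}::{name}"
        if cand in PROGRAM or cand in RELEVANT:
            return cand
        cls = HIERARCHY[cls]
    raise KeyError(method)


def possible_targets(method):
    """Every method a callvirt with static target `method` may dispatch to."""
    cls, targets = method.split("::")[0], set()
    for c in HIERARCHY:
        chain, cur = [], c
        while cur is not None:
            chain.append(cur)
            cur = HIERARCHY[cur]
        if cls in chain:  # c is cls itself or one of its subclasses
            targets.add(resolve(c, method))
    return targets


def inline(program, relevant, handle_virtual=True):
    """Caller-side rewriting: put a check before each call that may reach a
    relevant method.  handle_virtual=False considers only the static target."""
    out = {}
    for key, body in program.items():
        new = []
        for ins in body:
            op = ins[0]
            target = ins[1] if len(ins) > 1 else None
            if op == "call" and target in relevant:
                new.append(("check", target))
            elif op == "callvirt" and (target in relevant or
                    (handle_virtual and possible_targets(target) & relevant)):
                new.append(("check_virt", target))  # resolved at run time
            new.append(ins)
        out[key] = new
    return out


def run(program, method, policy, state=None, trace=None):
    """Interpret `method`; return the event trace (checks and invocations)."""
    state = state if state is not None else {"arg": None, "recv": None}
    trace = trace if trace is not None else []
    if method in RELEVANT:
        trace.append(("invoke", method, state["arg"]))
        return trace
    for ins in program[method]:
        op = ins[0]
        if op == "ldarg":
            state["arg"] = ins[1]
        elif op == "newobj":
            state["recv"] = ins[1]
        elif op == "call":
            run(program, ins[1], policy, state, trace)
        elif op == "callvirt":
            run(program, resolve(state["recv"], ins[1]), policy, state, trace)
        elif op in ("check", "check_virt"):
            target = ins[1] if op == "check" else resolve(state["recv"], ins[1])
            if target in RELEVANT:
                trace.append(("check", target, state["arg"]))
                if not policy(target, state["arg"]):
                    raise PolicyViolation(f"{target}({state['arg']!r}) denied")
        elif op == "ret":
            break
    return trace


def complete_mediation(trace):
    """True iff every relevant invocation is immediately preceded by the
    monitor's check for the same method and argument."""
    return all(ev[0] != "invoke" or (i > 0 and trace[i - 1] == ("check",) + ev[1:])
               for i, ev in enumerate(trace))


def invocations(trace):
    """Drop monitor events, leaving the program's own observable behaviour."""
    return [ev for ev in trace if ev[0] == "invoke"]


def denied(program, method, policy):
    """True iff running `method` under `policy` is stopped by the monitor."""
    try:
        run(program, method, policy)
        return False
    except PolicyViolation:
        return True


def allow_all(method, arg):
    return True


def no_etc_delete(method, arg):  # constructed policy
    return not (method == "File::Delete" and str(arg).startswith("/etc"))
```

Running `complete_mediation` over `run(inline(PROGRAM, RELEVANT, handle_virtual=False), "Main::Run", allow_all)` returns False because the `callvirt Stream::Write` site reaches the relevant override `SecureStream::Write` without a check, while the full rewriter yields a trace in which every invocation is mediated and `invocations()` of that trace equals the unrewritten run, which is the transparency property.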


Notes

  1. A method invocation is when the execution enters a new method. Method calls are first dispatched to find the actual target method before they are invoked.

  2. In the remainder of this section, we assume that the assemblies do not contain the callvirt and ldftn instructions. This restriction will be relaxed in the next sections.

References

  1. Agten, P., Van Acker, S., Brondsema, Y., Phung, P.H., Desmet, L., Piessens, F.: JSand: complete client-side sandboxing of third-party JavaScript without browser modifications. In: ACSAC, pp. 1–10 (2012)

  2. Basin, D.A., Klaedtke, F., Zalinescu, E.: Algorithms for monitoring real-time properties. In: RV, pp. 260–275 (2011)

  3. Bauer, L., Ligatti, J., Walker, D.: Composing security policies with polymer. In: PLDI ’05, pp. 305–314. ACM Press, New York (2005)

  4. Dam, M., Jacobs, B., Lundblad, A., Piessens, F.: Security monitor inlining for multithreaded Java. In: ECOOP, pp. 546–569 (2009)

  5. Dam, M., Jacobs, B., Lundblad, A., Piessens, F.: Provably correct inline monitoring for multithreaded Java-like programs. J. Comput. Secur. 18(1), 37–59 (2010)

  6. Desmet, L., Joosen, W., Massacci, F., Naliuka, K., Philippaerts, P., Piessens, F., Vanoverberghe, D.: The S3MS.NET run time monitor: tool demonstration. Electron. Notes Theor. Comput. Sci. 253(5), 153–159 (2009)

  7. Desmet, L., Joosen, W., Massacci, F., Philippaerts, P., Piessens, F., Siahaan, I., Vanoverberghe, D.: Security-by-contract on the .NET platform. Inf. Secur. Tech. Rep. 13(1), 25–32 (2008)

  8. Erlingsson, U., Schneider, F.B.: SASI enforcement of security policies: a retrospective. In: WNSP: New Security Paradigms Workshop. ACM Press, New York (2000)

  9. Erlingsson, U.: The inlined reference monitor approach to security policy enforcement. PhD thesis, Cornell University (2004). Adviser: Fred B. Schneider

  10. Erlingsson, U., Schneider, F.B.: IRM enforcement of Java stack inspection. In: IEEE Symposium on Security and Privacy, pp. 246–255 (2000)

  11. European Computer Machinery Association. Standard ECMA-335: Common Language Infrastructure, 4th edn. ECMA international, Geneva, Switzerland (2006)

  12. Evain, J.B.: Cecil. http://www.mono-project.com/Cecil

  13. Evans, D., Twyman, A.: Flexible policy-directed code safety. In: IEEE Symposium on Security and Privacy, pp. 32–45 (1999)

  14. Fruja, N.G.: Type Safety of C# and .NET CLR. PhD thesis, ETH Zurich (2006)

  15. Jeffrey, A.S.A., Rathke, J.: Java jr.: fully abstract trace semantics for a core Java language. In: Proceedings of the European Symposium on Programming. Lecture Notes in Computer Science, vol. 3444, pp. 423–438. Springer, Berlin (2005)

  16. Kiczales, G., Lamping, J., Menhdhekar, A., Maeda, C., Lopes C., Loingtier, J.-M., Irwin, J.: Aspect-oriented programming. In: Mehmet, A., Satoshi M. (eds.) Proceedings of the European Conference on Object-Oriented Programming, vol. 1241, pp. 220–242. Springer, Berlin (1997)

  17. Ligatti, J., Bauer, L., Walker, D.: Edit automata: enforcement mechanisms for run-time security policies. Int. J. Inf. Secur. 4(1–2), 2–16 (2005)

  18. Lindholm, T., Yellin, F.: The Java(TM) Virtual Machine Specification, 2nd edn. Prentice Hall PTR, New Jersey (1999)

  19. Provos, N.: Improving host security with system call policies. In: SSYM’03: Proceedings of the 12th Conference on USENIX Security Symposium, pp. 18–18. USENIX Association, Berkeley (2003)

  20. S3MS. Security of software and services for mobile systems. http://www.s3ms.org/ (2007)

  21. Saltzer, J., Schroeder, M.: The protection of information in computer systems. Proc. IEEE 9(63), 1278–1308 (1975)

  22. Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)

  23. Vanoverberghe, D., Piessens, F.: A caller-side inline reference monitor for an object-oriented intermediate language. In: Proceedings of the 10th IFIP WG 6.1 International Conference on Formal Methods for Open Object-Based Distributed Systems, FMOODS ’08, pp. 240–258. Springer, Berlin (2008)

Author information

Correspondence to Dries Vanoverberghe.

Additional information

D. Vanoverberghe is a postdoctoral researcher of the Fund for Scientific Research, Flanders (FWO).

Appendix

1.1 Operational semantics

See Figs. 8, 9, 10 and 11.

Fig. 8: Evaluation rules for normal execution (part 1)

Fig. 9: Evaluation rules for normal execution (part 2)

Fig. 10: Evaluation rules for exception handling

Fig. 11: Evaluation rule for virtual calls

Cite this article

Vanoverberghe, D., Piessens, F. Policy ignorant caller-side inline reference monitoring. Int J Softw Tools Technol Transfer 17, 291–303 (2015). https://doi.org/10.1007/s10009-014-0348-8
