Abstract
Runtime security policy enforcement systems are crucial to limit the risks associated with running untrustworthy (malicious or buggy) code. The inlined reference monitor approach to policy enforcement, pioneered by Erlingsson and Schneider, implements runtime enforcement through program rewriting: security checks are inserted inside untrusted programs. Ensuring complete mediation—the guarantee that every security-relevant event is actually intercepted by the monitor—is non-trivial when the program rewriter operates on an object-oriented intermediate language with state-of-the-art features such as virtual methods and delegates. This paper proposes a caller-side rewriting algorithm for MSIL—the bytecode of the .NET virtual machine—where security checks are inserted around calls to security-relevant methods. We prove that this algorithm achieves sound and complete mediation and transparency for a simplified model of MSIL and report on our experiences with the implementation of the algorithm for full MSIL.
Notes
A method invocation is when the execution enters a new method. Method calls are first dispatched to find the actual target method before they are invoked.
In the remainder of this section, we assume that the assemblies do not contain the callvirt and ldftn instructions. This restriction will be relaxed in the next sections.
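As an added example (not code from the paper or from its implementation), the following Python sketch models the caller-side rewriting the abstract describes on a toy MSIL-like instruction list: a rewriter brackets every direct `call` to a security-relevant method with monitor hooks, spilling the call's arguments to fresh locals so the before-hook inspects exactly the values the callee will receive; a static check verifies complete mediation; and a small stack machine runs original and rewritten code under a constructed two-rule policy. The instruction subset, the method names, the policy and the hooks are assumptions made for this example, and callvirt and ldftn are left out, as in the simplified model of note 2.

```python
"""Caller-side inline reference monitoring on a toy MSIL-like language.
Added illustration, not the paper's implementation: the instruction subset
(ldstr, ldc.i4, ldloc, stloc, call, ret), method names, policy and hooks are assumptions."""
from typing import Dict, List, Optional, Tuple

class SecurityException(Exception):
    """Raised by a before-hook when the policy forbids the pending call."""

# Constructed policy: security-relevant method -> (argument count, before-hook).
POLICY: Dict[str, Tuple[int, str]] = {
    "System.IO.File::Delete": (1, "Monitor::BeforeDelete"),
    "System.Net.Sockets.Socket::Connect": (2, "Monitor::BeforeConnect"),
}
AFTER = "call Monitor::After"  # shared after-hook, takes no arguments

def rewrite(body: List[str]) -> List[str]:
    """Caller-side rewriting: bracket each direct `call` to a security-relevant
    method with the hooks. Only `call` is handled (no callvirt/ldftn, as in note 2).
    Assumes the input method declares no locals, so fresh locals start at 0."""
    out, next_local = [], 0
    for ins in body:
        op, _, target = ins.partition(" ")
        if op == "call" and target in POLICY:
            n, before = POLICY[target]
            locs = list(range(next_local, next_local + n))
            next_local += n
            # The arguments sit on the evaluation stack: spill them to locals so
            # the before-hook can inspect them and the real call still gets them.
            out += [f"stloc {l}" for l in reversed(locs)]  # stack top = last argument
            out += [f"ldloc {l}" for l in locs] + [f"call {before}"]
            out += [f"ldloc {l}" for l in locs] + [ins, AFTER]
        else:
            out.append(ins)
    return out

def mediation_complete(body: List[str]) -> bool:
    """Static check: each relevant call is preceded by its before-hook (only argument reloads in between) and followed by AFTER."""
    for i, ins in enumerate(body):
        op, _, target = ins.partition(" ")
        if op == "call" and target in POLICY:
            j = i - 1
            while j >= 0 and body[j].startswith("ldloc "):
                j -= 1
            if j < 0 or body[j] != f"call {POLICY[target][1]}":
                return False
            if i + 1 >= len(body) or body[i + 1] != AFTER:
                return False
    return True

def execute(body: List[str]) -> Tuple[List[str], Optional[str]]:
    """Tiny stack machine with constructed callees. The monitor is a security automaton
    (at most one connection, no deletes under C:\\Windows); returns (trace, violation)."""
    trace: List[str] = []
    state = {"connections": 0}
    def before_delete(path):
        trace.append(f"check delete {path}")
        if path.lower().startswith("c:\\windows\\"):
            raise SecurityException(f"delete of {path} denied")
    def before_connect(host, port):
        trace.append(f"check connect {host}:{port}")
        if state["connections"] >= 1:
            raise SecurityException("only one connection permitted")
        state["connections"] += 1
    natives = {  # name -> (arity, callable)
        "Monitor::BeforeDelete": (1, before_delete),
        "Monitor::BeforeConnect": (2, before_connect),
        "Monitor::After": (0, lambda: None),
        "System.IO.File::Delete": (1, lambda p: trace.append(f"deleted {p}")),
        "System.Net.Sockets.Socket::Connect": (2, lambda h, p: trace.append(f"connected {h}:{p}")),
    }
    stack, locals_ = [], {}
    try:
        for ins in body:
            op, _, arg = ins.partition(" ")
            if op == "ldstr":
                stack.append(arg.strip('"'))
            elif op == "ldc.i4":
                stack.append(int(arg))
            elif op == "stloc":
                locals_[int(arg)] = stack.pop()
            elif op == "ldloc":
                stack.append(locals_[int(arg)])
            elif op == "call":
                n, fn = natives[arg]
                args, stack = stack[len(stack) - n:], stack[:len(stack) - n]
                fn(*args)
            elif op == "ret":
                break
    except SecurityException as e:
        return trace, str(e)
    return trace, None

# Constructed untrusted method: a second connection, then a delete under C:\Windows.
UNTRUSTED = [
    'ldstr "update.example"', "ldc.i4 443", "call System.Net.Sockets.Socket::Connect",
    'ldstr "second.example"', "ldc.i4 80", "call System.Net.Sockets.Socket::Connect",
    'ldstr "C:\\Windows\\system.ini"', "call System.IO.File::Delete", "ret",
]
```

Calling `execute(UNTRUSTED)` shows the unmonitored method completing both connections and the delete, whereas `execute(rewrite(UNTRUSTED))` stops at the second connection attempt, and `mediation_complete` is false for the original but true for the rewritten list. For a method that complies with the policy, the rewritten trace differs from the original only by the inserted checks, which is the transparency property the abstract refers to.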
References
Agten, P., Van Acker, S., Brondsema, Y., Phung, P.H., Desmet, L., Piessens, F.: JSand: complete client-side sandboxing of third-party JavaScript without browser modifications. In: ACSAC, pp. 1–10 (2012)
Basin, D.A., Klaedtke, F., Zalinescu, E.: Algorithms for monitoring real-time properties. In: RV, pp. 260–275 (2011)
Bauer, L., Ligatti, J., Walker, D.: Composing security policies with polymer. In: PLDI ’05, pp. 305–314. ACM Press, New York (2005)
Dam, M., Jacobs, B., Lundblad, A., Piessens, F.: Security monitor inlining for multithreaded Java. In: ECOOP, pp. 546–569 (2009)
Dam, M., Jacobs, B., Lundblad, A., Piessens, F.: Provably correct inline monitoring for multithreaded Java-like programs. J. Comput. Secur. 18(1), 37–59 (2010)
Desmet, L., Joosen, W., Massacci, F., Naliuka, K., Philippaerts, P., Piessens, F., Vanoverberghe, D.: The S3MS.NET run time monitor: tool demonstration. Electron. Notes Theor. Comput. Sci. 253(5), 153–159 (2009)
Desmet, L., Joosen, W., Massacci, F., Philippaerts, P., Piessens, F., Siahaan, I., Vanoverberghe, D.: Security-by-contract on the .NET platform. Inf. Secur. Tech. Rep. 13(1), 25–32 (2008)
Erlingsson, U., Schneider, F.B.: SASI enforcement of security policies: a retrospective. In: WNSP: New Security Paradigms Workshop. ACM Press, New York (2000)
Erlingsson, U.: The inlined reference monitor approach to security policy enforcement. PhD thesis, Cornell University (2004). (Adviser-Fred B. Schneider)
Erlingsson, U., Schneider, F.B.: IRM enforcement of Java stack inspection. In: IEEE Symposium on Security and Privacy, pp. 246–255 (2000)
European Computer Machinery Association. Standard ECMA-335: Common Language Infrastructure, 4th edn. ECMA international, Geneva, Switzerland (2006)
Evain, J.B.: Cecil. http://www.mono-project.com/Cecil
Evans, D., Twyman, A.: Flexible policy-directed code safety. In: IEEE Symposium on Security and Privacy, pp. 32–45 (1999)
Fruja, N.G.: Type Safety of C# and .NET CLR. PhD thesis, ETH Zurich (2006)
Jeffrey, A.S.A., Rathke, J.: Java jr.: fully abstract trace semantics for a core Java language. In: Proceedings of the European Symposium on Programming. Lecture Notes in Computer Science, vol. 3444, pp. 423–438. Springer, Berlin (2005)
Kiczales, G., Lamping, J., Mendhekar, A., Maeda, C., Lopes, C., Loingtier, J.-M., Irwin, J.: Aspect-oriented programming. In: Akşit, M., Matsuoka, S. (eds.) Proceedings of the European Conference on Object-Oriented Programming. Lecture Notes in Computer Science, vol. 1241, pp. 220–242. Springer, Berlin (1997)
Ligatti, J., Bauer, L., Walker, D.: Edit automata: enforcement mechanisms for run-time security policies. Int. J. Inf. Secur. 4(1–2), 2–16 (2005)
Lindholm, T., Yellin, F.: The Java(TM) Virtual Machine Specification, 2nd edn. Prentice Hall PTR, New Jersey (1999)
Provos, N.: Improving host security with system call policies. In: SSYM’03: Proceedings of the 12th Conference on USENIX Security Symposium, pp. 18–18. USENIX Association, Berkeley (2003)
S3MS. Security of software and services for mobile systems. http://www.s3ms.org/ (2007)
Saltzer, J., Schroeder, M.: The protection of information in computer systems. Proc. IEEE 9(63), 1278–1308 (1975)
Schneider, F.B.: Enforceable security policies. ACM Trans. Inf. Syst. Secur. 3(1), 30–50 (2000)
Vanoverberghe, D., Piessens, F.: A caller-side inline reference monitor for an object-oriented intermediate language. In: Proceedings of the 10th IFIP WG 6.1 International Conference on Formal Methods for Open Object-Based Distributed Systems, FMOODS ’08, pp. 240–258. Springer, Berlin (2008)
D. Vanoverberghe is a postdoctoral researcher of the Fund for Scientific Research, Flanders (FWO).
Cite this article
Vanoverberghe, D., Piessens, F. Policy ignorant caller-side inline reference monitoring. Int J Softw Tools Technol Transfer 17, 291–303 (2015). https://doi.org/10.1007/s10009-014-0348-8
DOI: https://doi.org/10.1007/s10009-014-0348-8