Execution monitoring enforcement for limited-memory systems

Abstract

Recently, attention has been given to formally characterize security policies that are enforceable by different kinds of security mechanisms. Since execution monitoring (EM) is a ubiquitous technique for enforcing security policies, this class of enforcement mechanisms has attracted the attention of the majority of authors characterizing security enforcement. A very important research problem is the characterization of security policies that are enforceable by execution monitors constrained by memory limitations. This paper contributes to give more precise answers to this research problem. To represent execution monitors constrained by memory limitations, we introduce a new class of automata that we call Bounded History Automata. Characterizing memory limitations gives rise to a precise taxonomy of security policies enforceable under such constraints.This work is in the same line as the research work advanced by Schneider [31], Ligatti et. al [1, 21] and Fong [12] on security enforcement. Our main contribution consists in (1) instantiating Fong's abstraction idea to deal with memory-limitations, (2) defining Bounded History Automata by applying our abstraction to both security automata and edit automata [1], and (3) Reasoning about the enforcement power of bounded history automata by investigating the enforcement of locally testable properties; a well studied class of languages that are recognizable by investigating local information. Our approach gives rise to a realistic evaluation of the enforcement power of execution monitoring. This evaluation is based on bounding the memory size used by the monitor to save execution history, and identifying the security policies enforceable under such constraint.