Abstract

Run-time monitoring has proved to be a successful mechanism for enforcing information flow policies. The main challenge, however, is to achieve transparency, which generally demands that monitors make as few changes to program executions as possible. We investigate the level of transparency a monitor can attain when it uses static and dynamic information about the possible values of program variables. To study such value-sensitive monitors, we consider two paradigms of corrective enforcement that formulate the ultimate transparency. We then propose a number of purely dynamic and hybrid value-sensitive monitors for some known noninterference policies. Although value sensitivity leads to more transparent monitors, it can hardly provide the ultimate transparency. This motivates us to give partial orders reflecting the level of transparency a monitor may achieve and to locate monitors on the proposed partial orders. We show that hybrid value-sensitive monitors can correctively enforce so-called termination-insensitive noninterference only if they can compute the set of possible values of certain variables. We also prove that such an ideal monitor is the only hybrid monitor, in the large class of monitors identified in this paper, that can be more transparent than purely dynamic monitors.
