Provably Correct Runtime Monitoring

Runtime monitoring is an established technique to enforce a wide range of programsafety and security properties. We present a formalization of monitoring and monitorinlining, for the Java Virtual Machine. Monitors are security automata given in aspecial-purpose monitor specification language, ConSpec. The automata operateon finite or infinite strings of calls to a fixed API, allowing local dependencies onparameter values and heap content. We use a two-level class file annotation schemeto characterize two key properties: (i) that the program is correct with respect tothe monitor as a constraint on allowed program behavior, and (ii) that the programhas a copy of the given monitor embedded into it. As the main application ofthese results we sketch a simple inlining algorithm and show how the two-levelannotations can be completed to produce a fully annotated program which is validin the standard sense of Floyd/Hoare logic. This establishes the mediation propertythat inlined programs are guaranteed to adhere to the intended policy. Furthermore,validity can be checked efficiently using a weakest precondition based annotationchecker, thus preparing the ground for on-device checking of policy adherence in aproof-carrying code setting. Email addresses: [email protected] (Irem Aktug), [email protected] (Mads Dam),[email protected] (Dilian Gurov).1 The work was supported by the EU FP6 IST-STREP-27004 project S3MS, Secu-rity of Software and Services for Mobile Systems. Additionally, the second authorwas partially supported by the ACCESS Linnaeus Center at KTH, the Royal Insti-tute of Technology, and by the Swedish Research Council, projects 2003-6108 and2007-6436. Preprint submitted to Elsevier Science2 January 2009