Corrective Enforcement of Security Policies

Monitoring is a powerful security policy enforcement paradigm that allows the execution of a potentially malicious software by observing and transforming it, thus ensuring its compliance with a user-defined security policy. Yet some restrictions must be imposed on the monitor’s ability to transform sequences, so that key elements of the execution’s semantics are preserved. An approximation of the sequence is executed rather than an equivalent one. This approximation must preserve the fundamental behaviors intended by the user. In this paper, we propose a framework to express and study such a restriction based on partial orders. The intuition behind our model is that the monitor should be bounded to output a sequence that both respects the desired security property and is preserves the semantics of the input sequence. We give several examples of real-life security policies and propose monitors capable of enforcing these properties. We then turn to the question of comparing several monitors enforcing the same security property. We propose several metrics which can be used to select the best enforcement paradigm for a given property.