A Survey of Runtime Policy Enforcement Techniques and Implementations
نویسندگان
چکیده
Runtime techniques bring new promises of accuracy and flexibility in enforcing security policies. While static security enforcement was previously studied and classified, this work is the first to survey the state of the art on runtime security enforcement. Our purpose is to encourage a better understanding of limitations and advantages of enforcement techniques and their implementations. We classify techniques by criteria such as abstraction level, enforced policies and security guarantees. We analyse several implementations of each technique, from the point of view of trust model, policy language and performance overhead. Finally, we discuss research issues for further investigation in policy enforcement.
منابع مشابه
Principles of Data Flow Integrity: Specification and Enforcement
Subverting runtime data flow is common in many current software attacks. Data Flow Integrity (DFI) is a policy whose satisfaction can prevent such attacks. This paper develops a formal foundation on DFI specification, and characteristics of its enforcement techniques with formulations of hypotheses and guarantees. Enforcement techniques are based on static analysis and program monitoring at run...
متن کاملA Survey and Performance Evaluation of Bandwidth Enforcement Techniques over Edge Devices
This study comprehensively surveys various bandwidth enforcement techniques and evaluates them from eight commercial/open-source implementations. Bandwidth enforcement at organizational edges can allocate the access-link bandwidth according to administrative policy rules. Their policy rules can be categorized into (1) class-based bandwidth allocation rule; (2) connection guarantee rule within a...
متن کاملWhich security policies are enforceable by runtime monitors? A survey
Runtime monitoring is a widely used approach to ensure code safety. Several implementations of formal monitors have been proposed in the literature, and these differ with respect to the set of security policies that they are capable of enforcing. In this survey, we examine the evolution of knowledge regarding the issue of precisely which security policies monitors are capable of enforcing. We i...
متن کاملEfficient Runtime Policy Enforcement Using Counterexample-Guided Abstraction Refinement
Stateful security policies—which specify restrictions on behavior in terms of temporal safety properties—are a powerful tool for administrators to control the behavior of untrusted programs. However, the runtime overhead required to enforce them on real programs can be high. This paper describes a technique for rewriting programs to incorporate runtime checks so that all executions of the resul...
متن کاملEvent composition model: achieving naturalness in runtime enforcement
Runtime enforcement techniques are introduced in the literature to cope with the failures that occur while software is being executed in its target environment. These techniques may also offer diagnosis and recovery actions to respectively identify the causes of the failures and to heal them. Since the development of runtime enforcement techniques can be complex, errorprone and costly, runtime ...
متن کامل