Edit Automata: Enforcement Mechanisms for Run-time Security Policies

Abstract:

We analyze the space of security policies that can be enforced by
monitoring and modifying programs at run time. Our program monitors,
called edit automata, are abstract machines that examine the
sequence of application program actions and transform the sequence
when it deviates from a specified policy. Edit automata have a rich
set of transformational powers: They may terminate the application,
thereby truncating the program action stream; they may suppress
undesired or dangerous actions without necessarily terminating the
program; and they may also insert additional actions into the event stream.

After providing a formal definition of edit automata, we develop a
rigorous framework for reasoning about them and their cousins:
truncation automata (which can only terminate applications),
suppression automata (which can terminate applications and suppress
individual actions), and insertion automata (which can terminate
and insert). We give a set-theoretic characterization of the policies
each sort of automaton can enforce and we provide examples of policies
that can be enforced by one sort of automaton but not another.