Provably Correct Inline Monitoring for Multi-threaded Java-like Programs
2010 (English)In: Journal of Computer Security, ISSN 0926-227X, Vol. 18, no 1, 37-59 p.Article in journal (Other (popular science, discussion, etc.)) Published
Inline reference monitoring is a powerful technique to enforce security policies on untrusted programs. The security-by-contract paradigm proposed by the EU FP6 S 3 MS project uses policies, monitoring, and monitor inlining to secure third-party applications running on mobile devices. The focus of this paper is on multi-threaded Java bytecode. An important consideration is that inlining should interfere with the client program only when mandated by the security policy. In a multithreaded setting, however, this requirement turns out to be problematic. Generally, inliners use locks to control access to shared resources such as an embedded monitor state. This will interfere with application program non-determinism due to Java's relaxed memory consistency model, and rule out the transparency property, that all policy-adherent behaviour of an application program is preserved under inlining. In its place we propose a notion of strong conservativity, to formalise the property that the inliner can terminate the client program only when the policy is about to be violated. An example inlining algorithm is given and proved to be strongly conservative. Finally, benchmarks are given for four example applications studied in the S 3 MS project.
Place, publisher, year, edition, pages
2010. Vol. 18, no 1, 37-59 p.
Security-by-contract; Runtime monitoring; Monitor inlining.
Computer and Information Science
IdentifiersURN: urn:nbn:se:kth:diva-62951DOI: 10.3233/JCS-2010-0365ScopusID: 2-s2.0-71749083026OAI: oai:DiVA.org:kth-62951DiVA: diva2:481400
QC 201201252012-01-202012-01-202013-02-20Bibliographically approved