We analyze the space of security policies that can be enforced by monitoring programs at runtime. Our program monitors are automata that
examine the sequence of program actions and transform the sequence
when it deviates from the specified policy. The simplest such automaton
truncates the action sequence by terminating a program. Such automata
are commonly known as security automata, and they enforce Schneider’s
EM class of security policies. We define automata with more powerful
transformational abilities, including the ability to insert a sequence of actions into the event stream and to suppress actions in the event stream
without terminating the program. We give a set-theoretic characterization
of the policies these new automata are able to enforce and show that
they are a superset of the EM policies.
Download the paper in PDF format here.