12/03/071/51 monitoring software to enforce run-time policies jay ligatti, university of south...
TRANSCRIPT
![Page 1: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/1.jpg)
12/03/0712/03/07 11/51/51
Monitoring Software to Monitoring Software to Enforce Run-time PoliciesEnforce Run-time Policies
Jay Ligatti, University of South Jay Ligatti, University of South FloridaFlorida
![Page 2: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/2.jpg)
12/03/0712/03/07 22/51/51
ProblemProblem
Software often behaves Software often behaves unexpectedlyunexpectedly– BugsBugs– Malicious design (malware)Malicious design (malware)
0100020003000400050006000700080009000
# Vulner-abilities
Reported to CERT
1995 1997 1999 2001 2003 2005
Year [ http://www.cert.org/stats ]
![Page 3: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/3.jpg)
12/03/0712/03/07 33/51/51
A Protection MechanismA Protection Mechanism
Run-time program monitorsRun-time program monitors– Ensure that software dynamically Ensure that software dynamically
adheres to constraints specified by a adheres to constraints specified by a security policysecurity policy
UntrustedTarget
ProgramMonitor
ExecutingSystem
Open(f,“w”)is OK
Open(f,“w”) Open(f,“w”)
![Page 4: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/4.jpg)
12/03/0712/03/07 44/51/51
Common Monitor Common Monitor ExamplesExamples
File access controlFile access control FirewallsFirewalls Resource monitorsResource monitors Stack inspectionStack inspection Applet sandboxingApplet sandboxing Bounds checks on input values Bounds checks on input values Security loggingSecurity logging Displaying security warningsDisplaying security warnings Operating systems and virtual Operating systems and virtual
machinesmachines ……
![Page 5: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/5.jpg)
12/03/0712/03/07 55/51/51
Policies Become More Policies Become More ComplexComplex
As software becomes more sophisticatedAs software becomes more sophisticated– Multi-user and networked systemsMulti-user and networked systems– Electronic commerceElectronic commerce– Medical databases (HIPAA)Medical databases (HIPAA)
As we tighten overly relaxed policiesAs we tighten overly relaxed policies– Insecure default configurations disallowedInsecure default configurations disallowed– Downloading .exe files requires warningDownloading .exe files requires warning
As we relax overly tight policiesAs we relax overly tight policies– All applets sandboxed (JDK 1.0) vs. All applets sandboxed (JDK 1.0) vs.
only only unsignedunsigned applets sandboxed (JDK 1.1) applets sandboxed (JDK 1.1)
![Page 6: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/6.jpg)
12/03/0712/03/07 66/51/51
Research QuestionsResearch Questions
Given:Given:• The prevalence and usefulness of monitorsThe prevalence and usefulness of monitors• The need to enforce increasingly complex policiesThe need to enforce increasingly complex policies
1.1. Which of the policies can monitors enforce?Which of the policies can monitors enforce?• Want to know when and when not to use monitorsWant to know when and when not to use monitors
2.2. How can we conveniently specify the complex How can we conveniently specify the complex policies that monitors can enforce?policies that monitors can enforce?
![Page 7: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/7.jpg)
12/03/0712/03/07 77/51/51
OutlineOutline
Motivation and GoalsMotivation and Goals– Program monitors are useful, so…Program monitors are useful, so…– What are their enforcement powers?What are their enforcement powers?– How can we cope with their complexity?How can we cope with their complexity?
Delineating the enforceable policiesDelineating the enforceable policies Conveniently specifying policies in Conveniently specifying policies in
practicepractice ConclusionsConclusions
![Page 8: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/8.jpg)
12/03/0712/03/07 88/51/51
Delineating the Delineating the Enforceable PoliciesEnforceable Policies
2. Define monitors and how they enforce policies
1. Define policies on systems
3. Analyze which policies monitors can enforce
![Page 9: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/9.jpg)
12/03/0712/03/07 99/51/51
Systems and Systems and ExecutionsExecutions
SystemSystem = a state machine that transitions states = a state machine that transitions states by executing by executing actionsactions
We specify a system according to the possibly We specify a system according to the possibly countably infinite set of actions it can executecountably infinite set of actions it can execute AA = { logBegin( = { logBegin(nn), ), (log that ATM is about to dispense $(log that ATM is about to dispense $nn))
dispense( dispense(nn),), (dispense $(dispense $nn)) logEnd( logEnd(nn)) (log that ATM just dispensed $(log that ATM just dispensed $nn))
} }
ExecutionExecution = possibly infinite sequence of actions = possibly infinite sequence of actions logBegin(80); logEnd(80) logBegin(80); logEnd(80) dispense(100); dispense(100); dispense(100); …dispense(100); dispense(100); dispense(100); …
![Page 10: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/10.jpg)
12/03/0712/03/07 1010/51/51
Execution NotationExecution Notation
On a system with action set On a system with action set AA,,AA** = set of all = set of all finitefinite executionsexecutionsAAωω = set of all = set of all infiniteinfinite executionsexecutionsAA∞∞ = set of = set of allall executionsexecutions
Prefix notation: Prefix notation: ss≤≤uu (or (or uu≥≥ss) ) – Means: Means: ss is a finite prefix of possibly is a finite prefix of possibly
infinite infinite uu– Read: Read: ss prefixesprefixes uu (or (or uu extendsextends ss))
![Page 11: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/11.jpg)
12/03/0712/03/07 1111/51/51
PoliciesPolicies
A A policypolicy PP is a predicate on executions is a predicate on executions
Execution Execution ss satisfies policy satisfies policy PP if and only if if and only if P P ((ss))– Termination: Termination: P P ((ss) ) ss is finite is finite– Transactional: Transactional: P P ((ss) ) s s is a sequence of valid is a sequence of valid
transactionstransactions
TerminologyTerminology– IfIf P P ((ss) then) then s s is valid, or “good” is valid, or “good”– IfIf P P ((ss) then) then s s is invalid, or “bad” is invalid, or “bad”
![Page 12: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/12.jpg)
12/03/0712/03/07 1212/51/51
Safety and LivenessSafety and Liveness [Lamport ’77; Alpern, Schneider ’85][Lamport ’77; Alpern, Schneider ’85]
Two types of policies have been studied a lotTwo types of policies have been studied a lot
SafetySafety: “Bad executions cannot be made good”: “Bad executions cannot be made good”
ssAA∞∞ : : P P ((ss) ) ss’≤’≤ss : : uu≥≥ss’ : ’ : P P ((uu))– Access-control (cannot “undo” illegal accesses)Access-control (cannot “undo” illegal accesses)
LivenessLiveness: “Finite executions can be made good”: “Finite executions can be made good” ssAA* : * : uu≥≥ss : : P P ((uu))– Termination and nonterminationTermination and nontermination
![Page 13: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/13.jpg)
12/03/0712/03/07 1313/51/51
Delineating the Delineating the Enforceable PoliciesEnforceable Policies
2. Define monitors and how they enforce policies
1. Define policies on systems
3. Analyze which policies monitors can enforce
![Page 14: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/14.jpg)
12/03/0712/03/07 1414/51/51
Operation of Monitors: Operation of Monitors: Accepting an OK ActionAccepting an OK Action
UntrustedTarget
ProgramMonitor
ExecutingSystem
Open(f,“w”)is OK
Open(f,“w”) Open(f,“w”)
Monitor inputs actions from target andoutputs actions to the executing system
Here, input action is safe to execute, somonitor accepts it (makes it observable)
![Page 15: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/15.jpg)
12/03/0712/03/07 1515/51/51
Operation of Monitors: Operation of Monitors: Suppressing an ActionSuppressing an Action
UntrustedTarget
ProgramMonitor
ExecutingSystem
Open(f,“w”)is not OK
Open(f,“w”)
Input action is not safe to execute, so monitor suppresses it and allows target to continue executing
![Page 16: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/16.jpg)
12/03/0712/03/07 1616/51/51
Operation of Monitors: Operation of Monitors: Inserting an ActionInserting an Action
UntrustedTarget
ProgramMonitor
ExecutingSystem
Open(f,“w”)is not OK
Open(f,“w”) Close(f,“w”)
Input action is not safe to execute, so monitor inserts another action, then reconsiders the original action
![Page 17: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/17.jpg)
12/03/0712/03/07 1717/51/51
Modeling MonitorsModeling Monitors[Ligatti, Bauer, Walker ’05][Ligatti, Bauer, Walker ’05]
Model a monitor that can Model a monitor that can accept, suppress, accept, suppress, andand insert insert actions as an actions as an edit automatonedit automaton ((QQ,,qq00,,tt))– QQ is finite or countably infinite set of states is finite or countably infinite set of states
– qq00 is initial state is initial state
– A complete, deterministic, and TM-decidable A complete, deterministic, and TM-decidable functionfunction
t : Q x A Q x (A U {●})
currentstate
input(trigger)action
new state
actionto insert
suppresstriggeraction
![Page 18: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/18.jpg)
12/03/0712/03/07 1818/51/51
Operational SemanticsOperational Semantics
Transition functions define how monitors behave Transition functions define how monitors behave on on individualindividual input actions input actions
For the definition of enforcement, we will For the definition of enforcement, we will generalize and consider how monitors transform generalize and consider how monitors transform entireentire input executions input executions
a1;a2;a2;a3;… a1;a2;a2;a4;…Untrusted input Valid output
Monitor
Monitors are execution transformers
![Page 19: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/19.jpg)
12/03/0712/03/07 1919/51/51
Enforcing PoliciesEnforcing Policies[Ligatti, Bauer, Walker ’05][Ligatti, Bauer, Walker ’05]
A monitor A monitor enforcesenforces a policy a policy PP when it is when it is sound sound and and transparent transparent with respect to with respect to PP
SoundnessSoundness: : – Monitors’ outputs (observable executions) must be Monitors’ outputs (observable executions) must be
validvalid
TransparencyTransparency::– Monitors must not alter the semantics of valid inputsMonitors must not alter the semantics of valid inputs– Conservative definition: on a valid input execution Conservative definition: on a valid input execution ss, ,
a monitor must output a monitor must output ss
![Page 20: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/20.jpg)
12/03/0712/03/07 2020/51/51
Delineating the Delineating the Enforceable PoliciesEnforceable Policies
2. Define monitors and how they enforce policies
1. Define policies on systems
3. Analyze which policies monitors can enforce
![Page 21: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/21.jpg)
12/03/0712/03/07 2121/51/51
Enforcement Powers Enforcement Powers Related WorkRelated Work
Previous work on monitors’ enforcement Previous work on monitors’ enforcement bounds only considered monitors that bounds only considered monitors that accept actions and halt target accept actions and halt target [Schneider ’00; [Schneider ’00; Viswanathan ’00; Hamlen, Morrisett, Schneider ’03; Fong ’04]Viswanathan ’00; Hamlen, Morrisett, Schneider ’03; Fong ’04]
Enforcing policy meant Enforcing policy meant recognizingrecognizing rather rather than than transformingtransforming executionsexecutions
Result: monitors only enforce safety Result: monitors only enforce safety policiespolicies
![Page 22: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/22.jpg)
12/03/0712/03/07 2222/51/51
Enforcing Properties with Enforcing Properties with Edit AutomataEdit Automata
Modeling realistic ability to Modeling realistic ability to insertinsert and and suppresssuppress actions enables a powerful actions enables a powerful enforcement techniqueenforcement technique– Suppress (feign execution of) potentially bad Suppress (feign execution of) potentially bad
actions, and later, if the suppressed actions are actions, and later, if the suppressed actions are found to be safe, re-insert themfound to be safe, re-insert them
Using this technique, Using this technique, monitors can monitors can sometimes enforce non-safety policiessometimes enforce non-safety policies, , contrary to earlier results and conjecturescontrary to earlier results and conjectures
![Page 23: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/23.jpg)
12/03/0712/03/07 2323/51/51
Example: ATM PolicyExample: ATM Policy
ATM must log before and after dispensing ATM must log before and after dispensing cashcashand may only log before and after dispensing and may only log before and after dispensing cashcash
Valid executions = (logBegin(n); dispense(n); Valid executions = (logBegin(n); dispense(n); logEnd(n))logEnd(n))∞∞
Guarantees that the ATM software generates a proper log whenever it dispenses cash
![Page 24: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/24.jpg)
12/03/0712/03/07 2424/51/51
Example: ATM PolicyExample: ATM Policy
ATM must log before and after dispensing ATM must log before and after dispensing cashcashand may only log before and after dispensing and may only log before and after dispensing cashcash
Valid executions = (logBegin(n); dispense(n); Valid executions = (logBegin(n); dispense(n); logEnd(n))logEnd(n))∞∞
init begun(n) dispensed(n)
logBegin(n) dispense(n)
logEnd(n)insert: logBegin(n);dispense(n);logEnd(n)
(suppress) (suppress)
![Page 25: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/25.jpg)
12/03/0712/03/07 2525/51/51
Example: ATM PolicyExample: ATM Policy
ATM must log before and after dispensing cashATM must log before and after dispensing cashand may only log before and after dispensing cashand may only log before and after dispensing cash
Valid executions = (logBegin(n); dispense(n); logEnd(n))Valid executions = (logBegin(n); dispense(n); logEnd(n))∞∞
Is not a safety policy:Is not a safety policy: logBegin(200) by itself is illegal but can be “made good”logBegin(200) by itself is illegal but can be “made good”
Is not a liveness policy:Is not a liveness policy: dispense(200) cannot be “made good”dispense(200) cannot be “made good”
![Page 26: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/26.jpg)
12/03/0712/03/07 2626/51/51
Enforceable Policies Enforceable Policies Renewal PoliciesRenewal Policies
Theorem: Theorem: Except for a technical corner case, edit Except for a technical corner case, edit automata enforce automata enforce exactlyexactly the set of the set of reasonable reasonable infinite renewalinfinite renewal policiespolicies
RenewalRenewal: “Infinite executions are good iff : “Infinite executions are good iff they are good infinitely often”they are good infinitely often”
sAω : P(s) {u≤s | P(u)} is an infinite set
![Page 27: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/27.jpg)
12/03/0712/03/07 2727/51/51
Example: ATM PolicyExample: ATM Policy
ATM must log before and after dispensing cashATM must log before and after dispensing cashand may only log before and after dispensing cashand may only log before and after dispensing cash Valid executions = (logBegin(n); dispense(n); logEnd(n))Valid executions = (logBegin(n); dispense(n); logEnd(n))∞∞
This is a renewal policy:This is a renewal policy:– Valid infinite executions have infinitely many valid Valid infinite executions have infinitely many valid
prefixesprefixes– Invalid infinite executions have finitely many valid Invalid infinite executions have finitely many valid
prefixesprefixes Some prefix with multiple of 3 actions ends with a bad Some prefix with multiple of 3 actions ends with a bad
transaction; all successive prefixes are invalidtransaction; all successive prefixes are invalid
![Page 28: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/28.jpg)
12/03/0712/03/07 2828/51/51
Safety, Liveness, Safety, Liveness, RenewalRenewal
Safety Liveness
Renewal
All Policies
1 2
4
3 5
6
1 File access control2 Trivial3 Eventually audits4 ATM transactions5 Termination6 Termination + File access control
![Page 29: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/29.jpg)
12/03/0712/03/07 2929/51/51
OutlineOutline
Motivation and GoalsMotivation and Goals– Program monitors are useful, so…Program monitors are useful, so…– What are their enforcement powers?What are their enforcement powers?– How can we cope with their complexity?How can we cope with their complexity?
Delineating the enforceable policiesDelineating the enforceable policies Conveniently specifying policies in Conveniently specifying policies in
practicepractice ConclusionsConclusions
![Page 30: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/30.jpg)
12/03/0712/03/07 3030/51/51
Related Work: Specifying Related Work: Specifying Monitor PoliciesMonitor Policies
General monitoring systems General monitoring systems – Java-MaC [Lee, Kannan, Kim, Sokolsky, Viswanathan ’99]Java-MaC [Lee, Kannan, Kim, Sokolsky, Viswanathan ’99]– Naccio [Evans, Twyman ’99]Naccio [Evans, Twyman ’99]– Policy Enforcement Toolkit [Erlingsson, Schneider ’00]Policy Enforcement Toolkit [Erlingsson, Schneider ’00]– Aspect-oriented software systems [Kiczales, Hilsdale, Aspect-oriented software systems [Kiczales, Hilsdale,
Hugunin, Kersten, Palm, Griswold ’01; …]Hugunin, Kersten, Palm, Griswold ’01; …]– ……
Language theoryLanguage theory– Semantics for AOPLs [Tucker, Krishnamurthi ’03; Walker, Semantics for AOPLs [Tucker, Krishnamurthi ’03; Walker,
Zdancewic, Ligatti ’03; Wand, Kiczales, Dutchyn ’04; …]Zdancewic, Ligatti ’03; Wand, Kiczales, Dutchyn ’04; …]
Lack: Flexible methodology for decomposing Lack: Flexible methodology for decomposing complex policies into simpler modulescomplex policies into simpler modules
![Page 31: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/31.jpg)
12/03/0712/03/07 3131/51/51
Polymer ContributionsPolymer Contributions[Bauer, Ligatti, Walker ’05][Bauer, Ligatti, Walker ’05]
PolymerPolymer– Is a fully implemented language (with formal Is a fully implemented language (with formal
semantics) for specifying run-time policies on Java semantics) for specifying run-time policies on Java codecode
– Provides a methodology for conveniently specifying Provides a methodology for conveniently specifying and generating complex monitors from simpler and generating complex monitors from simpler modulesmodules
StrategyStrategy– MakeMake all all policies first-class and composeable policies first-class and composeable– So higher-order policies (So higher-order policies (superpoliciessuperpolicies) can compose ) can compose
simpler policies (simpler policies (subpoliciessubpolicies))
![Page 32: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/32.jpg)
12/03/0712/03/07 3232/51/51
Polymer Language Polymer Language OverviewOverview
Syntactically almost identical to Java Syntactically almost identical to Java sourcesource
Primary additions to JavaPrimary additions to Java– Key abstractions for first-class actions, Key abstractions for first-class actions,
suggestions, and policiessuggestions, and policies– Programming disciplineProgramming discipline– Composeable policy organizationComposeable policy organization
![Page 33: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/33.jpg)
12/03/0712/03/07 3333/51/51
First-class ActionsFirst-class Actions
ActionAction objects contain information objects contain information about a method invocationabout a method invocation– Static method signatureStatic method signature– Dynamic calling object Dynamic calling object – Dynamic parametersDynamic parameters
Policies can analyze trigger actionsPolicies can analyze trigger actions Policies can synthesize actions to Policies can synthesize actions to
insertinsert
![Page 34: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/34.jpg)
12/03/0712/03/07 3434/51/51
Action PatternsAction Patterns
For convenient analysis, action objects For convenient analysis, action objects can be matched to patterns in aswitch can be matched to patterns in aswitch statementsstatements
Wildcards can appear in action patternsWildcards can appear in action patterns
aswitch(a) { case <void ex.ATM.logBegin(int amt)>: E; …}
<public void *.*.logBegin(..)>
![Page 35: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/35.jpg)
12/03/0712/03/07 3535/51/51
First-class SuggestionsFirst-class Suggestions
Policies return Policies return SuggestionSuggestion objects to objects to indicate how to handle trigger actionsindicate how to handle trigger actions– IrrSugIrrSug: action is irrelevant: action is irrelevant– OKSugOKSug: action is relevant but safe: action is relevant but safe– InsSugInsSug: defer judgment until after running and : defer judgment until after running and
evaluating some auxiliary codeevaluating some auxiliary code– ReplSugReplSug: replace action (which computes a : replace action (which computes a
return value) with another return valuereturn value) with another return value– ExnSugExnSug: raise an exception to notify target that : raise an exception to notify target that
it is not allowed to execute this actionit is not allowed to execute this action– HaltSugHaltSug: disallow action and halt execution: disallow action and halt execution
![Page 36: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/36.jpg)
12/03/0712/03/07 3636/51/51
First-class SuggestionsFirst-class Suggestions
SuggestionsSuggestions implement the implement the theoretical capabilities of monitorstheoretical capabilities of monitors
– IrrSugIrrSug– OKSugOKSug– InsSugInsSug– ReplSugReplSug– ExnSugExnSug– HaltSugHaltSug
Different ways to accept
Insert
Different ways to suppress
![Page 37: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/37.jpg)
12/03/0712/03/07 3737/51/51
First-class PoliciesFirst-class Policies PoliciesPolicies include state and several methods: include state and several methods:
– query()query() suggests how to deal with trigger actionssuggests how to deal with trigger actions– accept()accept() performs bookkeeping before a performs bookkeeping before a
suggestion is followedsuggestion is followed– result()result() performs bookkeeping after an OK’d or performs bookkeeping after an OK’d or
inserted action returns a resultinserted action returns a result
public abstract class Policy { public abstract Sug query(Action a); public void accept(Sug s) { }; public void result(Sug s, Object result, boolean wasExnThn) { };}
![Page 38: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/38.jpg)
12/03/0712/03/07 3838/51/51
Compositional Policy Compositional Policy DesignDesign
query()query() methods should be effect-free methods should be effect-free– Superpolicies test reactions of subpolicies Superpolicies test reactions of subpolicies
by calling their query() methodsby calling their query() methods– Superpolicies combine reactions in Superpolicies combine reactions in
meaningful waysmeaningful ways– Policies cannot assume suggestions will be Policies cannot assume suggestions will be
followedfollowed Effects postponed for Effects postponed for accept()accept() and and
result()result()
![Page 39: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/39.jpg)
12/03/0712/03/07 3939/51/51
A Simple Policy That A Simple Policy That Forbids Runtime.exec(..) Forbids Runtime.exec(..)
methodsmethodspublic class DisSysCalls extends Policy { public Sug query(Action a) { aswitch(a) { case <* java.lang.Runtime.exec(..)>: return new HaltSug(this, a); } return new IrrSug(this); } public void accept(Sug s) { if(s.isHalt()) { System.err.println(“Illegal method called”); System.err.println(“About to halt target.”); } } }
![Page 40: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/40.jpg)
12/03/0712/03/07 4040/51/51
Another Example:Another Example:public class ATMPolicy extends Policypublic class ATMPolicy extends Policy
public Suggestion query(Action a) { if(isInsert) return new IrrSug( ); aswitch(a) { case <void ex.ATM.logBegin(int n)>: if(transState==0) return new ReplSug(null, a); else return new HaltSug(a); case <void ex.ATM.dispense(int n)>: if(transState==1 && amt==n) return new ReplSug(null, a); else return new HaltSug(a); case <void ex.ATM.logEnd(int n)>: if(transState==2 && amt==n) return new OKSug(a); else return new HaltSug(a); default: if(transState>0) return new HaltSug(a); else return new IrrSug( ); } }
private boolean isInsert = false;private int transState = 0;private int amt = 0;public void accept(Sug s) { aswitch(s.getTrigger( )) { case <void ex.ATM.dispense(int n)>: transState = 2; break; case <void ex.ATM.logBegin(int n)>: transState = 1; amt = n; } if(s.isOK( )) { isInsert = true; ex.ATM.logBegin(amt); ex.ATM.dispense(amt); isInsert = false; transState = 0; amt = 0; }}
![Page 41: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/41.jpg)
12/03/0712/03/07 4141/51/51
Policy CombinatorsPolicy Combinators
Polymer provides library of generic Polymer provides library of generic superpolicies (superpolicies (combinatorscombinators))
Policy writers are free to create new Policy writers are free to create new combinatorscombinators
Standard form:Standard form:public class Conjunction extends Policy { private Policy p1, p2; public Conjunction(Policy p1, Policy p2) { this.p1 = p1; this.p2 = p2; } public Sug query(Action a) { Sug s1 = p1.query(a), s2 = p2.query(a); //return the conjunction of s1 and s2 …
![Page 42: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/42.jpg)
12/03/0712/03/07 4242/51/51
Conjunctive CombinatorConjunctive Combinator
Apply several policies at once, first making Apply several policies at once, first making any insertions suggested by subpoliciesany insertions suggested by subpolicies
When no subpolicy suggests an insertion, When no subpolicy suggests an insertion, obey most restrictive subpolicy suggestion obey most restrictive subpolicy suggestion
Irrelevant OK
Replace(v1)Replace(v2)
…Replace(v3)
Exception Halt
Least restrictive Most restrictive
Policy netPoly = new Conjunction(new FirewallPoly(), new LogSocketsPoly(), new WarnB4DownloadPoly());
![Page 43: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/43.jpg)
12/03/0712/03/07 4343/51/51
Selector CombinatorsSelector Combinators
Make some initial choice about which Make some initial choice about which subpolicy to enforce and forget about subpolicy to enforce and forget about the other subpoliciesthe other subpolicies
IsClientSignedIsClientSigned: Enforce first subpolicy : Enforce first subpolicy if and only if target is if and only if target is cryptographically signedcryptographically signed
Policy sandboxUnsigned = new IsClientSigned( new TrivialPolicy(), new SandboxPolicy());
![Page 44: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/44.jpg)
12/03/0712/03/07 4444/51/51
Unary CombinatorsUnary Combinators
Perform some extra operations while Perform some extra operations while enforcing a single subpolicyenforcing a single subpolicy
AutoUpdateAutoUpdate: Obey sole subpolicy but : Obey sole subpolicy but also intermittently check for also intermittently check for subpolicy updatessubpolicy updates
![Page 45: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/45.jpg)
12/03/0712/03/07 4545/51/51
Case StudyCase Study
Polymer policy for email clients that use the Polymer policy for email clients that use the JavaMail APIJavaMail API– Approx. 1800 lines of Polymer code, available atApprox. 1800 lines of Polymer code, available at
http://www.cs.princeton.edu/sip/projects/polymerhttp://www.cs.princeton.edu/sip/projects/polymer
Tested on Pooka Tested on Pooka [http://www.suberic.net/pooka][http://www.suberic.net/pooka]
– Approx. 50K lines of Java code + librariesApprox. 50K lines of Java code + libraries
(Java standard libraries, JavaMail, JavaBeans (Java standard libraries, JavaMail, JavaBeans Activation Framework, JavaHelp, The Knife mbox Activation Framework, JavaHelp, The Knife mbox provider, Kunststoff Look and Feel, and ICE JNI provider, Kunststoff Look and Feel, and ICE JNI library)library)
![Page 46: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/46.jpg)
12/03/0712/03/07 4646/51/51
Email Policy HierarchyEmail Policy Hierarchy
Related policyRelated policyconcerns areconcerns aremodularizedmodularized
=>=>1) Easier to 1) Easier to
create the create the policypolicy- Modules are - Modules are reusablereusable
- Modules can - Modules can be written in be written in isolationisolation
2) Easier to 2) Easier to understand understand the policythe policy
3) Easier to 3) Easier to update the update the policypolicy
![Page 47: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/47.jpg)
12/03/0712/03/07 4747/51/51
OutlineOutline
Motivation and GoalsMotivation and Goals– Program monitors are useful, so…Program monitors are useful, so…– What are their enforcement powers?What are their enforcement powers?– How can we cope with their complexity?How can we cope with their complexity?
Delineating the enforceable policiesDelineating the enforceable policies Conveniently specifying policies in Conveniently specifying policies in
practicepractice ConclusionsConclusions
![Page 48: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/48.jpg)
12/03/0712/03/07 4848/51/51
SummarySummary
Long-term research goal:Long-term research goal:Whenever possible, generate efficient and Whenever possible, generate efficient and provably effective mechanisms to enforce easily provably effective mechanisms to enforce easily specified policiesspecified policies
Results:Results:– Defined what it means for a monitor to enforce a Defined what it means for a monitor to enforce a
policypolicy– Analyzed which of the increasingly complex policies Analyzed which of the increasingly complex policies
that need to be enforced can be with monitorsthat need to be enforced can be with monitors– Made it easier to specify and generate complex Made it easier to specify and generate complex
monitorsmonitors
![Page 49: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/49.jpg)
12/03/0712/03/07 4949/51/51
Future Research Avenues Future Research Avenues (Specification Technologies)(Specification Technologies)
Develop languages for safely and Develop languages for safely and easily specifying many types of easily specifying many types of policiespolicies– Transactional policiesTransactional policies– Fault-tolerance policiesFault-tolerance policies
Create GUI tools for visualizing and Create GUI tools for visualizing and specifying policy compositions and specifying policy compositions and dynamic policy updatesdynamic policy updates
![Page 50: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/50.jpg)
12/03/0712/03/07 5050/51/51
Future Research AvenuesFuture Research Avenues(Policy Analysis and Enforcement)(Policy Analysis and Enforcement)
Generalize formal models for:Generalize formal models for:– Real-time policiesReal-time policies– ConcurrencyConcurrency– More “active” monitorsMore “active” monitors
(monitor triggers application, not vice (monitor triggers application, not vice versa)versa)
Place resource bounds on mechanismsPlace resource bounds on mechanisms Decompose general policies into Decompose general policies into
practically enforceable static and practically enforceable static and dynamic policiesdynamic policies
![Page 51: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/51.jpg)
12/03/0712/03/07 5151/51/51
EndEnd
Thanks / Questions?
![Page 52: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/52.jpg)
12/03/0712/03/07 5252/51/51
Extra SlidesExtra Slides
![Page 53: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/53.jpg)
12/03/0712/03/07 5353/51/51
Edit Automata Edit Automata EnforcementEnforcement
(Lower Bound)(Lower Bound) Theorem: Theorem: policies P such that policies P such that
1. P is a renewal policy, 1. P is a renewal policy, 2. P( 2. P(●●), and ), and 3. 3. ssA* A* :: P(s) is decidable, P(s) is decidable, an edit automaton that enforces P. an edit automaton that enforces P.
Edit automata can enforce any reasonable renewal policy
![Page 54: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/54.jpg)
12/03/0712/03/07 5454/51/51
Edit Automata Edit Automata EnforcementEnforcement
(Lower Bound)(Lower Bound) Proof idea: Technique of suppressing actions Proof idea: Technique of suppressing actions
until they are known to be safe causes every until they are known to be safe causes every valid prefix, and only valid prefixes, of the valid prefix, and only valid prefixes, of the input to be outputinput to be output– Given a renewal policy Given a renewal policy PP, construct an edit , construct an edit
automaton automaton XX that uses this technique that uses this technique– In all cases, In all cases, XX correctly enforces correctly enforces PP
If input If input ss has finite length, has finite length, XX outputs longest valid prefix outputs longest valid prefix of of ss
Else if Else if PP((ss), ), XX outputs the longest valid (finite) prefix of outputs the longest valid (finite) prefix of ss Else if Else if PP((ss), ), XX outputs every prefix of outputs every prefix of ss and only prefixes and only prefixes
of of ss
![Page 55: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/55.jpg)
12/03/0712/03/07 5555/51/51
Polymer ToolsPolymer Tools
Policy compilerPolicy compiler – Converts centralized monitor policies written in Converts centralized monitor policies written in
the Polymer language into Java source codethe Polymer language into Java source code– Then runs javac to compile the Java sourceThen runs javac to compile the Java source
Bytecode instrumenterBytecode instrumenter– Adds calls to the monitor to the core Java Adds calls to the monitor to the core Java
libraries and to the untrusted target applicationlibraries and to the untrusted target application
Total size = 30 core classes (approx. 2500 Total size = 30 core classes (approx. 2500 lines of Java) + JavaCC + Apache BCELlines of Java) + JavaCC + Apache BCEL
![Page 56: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/56.jpg)
12/03/0712/03/07 5656/51/51
Securing Targets in Securing Targets in PolymerPolymer
1.1. Create a listing of all security-relevant Create a listing of all security-relevant methods (methods (trigger actionstrigger actions))
2.2. Instrument trigger actions in core Java Instrument trigger actions in core Java librarieslibraries
3.3. Write and compile security policyWrite and compile security policy
4.4. Run target using instrumented Run target using instrumented libraries, libraries, instrumenting target classes as they instrumenting target classes as they loadload
![Page 57: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/57.jpg)
12/03/0712/03/07 5757/51/51
Securing Targets in Securing Targets in PolymerPolymer
Target Libraries… …
Original application
Instrumented target
Instrumentedlibraries
Compiled policy
… …
Secured application
![Page 58: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/58.jpg)
12/03/0712/03/07 5858/51/51
(Unoptimized) Polymer (Unoptimized) Polymer PerformancePerformance
Instrument all Java core libraries = Instrument all Java core libraries = 107s = 3.7 ms per method107s = 3.7 ms per method
Typical class loading time = 12 ms Typical class loading time = 12 ms (vs. 6 ms with default class loader) (vs. 6 ms with default class loader)
Monitored method call = 0.6 ms Monitored method call = 0.6 ms overheadoverhead
Policy code’s performance typically Policy code’s performance typically dominates costdominates cost
![Page 59: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/59.jpg)
12/03/0712/03/07 5959/51/51
““Transforms” DefinitionTransforms” Definition
Definition: Definition: Automaton X = ( Q,qAutomaton X = ( Q,q00,t ) ,t ) transformstransforms input s input sAA∞∞ into output u into output uAA∞∞ iff iff
1. 1. q’q’Q Q s’s’AA∞∞ u’u’AA* :* : if (qif (q00,s) ,s) XX u’u’ (q’,s’) then u’ ≤ u (q’,s’) then u’ ≤ u
(On input (On input ss, , XX outputs outputs onlyonly prefixes of prefixes of u)u)
2. 2. u’≤uu’≤uq’q’QQ s’s’AA∞∞ : : (q (q00,s) ,s) XX u’u’ (q’,s’) (q’,s’)(On input (On input ss, , XX outputs outputs everyevery prefix of prefix of uu))
((qq00,,ss) ) X X uu
![Page 60: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/60.jpg)
12/03/0712/03/07 6060/51/51
Edit Automata Edit Automata EnforcementEnforcement
Edit automata enforce Edit automata enforce exactlyexactly the set of the set of reasonable renewal policies, except for a reasonable renewal policies, except for a corner case that allows some valid infinite corner case that allows some valid infinite executions to have finitely many valid executions to have finitely many valid prefixesprefixes
ExampleExample– PP((ss) iff ) iff ss==aa11;;aa11;;aa11;…;…
– PP is not a renewal policy is not a renewal policy– Monitor enforces Monitor enforces PP by always entering an by always entering an
infinite loop to insert infinite loop to insert aa11;;aa11;;aa11;…;…
![Page 61: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/61.jpg)
12/03/0712/03/07 6161/51/51
Edit Automata Edit Automata EnforcementEnforcement
Enforcing an “almost renewal” policy Enforcing an “almost renewal” policy requires automaton having input requires automaton having input sequence sequence ss’ to decide:’ to decide:– only one extension only one extension ss of of ss’ is valid’ is valid– ss has infinite length has infinite length– how to compute the actions in how to compute the actions in ss
Aside from this situation, edit Aside from this situation, edit automata enforce automata enforce exactlyexactly the set of the set of renewal policiesrenewal policies
![Page 62: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/62.jpg)
12/03/0712/03/07 6262/51/51
Precedence CombinatorsPrecedence Combinators
Give one subpolicy precedence over Give one subpolicy precedence over anotheranother
DominatesDominates: Obey first subpolicy if it : Obey first subpolicy if it considers the action relevant; considers the action relevant; otherwise obey whatever second otherwise obey whatever second subpolicy suggestssubpolicy suggests
TryWithTryWith: Obey first subpolicy if and : Obey first subpolicy if and only if it returns an Irrelevant, OK, or only if it returns an Irrelevant, OK, or Insertion suggestionInsertion suggestion
![Page 63: 12/03/071/51 Monitoring Software to Enforce Run-time Policies Jay Ligatti, University of South Florida](https://reader036.vdocuments.site/reader036/viewer/2022062421/56649dac5503460f94a9c611/html5/thumbnails/63.jpg)
12/03/0712/03/07 6363/51/51
Decomposing the Example Decomposing the Example into Safety and Livenessinto Safety and Liveness
ATM must log before and after dispensing cashATM must log before and after dispensing cashand may only log before and after dispensing cash:and may only log before and after dispensing cash:Valid executions = (logBegin(n); dispense(n); logEnd(n))Valid executions = (logBegin(n); dispense(n); logEnd(n))∞∞
PPSS((ss) ) ss matches one of: matches one of:– (logBegin(n);dispense(n);logEnd(n))*;logBegin(n)(logBegin(n);dispense(n);logEnd(n))*;logBegin(n)– (logBegin(n);dispense(n);logEnd(n))*;logBegin(n);dispense((logBegin(n);dispense(n);logEnd(n))*;logBegin(n);dispense(
n)n)
– (logBegin(n);dispense(n);logEnd(n))(logBegin(n);dispense(n);logEnd(n))∞∞
PPLL((ss) ) ss≠≠ss’;logBegin(n) and ’;logBegin(n) and ss≠≠ss’logBegin(n);dispense(n)’logBegin(n);dispense(n)