Efficient Runtime Enforcement Techniques for Policy Weaving
Richard Joiner, Thomas Reps, Somesh Jha, Mohan Dhawan, and Vinod Ganapathy
Policy weaving is a program-transformation method
that rewrites a program so that it is guaranteed to be safe with respect
to a stateful security policy. It utilizes (i) static analysis
to identify points in the program at which policy violations might
occur, and (ii) runtime checks inserted at such points to monitor policy
state and prevent violations from occurring. The power and flexibility
of policy weaving arises from its ability to blend the best aspects of
the static and runtime components. Therefore, a successful instantiation
requires careful balance and coordination between the two.
In this paper, we examine the strategy of using a combination of
transaction-based introspection and callsite indirection
to implement
runtime enforcement in a policy-weaving system. In particular,
(Click here to access the paper:
PDF.)
We describe our implementation of transaction-based introspection and
callsite indirection for policy weaving, and report experimental results
that show the viability of the approach in the context of real-world
JavaScript programs running in a browser.