Sound and Complete Runtime Security Monitor for Application Software
We present a run-time security monitor that detects both known and unknown cyber attacks by checking that the run-time behavior of the application is consistent with the expected behavior modeled by an application specification. This is crucial because, even if the implementation is consistent with its specification, the application may still be vulnerable due to flaws in the supporting infrastructure. This run-time security monitor is sound and complete, eliminating false alarms, as well as efficient, so that it does not limit run-time application performance and so that it supports real-time systems. Importantly, this monitor is readily applicable to both legacy and new system platforms.The security monitor takes as input the application specification and the application implementation, which may be expressed in different languages. The security monitor detects attacks by systematically comparing the application execution and specification behaviors at run-time, even though they operate at two different levels of abstraction. We define the denotational semantics of the specification language and prove that the monitor is sound and complete, i.e. if the application is consistent with its specification, the security monitor will produce no false alarms (soundness) and that it will detect any deviation of the application from the behavior sanctioned by the specification language (completeness). Importantly, the application specification language enables the description of known or potential attack plans, enabling not only attack detection but attack characterization as well.