Generating InLine Monitors For Rabin Automata


Hugues Chabot, Raphael Khoury, and Nadia Tawbi
Laval University, Department of Computer Science and Software Engineering, Pavillon Adrien-Pouliot, 1065, avenue de la Medecine, Quebec City, Canada

Abstract. A promising solution to the problem of securing potentially malicious mobile code lies in the use of program monitors. Such monitors can be inlined into an untrusted program to produce an instrumented code that provably satisfies the security policy. It is well known that enforcement mechanisms based on Schneider's security automata only enforce safety properties [1]. Yet subsequent studies show that a wider range of properties than those implemented so far could be enforced using monitors. In this paper, we present an approach to produce a model of an instrumented program from a security requirement represented by a Rabin automaton and a model of the program. Based on an a priori knowledge of the program behavior, this approach allows to enforce, in some cases, more than safety properties. We provide a theorem stating that a truncation enforcement mechanism considering only the set of possible executions of a specific program is strictly more powerful than a mechanism considering all the executions over an alphabet of actions.

Key words: Computer Security, Dynamic Analysis, Monitoring Software Safety

1 Introduction

Execution monitoring is an approach to code safety that seeks to allow an untrusted code to run safely by observing its execution and reacting if need be to prevent a potential violation of a user-supplied security policy. This method has many promising applications, particularly with respect to the safe use of mobile code. Academic research on monitoring has generally focused on two questions. The first relates to the set of policies that can be enforced by monitors and the conditions under which this set could be extended. The second question deals with the way to inline a monitor into an untrusted or potentially malicious program in order to produce a new instrumented program that provably respects the desired security policy.

While studies on security policy enforcement mechanisms show that an a priori knowledge of the target program's behavior would increase the power of these mechanisms [2, 3], no further investigations have been pursued in order to take full advantage of this idea in the context of runtime monitoring. In this paper, we present an approach to generate a safe instrumented program, from a security policy and an untrusted program in which the monitor draws on an a priori knowledge of the program's possible behavior. The policy is stated as a deterministic Rabin automaton, a model which can recognize the same class of languages as non deterministic Büchi automata [4].
In our framework a program execution may be of infinite length representing the executions of programs such as daemons or servers. Finite executions are made infinite by attaching at their end an infinite repetition of a void action. The use of Rabin automaton is motivated by the need for determinism in order to simplify our method and the associated proofs.

Our approach draws on advances in discrete events system control by [5] and on related subsequent research by Langar and Mejri [6] and consists in combining two models via the automata product operator: a model representing the system's behavior and another one representing the property to be enforced. In our approach, the model representing the system's behavior is represented by a LTS and the property to be enforced is stated as a Rabin automaton. The LTS representing the program could be built directly from the control flow graph after a control flow analysis [7, 8].

To sum up, our approach either returns an instrumented program, modeled as a labeled transition system, which provably respects the input security policy or terminates with an error message. While the latter case sometimes occurs, it is important to stress that this will never occur if the desired property is a safety property which can be enforced using existing approaches. Our approach is thus strictly more expressive.

The rest of this paper is organized as follows. Section 2 presents a review of related work. In Section 3, we define some concepts that are used throughout the paper. The elaborated method is presented in Section 4. In Section 5, we discuss the theoretical underpinnings of our method. Some concluding remarks are finally drawn in Section 6 together with an outline of possible future work.

2 Related Work

Schneider, in his seminal work [1], was the first to investigate the question of which security policies could be enforced by monitors. He focused on specific classes of monitors, which observe the execution of a target program with no knowledge of its possible future behavior and with no ability to affect it, except by aborting the execution.
Under these conditions, he found that a monitor could enforce the precise security policies that are identified in the literature as safety properties, and are informally characterized by prohibiting a certain bad thing from occurring in a given execution. These properties can be modeled by a security automaton and their representation has formed the basis of several practical as well as theoretical monitoring frameworks.

Schneider's study also suggested that the set of properties enforceable by monitors could be extended under certain conditions. Building on this insight, Ligatti, Bauer and Walker [3, 9] examined the way the set of policies enforceable by monitors would be extended if the monitor had some knowledge of its target's possible behavior or if its ability to alter that behavior were increased. The authors modified the above definition of a monitor along three axes, namely (1) the means on which the monitor relies in order to respond to a possible violation of the security policy; (2) whether the monitor has access to information about the program's possible behavior; (3) and how strictly the monitor is required to enforce the security policy. Consequently, they were able to provide a rich taxonomy of classes of security policies, associated with the appropriate
model needed to enforce them. Several of these models are strictly more powerful than the security automata developed by Schneider and are used in practice.

Evolving along this line of inquiry, Ligatti et al. [10] gave a more precise definition of the set of properties enforceable by the most powerful monitors, while Fong [11] and Talhi et al. [12] expounded on the capabilities of monitors operating under memory constraints. Hamlen et al. [2], on the other hand showed that inlined monitors, (whose operation is injected into the target program's code, rather than working in parallel), can also enforce more properties than those modeled by a security automaton. In [13], a method is given to enforce both safety and cosafety properties by monitoring.

The first practical application using this framework was developed by Erlingsson and Schneider in [14]. In that project, a security automaton is merged into object code, and static analysis is used to reduce the runtime overhead incurred by the policy enforcement. Similar approaches, working on source code, were developed by Colcombet and Fradet [15], by Langar and Mejri [6] and by Kim et al. [16-19]. All these methods are limited to enforcing safety properties, which must be included either as a security automaton, or stated in a custom logic developed for this application. The first two focus on optimizing the instrumentation introduced in the code.

3 Preliminaries

Before moving on, let us briefly start with some preliminary definitions. We express the desired security property as a Rabin automaton. A Rabin automaton R, over alphabet A is a tuple (Q, q_0, δ, C) such that
- A is a finite or countably infinite set of symbols;
- Q is a finite set of states;
- q_0 Q is the initial state;
- δ Q A Q is a transition function;
- C = {(L_j, U_j) j J} is the acceptance set. It is a set of couples (L_j, U_j) where L_j Q and U_j Q for all j J and J N.

Let R stand for a Rabin automaton defined over alphabet A. A subset Q Q is admissible if and only if there exists a j J such that Q L_j = and Q U_j.

For the sake of simplicity, we refer to the elements defining an automaton or a model following a formalism: the set of states Q of automaton R is referred to as R.Q and we leave it as Q when it is clear in the context.

A path π, is a finite (respectively infinite) sequence of states q_1, q_2, ..., q_n (respectively q_1, q_2, ...) such that there exists a finite (respectively infinite) sequence of symbols a_1, a_2, ..., a_n (respectively a_1, a_2, ...) called the label of π such that δ(q_i, a_i) = q_{i+1} for all i {0, ..., n} (respectively i 0). In fact, a path is a sequence of states consisting of a possible run of the automaton, and the label of this path is the input sequence that generates this run. A path is said to be empty if its label is the empty sequence ε. We denote by set(π) the set of states visited by the path π. The first state of π is called the origin of π. If π is finite, the last state it visits is called its end; otherwise, if it is infinite, we write inf(π) for the set of states that are visited infinitely often in π. A
path π is initial if and only if its origin is q_0, the initial state of the automaton, and it is final if and only if it is infinite and inf(π) is admissible. A path is successful if and only if it is both initial and final.

The property of successfulness of a path determines, in fact, the acceptance condition of Rabin automata. A sequence is accepted by a Rabin automaton iff it is the label of a successful path. The set of all accepted sequences of R is the language recognized by R, noted L_R.

Let q Q be a state of R. We say that q is accessible iff there exists an initial path (possibly the empty path) that visits q. We say that q is coaccessible iff it is the origin of a final path.

Executions are modeled as sequences of atomic actions taken from a finite or countably infinite set of actions A. The empty sequence is noted ε, the set of all finite length sequences is noted A, that of all infinite length sequences is noted A^ω, and the set of all possible sequences is noted A = A^ω A. Let τ A and σ A be two sequences of actions. We write τ; σ for the concatenation of τ and σ. We say that τ is a prefix of σ noted τ σ iff τ A and there exists a sequence σ such that τ; σ = σ.

Let a A be an action symbol. A state q Q is an a-successor of q if δ(q, a) = q. Conversely, a state q is a successor of q if there exists a symbol a such that δ(q, a) = q.

Let π = q_1, q_2, ..., q_n be a finite path in R. This path is a cycle if q_1 = q_n. The cycle π is admissible iff set(π) is admissible. It is accessible iff there is a state q in set(π) such that q is accessible, and likewise, it is coaccessible iff there is a state q in set(π) such that q is coaccessible.

[Fig. 1. A Rabin Automaton with acceptance Condition C = {({3}, {4}), (, {5})}]

[Fig. 2. Example Labeled transition system]

Let us consider Figure 1. It represents a Rabin automaton. In this figure, all the states are accessible and coaccessible. The paths 3, 4, 3, 4, 3, 3, 4, 3 and 2, 2 are inadmissible cycles, while 5, 5 is an admissible cycle and both infinite paths 1, 2, 3, 4, 5, 5, ... and 1, 2, 3, 4, 3, 4, 4, ...
are initial and final and therefore both are successful.

Finally a security property P̂ is a predicate on executions. An execution σ is said to be valid or to respect the property if P̂(σ). A Rabin automaton R represents a security policy P̂ iff L_R = {σ P̂(σ)}, the set of executions that satisfy the security policy. Abusing the notation, we extend the application of P̂ to a set of sequences, thus if Σ is a set of sequences P̂(Σ) means that all the sequences of Σ satisfy P̂.

4 Method

In this section we explain our approach in more detail and illustrate its operation with an example. The main algorithm takes as input a Rabin automaton R, which represents a security policy P̂ and a labeled transition system (LTS) M, which models a program. The algorithm either returns a model of an instrumented program that enforces P̂ on M or returns an error message. The latter case occurs when it is not possible to produce an instrumented program that both enforces the desired security property and generates all valid sequences of M.

Following [20, 2, 9], we consider that an enforcement mechanism successfully enforces the property if the two following conditions are satisfied. First, the enforcement mechanism must be transparent; meaning that all possible program executions that respect the property must be emitted, i.e. the enforcement mechanism cannot prevent the execution of a sequence satisfying the property. Second, the enforcement mechanism must be sound, meaning that it must ensure that all observable output respects the property. We revisit and expand these ideas in Sections 4.3 and 5. We illustrate each step of our approach using an example program and a security policy.

4.1 Property Encoding

As mentioned earlier, the desired security property is stated as a Rabin automaton. The security property P̂ to which we seek to conform the target program is modeled by the Rabin automaton in Figure 1, over the alphabet A {end} with A = {a, b}. The symbol end is a special token added to A to capture the end of a finite sequence, since the Rabin automaton only accepts infinite length sequences. The finite sequence σ is thus modeled as σ; (end)^ω.
The language accepted by this automaton is the set of executions that contain only a finite nonempty number of actions and such that finite executions end with action. For the sake of simplicity, if a sequence σ = τ; (end)^ω with τ A is such that P̂(σ) we say that P̂(τ).

4.2 Program Abstraction

The program is abstracted as a labeled transition system (LTS). This is a conservative abstraction, widely used in model checking and static analysis, in which a program is abstracted as a graph, whose nodes represent program points, and whose edges are labeled with instructions (or abstractions of instructions, or actions). Formally, a LTS M, over alphabet A is a deterministic graph (Q, q_0, δ) such that:
- A is a finite or countably infinite set of actions;
- Q is a finite set of states;
- q_0 is the initial state;
- δ : Q A Q is a transition function. For each q Q, there must be at least one a A for which δ(q, a) is defined.

Here also a finite sequence σ is extended with the suffix (end)^ω yielding the infinite sequence σ; (end)^ω.

In general, static analysis tools do not always generate deterministic LTSs. Yet, this restriction can be imposed with no loss of generality. Indeed, a nondeterministic LTS M over alphabet A can be represented by an equivalent deterministic LTS M over alphabet A N, which is equivalent to M if we ignore the numbers i N associated with the actions. Each occurrence of an action is associated with a unique index in N so as to distinguish it from other occurrences of the same action. In what follows, we can thus consider only deterministic LTSs. Furthermore, we focus exclusively on infinite length executions.

The example program that we use to illustrate our approach is modeled by the LTS in Figure 2, over the alphabet A. The issue consisting of how to abstract a program into a LTS is beyond the scope of this paper.

As with the Rabin Automata, we define a path π as a finite or infinite sequence of states q_1, q_2, ... such that there exists a corresponding sequence of actions (a_1, a_2 ...) called the label of π, for which the δ(q_i, a_i) = q_{i+1}. The set of all labels of infinite paths starting in q_0 is the language generated or emitted by M and is noted L_M.

4.3 Algorithm

The algorithm's input consists of the program model M and a Rabin automaton R which encodes the property. The output is a truncation automaton T representing a model of an inlined monitored program acting exactly identically to the input program for all the executions satisfying the property and halting a bad execution after producing a valid prefix of this execution.

A high level description of the algorithm is as follows:
1. Build a product automaton R^P whose recognized language is exactly: L_{R^P} = L_R L_M.
2. Build R^T from R^P by the application of a transformation allowing it to accept partial executions of the program modeled by M that satisfy the property P̂.
3. Check if R^T could be used as a truncation automaton and produce a LTS T modeling the program instrumented by a truncation mechanism otherwise produce error.

The following sections give more details on each step.

Automata Product

The first phase of the transformation is to construct R^P, a Rabin automaton that accepts the intersection of the language accepted by the automaton R and the language emitted by M. This is exactly the product of these two automata. Thus
R^P accepts the set of executions that both respect the property and represent executions of the target program.

Given a property automaton R = (R.Q, R.q_0, R.δ, R.C) and a Labeled Transition system M = (M.Q, M.q_0, M.δ) the automaton R^P is constructed as follows:

R^P.Q = R.Q M.Q
R^P.q_0 = (R.q_0, M.q_0)
q R.Q, q M.Q, a (A {end}): R^P.δ((q, q), a) = (R.δ(q, a), M.δ(q, a)) if R.δ(q, a) and M.δ(q, a) are defined, undefined otherwise
R^P.C = (L,U) R.C {(L M.Q, U M.Q)}

The automaton built for our example using the property in Figure 1 and the program model presented in Figure 2 is given in Figure 3.

[Fig. 3. Example Rabin automaton R^P, with C = {({(3, 2), (3, 3), (3, 5), (3, 7)}, {(4, 2), (4, 5), (4, 6)})}]

[Fig. 4. Transformed Product Automaton, with C = {({(3, 2), (3, 3), (3, 5), (3, 7)}, {(4, 2), (4, 5), (4, 6)}), (, {h})}]

Since R^P accepts the intersection of the languages accepted by the automaton R and M, it would seem an ideal abstraction from which to build the instrumented program. However, there is no known way to transform such an automaton into a program. Indeed, since the acceptance condition of the Rabin automaton is built around the notion of infinite traces reaching some states infinitely often, a dynamic monitoring system built from such an automaton with no help provided by a prior static analysis, may never be able to determine if a given execution is valid or not.

Instead, we extract a deterministic automaton, T = (T.Q, T.q_0, T.δ), from the Rabin automaton R^P. This automaton is the labeled transition system which is returned. It forms in turn the basis of the instrumented program we seek to construct. The instrumented program is expected to work as a program monitored by a truncation automaton meaning that its model T has to satisfy the following conditions: (1) T emits each execution of M satisfying the security property without any modification, (2) for each execution that does not satisfy the property, T safely halts it after producing a valid partial execution, and (3) T does not emit anything else apart from those executions described in (1) and (2).

The next step toward this goal is to apply a transformation that allows R^P to accept partial executions of M which satisfy the property. Indeed, all finite initial paths in R^P represent partial executions of M, only some of them satisfy the security property. We add a transition, labeled halt, to a new state h to every state in R^P where the execution could be aborted after producing a partial execution satisfying the property, i.e. a state (q_1, q_2) for which R.δ(q_1, end) is defined. The state h is made admissible by adding the transition (h, halt, h) to the set of transitions and the pair (, {h}) to the acceptance set. We have to be careful in choosing h and halt such that h R.Q M.Q and halt A the alphabet of actions. We refer to this updated version of R^P as R^T, built from R^P as follows:

R^T.Q = R^P.Q {h}
R^T.q_0 = R^P.q_0
R^T.δ = R^P.δ {(q, halt, h) R^P.δ(q, end) is defined} {(h, halt, h)}
R^T.C = R^P.C {(, {h})}

After this transformation our example product automaton becomes the automaton depicted in Figure 4. The halt state h has been duplicated three times in order to avoid cross edging. The language recognized by R^T is

L_{R^T} = (L_R L_M) {τ; (halt)^ω (τ A) ( σ L_M : τ σ) (τ; (end)^ω L_R)}.

Extracting a Model of the Instrumented Program

The next phase consists in extracting, if possible, a labeled transition system T = (Q, q_0, δ), from the Rabin automaton R^T.
This automaton is expected to behave as the original program monitored by a truncation automaton. To understand the need for this step, first note that the acceptance condition of a Rabin automaton could not be checked dynamically due to its infinite nature. Should we build an instrumented program directly from R^T, by ignoring its acceptance condition, and treating it like a simple LTS, the resulting program would still generate all traces of M that verify the property P̂ but it would also generate the invalid sequences of M representing labels of infinite paths in R^T trapped in non admissible cycles. In other words, the enforcement of the property would be transparent but not sound.

In order to generate T, we prune R^T of some of its states and transitions, eliminating inadmissible cycles while taking care to preserve the ability to generate all the valid
sequences of L_M. Furthermore, we need to ascertain that T aborts the execution of every sequence of L_M not satisfying P̂ and that T generates only executions satisfying P̂.

We can now restate the correctness requirements of our approach. In the formulation of these requirements, the actions end and halt are ignored, as they merely model the end of a finite sequence.

( σ L_M : ( τ L_T : ((τ = σ) (τ σ)) P̂(τ) ( P̂(σ) = (τ = σ))))   (4.1)

τ L_T : (( σ L_M : ((τ = σ) (τ σ))) P̂(τ)   (4.2)

Note that the requirements 4.1 and 4.2 are not only sufficient to ensure the respect of soundness and transparency requirements introduced at the beginning of Section 4 following [20, 2, 9], but also that of a more restrictive requirement. Indeed, requirement 4.1 also states that the mechanism is a truncation mechanism. It ensures the compliance to the security property by aborting the execution before a security violation occurs whenever this is needed. We can thus prove that for any invalid sequence present in the original model, the instrumented program outputs a valid prefix of that sequence.

Our enforcement mechanism is not allowed to generate sequences that are not related to sequences in L_M either by equality or prefix relation. Furthermore these sequences must satisfy P̂. This is stated in requirement 4.2.

Requirements 4.1 and 4.2 give the guidelines for constructing T from R^T. The transformations that are performed on R^T to ensure meeting these requirements are elaborated around the following intuition. The automaton R^T has to be pruned so as to ensure that it represents a safety property even though R is not. Note that this is not possible in the general case without violating the requirements.

The idea is that admissible cycles are visited infinitely often by executions satisfying P̂ and must thus be included in T. Likewise, any other state or transition that can reach an admissible cycle may be part of such an execution and must be included.
On the other hand, inadmissible cycles cannot be included in T as the property is violated by any trace that goes through such a cycle infinitely often. In some cases their elimination cannot occur without the loss of transparency and our approach fails, returning error.

The underlying idea of the subsequent manipulation is thus to check whether we can trim R^T by removing bad cycles but without also removing the states and transitions required to ensure transparency. The following steps show how we perform the trim procedure.

The next step is to determine the strongly connected components (scc) in the graph representing R^T using Tarjan's algorithm [21]. We then examine each scc and mark it as containing either only admissible cycles, only inadmissible cycles, both types of cycles, or no cycles (in the trivial case). To perform this last operation, we have developed heuristics based on the notion that graphs which model programs are structured. A discussion of these heuristics is however beyond the scope of this paper.

The next step is to construct the quotient graph of R^T in which each node represents a scc and an edge connecting two scc c_1 and c_2 indicates that there exists a state q_1 in scc c_1 and a state q_2 in scc c_2 and an action a such that R^T.δ(q_1, a) = q_2. We assume, without loss of generality, that all the scc states are accessible from the initial node, the scc containing q_0.
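
The steps described so far, as an added example (not the authors' code): it builds R^P, adds the halt state to obtain R^T, finds the SCCs with Tarjan's algorithm and marks each one. The automaton R, the LTS M and every function name are constructed for illustration, and because the paper leaves its marking heuristics out of scope, the marking here is done with a standard refinement over the Rabin pairs instead.

```python
HALT, H = "halt", "h"  # fresh action and state, outside A and R.Q x M.Q

def product(R, M, alphabet):
    """R^P: a move exists only where both R.delta and M.delta define it."""
    q0 = (R["q0"], M["q0"])
    states, todo, delta = {q0}, [q0], {}
    while todo:  # explore only the accessible part of R.Q x M.Q
        q, m = todo.pop()
        for a in alphabet:
            if (q, a) in R["delta"] and (m, a) in M["delta"]:
                dst = (R["delta"][q, a], M["delta"][m, a])
                delta[(q, m), a] = dst
                if dst not in states:
                    states.add(dst)
                    todo.append(dst)
    # Each pair (L, U) of R.C becomes (L x M.Q, U x M.Q) on accessible states.
    C = [({s for s in states if s[0] in L}, {s for s in states if s[0] in U})
         for L, U in R["C"]]
    return {"Q": states, "q0": q0, "delta": delta, "C": C}

def add_halt(RP, R):
    """R^T: halt edge to h from each (q1, q2) where R.delta(q1, end) is defined."""
    delta = dict(RP["delta"])
    for s in RP["Q"]:
        if (s[0], "end") in R["delta"]:
            delta[s, HALT] = H
    delta[H, HALT] = H  # self-loop that makes h admissible
    return {"Q": RP["Q"] | {H}, "q0": RP["q0"], "delta": delta,
            "C": RP["C"] + [(set(), {H})]}

def sccs(nodes, delta):
    """Tarjan's algorithm on the subgraph induced by nodes: [(scc, has_cycle)]."""
    succ = {n: set() for n in nodes}
    for (src, _action), dst in delta.items():
        if src in succ and dst in succ:
            succ[src].add(dst)
    index, low, stack, out = {}, {}, [], []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        for w in succ[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:  # v is the root of an SCC
            comp = frozenset(stack[stack.index(v):])
            del stack[stack.index(v):]
            out.append((comp, len(comp) > 1 or v in succ[v]))
    for n in nodes:
        if n not in index:
            visit(n)
    return out

def has_admissible_cycle(comp, delta, C):
    """Some cycle in comp avoids L_j and meets U_j for at least one pair j."""
    return any(cyclic and sub & U
               for L, U in C for sub, cyclic in sccs(comp - L, delta))

def has_inadmissible_cycle(comp, delta, C):
    """Some cycle in comp is admissible for no pair; comp is a cyclic SCC."""
    for L, U in C:
        if not comp & L and comp & U:
            # Any cycle of comp that touches U is admissible: search outside U.
            return any(cyclic and has_inadmissible_cycle(sub, delta, C)
                       for sub, cyclic in sccs(comp - U, delta))
    return True  # the cycle through all of comp satisfies no pair

def classify(RT):
    """Mark each SCC of R^T: no cycle, admissible only, inadmissible only, both."""
    marks = {}
    for comp, cyclic in sccs(RT["Q"], RT["delta"]):
        good = cyclic and has_admissible_cycle(comp, RT["delta"], RT["C"])
        bad = cyclic and has_inadmissible_cycle(comp, RT["delta"], RT["C"])
        marks[comp] = ("both" if good and bad else "admissible only" if good
                       else "inadmissible only" if bad else "no cycle")
    return marks

# Constructed property (not the paper's Figure 1): finitely many a's, and a
# finite execution may only end right after a b.
R = {"q0": "q0", "C": [({"qa"}, {"qb"}), (set(), {"qe"})],
     "delta": {("q0", "a"): "qa", ("q0", "b"): "qb", ("qa", "a"): "qa",
               ("qa", "b"): "qb", ("qb", "a"): "qa", ("qb", "b"): "qb",
               ("qb", "end"): "qe", ("qe", "end"): "qe"}}
# Constructed program model (not the paper's Figure 2).
M = {"q0": "m0",
     "delta": {("m0", "a"): "m1", ("m0", "b"): "m2", ("m1", "b"): "m1",
               ("m1", "end"): "m3", ("m3", "end"): "m3", ("m2", "a"): "m2",
               ("m2", "b"): "m4", ("m4", "a"): "m4", ("m4", "b"): "m4"}}

RP = product(R, M, ["a", "b", "end"])
RT = add_halt(RP, R)
MARKS = classify(RT)

if __name__ == "__main__":
    for comp, mark in MARKS.items():
        print(sorted(map(str, comp)), "->", mark)
```

Running the block prints one line per SCC of the constructed R^T, including one SCC of each kind the marking step distinguishes.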

The nodes of the quotient graph R^T are then visited in reverse topological ordering. We determine for each one whether it should be kept intact, altered or removed. In what follows the scc containing the halting state h is referred to as H.

- A scc with no cycle at all is removed with its incident edges if it cannot reach another scc. In Figure 4 the scc consisting of the state (3, 3) would thus be eliminated.
- A scc containing only admissible cycles should be kept, since all the executions reaching it satisfy P̂. Eliminating it would prevent the enforcement mechanism from being transparent. In our example in Figure 4 the scc consisting of the single state (4, 2) has only admissible cycles and should be kept.
- A scc containing only non admissible cycles can be removed if it cannot reach another scc with only admissible cycles. Otherwise, we are generally forced to return error. However, in some cases, we can either break the inadmissible cycles or prevent them from reaching H by removing some transitions and keeping the remainder of the scc. This occurs when the only successor, having admissible cycles, of this scc is H. In our example, the scc containing the states (3, 7) and (4, 6) has only non admissible cycles and H is its only successor. We can eliminate this scc and halt with error at this point. Yet, if we observe that eliminating the transition ((4, 6),, (3, 7)) would break the inadmissible cycle, we can eliminate that transition and keep the rest of the scc. A transition can only be removed if its origin has h as immediate successor. This is because, should the instrumented program attempt to perform the action that corresponds to this transition, its execution would be aborted. However, a partial execution only satisfies the property if it ends in a state that has h as an immediate successor.
- A scc containing admissible and non admissible cycles may cause good or bad behavior. Actually, an execution reaching this scc may be trapped in an inadmissible cycle for ever or may leave it to reach an admissible cycle thus satisfying the property P̂.
We have no means to dynamically check whether the execution is going to leave a cycle or not. Thus, in this case we must abort with error. In the example given in Figure 4 the scc consisting of the two states (3, 5) and (4, 5) has one admissible cycle, (4, 5), (4, 5) and one inadmissible cycle (3, 5), (4, 5), (3, 5). This last cycle is visited if the invalid sequence ()^ω is being generated. Note that the automaton accepts an infinite number of valid traces of the form ()^ω, and that no truncation automaton can both accept these traces and reject the invalid trace described above. Hence we have to abort the algorithm with error in such cases.

After removing all the scc with inadmissible cycles and provided we have not aborted, we can be sure that an instrumented program built from T would not contain any infinite length execution which does not respect the security property. We must still verify that whenever the execution is halted, the partial sequence emitted satisfies P̂.

The last step is to check whether the eliminated states and transitions could not allow invalid partial executions to be emitted. This verification is based on the following observation: if a removed transition has an origin state that is not an immediate predecessor of h this would then allow to emit a partial execution that does not satisfy P̂. Hence, the verification merely consists in checking whether we have removed transitions from states that are not immediate predecessors of h; if such is the case we have to abort with error. More precisely, for a state q = (q_1, q_2) in T we have to check
whether it is possible from q_2 in M to perform actions that are not possible from q; if this is the case, q must have h as immediate successor; otherwise, we have no other option than to terminate the algorithm without returning a suitable LTS and with an error message. We may also remove the transitions of the form (h, halt, h) and (q, end, q), where q R^T.Q.

5 Mechanism's Enforcement Power

In this section, we show that nonuniform enforcement mechanisms, which occur when the set of possible executions Σ is a subset of A^ω, are more powerful than uniform enforcers, i.e. those for which Σ = A^ω, in the sense that they are able to enforce a larger class of security properties. This demonstration will reveal that monitors that are tailored to specific programs may be able to enforce a wide set of properties and argues for the use of static analysis in conjunction with monitoring.

Let us begin with a more formal definition of the concepts we discussed in the previous sections, following the notations adopted in [3, 9].

We specify the enforcement mechanism behavior of a security automaton S by judgments of the form (q, σ) τ S (q, σ) where q is the current state of the automaton; σ is the attempted execution; q is the state the automaton reaches after one execution step; σ is the remaining execution trace to be performed; and τ is the execution trace consisting of one action at most that is emitted by the security automaton after one step.

The execution of the security automaton is generalized with the multistep judgments defined through reflexivity and transitivity rules as follows.

Definition 1 (Multistep semantics). Let S be a security automaton. The multistep relation (q, σ) = τ S (q, σ) is inductively defined as follows. For all q, q, q Q, σ, σ, σ A and τ, τ A we have

(q, σ) ε = S (q, σ)   (5.1)

if (q, σ) τ = S (q, σ) and (q, σ) τ S (q, σ) then (q, σ) τ;τ = S (q, σ)   (5.2)

We are now able to give the definition of what a security enforcement mechanism is.
Intuitively, we can think of security enforcement mechanisms as sequence transformers, automata that take a program's actions sequence as input, and output a new sequence of actions that respects the security property. This intuition is formalized as follows:

Definition 2 (Transformation). A security automaton S = (Q, q_0, δ) transforms an execution trace σ A into an execution τ A, noted (q_0, σ) S τ, if and only if

q Q, σ A, τ A : ((q_0, σ) τ = S (q, σ)) = τ τ   (5.3)

τ τ : q Q, σ A : (q_0, σ) τ = S (q, σ)   (5.4)

We have seen that a security enforcement mechanism must respect two properties namely soundness and transparency. The former requires that no invalid execution be permitted, while the latter states that all valid executions must be transformed into semantically equivalent executions. But for enforcement to be meaningful, the notion of equivalence must be constrained. Otherwise, one might argue, for instance, that the empty sequence ε is equivalent to every valid execution, and enforce any property by aborting every execution at its onset. Instead, we argue that two executions τ, σ A are equivalent if there exists a reflexive, symmetric and transitive, equivalence relation = s.t. τ = σ.

We can now state formally what it means for an enforcement mechanism to effectively enforce a security property.

Definition 3 (effective Σ = Enforcement). Let Σ A be a set of execution traces. A security automaton S = (Q, q_0, δ) enforces effectively = a security property P̂ for Σ if and only if for all input trace σ Σ there exists an output trace τ A such that

(q_0, σ) S τ   (5.5)

P̂(τ)   (5.6)

P̂(σ) = σ = τ   (5.7)

Informally, a security automaton enforces effectively = a property for Σ iff for each execution trace σ Σ, it outputs a trace τ such that τ is valid, with respect to the property, and if the input trace σ is itself valid then σ = τ.

Definition 4 (S Σ = enforceable). Let Σ A be a set of execution traces and S be a class of security automata. The class S Σ = enforceable is the set of security properties such that for each property in this set, there exists a security automaton S S that effectively = enforces this property for the traces in Σ.

Our approach is built around the idea, first suggested by Ligatti et al. in [3, 9], that the set of properties enforceable by a monitor could sometimes be extended if the monitor has some knowledge of the program's possible behavior and thus can rule out some executions as impossible. We can now state this idea more formally.

Theorem 1.
Let S be a class of security automata and let Σ, Σ A be two sets of execution traces Σ Σ then we have

S Σ = enforceable SΣ = enforceable   (5.8)

The proof is quite straightforward, and based upon the intuition that a security mechanism possessing a certain knowledge about its target may discard it, and then behave as an enforcement mechanism lacking this knowledge. The proof has been omitted for space consideration.

Corollary 1. Let S be a class of security automaton. For all execution trace set Σ A we have

S A = enforceable SΣ = enforceable   (5.9)

Corollary 1 indicates that any security property that is effectively = enforceable by a security automaton in a uniform context (Σ = A) is also enforceable in the nonuniform context (Σ A). It follows that our approach is at least as powerful as those previously suggested in the literature that we built around that last framework.

It would be interesting to prove that for all security automaton classes, S and for all equivalence relations =, we have S A = enforceable SΣ = enforceable. This is unfortunately not the case, as there exists at least one class of security automaton (ex. S = ), and one equivalence relation (ex. τ = σ τ, σ A) such that S A = enforceable = SΣ = enforceable for all set of traces Σ A.

However in our approach, we focus both on a specific class of security automata and on a specific equivalence relation. In our particular case, the set of policies enforceable in a nonuniform context is strictly greater than the one that is enforceable in the uniform context.

The monitors used in this paper are truncation automata, first described in [1]. These are monitors which, when presented with a potentially invalid sequence, have no option but to abort the execution.

Definition 5 (Truncation Automaton). A truncation automaton is a security automaton where δ : Q A Q {halt} and halt Q.

Furthermore, we use syntactic equivalence (=) as the equivalence relation between valid traces.

We can now state the central theorem of this paper, that the enforcement power of the truncation automaton is strictly greater in the nonuniform context than in the uniform context, when we consider =enforcement.

Theorem 2. For all set of traces Σ A we have

T A = enforceable TΣ = enforceable   (5.10)

The proof is based on the following observations. First, it has been shown in [1, 3] that a property is T A = enforceable iff it is a safety property. Second. Let P̂ be a security property, P̂ is trivially enforceable on Σ iff for every sequence σ Σ, P̂(σ).
The proof thus consists in showing that for any Σ A, a non-safety property can be stated, and trivially enforced. More specifically, this proof seeks to demonstrate for a sequence υ A s.t. υ ∉ Σ the non-safety security property P̂(σ) (σ υ) for all σ A is T Σ = enforceable. The proof has been omitted for space consideration.

6 Conclusion and Future Work

The main contribution of this paper is the elaboration of a method aiming at inlining a security enforcement mechanism in an untrusted program. The security property to be enforced is expressed by a Rabin automaton and the program is modeled by a LTS. The inlined monitoring mechanism is actually a truncation mechanism allowing valid executions to run normally while halting bad executions before they violate the property.

In our approach, the monitor's enforcement power is extended by giving it access to statically gathered information about the program's possible behavior. This allows us to enforce non-safety properties for some programs. Nevertheless, several cases still exist where our approach fails to find a suitable instrumented code. These are cases where an execution may alternate between satisfying the property or not and could halt in an invalid state, or cases where an invalid execution contains no valid prefixes where the execution could be aborted without also ruling out some valid executions.

Another contribution of this study is to provide a proof that a truncation mechanism that effectively enforces a security property under the equality as an equivalence relation is strictly more powerful in a nonuniform context than in a uniform one.

A more elaborate paradigm dealing with what constitutes a monitor could allow us to ensure the satisfaction of the security property in at least some cases where doing so is currently not feasible. For example, the monitor could suppress a subsequence of the program, and keep it under observation until it is satisfied that the program actually satisfies the property and output it all at once. Alternatively, the monitor may be allowed to insert some actions at the end of an invalid sequence in order to guarantee that the sequence is aborted in a valid state. Such monitors are suggested in [3]; their use would extend this approach to a more powerful framework.

Another question that remains open is to determine how often the algorithm will succeed in finding a suitable instrumented code when tested on real programs.
We are currently developing an implementation to investigate this question further and hope to gain insights as to which of the above suggested extensions would provide the greatest increase in the set of enforceable properties.

Finally, a distinctive aspect of the method under consideration is that unlike other code instrumentation methods, ours induces no added runtime overhead. However, the size of the instrumented program is increased in the order O(m n), where m is the size of the original program and n is the size of the property. The instrumentation algorithm itself runs in time O(p c), where p is the size of the automaton's acceptance condition and c is the number of cycles in the product automaton. In practice, graphs that abstract programs have a comparatively small number of cycles.

References

1. F. B. Schneider, Enforceable security policies, Information and System Security, vol. 3, no. 1.
2. K. W. Hamlen, G. Morrisett, and F. B. Schneider, Computability classes for enforcement mechanisms, ACM Transactions on Programming Languages and Systems (TOPLAS), vol. 28, no. 1.
3. L. Bauer, J. Ligatti, and D. Walker, More enforceable security policies, in proceedings of the Foundations of Computer Security Workshop, Copenhagen, Denmark, Jul.
4. D. Perrin and J.E. Pin, Infinite Words, ser. Pure and Applied Mathematics. Elsevier, 2004, vol. 141.
5. P. J. Ramadge and W. M. Wonham, The control of discrete event systems, IEEE Proceedings: Special issue on Discrete Event Systems, vol. 77, no. 1, Jan.
6. M. Langar and M. Mejri, Optimizing enforcement of security policies, in proceedings of the Foundations of Computer Security Workshop (FCS 05) affiliated with LICS 2005 (Logics in Computer Science), June-July.
7. A. V. Aho, R. Sethi, and J. D. Ullman, Compilers, Principles, Techniques, and Tools. Addison-Wesley.
8. D. Beyer, T. A. Henzinger, R. Jhala, and R. Majumdar, The software model checker BLAST: Applications to software engineering, International Journal on Software Tools for Technology Transfer (STTT), vol. 9, no. 5-6.
9. J. Ligatti, L. Bauer, and D. Walker, Edit automata: Enforcement mechanisms for runtime security policies, International Journal of Information Security.
10. J. Ligatti, L. Bauer, and D. Walker, Enforcing non-safety security policies with program monitors, in proceedings of the 10th European Symposium on Research in Computer Security (ESORICS), Milan, Sep.
11. P. Fong, Access control by tracking shallow execution history, in proceedings of the 2004 IEEE Symposium on Security and Privacy, Oakland, California, USA, May.
12. C. Talhi, N. Tawbi, and M. Debbabi, Execution monitoring enforcement under memory-limitations constraints, Information and Computation, vol. 206, no. 1.
13. A. Bauer, M. Leucker, and C. Schallhart, Monitoring of real-time properties, in FSTTCS 2006: Foundations of Software Technology and Theoretical Computer Science, ser. Lecture Notes in Computer Science, 2006.
14. U. Erlingsson and F. B. Schneider, SASI enforcement of security policies: A retrospective, in proceedings of the WNSP: New Security Paradigms Workshop. ACM Press.
15. T. Colcombet and P. Fradet, Enforcing trace properties by program transformation, in proceedings of the 27th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, Jan.
16. M. Kim, Information extraction for runtime formal analysis, Ph.D. dissertation, University of Pennsylvania.
17. M. Kim, M. Viswanathan, S. Kannan, I. Lee, and O. Sokolsky, Java-MaC: A runtime assurance approach for Java programs, Formal Methods in Systems Design, vol. 24, no. 2.
18. I. Lee, S. Kannan, M. Kim, O. Sokolsky, and M. Viswanathan, Runtime assurance based on formal specifications, in proceedings of the International Conference on Parallel and Distributed Processing Techniques and Applications.
19. O. Sokolsky, S. Kannan, M. Kim, I. Lee, and M. Viswanathan, Steering of real-time systems based on monitoring and checking, in proceedings of the Fifth International Workshop on Object-Oriented Real-Time Dependable Systems, WORDS 99. Washington, DC, USA: IEEE Computer Society, 1999.
20. U. Erlingsson, The inlined reference monitor approach to security policy enforcement, Ph.D. dissertation, Cornell University, Ithaca, NY, USA.
21. R. E. Tarjan, Depth-first search and linear graph algorithms, SIAM Journal on Computing, vol. 1, no. 2, 1972.
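Theorem 2 and the failure cases listed in the conclusion can be checked on a small finite model. The following Python sketch is an added example, not code from the paper: it decides whether a truncation monitor can enforce a policy, under syntactic equality, on a given set of traces, and builds the halt points when it can. Assumptions: finite traces and a bounded enumeration stand in for the paper's trace sets, and the policy `file_closed`, the trace sets and all function names are constructed for illustration.

```python
from itertools import product

def file_closed(trace):
    """Constructed non-safety policy: valid iff no file is left open at the end."""
    is_open = False
    for action in trace:
        if action == "open":
            is_open = True
        elif action == "close":
            is_open = False
    return not is_open

def prefixes(trace):
    """All prefixes of a trace, from the empty trace up to the trace itself."""
    return [trace[:i] for i in range(len(trace) + 1)]

def synthesize_truncation(policy, sigma):
    """Return the set of prefixes p+(a,) at which the monitor halts instead of
    executing a, or None when no truncation monitor enforces `policy` on
    `sigma` while leaving every valid trace of `sigma` unchanged."""
    valid = [t for t in sigma if policy(t)]
    # The monitor may never halt inside a prefix of a valid trace.
    must_allow = {p for t in valid for p in prefixes(t)}
    halt_before = set()
    for t in sigma:
        if policy(t):
            continue
        for i in range(len(t)):
            kept, step = t[:i], t[:i + 1]
            # Halt here only if the kept prefix is valid and no valid
            # execution of the program is ruled out by refusing this step.
            if step not in must_allow and policy(kept):
                halt_before.add(step)
                break
        else:
            return None  # invalid trace with no safe point to abort
    return halt_before

def run_monitor(halt_before, trace):
    """Truncation monitor: emit actions until a halt point is reached."""
    out = []
    for action in trace:
        if tuple(out) + (action,) in halt_before:
            break
        out.append(action)
    return tuple(out)

def all_traces(alphabet, max_len):
    """Bounded stand-in for the uniform context: every trace up to max_len."""
    return [t for n in range(max_len + 1) for t in product(alphabet, repeat=n)]

ALPHABET = ("open", "write", "close")

# Uniform context: nothing is known about the program.
UNIFORM = all_traces(ALPHABET, 3)

# Nonuniform context (constructed): the program's only possible executions.
PROGRAM = [
    ("open", "write", "close"),
    ("open", "write", "close", "open", "write"),
]

# Constructed failure case: the program may stop while the file is open,
# and that invalid trace is a prefix of a valid one.
PROGRAM_MAY_STOP = [
    ("open", "write", "close"),
    ("open", "write"),
]

if __name__ == "__main__":
    print("uniform:", synthesize_truncation(file_closed, UNIFORM))
    cuts = synthesize_truncation(file_closed, PROGRAM)
    print("nonuniform halt points:", cuts)
    for t in PROGRAM:
        print(t, "->", run_monitor(cuts, t))
    print("may stop:", synthesize_truncation(file_closed, PROGRAM_MAY_STOP))
```

The same policy is rejected over all traces and over `PROGRAM_MAY_STOP`, but accepted for `PROGRAM`, where the only invalid execution has a valid prefix that no valid execution extends through the refused action.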
More informationModel Checking for Software Architectures
Model Checking for Softwre Architectures position pper Rdu Mteescu INRIA RhôneAlpes / VASY 655, venue de l Europe F38330 Montbonnot Sint Mrtin http://www.inrilpes.fr/vsy 1 Outline Introduction Constructing
More information