5,663 research outputs found

    Enforcing security policies with runtime monitors

    Monitoring is an approach to securing code that allows potentially malicious code to run by observing its execution and intervening when necessary to prevent a violation of a security policy. This method has several promising applications, particularly with regard to securing mobile code. Academic research on monitoring has generally focused on two questions. The first is to delimit the range of security policies that can be enforced by monitors operating under different constraints. The second is to build methods for inserting a monitor into a program, which produces a new instrumented program that respects the security policy enforced by that monitor. But although a wide range of monitors has been studied in the literature, work on inserting monitors into programs has been limited to one particular class of monitors, which are among the simplest and the most restricted in the range of policies they can enforce. This thesis extends the two avenues of research mentioned above and sheds new light on these questions. It first seeks to extend the range of policies enforceable by monitoring by developing a new approach to inserting a monitor into a program. By giving the monitor access to a model of the program's behaviour, the study shows that the monitor gains the ability to enforce a wider range of security policies. Moreover, research has also shown that a monitor capable of transforming the execution it observes is more powerful than a monitor that lacks this capability. Naturally, constraints must be imposed on this capability for the enforcement of the policy to be coherent. Otherwise, if no restriction is imposed on the monitor, any policy becomes enforceable, but not in a useful or desirable way. In this study, we propose two new paradigms for enforcing security policies that make it possible to incorporate reasonable restrictions on the ability of monitors to transform the executions under their control. We study the range of policies enforceable with these paradigms and give examples of real policies that can be enforced using our approach.

    Execution monitoring is an approach that seeks to allow untrusted code to run safely by observing its execution and reacting if need be to prevent a potential violation of a user-supplied security policy. This method has many promising applications, particularly with respect to the safe execution of mobile code. Academic research on monitoring has generally focused on two questions. The first relates to the set of policies that can be enforced by monitors under various constraints and the conditions under which this set can be extended. The second question deals with the way to inline a monitor into an untrusted or potentially malicious program in order to produce a new instrumented program that provably respects the desired security policy. This study builds on the two strands of research mentioned above and brings new insights to these questions. It seeks, in the first place, to increase the scope of monitorable properties by suggesting a new approach to monitor inlining. By drawing on an a priori model of the program’s possible behavior, we develop a monitor that can enforce a strictly larger set of security properties. Furthermore, longstanding research has shown that a monitor that is allowed to transform its input is more powerful than one lacking this ability. Naturally, this ability must be constrained for the enforcement to be meaningful. Otherwise, if the monitor is given too broad a leeway to transform valid and invalid sequences, any property can be enforced, but not in a way that is useful or desirable. In this study, we propose two new enforcement paradigms which capture reasonable restrictions on a monitor’s ability to alter its input. We study the set of properties enforceable if these enforcement paradigms are used and give examples of real-life security policies that can be enforced using our approach.

    Environmental taxes and policies for developing countries

    Increasing urbanization and industrialization can exacerbate pollution problems in developing countries. Tax revenues in developing countries are too low to support adequate infrastructure for treating and disposing of wastes, but the problem is also attributable to the classic problem of externalities in production and consumption. "Externalities" means that the costs of environmental degradation are not considered by the private decisionmakers undertaking the activities that cause the problems. Two types of policies are commonly considered to correct this market failure and improve the allocation of resources: command-and-control policies (such as emission and abatement standards) and market-based incentive policies (such as emissions charges, taxes on production and consumption, and marketable pollution quotas), which raise the price of such activities for the perpetrators. Market-based incentives theoretically reduce pollution at least cost and increase government revenues, but may require costly monitoring to be effective, and are usually implemented in an environment of imperfect information about the costs of abatement. Sometimes command-and-control policies make more economic sense in this environment. Efficiency gains from curbing pollution in developing countries may be large. Some polluting activities are subsidized, so curtailing them brings both fiscal and environmental benefits. Taxing polluting inputs and outputs is a particularly attractive policy in developing countries, which often lack experience in administering and enforcing other types of environmental regulation. Corrective taxes make use of existing administrative structures and increase tax revenues, which can be spent on public goods to improve environmental quality (including treatment facilities for water and sewage, waste disposal, and sanitation) or can be used to reduce other taxes (which are often highly distortionary in countries with a narrow tax base). Which goods and inputs to single out for corrective taxation depends on the main sources of pollution, which vary from country to country. Air pollution from vehicles is growing in many countries where increased fuel taxes, perhaps coupled with improved regulations for vehicle maintenance, may be desirable. Higher taxes on high-sulphur coal would curb both industrial and household emissions of sulphur dioxide. Charges can be implemented for fixed-site, easy-to-monitor industrial emissions. Subsidies to industries that cause pollution should be phased out and those industries should be subjected to higher-than-average tax rates.

    Water and Industry, Economic Theory & Research, Urban Services to the Poor, Environmental Economics & Policies

    Cost-aware Runtime Enforcement of Security Policies

    In runtime enforcement of security policies, the classic requirements on monitors in order to enforce a security policy are soundness and transparency. However, there are many monitors that successfully pass this specification but differ in the complexity of both their implementation and the output they produce. In order to distinguish and compare these monitors, we propose to associate cost with enforcement. We present a framework where the cost of enforcement of a trace is determined by the cost of the operations the monitor uses to edit the trace. We explore cost-based order relations on sound monitors. We investigate cost-optimality of monitors, which allows considering the most cost-efficient monitors that soundly enforce a property.

    International Rules, Food Safety and the Poor Developing Country Livestock Producer

    The present study is a part of the PPLPI effort to identify significant political and institutional factors and processes that currently hinder or prevent the poor in developing countries from taking greater advantage of opportunities to benefit from their livestock resources. The rapid development of international sanitary and phytosanitary standards has been identified as an important factor and further research is needed in this area. This study focuses on what can be done to make international rule-making friendlier to poor livestock producer interests. To identify strategic entry points for those wishing to make international rule-making friendlier to poor livestock producers, this study: (a) describes and analyzes the international environment that states and other actors face when seeking to influence international food safety rules; (b) discusses the roles played by states and other actors in creating and enforcing those rules; and (c) analyzes a series of cases involving international rule-making for livestock food products. Recommendations for making international rule-making friendlier to poor producers consider two perspectives: that of the producer and that of the national delegates participating in the international rule-making process. From the perspective of poor producers and their advocates, the primary route to influencing international rule-making is by influencing their own country's position in international organizations. However, developing country governments are not yet taking full advantage of the options for representing their own interests in international rule-making. Important activities they should engage in include: greater coordination at the national level among ministries and individuals responsible for developing policy positions in all international food safety organizations; improving the quality and quantity of delegations to international organizations; forming alliances with other similarly-situated countries on issues of particular concern; and lobbying for technical assistance to comply with international standards and with a goal of complying with private international standards as well. In general, the study concludes that developing countries can do much more to address the interests of their poor producers.

    Livestock Production/Industries

    Assembling an Experimentalist Regime: Transnational Governance Interactions in the Forest Sector

    Transnational governance initiatives increasingly face the problem of regime complexity, in which a proliferation of regulatory schemes operate in the same policy domain, supported by varying combinations of public and private actors. The literature suggests that such regime complexity can lead to forum-shopping and other self-interested strategies which undermine the effectiveness of transnational regulation. Based on the design principles of experimentalist governance, this paper identifies a variety of pathways and mechanisms which promote productive interactions in regime complexes. We use the case of the EU’s Forest Law Enforcement Governance and Trade (FLEGT) initiative, interacting with private certification schemes and public legal timber regulations, including those of third countries such as the US and China, to demonstrate how an increasingly comprehensive transnational regime can be assembled by linking together distinct components of a regime complex. We argue that it is the experimentalist features of this initiative and its regulatory interactions, which accommodate local diversity and foster recursive learning from decentralized implementation experience, that make it possible to build up a flexible and adaptive transnational governance regime from an assemblage of interconnected pieces, even in situations where interests diverge and no hegemon can impose its own will.