Lightweight Inlined Reference Monitors for Securing Extensible and Open Systems
Licentiate thesis, 2008

This thesis studies an alternative implementation of a security reference monitor in the contexts of extensible and open systems. A security reference monitor is a classic approach to imposing a security policy on an otherwise untrusted system by using a trusted component which intercepts security-relevant resource requests and applies a security policy to decide whether to grant such requests. Recently, an application-level approach to implementing reference monitors has emerged. This is the so-called inlined reference monitor (IRM) approach where the software is rewritten to “embed” (inline) the policy within it. This thesis presents an alternative implementation of the IRM approach by using aspect-oriented programming. We call this the lightweight inlined reference monitor approach, since it does not require modification of the base system, and does not need an additional security policy language. The contexts of this thesis are extensible and open software systems in which software components are allowed to extend the functionality of others, and to integrate external, or third-party services. Firstly, we have studied such an extensible system in a vehicle software scenario, and analysed the safety-security characteristics for such a system. The analysis has resulted in guidelines for policy design for securing vehicle software systems. Secondly, we have proposed a lightweight IRM approach to provide vehicle software security. We have shown that the security assurance provided by the lightweight IRM approach is promising for deployment in an existing vehicle software system. Lastly, we have applied the lightweight IRM approach to the context of JavaScript (web browser) security, where we show how to control and modify the behaviour of JavaScript to make it self-protecting.


Inlined Reference Monitors


Vehicle Software Security

EE- ED-building, Rännvägen 6B
Opponent: Prof. Frank Piessens, Katholieke Universiteit Leuven, Belgium


Phu Phung

Chalmers, Computer Science and Engineering

Vehicle ECU Classification Based on Safety-Security Characteristics

Proceedings of 13th IET Road Transport Information and Control - RTIC2008, May 20-22, 2008, Manchester, UK (2008)

Paper in proceedings

Security Policy Enforcement for the OSGi Framework Using Aspect-Oriented Programming

Proceedings of the 32nd Annual International Computer Software and Applications Conference (COMPSAC 2008), 28 July - 01 August 2008, Turku, Finland. IEEE Computer Society 2008 (2008), p. 1076-1082

Paper in proceedings



Computer Science

Technical report L - Department of Computer Science and Engineering, Chalmers University of Technology and Göteborg University: 59L
