On the Automated Synthesis of Proof-Carrying Temporal Reference Monitors

Simon Winwood (1,2), Gerwin Klein (1,2), and Manuel M. T. Chakravarty (1)

(1) University of New South Wales, School of Computer Science & Engineering, Sydney, Australia
(2) National ICT Australia ⋆

{sjw,chak}@cse.unsw.edu.au
gerwin.klein@nicta.com.au
Abstract. We extend the range of security policies that can be guaranteed with proof carrying code from the classical type safety, control safety, memory safety, and space/time guarantees to more general security policies, such as general resource and access control. We do so by means of (1) a specification logic for security policies, which is the past-time fragment of LTL, and (2) a synthesis algorithm generating reference monitor code and accompanying proof objects from formulae of the specification logic. To evaluate the feasibility of our approach, we developed a prototype implementation producing proofs in Isabelle/HOL.
1 Introduction
Proof carrying code (PCC) [1] is inherently trustworthy, independent of its origin
or previous opportunities for tampering. The guarantees provided by PCC are,
however, not universal: they are relative to a security policy agreed upon by the
code producer and consumer. It is the code producer’s obligation to annotate
the code with a proof object that establishes the code’s compliance with the
security policy. This proof object, consisting of steps in a formal logic, can be
checked with a simple proof checker. Thus, the trustworthiness of the code can
be established with mathematical rigour.
Existing research into the generation of proof-carrying code focuses on security policies which can be derived from properties of high-level languages and their type systems, such as type safety [2], control and memory safety [3], and space/time guarantees [4]. The contribution of this paper is to extend the approach to more general security policies, such as general resource and access control. An example of such a policy is one where “a user may perform an operation only if they have been granted a capability for that operation and that capability hasn’t been revoked.” Such properties are beyond the semantic guarantees of high-level languages; hence, we need (1) a formal device to express such policies and (2) a method for generating proof-carrying code for these policies.
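As an added illustration (not the paper's synthesiser, and not its Isabelle/HOL output), the capability policy quoted above can be written in past-time LTL as perform → (¬revoke S grant), i.e. "a grant happened at some point and no revoke has occurred since", and enforced by a reference monitor that needs only the previous step's truth value of each subformula. The code below is this example's own: the operator classes, proposition names (perform, grant, revoke) and the sample trace are all constructed here. It also includes the declarative semantics so the incremental monitor can be checked against it.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Sequence, Union

# Abstract syntax for the past-time fragment of LTL (class names are this
# example's own). Frozen dataclasses are hashable, so formulas can key a dict.
@dataclass(frozen=True)
class Atom:
    name: str

@dataclass(frozen=True)
class Not:
    sub: "Formula"

@dataclass(frozen=True)
class And:
    left: "Formula"
    right: "Formula"

@dataclass(frozen=True)
class Yesterday:        # Y f: f held at the previous step (false at step 0)
    sub: "Formula"

@dataclass(frozen=True)
class Since:            # f S g: g held at some past step and f has held ever since
    left: "Formula"
    right: "Formula"

Formula = Union[Atom, Not, And, Yesterday, Since]
Event = FrozenSet[str]  # the propositions observed true at one step

def Implies(a: Formula, b: Formula) -> Formula:
    return Not(And(a, Not(b)))  # a -> b  ==  not (a and not b)

def holds_at(f: Formula, trace: Sequence[Event], i: int) -> bool:
    """Declarative semantics: does f hold at position i of the finite trace?"""
    if isinstance(f, Atom):
        return f.name in trace[i]
    if isinstance(f, Not):
        return not holds_at(f.sub, trace, i)
    if isinstance(f, And):
        return holds_at(f.left, trace, i) and holds_at(f.right, trace, i)
    if isinstance(f, Yesterday):
        return i > 0 and holds_at(f.sub, trace, i - 1)
    if isinstance(f, Since):
        return any(holds_at(f.right, trace, j)
                   and all(holds_at(f.left, trace, k) for k in range(j + 1, i + 1))
                   for j in range(i + 1))
    raise TypeError(f"unknown formula {f!r}")

class Monitor:
    """Online reference monitor: constant work per event, stores no trace,
    only the previous step's truth value of every subformula."""

    def __init__(self, policy: Formula) -> None:
        self.policy = policy
        self.prev: Dict[Formula, bool] = {}

    def _eval(self, f: Formula, now: Event, cur: Dict[Formula, bool]) -> bool:
        if f in cur:
            return cur[f]
        if isinstance(f, Atom):
            v = f.name in now
        elif isinstance(f, Not):
            v = not self._eval(f.sub, now, cur)
        elif isinstance(f, And):
            l, r = self._eval(f.left, now, cur), self._eval(f.right, now, cur)
            v = l and r
        elif isinstance(f, Yesterday):
            self._eval(f.sub, now, cur)      # record sub now so the next step can read it
            v = self.prev.get(f.sub, False)
        elif isinstance(f, Since):
            l, r = self._eval(f.left, now, cur), self._eval(f.right, now, cur)
            v = r or (l and self.prev.get(f, False))  # recursive unfolding of S
        else:
            raise TypeError(f"unknown formula {f!r}")
        cur[f] = v
        return v

    def observe(self, event: Event) -> bool:
        """Feed one event; True means the policy holds at this step (allow)."""
        cur: Dict[Formula, bool] = {}
        ok = self._eval(self.policy, event, cur)
        self.prev = cur
        return ok

# The paper's example policy, with constructed proposition names.
PERFORM, GRANT, REVOKE = Atom("perform"), Atom("grant"), Atom("revoke")
CAP_POLICY = Implies(PERFORM, Since(Not(REVOKE), GRANT))

# Constructed sample trace: one event set per step.
SAMPLE_TRACE: List[Event] = [frozenset(s) for s in (
    {"perform"}, {"grant"}, {"perform"}, {"revoke"},
    {"perform"}, {"grant", "perform"}, {"perform"})]

def enforce(policy: Formula, trace: Sequence[Event]) -> List[bool]:
    """Allow/deny decision of the monitor at each step of the trace."""
    m = Monitor(policy)
    return [m.observe(ev) for ev in trace]

def agrees_with_semantics(policy: Formula, trace: Sequence[Event]) -> bool:
    """Check that the incremental monitor matches the declarative semantics."""
    return enforce(policy, trace) == [holds_at(policy, trace, i) for i in range(len(trace))]

if __name__ == "__main__":
    for i, ok in enumerate(enforce(CAP_POLICY, SAMPLE_TRACE)):
        print(i, sorted(SAMPLE_TRACE[i]), "allow" if ok else "DENY")
```

On the sample trace the monitor denies steps 0 and 4 (perform before any grant, and perform after a revoke) and allows the rest, including step 5 where grant and perform coincide. The `agrees_with_semantics` check is the kind of evidence the paper replaces with a machine-checked proof object: here it is only tested on one trace, whereas a proof accompanying the synthesised monitor would cover every trace.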
⋆ National ICT Australia is funded through the Australian Government’s Backing Australia’s Ability initiative, in part through the Australian Research Council.
G. Puebla (Ed.): LOPSTR 2006, LNCS 4407, pp. 111–126, 2007.
© Springer-Verlag Berlin Heidelberg 2007