EM Enforcing Information Flow Properties using Compensating Events

Deeply embedded infrastructures are pervasive systems that have significant cyber and physical components, interacting with each other in complex ways. These interactions can violate a system\´s security policy leading to unintended information flow. Execution monitor (EM) enforceability is the concept of monitoring a system during runtime for any security policy violations and terminating the execution if such violations occur. EM enforceable mechanisms require that the properties being enforced be restricted to safety properties. Information flow properties are considered non-EM enforceable because they can not be defined using safety properties. To bridge this gap, prior work has presented a monitor that predicts future possible events, then evaluates these as safety properties. Unfortunately, in a pervasive system, evaluating future possible events results in a physical, observable, change to the system. What is needed is a physical "undo" operation in which a physical setting can be explored, then undone in a way that no unintended information flow results. This paper presents the concepts of compensating events and a compensating couple which can be used to EM enforce information flow properties in pervasive systems.