The specification and compilation of obligation policies for program monitoring

Cheng Xu, Philip W. L. Fong
DOI: 10.1145/2414456.2414501 (https://doi.org/10.1145/2414456.2414501)
Publication date: 2012-05-02
Venue: Asia CCS '22 : proceedings of the 2022 ACM Asia Conference on Computer and Communications Security : May 30-June 3, 2022, Nagasaki, Japan. ACM Asia Conference on Computer and Communications Security (17th : 2022 : Nagasaki-shi, Japan ; ...
Citations: 5

Abstract

An extensible software system must protect its resources from being abused by untrusted software extensions. The access control policies of such systems are traditionally enforced by reference monitors. Recent study of access control policies advocates the use of obligation policies, which impose behavioural constraints on the future actions of the accessor after the access is granted. It is argued that obligation policies provide continuous protection to the system.

Not all obligation policies can be enforced by reference monitors. We argue that humans have long recognized the unenforceability of naively formulated obligation policies, and have devised standard policy idioms to cope with the issue. We therefore developed tool support to assist a policy developer in using such policy idioms. First, we designed a policy language to capture the idiomatic elements of obligation policies, in such a way that the elements are modular and composable. Second, we designed a type system for capturing patterns of policy composition that preserve enforceability, such that well-typed policies are enforceable. Third, we designed a compilation algorithm that compiles well-typed policies into reference monitors. Such a framework helps policy developers articulate obligation policies and refine them into enforceable ones.