Composing expressive runtime security policies

Lujo Bauer, Jay Ligatti, David Walker

Research output: Contribution to journalArticlepeer-review

28 Scopus citations


Program monitors enforce security policies by interposing themselves into the control flow of untrusted software whenever that software attempts to execute security-relevant actions. At the point of interposition, a monitor has authority to permit or deny (perhaps conditionally) the untrusted software's attempted action. Program monitors are common security enforcement mechanisms and integral parts of operating systems, virtual machines, firewalls, network auditors, and antivirus and antispyware tools. Unfortunately, the runtime policies we require program monitors to enforce grow more complex, both as the monitored software is given new capabilities and as policies are refined in response to attacks and user feedback. We propose dealing with policy complexity by organizing policies in such a way as to make them composable, so that complex policies can be specified more simply as compositions of smaller subpolicy modules. We present a fully implemented language and system called Polymer that allows security engineers to specify and enforce composable policies on Java applications. We formalize the central workings of Polymer by defining an unambiguous semantics for our language. Using this formalization, we state and prove an uncircumventability theorem which guarantees that monitors will intercept all security-relevant actions of untrusted software.

Original languageEnglish (US)
Article number9
JournalACM Transactions on Software Engineering and Methodology
Issue number3
StatePublished - May 1 2009

All Science Journal Classification (ASJC) codes

  • Software


  • Policy composition
  • Policy enforcement
  • Policy-specification language


Dive into the research topics of 'Composing expressive runtime security policies'. Together they form a unique fingerprint.

Cite this