Run-time enforcement of nonsafety policies

Jay Ligatti, Lujo Bauer, David Walker

Research output: Contribution to journalArticlepeer-review

138 Scopus citations


A common mechanism for ensuring that software behaves securely is to monitor programs at run time and check that they dynamically adhere to constraints specified by a security policy. Whenever a program monitor detects that untrusted software is attempting to execute a dangerous action, it takes remedial steps to ensure that only safe code actually gets executed. This article improves our understanding of the space of policies enforceable by monitoring the run-time behaviors of programs. We begin by building a formal framework for analyzing policy enforcement: we precisely define policies, monitors, and enforcement. This framework allows us to prove that monitors enforce an interesting set of policies that we call the infinite renewal properties. We show how to construct a program monitor that provably enforces any reasonable infinite renewal property. We also show that the set of infinite renewal properties includes some nonsafety policies, that is, that monitors can enforce some nonsafety (including some purely liveness) policies. Finally, we demonstrate concrete examples of nonsafety policies enforceable by practical run-time monitors.

Original languageEnglish (US)
Article number19
JournalACM Transactions on Information and System Security
Issue number3
StatePublished - Jan 1 2009

All Science Journal Classification (ASJC) codes

  • General Computer Science
  • Safety, Risk, Reliability and Quality


  • Liveness
  • Monitoring
  • Policy enforcement
  • Safety
  • Security automata
  • Security policies


Dive into the research topics of 'Run-time enforcement of nonsafety policies'. Together they form a unique fingerprint.

Cite this