Enforcing Obligation with Security Monitors

With the ubiquitous deployment of large scale networks more and more complex human interactions are supported by computer applications. This poses new challenges on the expressiveness of security policy design systems, often requiring the use of new security paradigms. In this paper we identify a restricted type of obligation which is useful to express new security policies. This type of obligation includes the following general situations: i) when the two actions involved oblige each other, and ii) when the obligatory action is causally dependent on some previous action. In addition, this type of obligation is enforceable by security monitors, thus enabling its use on a variety of different platforms. Using a security language and a compiler encompassing this type of obligation we also show how this type of obligation can be efficiently implemented by a security monitor. This is achieved with the help of the transaction concept: an action that is to be enforced in the future, because it is an obligation according to the defined policy, is part of a transaction that commits successfully only if the obligatory action has been done. To our knowledge this is the first proposal to implement a given type of obligation-based policy using a security monitor. We briefly describe the language and the system implementation and present very encouraging performance results.