Graduation Year


Document Type




Degree Name

Doctor of Philosophy (Ph.D.)

Degree Granting Department

Computer Science and Engineering

Major Professor

Jay Ligatti, Ph.D.

Committee Member

Adriana Iamnitchi, Ph.D.

Committee Member

Yicheng Tu, Ph.D.

Committee Member

Sean Barbeau, Ph.D.

Committee Member

Brendan Nagle, Ph.D.


Security, Policy Composition, Obligations, Policy specification


Existing security-policy specification languages allow users to specify obligations, but open challenges remain in the composition of complex obligations, including effective approaches for resolving conflicts between policies and obligations and allowing policies to react to the obligations of other policies.

An atomic obligation requires that either all or none of the included actions are executed. Atomicity can be extended to include the decision to permit or deny an event after the obligation executes. For many practical policies, obligation atomicity is necessary for correctness. Executing only the parts of such an obligation violates its atomicity which can lead to an undesirable result.

Presented here in this dissertation is PoCo, a policy Specification language and enforcement system for the principled composition of atomic-obligation policies. PoCo enables policies to interact meaningfully with the obligations of other policies, thus preventing the unexpected and insecure behaviors that can arise due to partially executed obligations or obligations that execute actions in violation of other policies. As far as we are aware, PoCo is the first system that supports the composition of atomic obligations, including conflict resolution between policies and obligations as well as allowing a policy to react to obligations of other policies.