Graduation Year


Document Type




Degree Name

Doctor of Philosophy (Ph.D.)

Degree Granting Department

Computer Science and Engineering

Major Professor

Jay Ligatti, Ph.D.

Co-Major Professor

Hao Zheng, Ph.D.

Committee Member

Xinming Ou, Ph.D.

Committee Member

Nasir Ghani, Ph.D.

Committee Member

Dmytro Savchuk, Ph.D.


Enforceability theory, Ethnography, Monitors, Policies, Secure software development lifecycle, Security automata, Safety, Liveness


Computer Security has been a pressing issue that affects our society in multiple ways. Although a plethora of security solutions have been proposed and implemented throughout the years, security continues to be a problem for at least two important reasons, (1) implementations of runtime enforcement mechanisms have not been modeled rigorously and thus may not be enforcing the policies that are expected to enforce, and (2) there are conflicting tensions in the software development process that hinder the implementation and maintenance of secure software. To investigate these issues, this dissertation is divided into two parts.

The first part of this dissertation takes the lessons learned from earlier models of runtime enforcement---developed over the past nearly twenty years---and proffers a new general model called Stream-Monitoring Automata (SMAs). SMAs unify previous models and is suitable for modeling security mechanisms that operate over infinite event streams, which are now widespread and have been previously left out. SMAs enable the constraints and analyses of interest in previous models to be encoded, and overcomes several shortcomings of existing models with respect to expressiveness. Further, SMAs capture the practical abilities of mechanisms to monitor infinite event streams, execute even in the absence of event inputs, enforce non-safety policies, and operate an enforcement model in which extraneous constraints such as transparency and uncontrollable events may be specified as meta-policies.

The second part of this dissertation presents the results of an ethnographic study of secure software development processes in a software company using the anthropological research method of participant observation. Two Ph.D. students in computer science trained in qualitative methods worked as software developers in a company for almost two years of total research time, collecting all kinds of information about the development process. The researchers participated in everyday work activities such as coding and meetings, and observed software (in)security phenomena as the software was being developed. They observed developers' reactions to several vulnerabilities that were found by code inspection and pen-testing, and further investigated the issues by interviewing participants and analyzing historical data (code repositories, ticketing system records, internal wikis, and customer-facing documentation). The study found that (1) vulnerability discoveries produce different reactions in developers, often contrary to what a security researcher would predict; (2) security vulnerabilities are sometimes introduced and/or overlooked due to the difficulty in managing the various stakeholders' responsibilities in an economic ecosystem, and cannot be simply blamed on developers' lack of knowledge or skills.

These findings highlight the nuanced nature of the root causes of software vulnerabilities and indicate the need to take into account a significant amount of contextual information to understand how and why software vulnerabilities emerge during software development.

Rather than simply addressing deficits in developer knowledge or practice, this research sheds light onto at times forgotten human factors that significantly impact the security of software developed by actual companies. An analysis of the data also shows that improving software security in the development process can benefit from a co-creation model, where security experts work side by side with software developers to better identify security concerns and provide tools that are readily applicable within the specific context of the software development workflow.