

Existing security-policy specification languages allow users to specify obligations, but open challenges remain in the composition of complex obligations, including effective approaches for resolving conflicts between policies and obligations and allowing policies to react to the obligations of other policies.

This project presents PoCo, short for policy composition. PoCo is a policy specification language and enforcement system that allows composed obligations to maintain their atomicity and enables policies to interact meaningfully with the obligations of other policies. Controlling obligations in this way prevents unexpected behaviors and security breaches due to partially executed obligations or obligations that execute actions in violation of other policies.


Danielle Ferguson

Yan Albright

Daniel Lomsak

Tyler Hanks

Kevin Orr

Jay Ligatti


Composition of Atomic-Obligation Security Policies. Danielle Ferguson, Yan Albright, Daniel Lomsak, Tyler Hanks, Kevin Orr, and Jay Ligatti. USF Technical Report CSE-SEC-021719. February 2019.

PoCo Source Code. Yan Albright and Danielle Ferguson. February 2018.