The core component of an extensible software system must protect its resources from being
abused by untrusted software extensions. The access control policies of extensible software
systems are traditionally enforced by some form of reference monitors. Recent studies of access
control policies advocate the use of obligation policies, which impose behavioural constraints on
the future actions of the accessor even after the access is granted. It is argued that obligation
policies provide continuous protection to the system.
We envision the workflow of developing an obligation policy for program monitoring to involve
three stages: specification, implementability check and implementation. In this work, we
develop a series of tools to facilitate each stage of the workflow. First, we propose a policy
language for formulating obligation policies. Second, we devise a type system for syntactically
identifying if an obligation policy is enforceable or not. The type checker guides the policy
developer in refining an obligation policy into an enforceable one. Finally, we design a compilation
algorithm, which compiles well-typed obligation policies to a representation of reference
monitors, called Obligation Monitor (OM). The OM is designed to facilitate monitor inlining.