examine the sequence of program actions and transform the sequence
when it deviates from the specified policy. The simplest such automaton
truncates the action sequence by terminating a program. Such automata
are commonly known as security automata, and they enforce Schneider's
EM class of security policies. We define automata with more powerful
transformational abilities, including the ability to insert a sequence of actions into the event stream and to suppress actions in the event stream
without terminating the program. We give a set-theoretic characterization
of the policies these new automata are able to enforce and show that
they are a superset of the EM policies.
Download the paper in PDF format here.