Implementing Policies in Programs using Labelled Transition Systems

Tim Owen, Julian Rathke, Ian Wakeman, Des Watson

June 29, 2002

1 Introduction

The pervasive computing infrastructure, envisaged in [13], consists of many networked devices operating and communicating with minimal human interaction. In such a distributed environment, programs may be executed on devices to which the programmer has no direct authority — the idea of third-party computation. Similarly, a device may execute code which provides a service to other programs. Again, some of these client programs may originate from potentially untrusted third parties. Faced with this situation, it is reasonable for device owners to seek to impose restrictions on the behaviour of programs that either run on their device or use services provided by their device. These restrictions can be expressed in the form of a policy, which may then be enforced in some way to ensure that programs adhere to the policy.

This paper describes our current work on programming language support for policy specification and implementation. The aim of this work is to design language mechanisms that enable program behaviour to be controlled by policies, and to develop tools that implement these features as extensions of a general purpose programming language.

Our approach is to extend a typical object-oriented language such as Java with a mechanism to declare a set of states within a class, and annotations on methods to declare in which states they can be called. Those classes containing a set of states are termed modal, to reflect the fact that objects will be in different modes depending on their current state. A second area of language support is for separate policy specifications to be defined that determine the transitions between the states of a modal class. Each transition is labelled with a condition that specifies when a state change may occur. Therefore, we express each policy as a labelled transition system (a generalisation of finite state automata). At run-time, a modal object is associated with a particular policy, which then controls the object's state changes. An important aspect of this design is that we intend to allow policies to be attached to objects dynamically. This separation enables device owners to decide which policy to attach to modal objects that are hosted by the device or using its services.
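The mechanism just described (a modal class whose methods are annotated with the states that permit them, and a separately specified policy, expressed as a labelled transition system, that drives the state changes and can be attached at run-time) can be modelled as a small library. The following is an added example written for this page; it is not the authors' language extension or tool, and it is in Python rather than the Java extension the paper proposes. It assumes that a transition's label is the name of the method whose successful call fires it, and the `Session` class, its states and both policies are constructed for illustration.

```python
import functools
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


class PolicyViolation(Exception):
    """Raised when a method is called in a state that does not permit it."""


@dataclass
class Policy:
    """A labelled transition system over the states of a modal class.

    `transitions` maps (current_state, label) -> next_state.  In this example
    the label is the name of the method whose call triggers the transition
    (an assumption; the paper allows general conditions as labels).  A
    (state, label) pair with no entry leaves the state unchanged.
    """
    initial: str
    transitions: Dict[Tuple[str, str], str]

    def step(self, state: str, label: str) -> str:
        return self.transitions.get((state, label), state)


def in_states(*states: str):
    """Annotate a method with the set of states in which it may be called."""
    allowed: FrozenSet[str] = frozenset(states)

    def decorate(method):
        @functools.wraps(method)
        def guarded(self, *args, **kwargs):
            self._check(method.__name__, allowed)      # enforce before the body runs
            result = method(self, *args, **kwargs)
            self._fire(method.__name__)                # policy decides the next state
            return result
        return guarded
    return decorate


class Modal:
    """Base for modal objects: holds the current state and the attached policy."""

    def __init__(self) -> None:
        self.policy = None
        self.state = None

    def attach(self, policy: Policy) -> None:
        """Dynamically attach (or replace) the policy controlling this object."""
        self.policy = policy
        self.state = policy.initial

    def _check(self, method: str, allowed: FrozenSet[str]) -> None:
        if self.policy is None:
            raise PolicyViolation(f"{method}: no policy attached")
        if self.state not in allowed:
            raise PolicyViolation(f"{method} not permitted in state {self.state!r}")

    def _fire(self, label: str) -> None:
        self.state = self.policy.step(self.state, label)


class Session(Modal):
    """Constructed modal class: a service session with three declared states."""
    states = ("unauthenticated", "authenticated", "revoked")

    def __init__(self) -> None:
        super().__init__()
        self.log: List[str] = []

    @in_states("unauthenticated")
    def login(self, user: str) -> None:
        self.log.append(f"login {user}")

    @in_states("authenticated")
    def read(self) -> str:
        self.log.append("read")
        return "data"

    @in_states("unauthenticated", "authenticated")
    def revoke(self) -> None:
        self.log.append("revoke")


# Two policies a device owner might attach to the same modal class.
STANDARD = Policy("unauthenticated", {
    ("unauthenticated", "login"): "authenticated",
    ("unauthenticated", "revoke"): "revoked",
    ("authenticated", "revoke"): "revoked",
})

SINGLE_READ = Policy("unauthenticated", {
    ("unauthenticated", "login"): "authenticated",
    ("authenticated", "read"): "revoked",       # one read, then the session is dead
    ("unauthenticated", "revoke"): "revoked",
    ("authenticated", "revoke"): "revoked",
})


def run(policy: Policy) -> List[Tuple[str, str]]:
    """Drive one session through a fixed call sequence under `policy`.

    Returns ("ok"|"denied", state_after_call) for each call.
    """
    s = Session()
    s.attach(policy)
    outcomes = []
    for call in (s.read, lambda: s.login("alice"), s.read, s.read):
        try:
            call()
            outcomes.append(("ok", s.state))
        except PolicyViolation:
            outcomes.append(("denied", s.state))
    return outcomes


def denied_without_policy() -> bool:
    """A modal object with no policy attached refuses every guarded call."""
    s = Session()
    try:
        s.login("bob")
    except PolicyViolation:
        return True
    return False


if __name__ == "__main__":
    print(run(STANDARD))
    print(run(SINGLE_READ))
```

The class fixes which methods are meaningful in which states; the policy, chosen by the device owner and attached after construction, fixes when the object moves between those states. Under `STANDARD` a logged-in session can read indefinitely, while under `SINGLE_READ` the same class allows exactly one read before the object is revoked, with no change to the class itself.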