using first-order logic to reason about policies vicky weissman joint work with: joseph halpern and...
Post on 21-Dec-2015
216 views
TRANSCRIPT
Using First-order Logic to Reason about Policies
Vicky Weissman
Joint work with:Joseph Halpern and Carl Lagoze
What is a policy? A policy says that an individual
may (or may not) do an action if certain conditions hold.
Examples include `All information on this site may
be copied.’1
`A student shall in no way misrepresent his or her work.’2
2 http://cuinfo.cornell.edu/Academic/AIC.html
1 http://www.afrl.af.mil/secdis.htm
Questions about policies Users want to know what’s allowed
and what’s not. Policy makers want to know if their
policies are consistent with those already made. E.g. Alice writes a set of policies for her
university’s new outreach program. Do her policies contradict those of the university?
Problem: Ambiguity Consider the policy
`All information on this site may be copied’, Interpretation 1: The policy allows any part of
the site to be copied. (`All information’ stresses that there are no restrictions on what may be copied.)
Interpretation 2: The policy allows the entire site to be copied (i.e. all of the information).
May Alice copy a paragraph that is on the site? We don’t know.
Solution: Write policies in first-order logic
Good News: Formal semantics no ambiguity. Fol seems to be sufficiently expressive.
Bad News: Many problems for fol are undecidable. Many policy writers are not well-versed in
logic.We’ll discuss these issues later in the talk.
Encoding policies A policy says that an individual may (or
may not) do an action if certain conditions hold.
A policy has the form: x1,…, xm (f () Permitted(tag, tac))
Encoding policies A policy says that an individual may (or
may not) do an action if certain conditions hold.
A policy has the form: x1,…, xm (f () Permitted(tag, tac))
Permitted(tag, tac) means that agent tag may do
action tag where tag and tac are terms.
E.g. Permitted(Alice, play) means Alice may play.
Encoding policies A policy says that an individual may (or
may not) do an action if certain conditions hold.
A policy has the form: x1,…, xm (f () Permitted(tag, tac))
f is a conjunction of literals where each literal encodes a condition.
E.g. f = Vegetable(x1) Ate(Alice, x1) Scowl(Alice)
Encoding policies A policy says that an individual may (or
may not) do an action if certain conditions hold.
A policy has the form: x1,…, xm (f () Permitted(tag, tac))
A permitting policy has a positive conclusion, a denying policy has a negative conclusion.
Encoding policies A policy says that an individual may (or may
not) do an action if certain conditions hold. A policy has the form:
x1,…, xm (f () Permitted(tag, tac))
A permitting policy has a positive conclusion, a denying policy has a negative conclusion.
E.g.:x1 (Vegetable(x1) Ate(Alice, x1) Scowl(Alice) Permitted(Alice, play))
Environments Does the policy
x1 (Vegetable(x1) Ate(Alice, x1) Scowl(Alice) Permitted(Alice, play))
allow Alice to play? To answer the question we need to know if
she ate a vegetable and if she’s scowling. This information, along with other facts
about the world, are stored in the environment.
Environments for policies
1. Basic facts (ground literals) Captures attributes of individuals. E.g. Vegetable(carrot), Vegetable(carrot
cake)2. Constraints (universal formulas)
Captures relationships between attributes. E.g. x (Private(x) Public(x)),
x (Freshmen(x) Student(x))
Policies seem to refer to 2 types of facts:
Assumption: Environment doesn’t talk about what’s permitted; policies do that.
Encoding the questions in first-order logic
Assume an environment E and a policy set {p1,…, pn}.
`Is c1 allowed to do c2?’ = `Is E p1 … pn Permitted(c1, c2) valid?’
`Are the policies consistent in E?’`Is E p1 … pn satisfiable?’
Encoding the questions in first-order logic
Assume an environment E and a policy set {p1,…, pn}.
`Is c1 allowed forbidden to do c2?’ =
`Is E p1 … pn Permitted(c1, c2) valid?’
`Are the policies consistent in E?’`Is E p1 … pn satisfiable?’
Can we answer the questions? No. These questions are
undecidable. But the game’s not over yet!
We can restrict the language so that the questions are tractable AND interesting policies are still expressible.
One solution: Datalog Datalog is negation-free, function-free Horn
clauses; queries can be answered in PTime. Some extensions have been considered.
Safe, stratified Datalog: Binder [DeTreville 02] , RT [Li, Mitchell, Winsborough 02] and SD3 [Trevor 01] .
Datalog with constraints: RTc [Li and Mitchell 03] . With these extensions, Datalog is still PTime. But:
A policy’s conclusion must be a positive literal (no denying policies).
Support for functions is limited.
Denying policies are common.
Many applications explicitly forbid actions. `Smoking is prohibited in the dining areas of
all restaurants seating more than 35 people’ is part of the NYC Smoke-Free Air Act.
`The tickets may not be refunded’ is a policy of many airline fares, theaters, …
These policies cannot be captured explicitly in (the extended versions of) Datalog.
Datalog solution What isn’t explicitly permitted is
forbidden. Problem: Can’t distinguish forbidden
actions from unregulated ones. E.g. A university’s policies talk about
who’s permitted to get tenure. The policies for Alice’s new outreach program don’t. Alice’s policies contradict the university’s.
We may want functions too.
Functions often occur naturally when translating English policies to first-order logic.
E.g. `All information on the site may be copied’
translates to either: x1, x2 (OnSite(x1) Permitted(x2, copy(x1))) x1, x2 (EntireSite(x1) Permitted(x2,
copy(x1)))
Another solution We want a language that
doesn’t restrict functions and allows us to capture denying policies.
To get this in a tractable language, some restrictions are necessary.
Key idea: Restrict bipolars.
What is a bipolar? A literal l is bipolar in a formula f (in CNF) if
1. the literal l is in f and 2. there is another literal l’ in f such that l = l’’
for some variable substitutions and ’. Consider
f = x, y (Can(Alice, x) Can(y, sing))Can(Alice, x) is bipolar in f, because
1. the literal Can(Alice, x) is in f and2. the literal Can(Alice, x) = l’’ where
l’ = Can(y, sing), = [x/sing], and ’ = [y/Alice].
Why is bipolarity interesting?
If E is an environment and {p1, …, pn} is a set of policies such that
1. every variable on the lhs of a policy also appears on the rhs,
2. E is a conjunction of ground literals, and3. there are no bipolar literals in p1 … pn.
Then our questions can be answered in time (|E|+|P|) log|E| where P = p1 … pn.
|f| is the length of f viewed as a string of symbols.
Language with functions + denying policies is tractable!
When is every variable on the lhs also on the rhs?
Recall: A policy’s lhs states the conditions under which the permission on the rhs is granted/denied.
Variable restriction is met if what you’re allowed/forbidden to do is based solely on your attributes and the attributes of the regulated action.
Our problems are NP in the number of variables in a single policy that violate the restriction.
When is E a conjunction of ground literals?
This restriction is met if E is derived from databases and certificates.
If the E has constraints (e.g. anything private is not public), then Our problems can be answered in quadratic
time, if no more than 1 bipolar per clause. More than one bipolar per clause is common if
there are definitions (e.g. a senior citizen is someone over 65), but it’s easy to deal with definitions; they’re just macros.
When are there no bipolar literals in p1 … pn?
Suppose Permitted is not in any policy’s premise and all policies are permitting (or all denying).
Then The restriction holds if meeting a condition can
only add or remove privileges (but not both). If each policy has at most 1 bipolar in p1 … pn,
then answering queries takes quadratic time.
But what if some policies are permitting and others denying?
Big idea We want permissions (prohibitions)
to follow solely from the permitting (denying) policies.
If this were true, then we could answer a query by looking at the permitting and denying policies separately.
Want we want doesn’t come for free.
Denying policies can affect permissions
Consider 2 permitting policies: p1 = `anyone who is not faculty may
nap.’ p2 = `faculty may chair committees.’
If Alice is a student, may she take a nap?
Denying policies can affect permissions
Consider 2 permitting policies: p1 = `anyone who is not faculty may
nap.’ p2 = `faculty may chair committees.’
If Alice is a student, may she take a nap? No, because Alice could be a student
who is also a faculty member.
Denying policies can affect permissions
Consider 3 policies: p1 = `anyone who is not faculty may nap.’ p2 = `faculty may chair committees.’ p3 = `students may not chair committees.’
If Alice is a student, may she take a nap?
Denying policies can affect permissions
Consider 3 policies: p1 = `anyone who is not faculty may nap.’ p2 = `faculty may chair committees.’ p3 = `students may not chair committees.’
If Alice is a student, may she take a nap? Yes, because p2 and p3 together imply that
students aren’t faculty.
Moral: Permitting and denying policies together can imply environment facts, so we can’t separate the policies, unless…
Separating policies
Thm: If implied information is made explicit, then a positive conclusion follows from all the policies iff it follows from the permitting policies. If there are n policies and there is only one bipolar
per policy that involves Permitted, then at most n2 clauses are added and no added clause is more than twice the length of the longest original clause.
Bottom line: Under reasonable assumptions, we can answer our queries in quadratic time.
Expressive power
The fragment can capture a number of policy sets including the ones we collected from libraries, the ones we collected from
government docs, most of the licenses that can be
written in XrML.
Why can’t we handle all XrML licenses?
XrML allows Permitted in the antecedent of policies. Permitted can be a bipolar a clause can have multiple bipolars.
But, XrML does not support negation. Our fragment can express some
policies that XrML can’t and vice-versa.
Are we done yet?
We have found a language that is expressive enough to capture many policies of practical interest AND for which we can answer questions efficiently.
But we haven’t shown that it’s accessible to the many policy makers and administrators who are not logicians.
The architecture
GUI
translator
user input
data-base
formulas
answersquestions
answers in English
GUI Lets non-logicians enter policies and relevant facts; ask questions.
translatorTranslates between user input/ English and first-order formulas in our restricted form.
analyzerAnswer questions such as `Can Alice edit the website?’ and `Are the policies consistent?’.
Interface User selects a task such as:
Describe a person, item, or action. State a policy. Ask if an action is permitted/forbidden.
User completes the task by filling in a form.
E.g. To say `Alice is an IEEE member from Jan. 1, 2003 to Jan. 1, 2004’…
Interface User selects a task such as:
Describe a person, item, or action. State a policy. Ask if an action is permitted/forbidden.
User completes the task by filling in a form.
E.g. To say `Alice is an IEEE member from Jan. 1, 2003 to Jan. 1, 2004’…
Form: Describe a person, item, or action
Who or what is being described?
What is the characteristic?
Does the person, item, or action have the characteristic?
Yes No
When does this description apply?
From: To:
Form: Describe a person, item, or action
Who or what is being described?
Alice
What is the characteristic?
IEEE Member
Does the person, item, or action have the characteristic?
Yes No
When does this description apply?
From: 1/1/03 To: 1/1/04
Conclusion Completed work
Found a tractable fragment of first-order logic that can express many (almost all?) policies of interest.
Work in progress Investigating the extent to which we can
capture the social security database. Building a prototype to demonstrate the
language’s usability. Applying the same techniques to
formalizing XrML.
For more information… The paper`Using First-order Logic to
Reason about Policies’ is available: at
http://www.cs.cornell.edu/People/vickyw.
in the proceedings of this year’s Computer Security Foundations Workshop (CSFW).
Describe a person, item, or action We tell you what’s allowedand what’s not sign in | help
Home
Facts Describe a person, item, or action.
Relate one person, item, or action to another.
Record an event.
Modify the fact database.
PoliciesGive permission.
Deny permission.
Modify the policy database.
QueriesIs an event allowed?
Is an event forbidden?
What are the known facts?
What are the known policies?
Who or what is being described?
What is the characteristic?
Does the person, item, or action have the characteristic?
When does this description apply?
…
yes no
…
From:
dd/mm/yy or now
To:
dd/mm/yy or unknown
or always
Done
(e.g. George Smith, Rhodes Hall)
(e.g. librarian, building)
Riccardo Focardi
Program Chair
Abort
26/06/02 26/06/04
Give Permission We tell you what’s allowedand what’s not sign in | help
Home
FactsDescribe a person, item, or action.
Relate one person, item, or action to another.
Record an event.
Modify the fact database.
Policies Give permission.
Deny permission.
Modify the policy database.
QueriesIs an event allowed?
Is an event forbidden?
What are the known facts?
What are the known policies?
Who is being given permission?Anyone who meets the following description:
<policy applies to everyone>
Right-click in scrollbars to add/remove requirements.
Which actions are being regulated? Any action that meets the following description:
<policy applies to every action>
Are there other conditions that must hold for the policy to apply?
<no other conditions apply>
Done Abort