Rights management Vicky Weissman Vickyw@cs

  • View
    213

  • Download
    0

Embed Size (px)

Text of Rights management Vicky Weissman Vickyw@cs

  • Slide 1
  • Rights management Vicky Weissman Vickyw@cs.cornell.edu
  • Slide 2
  • Policies A policy is a set of a conditions under which an action is permitted or forbidden. Simple examples: CS 502 students cannot edit the course website. A student can only modify a course web page with the instructors permission. More complicated examples: To borrow a book from the library, you must have a library card and you must either bring the book back in 2 weeks or pay a fine. A license is a type of policy; it says what a client needs to do to access a resource legitimately.
  • Slide 3
  • Goals Write policies unambiguously. Reason about the policies in a provably correct way. Is a particular action such as Alice editing the CS 502 web site allowed? Forbidden? Are the policies consistent? In other words,do they allow and forbid the same action? Enforce the policies in a provably correct way. We want to: A policy is a set of a conditions under which an action is permitted or forbidden.
  • Slide 4
  • Writing unambiguous policies Policies written in natural languages, like English, are often ambiguous. Ex: A student can only modify a course web page with the instructors permission.
  • Slide 5
  • Writing unambiguous policies Policies written in natural languages, like English, are often ambiguous. Ex: A student can only modify a course web page with the instructors permission. If the student has the instructors permission, can the student edit the page?
  • Slide 6
  • Writing unambiguous policies Policies written in natural languages, like English, are often ambiguous. Ex: A student can only modify a course web page with the instructors permission. If the student has the instructors permission, can the student edit the page? Does the policy apply to courses with multiple instructors? If so, whose permission do you need?
  • Slide 7
  • Isnt this an old problem? Well, yes. But policies for digital objects can be more complex. Consider a library patron borrowing a book If its a digital object, pictures can be blurred or hidden, according to a policy agreement. Certain portions of the text can be blocked out. If its a physical book, the library either needs a copy for each type of policy or can only regulate who sees the book as a single unit.
  • Slide 8
  • Automatic enforcement Digital works typically are protected by automatic means (e.g. software), so theres no person we can trust. We can tell a librarian what the policies are and, if we havent considered a scenario, then the librarian can do something reasonable. If a computer program gets input that it wasnt expecting, whats the likelihood that it will do something reasonable?
  • Slide 9
  • Bottom line We want to state, reason, and enforce policies. The policies were interested in are more complex than weve had before. The standard solution of relying on a trusted person to act reasonably is no longer an option.
  • Slide 10
  • Current solutions in industry Make policies VERY simple. For example, digital libraries often only have digital objects that are in the public domain. Alternatively, many libraries only differentiate between subscribers and non- subscribers. Use a commercial rights language (eg. XrML, ODRL, ).
  • Slide 11
  • XrML Looks like HTML. Has tons of predefined tags like: Allows people to make new tags for their specific needs.
  • Slide 12
  • Benefits of using XrML Popular. Policy makers dont have to learn too much new lingo when going from app to app. Allows common enforcement mechanisms across apps. Fairly easy to use. Extremely flexible.
  • Slide 13
  • Disadvantages of XrML No formal semantics. Semantics tell us what the symbols in a language mean. The only meaning Ive found given to the predefined tags are in English which weve already argued is ambiguous. If we dont have unambiguous semantics, then we cannot hope to reason about policies or enforce them in a provably correct way. People who use XrML are writing policies that seem right without anyone knowing precisely what is intended or exactly what is allowed.
  • Slide 14
  • Other options- use logic Policies can be expressed in first-order logic. Example: students cannot edit the website i (student(i) => Permitted(i, edit website))
  • Slide 15
  • Pros and Cons of using logic Benefits Well-understood. Extremely flexible. Has formal semantics. Disadvantages Not user-friendly -> needs intuitive GUI. Most interesting questions are provably undecidable -> need to find a fragment of first-order logic that is expressive and tractable. Semantics tell us what the symbols in a language mean.
  • Slide 16
  • Another option: Regular expressions Policies are captured by automatons. Start State give CUID use photocopier give acct # pay fee Above automaton says the photocopier can be used by anyone whose paid the fee or has given both a CUID and an acct number.
  • Slide 17
  • Pros and cons of reg. expr. Pros Well-understood. Easy to give formal semantics. Easy to reason about. Cons Not as expressive as first-order logic. Not as user-friendly as natural languages or commercial rights languages like XrML. Semantics tell us what the symbols in a language mean.
  • Slide 18
  • Reasoning about policies for policies written in any language without formal semantics this includes natural languages like English, XrML, ODRL reasoning requires a judge for policies written as regular expressions reasoning strategy depends on the chosen formal semantics.
  • Slide 19
  • Reasoning about policies in first-order logic Can Alice edit 502 web site? Given: policies p 1, , p n (written in fol) and facts about the world E (e.g. Senior(Alice) ( i (Senior(i) => Student(i))) ) Alice can edit if: E p 1 p n => Permitted(Alice, edit 502 site) is valid (i.e. if E and all the policies hold, then Alice may edit the site, regardless of any other policies and facts).
  • Slide 20
  • Enforcement There are lots of mechanisms to enforce policies. For an overview, take Prof. Schneiders CS 513: System Security course or read the courses notes. One interesting mechanism that is particularly well-suited to digital objects is in-line reference monitors (IRM).
  • Slide 21
  • IRM idea Suppose you wanted to write a code fragment A that could only be executed by students. You could write: if (student) {A} But if you did this, then the policy and real code are mushed together so its hard to see what either is doing and its hard to modify either component (e.g. change students to students and faculty). The IRM idea is to write and maintain the policy and code separately. Immediately before execution, the IRM monitor interleaves them.
  • Slide 22
  • Conclusion Policies are becoming increasingly complex and the solution in the physical world doesnt translate to cyberspace. There are a lot of ways to write policies, but none is a clear winner. Need formal semantics if youre going to reason and/or enforce policies in a provably correct way. Formal semantics may not be enough to do this. There are a ton of open questions, got research?