Using First-order Logic to Reason about Policies

Vicky Weissman

Joint work with:Joseph Halpern and Carl Lagoze

What is a policy? A policy says that an individual

may (or may not) do an action if certain conditions hold.

Examples include `All information on this site may

be copied.’1

`A student shall in no way misrepresent his or her work.’2

2 http://cuinfo.cornell.edu/Academic/AIC.html

1 http://www.afrl.af.mil/secdis.htm

Questions about policies Users want to know what’s allowed

and what’s not. Policy makers want to know if their

policies are consistent with those already made. E.g. Alice writes a set of policies for her

university’s new outreach program. Do her policies contradict those of the university?

Problem: Ambiguity Consider the policy

`All information on this site may be copied’, Interpretation 1: The policy allows any part of

the site to be copied. (`All information’ stresses that there are no restrictions on what may be copied.)

Interpretation 2: The policy allows the entire site to be copied (i.e. all of the information).

May Alice copy a paragraph that is on the site? We don’t know.

Solution: Write policies in first-order logic

Good News: Formal semantics no ambiguity. Fol seems to be sufficiently expressive.

Bad News: Many problems for fol are undecidable. Many policy writers are not well-versed in

logic.We’ll discuss these issues later in the talk.

Encoding policies A policy says that an individual may (or

may not) do an action if certain conditions hold.

A policy has the form: x1,…, xm (f () Permitted(tag, tac))

Encoding policies A policy says that an individual may (or

may not) do an action if certain conditions hold.

A policy has the form: x1,…, xm (f () Permitted(tag, tac))

Permitted(tag, tac) means that agent tag may do

action tag where tag and tac are terms.

E.g. Permitted(Alice, play) means Alice may play.

Encoding policies A policy says that an individual may (or

may not) do an action if certain conditions hold.

A policy has the form: x1,…, xm (f () Permitted(tag, tac))

f is a conjunction of literals where each literal encodes a condition.

E.g. f = Vegetable(x1) Ate(Alice, x1) Scowl(Alice)

Encoding policies A policy says that an individual may (or

may not) do an action if certain conditions hold.

A policy has the form: x1,…, xm (f () Permitted(tag, tac))

A permitting policy has a positive conclusion, a denying policy has a negative conclusion.

Encoding policies A policy says that an individual may (or may

not) do an action if certain conditions hold. A policy has the form:

x1,…, xm (f () Permitted(tag, tac))

A permitting policy has a positive conclusion, a denying policy has a negative conclusion.

E.g.:x1 (Vegetable(x1) Ate(Alice, x1) Scowl(Alice) Permitted(Alice, play))

Environments Does the policy

x1 (Vegetable(x1) Ate(Alice, x1) Scowl(Alice) Permitted(Alice, play))

allow Alice to play? To answer the question we need to know if

she ate a vegetable and if she’s scowling. This information, along with other facts

about the world, are stored in the environment.

Environments for policies

1. Basic facts (ground literals) Captures attributes of individuals. E.g. Vegetable(carrot), Vegetable(carrot

cake)2. Constraints (universal formulas)

Captures relationships between attributes. E.g. x (Private(x) Public(x)),

x (Freshmen(x) Student(x))

Policies seem to refer to 2 types of facts:

Assumption: Environment doesn’t talk about what’s permitted; policies do that.

Encoding the questions in first-order logic

Assume an environment E and a policy set {p1,…, pn}.

`Is c1 allowed to do c2?’ = `Is E p1 … pn Permitted(c1, c2) valid?’

`Are the policies consistent in E?’`Is E p1 … pn satisfiable?’

Encoding the questions in first-order logic

Assume an environment E and a policy set {p1,…, pn}.

`Is c1 allowed forbidden to do c2?’ =

`Is E p1 … pn Permitted(c1, c2) valid?’

`Are the policies consistent in E?’`Is E p1 … pn satisfiable?’

Can we answer the questions? No. These questions are

undecidable. But the game’s not over yet!

We can restrict the language so that the questions are tractable AND interesting policies are still expressible.

One solution: Datalog Datalog is negation-free, function-free Horn

clauses; queries can be answered in PTime. Some extensions have been considered.

Safe, stratified Datalog: Binder [DeTreville 02] , RT [Li, Mitchell, Winsborough 02] and SD3 [Trevor 01] .

Datalog with constraints: RTc [Li and Mitchell 03] . With these extensions, Datalog is still PTime. But:

A policy’s conclusion must be a positive literal (no denying policies).

Support for functions is limited.

Denying policies are common.

Many applications explicitly forbid actions. `Smoking is prohibited in the dining areas of

all restaurants seating more than 35 people’ is part of the NYC Smoke-Free Air Act.

`The tickets may not be refunded’ is a policy of many airline fares, theaters, …

These policies cannot be captured explicitly in (the extended versions of) Datalog.

Datalog solution What isn’t explicitly permitted is

forbidden. Problem: Can’t distinguish forbidden

actions from unregulated ones. E.g. A university’s policies talk about

who’s permitted to get tenure. The policies for Alice’s new outreach program don’t. Alice’s policies contradict the university’s.

We may want functions too.

Functions often occur naturally when translating English policies to first-order logic.

E.g. `All information on the site may be copied’

translates to either: x1, x2 (OnSite(x1) Permitted(x2, copy(x1))) x1, x2 (EntireSite(x1) Permitted(x2,

copy(x1)))

Another solution We want a language that

doesn’t restrict functions and allows us to capture denying policies.

To get this in a tractable language, some restrictions are necessary.

Key idea: Restrict bipolars.

What is a bipolar? A literal l is bipolar in a formula f (in CNF) if

1. the literal l is in f and 2. there is another literal l’ in f such that l = l’’

for some variable substitutions and ’. Consider

f = x, y (Can(Alice, x) Can(y, sing))Can(Alice, x) is bipolar in f, because

1. the literal Can(Alice, x) is in f and2. the literal Can(Alice, x) = l’’ where

l’ = Can(y, sing), = [x/sing], and ’ = [y/Alice].

Why is bipolarity interesting?

If E is an environment and {p1, …, pn} is a set of policies such that

1. every variable on the lhs of a policy also appears on the rhs,

2. E is a conjunction of ground literals, and3. there are no bipolar literals in p1 … pn.

Then our questions can be answered in time (|E|+|P|) log|E| where P = p1 … pn.

|f| is the length of f viewed as a string of symbols.

Language with functions + denying policies is tractable!

When is every variable on the lhs also on the rhs?

Recall: A policy’s lhs states the conditions under which the permission on the rhs is granted/denied.

Variable restriction is met if what you’re allowed/forbidden to do is based solely on your attributes and the attributes of the regulated action.

Our problems are NP in the number of variables in a single policy that violate the restriction.

When is E a conjunction of ground literals?

This restriction is met if E is derived from databases and certificates.

If the E has constraints (e.g. anything private is not public), then Our problems can be answered in quadratic

time, if no more than 1 bipolar per clause. More than one bipolar per clause is common if

there are definitions (e.g. a senior citizen is someone over 65), but it’s easy to deal with definitions; they’re just macros.

When are there no bipolar literals in p1 … pn?

Suppose Permitted is not in any policy’s premise and all policies are permitting (or all denying).

Then The restriction holds if meeting a condition can

only add or remove privileges (but not both). If each policy has at most 1 bipolar in p1 … pn,

then answering queries takes quadratic time.

But what if some policies are permitting and others denying?

Big idea We want permissions (prohibitions)

to follow solely from the permitting (denying) policies.

If this were true, then we could answer a query by looking at the permitting and denying policies separately.

Want we want doesn’t come for free.

Denying policies can affect permissions

Consider 2 permitting policies: p1 = `anyone who is not faculty may

nap.’ p2 = `faculty may chair committees.’

If Alice is a student, may she take a nap?

Denying policies can affect permissions

Consider 2 permitting policies: p1 = `anyone who is not faculty may

nap.’ p2 = `faculty may chair committees.’

If Alice is a student, may she take a nap? No, because Alice could be a student

who is also a faculty member.

Denying policies can affect permissions

Consider 3 policies: p1 = `anyone who is not faculty may nap.’ p2 = `faculty may chair committees.’ p3 = `students may not chair committees.’

If Alice is a student, may she take a nap?

Denying policies can affect permissions

Consider 3 policies: p1 = `anyone who is not faculty may nap.’ p2 = `faculty may chair committees.’ p3 = `students may not chair committees.’

If Alice is a student, may she take a nap? Yes, because p2 and p3 together imply that

students aren’t faculty.

Moral: Permitting and denying policies together can imply environment facts, so we can’t separate the policies, unless…

Separating policies

Thm: If implied information is made explicit, then a positive conclusion follows from all the policies iff it follows from the permitting policies. If there are n policies and there is only one bipolar

per policy that involves Permitted, then at most n2 clauses are added and no added clause is more than twice the length of the longest original clause.

Bottom line: Under reasonable assumptions, we can answer our queries in quadratic time.

Expressive power

The fragment can capture a number of policy sets including the ones we collected from libraries, the ones we collected from

government docs, most of the licenses that can be

written in XrML.

Why can’t we handle all XrML licenses?

XrML allows Permitted in the antecedent of policies. Permitted can be a bipolar a clause can have multiple bipolars.

But, XrML does not support negation. Our fragment can express some

policies that XrML can’t and vice-versa.

Are we done yet?

We have found a language that is expressive enough to capture many policies of practical interest AND for which we can answer questions efficiently.

But we haven’t shown that it’s accessible to the many policy makers and administrators who are not logicians.

The architecture

GUI

translator

user input

data-base

formulas

answersquestions

answers in English

GUI Lets non-logicians enter policies and relevant facts; ask questions.

translatorTranslates between user input/ English and first-order formulas in our restricted form.

analyzerAnswer questions such as `Can Alice edit the website?’ and `Are the policies consistent?’.

Interface User selects a task such as:

Describe a person, item, or action. State a policy. Ask if an action is permitted/forbidden.

User completes the task by filling in a form.

E.g. To say `Alice is an IEEE member from Jan. 1, 2003 to Jan. 1, 2004’…

Interface User selects a task such as:

Describe a person, item, or action. State a policy. Ask if an action is permitted/forbidden.

User completes the task by filling in a form.

E.g. To say `Alice is an IEEE member from Jan. 1, 2003 to Jan. 1, 2004’…

Form: Describe a person, item, or action

Who or what is being described?

What is the characteristic?

Does the person, item, or action have the characteristic?

Yes No

When does this description apply?

From: To:

Form: Describe a person, item, or action

Who or what is being described?

Alice

What is the characteristic?

IEEE Member

Does the person, item, or action have the characteristic?

Yes No

When does this description apply?

From: 1/1/03 To: 1/1/04

Conclusion Completed work

Found a tractable fragment of first-order logic that can express many (almost all?) policies of interest.

Work in progress Investigating the extent to which we can

capture the social security database. Building a prototype to demonstrate the

language’s usability. Applying the same techniques to

formalizing XrML.

For more information… The paper`Using First-order Logic to

Reason about Policies’ is available: at

http://www.cs.cornell.edu/People/vickyw.

in the proceedings of this year’s Computer Security Foundations Workshop (CSFW).

Describe a person, item, or action We tell you what’s allowedand what’s not sign in | help

Home

Facts Describe a person, item, or action.

Relate one person, item, or action to another.

Record an event.

Modify the fact database.

PoliciesGive permission.

Deny permission.

Modify the policy database.

QueriesIs an event allowed?

Is an event forbidden?

What are the known facts?

What are the known policies?

Who or what is being described?

What is the characteristic?

Does the person, item, or action have the characteristic?

When does this description apply?

…

yes no

…

From:

dd/mm/yy or now

To:

dd/mm/yy or unknown

or always

Done

(e.g. George Smith, Rhodes Hall)

(e.g. librarian, building)

Riccardo Focardi

Program Chair

Abort

26/06/02 26/06/04

Give Permission We tell you what’s allowedand what’s not sign in | help

Home

FactsDescribe a person, item, or action.

Relate one person, item, or action to another.

Record an event.

Modify the fact database.

Policies Give permission.

Deny permission.

Modify the policy database.

QueriesIs an event allowed?

Is an event forbidden?

What are the known facts?

What are the known policies?

Who is being given permission?Anyone who meets the following description:

<policy applies to everyone>

Right-click in scrollbars to add/remove requirements.

Which actions are being regulated? Any action that meets the following description:

<policy applies to every action>

Are there other conditions that must hold for the policy to apply?

<no other conditions apply>

Done Abort