Post on 21-Dec-2015
A logic for reasoning about digital rights
Riccardo Pucella, Vicky Weissman
{riccardo,vickyw}@cs.cornell.edu
Cornell University
Licenses
A license states the exact conditions under which a resource may be used. Examples:
The client must sign a waiver before downloading beta-version software.
The client must sign a lease and either pay $490 on the first day or $500 on the second day of each month to live in an apartment.
Reasoning about licenses - Properties
Examples of properties include:
'A religious work may never be viewed after sunset.'
'If a client uses a resource, then the client is obligated to pay for the use at some time.'
Depending on the licenses, a property may or may not be easy to check.
Question: does a property hold for a given set of licenses, regardless of the client's actions?
Reasoning about licenses - Specifications
Examples of specifications include:
'The client never uses a resource illegally.'
'The client is never obligated to pay interest on any debts.'
Specifications may or may not be easy to check, depending on the given info.
Question: does a specification hold for a given set of licenses and a given client behavior?
Our goal
To design a logic that we can use to:
1. easily state interesting properties and specifications;
2. prove that a property holds (or a specification is met) for a given license set (and client behavior).
Logic features
The logic needs to talk about: licenses, client behavior wrt a license, time – temporal operators, permission and obligation.
Licenses
Follow the lead of Gunter, Weeks, Wright, 'Models and languages for digital rights', 2001.
Licenses are sets of traces. Each trace describes an action sequence that the client could do to fulfill the license.
Can write licenses in various languages. We'll use regular expressions:
$\ell ::= a \mid \ell_1\,\ell_2 \mid \ell^* \mid \ell_1 \cup \ell_2$, where $a$ is an action.
Lease example
Recall the lease example:
The client must sign a lease and either pay $490 on the first day or $500 on the second day of each month to live in an apartment.
Viewed as a set of traces (the slide shows a trace diagram): at $t_0$ the client signs the lease; at $t_1$ the client pays $490 or does nothing ($\varepsilon$); at $t_2$ the client pays $500 (if nothing was paid at $t_1$) or does nothing ($\varepsilon$); from $t_3$ to $t_{30}$ the client does nothing ($\varepsilon$); then the month repeats.
Encoding action sequences
License: the lease trace diagram from the previous slide (sign lease at $t_0$; pay $490 at $t_1$ or pay $500 at $t_2$; nothing ($\varepsilon$) on the remaining days up to $t_{30}$).
Traces:
$\ell_1 = \mathit{pay\ \$490}\ \ldots$
$\ell_2 = \mathit{pay\ \$500}\ \ldots$
$\ell = \mathit{sign\ lease}\,(\ell_1 \cup \ell_2)^*$
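The license language of slide 7 and the lease encoding above, worked through in Python. This is an added example, not code from the slides or from the authors: licenses are built from the grammar $\ell ::= a \mid \ell_1\,\ell_2 \mid \ell^* \mid \ell_1 \cup \ell_2$, and a license can then be asked which actions the client may do next (the per-license content of the permission interpretation used later in the talk) and whether an action sequence fulfils or violates it. Computing "permitted next" by Brzozowski derivatives, the 30-day month, the action strings and all function names are this example's own assumptions; the do-nothing action $\varepsilon$ is treated as an ordinary action, as the obligation slide does.

```python
# Added example (not the authors' code): the license language from the slides,
#   l ::= a | l1 l2 | l* | l1 U l2,
# implemented so that a license can be asked which actions the client may do
# next and whether an action sequence fulfils it.  Computing "permitted next"
# by Brzozowski derivatives is this example's own choice of technique; the
# slides only say that a license denotes a set of traces.
from dataclasses import dataclass
from typing import FrozenSet, Sequence, Union

EPS = "ε"   # the do-nothing action, treated as an ordinary action here

@dataclass(frozen=True)
class Act:                 # a        (a single action)
    name: str
@dataclass(frozen=True)
class Seq:                 # l1 l2    (do l1, then l2)
    left: "License"
    right: "License"
@dataclass(frozen=True)
class Star:                # l*       (repeat l zero or more times)
    body: "License"
@dataclass(frozen=True)
class Alt:                 # l1 U l2  (either l1 or l2)
    left: "License"
    right: "License"
@dataclass(frozen=True)
class Empty: pass          # no trace at all: the license has been violated (internal)
@dataclass(frozen=True)
class Nil: pass            # only the empty trace: nothing left to do (internal)

License = Union[Act, Seq, Star, Alt, Empty, Nil]

def seq(*ls: License) -> License:                   # right-nested l1 l2 ... lk
    out = ls[-1]
    for l in reversed(ls[:-1]):
        out = Seq(l, out)
    return out

def nullable(l: License) -> bool:
    """True iff the empty trace fulfils l, i.e. the client could stop here."""
    if isinstance(l, (Nil, Star)): return True
    if isinstance(l, (Act, Empty)): return False
    if isinstance(l, Seq): return nullable(l.left) and nullable(l.right)
    return nullable(l.left) or nullable(l.right)     # Alt

def simp(l: License) -> License:
    """Fold Empty/Nil away so that a violated license is literally Empty()."""
    if isinstance(l, Seq):
        if isinstance(l.left, Empty) or isinstance(l.right, Empty): return Empty()
        if isinstance(l.left, Nil): return l.right
        if isinstance(l.right, Nil): return l.left
    if isinstance(l, Alt):
        if isinstance(l.left, Empty): return l.right
        if isinstance(l.right, Empty) or l.left == l.right: return l.left
    return l

def deriv(l: License, a: str) -> License:
    """Brzozowski derivative: the traces of l that start with a, with a removed."""
    if isinstance(l, Act): return Nil() if l.name == a else Empty()
    if isinstance(l, (Empty, Nil)): return Empty()
    if isinstance(l, Alt): return simp(Alt(deriv(l.left, a), deriv(l.right, a)))
    if isinstance(l, Star): return simp(Seq(deriv(l.body, a), l))
    d = simp(Seq(deriv(l.left, a), l.right))        # l is a Seq
    return simp(Alt(d, deriv(l.right, a))) if nullable(l.left) else d

def actions(l: License) -> FrozenSet[str]:          # alphabet of l
    if isinstance(l, Act): return frozenset([l.name])
    if isinstance(l, (Seq, Alt)): return actions(l.left) | actions(l.right)
    return actions(l.body) if isinstance(l, Star) else frozenset()

def after(l: License, trace: Sequence[str]) -> License:
    """What remains of l once the client has done `trace`."""
    for a in trace:
        l = deriv(l, a)
    return l

def permitted_after(l: License, trace: Sequence[str]) -> FrozenSet[str]:
    """Actions the client may do next wrt l after `trace`: a is permitted iff
    some trace of l extends `trace` with a.  A singleton result is an
    obligation in the sense of the obligation slide (only one action allowed)."""
    rest = after(l, trace)
    return frozenset(a for a in actions(rest) if not isinstance(deriv(rest, a), Empty))

def fulfils(l: License, trace: Sequence[str]) -> bool:
    return nullable(after(l, trace))
def violated(l: License, trace: Sequence[str]) -> bool:
    return isinstance(after(l, trace), Empty)

# The lease from the slides with a constructed 30-day month:  l = sign lease (l1 U l2)*
DAYS = 30
l1 = seq(Act("pay $490"), *[Act(EPS)] * (DAYS - 1))             # pay $490 on day 1
l2 = seq(Act(EPS), Act("pay $500"), *[Act(EPS)] * (DAYS - 2))   # pay $500 on day 2
LEASE = Seq(Act("sign lease"), Star(Alt(l1, l2)))

if __name__ == "__main__":
    print(permitted_after(LEASE, []))                   # {'sign lease'}
    print(permitted_after(LEASE, ["sign lease", EPS]))  # {'pay $500'}: now obligated
```

Querying the lease this way makes the later obligation slide concrete: right after signing, both "pay $490" and $\varepsilon$ are permitted, but once the client has skipped day 1 the only permitted action is "pay $500", and doing nothing on day 2 leaves the license with no trace at all.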
What a client can do
Client can do any action of the form:
$\alpha ::= (a, n) \mid (\overline{a}, n)$
$(a, n)$: do action $a$ wrt license named $n$
$(\overline{a}, n)$: do not do action $a$ wrt license $n$
E.g. 'The client does not pay $490 for the lease' is written $(\overline{\mathit{pay\ \$490}}, \mathit{lease})$.
Writing properties and specs.
A formula $\varphi$ has the form:
$\varphi ::= \alpha \mid P(\alpha) \mid n{:}\ell \mid \bigcirc\varphi \mid \Box\varphi \mid \varphi_1\,\mathcal{U}\,\varphi_2 \mid \varphi_1 \wedge \varphi_2 \mid \neg\varphi$
$\alpha$: client does action expression $\alpha$
$P(\alpha)$: client permitted to do $\alpha$
$n{:}\ell$: license $\ell$ with name $n$ is issued
$\bigcirc\varphi$, $\Box\varphi$, $\varphi_1\,\mathcal{U}\,\varphi_2$: next time, always, until
$\varphi_1 \wedge \varphi_2$, $\neg\varphi$: and, not
Obligation
Can capture obligation using permission.
A client is obligated to do $(a, n)$ if she isn't permitted to do any other action, including the do-nothing action $\varepsilon$, wrt license $n$.
The client is obligated to do $(a, n)$ if $P(a, n) \wedge \neg P(\overline{a}, n)$ holds.
In our logic, the client is always permitted to do something, possibly $\varepsilon$, wrt each license. So $P(a, n) \wedge \neg P(\overline{a}, n) = \neg P(\overline{a}, n)$.
Examples
Property: When the lease is issued, the client must sign it.
$\mathit{lease}{:}\ell \Rightarrow \neg P((\overline{\mathit{sign}}, \mathit{lease}))$
Spec.: The client doesn't violate the lease. This means that once the lease is issued, the client meets all obligations and only does what's permitted. For all actions $a$:
$\mathit{lease}{:}\ell \Rightarrow \Box[(\neg P((\overline{a}, \mathit{lease})) \Rightarrow (a, \mathit{lease})) \wedge ((a, \mathit{lease}) \Rightarrow P((a, \mathit{lease})))]$
where $\ell = \mathit{sign}\,(\mathit{pay\ \$490}\ \ldots \cup \mathit{pay\ \$500}\ \ldots)^*$
Semantics
Idea from Halpern and van der Meyden, 'A logic for SDSI's linked local name spaces', 2001.
We have:
a run $r$ that says what happens at any time $t$. Specifically, $r(t) = (L, A)$ where $L$ are the licenses issued and $A$ are the client's actions done at time $t$;
a permission interpretation $\mathit{Pr}(t)$ that says what's allowed at time $t$, based on the run $r$.
Example
Suppose that at time $t$ in run $r$ the following lease is issued: $\ell = \mathit{sign}\,(\mathit{pay\ \$490}\ \ldots \cup \mathit{pay\ \$500}\ \ldots)^*$,
the client signs the lease, and the client ignores the credit card.
In this case $r(t) = (\{\mathit{lease}{:}\ell\}, \{(\mathit{sign}, \mathit{lease}), (\varepsilon, \mathit{cc})\})$
and $\mathit{Pr}(t) = \{(\mathit{sign}, \mathit{lease}), \ldots\}$.
Truth conditions
Let $r(t) = (L, A)$.
$r, t \models (a, n)$ iff $(a, n) \in A$
$r, t \models (\overline{a}, n)$ iff $\exists b \neq a$ such that $(b, n) \in A$
$r, t \models P((a, n))$ iff $(a, n) \in \mathit{Pr}(t)$
$r, t \models P((\overline{a}, n))$ iff $\exists b \neq a$ such that $(b, n) \in \mathit{Pr}(t)$
$r, t \models n{:}\ell$ iff $(n{:}\ell) \in L$
$\bigcirc\varphi$, $\Box\varphi$, $\varphi_1\,\mathcal{U}\,\varphi_2$, $\varphi_1 \wedge \varphi_2$, $\neg\varphi$ have the standard meanings.
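The truth conditions above, the obligation slide and the property and spec from the examples slide, worked through as a formula evaluator over a run. This is an added example, not code from the slides or the authors. Its assumptions, which the slides do not make: a run is a finite list $r[0..T-1]$; each $r[t]$ is a triple $(L, A, \mathit{Pr})$ of plain sets, so the permission interpretation $\mathit{Pr}(t)$ is supplied as data rather than derived from the licenses; at the last time step $\bigcirc\varphi$ is false and $\Box$ and $\mathcal{U}$ range over the remaining suffix (the usual finite-trace reading of LTL); and "for all actions $a$" ranges over a fixed finite action set. The class and function names, the action strings and the two sample runs are constructed for the example.

```python
# Added example (not the authors' code): the truth conditions on the slide as a
# formula evaluator over a finite run, with the slide-18 property and spec
# checked on two constructed runs of the lease.  Assumptions of this example,
# not of the slides: a run is a finite list r[0..T-1]; each r[t] = (L, A, Pr)
# gives the issued licenses, the client's actions and the permission
# interpretation Pr(t) as plain sets (the slides leave how Pr is obtained
# abstract); at the last step next-time is false and always/until range over
# the remaining suffix (finite-trace LTL); "for all actions a" ranges over ACTIONS.
from dataclasses import dataclass

EPS = "ε"

# Syntax: φ ::= α | P(α) | n:l | ○φ | □φ | φ1 U φ2 | φ1 ∧ φ2 | ¬φ,  α ::= (a, n) | (ā, n)
@dataclass(frozen=True)
class Do:          # (a, n); (ā, n) when neg is True
    a: str
    n: str
    neg: bool = False
@dataclass(frozen=True)
class Perm:        # P(α)
    alpha: Do
@dataclass(frozen=True)
class Issued:      # n:l
    n: str
    l: str
@dataclass(frozen=True)
class Next:        # ○φ
    f: object
@dataclass(frozen=True)
class Always:      # □φ
    f: object
@dataclass(frozen=True)
class Until:       # φ1 U φ2
    f1: object
    f2: object
@dataclass(frozen=True)
class And:         # φ1 ∧ φ2
    f1: object
    f2: object
@dataclass(frozen=True)
class Not:         # ¬φ
    f: object

def Implies(f1, f2):
    return Not(And(f1, Not(f2)))

def Obliged(a, n):
    """Obligation as on the obligation slide: ¬P((ā, n))."""
    return Not(Perm(Do(a, n, neg=True)))

def holds_action(alpha, S):
    """(a, n) holds in S iff (a, n) ∈ S;  (ā, n) holds iff ∃ b ≠ a with (b, n) ∈ S.
    S is A for 'the client does α' and Pr(t) for 'the client is permitted α'."""
    if not alpha.neg:
        return (alpha.a, alpha.n) in S
    return any(b != alpha.a and n == alpha.n for (b, n) in S)

def sat(r, t, f):
    """r, t ⊨ f, following the truth conditions line by line."""
    L, A, Pr = r[t]
    if isinstance(f, Do):     return holds_action(f, A)
    if isinstance(f, Perm):   return holds_action(f.alpha, Pr)
    if isinstance(f, Issued): return (f.n, f.l) in L
    if isinstance(f, Not):    return not sat(r, t, f.f)
    if isinstance(f, And):    return sat(r, t, f.f1) and sat(r, t, f.f2)
    if isinstance(f, Next):   return t + 1 < len(r) and sat(r, t + 1, f.f)
    if isinstance(f, Always): return all(sat(r, u, f.f) for u in range(t, len(r)))
    if isinstance(f, Until):
        return any(sat(r, u, f.f2) and all(sat(r, v, f.f1) for v in range(t, u))
                   for u in range(t, len(r)))
    raise TypeError(f)

LEASE = "sign (pay $490 … U pay $500 …)*"     # the license text from the slides; opaque here
ACTIONS = ["sign lease", "pay $490", "pay $500", EPS]   # constructed finite action set

def must_sign(n, l):
    """Slide-18 property: n:l ⇒ ¬P((ā, n)) with a = sign lease."""
    return Implies(Issued(n, l), Obliged("sign lease", n))

def no_violation(n, l):
    """Slide-18 spec, for all a in ACTIONS: n:l ⇒ □[(¬P((ā,n)) ⇒ (a,n)) ∧ ((a,n) ⇒ P((a,n)))]."""
    clauses = [And(Implies(Obliged(a, n), Do(a, n)), Implies(Do(a, n), Perm(Do(a, n))))
               for a in ACTIONS]
    body = clauses[0]
    for c in clauses[1:]:
        body = And(body, c)
    return Implies(Issued(n, l), Always(body))

def step(issued=(), done=(), permitted=()):
    return (frozenset(issued), frozenset(done), frozenset(permitted))

# Constructed runs.  t=0: lease issued, client signs.  t=1 (day 1): client may
# pay $490 or do nothing.  t=2 (day 2): what is permitted depends on day 1.
GOOD_RUN = [
    step(issued={("lease", LEASE)}, done={("sign lease", "lease")}, permitted={("sign lease", "lease")}),
    step(done={("pay $490", "lease")}, permitted={("pay $490", "lease"), (EPS, "lease")}),
    step(done={(EPS, "lease")}, permitted={(EPS, "lease")}),
]
BAD_RUN = [   # skips day 1 (allowed), then skips day 2 although only pay $500 is permitted
    GOOD_RUN[0],
    step(done={(EPS, "lease")}, permitted={("pay $490", "lease"), (EPS, "lease")}),
    step(done={(EPS, "lease")}, permitted={("pay $500", "lease")}),
]
```

On GOOD_RUN both the property `must_sign` and the spec `no_violation` hold at time 0; on BAD_RUN the spec fails at time 2, where the client is obligated to pay $500 (no other action is permitted, so $\neg P((\overline{\mathit{pay\ \$500}}, \mathit{lease}))$ holds) but does $\varepsilon$ instead, which is also not permitted. Evaluating a formula this way is polynomial in the run and exponential only through nesting of the formula, which matches the complexity claim later in the talk.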
How hard is reasoning?
We reduce satisfiability for our logic to that for Linear Temporal Logic (LTL).
Difference between the logics: our logic has $n{:}\ell$, $\alpha$, and $P(\alpha)$; LTL has a set of primitives.
Easy to encode our 'extras' as primitives. E.g. $\mathit{lease}{:}\ell$ becomes the primitive $\mathit{issued}(\mathit{lease}, \ell)$.
Also, easy to convert the runs.
But this isn't quite enough...
Encoding implied facts
Our logic has implicit notions that must be made explicit in LTL. These include:
No name refers to more than one license.
All the permissions and obligations implied by an issued license.
The encoding is given in the paper.
Complexity
Given our translation to LTL, we can use well-known results for LTL to show that:
Validity checking in our logic is PSPACE-complete.
Determining if a formula $\varphi$ holds at a particular time $t$ in a given run $r$ takes polynomial time wrt the size of $r(t)$ and exponential time wrt the size of $\varphi$.
Conclusions and future work
We have introduced a formal framework for reasoning about licenses. Small specifications can be analyzed efficiently.
The framework can be modified easily to handle different license languages that have trace-based semantics.
Where do we go from here?
Use the framework to compare different license languages.
Compare our framework to other approaches that talk about permissions.
Provide an axiomatization for our logic.