Formal methods for rights management Vicky Weissman
The big picture • Digital content providers want to write policies about their works. • A policy says that under certain conditions an action is permitted or forbidden. • The ACM has a digital library and policies such as ‘members may download articles’ and ‘members may not republish articles without explicit consent’. • They want their policies enforced.
Example • Miramax spends $100 million to make the movie ‘Big Hit’. • A warehouse employee ‘borrows’ a DVD and puts the movie on the web. • Without appropriate policy writing and enforcement, people can download the movie for free instead of buying it. • If enough people do this, then Miramax is in trouble.
It’s not just movies • Music industry voices same concern. (Our IP is being stolen!) • Digital libraries can’t put certain resources online, because of IP laws. • The Greek Orthodox Archdiocese of America wants to put resources online, but is wary of defamation.
XrML to the rescue • XrML is an XML-based language for writing policies. • Its semantics is given in two ways: • an English interpretation of the syntax, and • an English description of an algorithm that decides whether a set of XrML policies implies a permission. • Bottom line: write policies in XrML, enforce them using the algorithm.
Industry likes XrML • XrML is endorsed by Adobe, Hewlett-Packard, Microsoft, Xerox, Barnesandnoble.com, the MPEG International Standards Committee, … • Microsoft and others plan to make XrML-compliant products. • Will tomorrow’s DVD player enforce XrML policies?
XrML Shortcomings • No formal semantics. • Policies can be ambiguous. • The interpretation of the syntax doesn’t quite match the algorithm. • The algorithm’s behavior on some (realistic) input is unintuitive and unintended by the language designers. • E.g., if Alice is a student and any student may eat lunch, may Alice eat lunch? The algorithm says no.
Improving XrML (joint work with Joe Halpern, CSFW ’04) • Fix the algorithm to match the developers’ intent. • Translate XrML policies to formulas in first-order logic. • Prove that our translation matches the algorithm: • the algorithm says the policies imply a permission iff the translated policies imply the translated permission. • Why translate? • It lets us compare XrML with languages in the CS literature and borrow complexity results, extensions, … • It gives XrML a formal semantics (no ambiguity).
Consider complexity • Show that determining if a permission follows from a set of XrML policies is NP-hard. • Find tractable fragments that are almost as expressive.
First step: Present XrML syntax • XrML is an XML-based language. • XrML policies are verbose. • So, we present a syntax that is • more concise and • easy to map to XrML syntax.
Basic components • Principals • Agents (e.g., Alice, the University). • Resources • Digital content (e.g., CS431 Syllabus) • Rights • Actions (e.g., download, play, edit) • Properties • Describe a principal (e.g., student, smart).
Syntax • Princ ::= p | vp | Princ ∪ Princ. • Rsrc ::= s | vs. • Right ::= r | vr. • Prop ::= pr. • p, s, r, and pr are application-defined; vp, vs, and vr are variables; ∪ is the union operator.
Principals revisited • The set of principals is closed under union. • E.g., the principals include Alice, Bob, and {Alice, Bob}. • Who is {Alice, Bob}? • {Alice, Bob} is Alice and Bob in cahoots. • Suppose Alice has a key; does {Alice, Bob} have it? Yes. • Suppose that Alice is quiet; is {Alice, Bob} quiet? Not necessarily.
Question • Does a set of principals have the properties of its members? • The XrML interpretation of ∪ doesn’t say. • The XrML algorithm makes the assumption in one routine, but not in another. • Since XrML doesn’t answer the question… • We don’t make the assumption. • But one can easily write policies to force it.
Syntax (cont.) • grant ::= cond → conc. • If cond holds, then conc holds. • conc ::= Pr(p) | Perm(p, r, s). • Pr(p) means principal p has property pr; Perm(p, r, s) means p is permitted to exercise right r over resource s. • cond ::= true | conc | cond ∧ cond.
Examples • Can write: • ‘Alice is nice’ as true → Nice(Alice). • ‘Anyone who pays $2 may play ‘Big Hit’’ as Pay$2(x) → Perm(x, play, ‘Big Hit’). • ‘Anyone who is nice and pays $1 may play ‘Big Hit’’ as Nice(x) ∧ Pay$1(x) → Perm(x, play, ‘Big Hit’).
The syntax given here is a fragment of XrML.
XrML Algorithm • Let G be a set of grants. • Auth algorithm • Input: G and e, where e is a var-free conc. • Output: true iff e follows from G. • Auth calls the CondMet algorithm. • CondMet input: d, a var-free cond. • Output: true iff d holds.
Auth algorithm Auth(G, e) • Find the set D of var-free conds such that d ∈ D iff some grant g ∈ G, under some substitution, is d → e. (In other words, find D such that if any d ∈ D holds, then a grant in G implies e.) • Return the disjunction of CondMet(d) over all d ∈ D.
CondMet algorithm CondMet(d) • If d is true, return true. • If d is a conc, return Auth(∅, d). • If d is e1 ∧ … ∧ en, where E is the set of concs in d, return the conjunction of Auth(∅, e) over all e ∈ E.
Example • Let g = true → Student(Alice) and g’ = Student(x) → Perm(x, eat, lunch). • May Alice eat lunch? • Auth({g, g’}, Perm(Alice, eat, lunch)) finds D = {Student(Alice)} and calls CondMet(Student(Alice)). • CondMet calls Auth(∅, Student(Alice)): g is lost! • Auth(∅, Student(Alice)) finds D = ∅ and returns false.
Algorithm Fix • Let G be a set of grants. • Auth algorithm • Input: G and e, where e is a var-free conc. • Output: true iff e follows from G. • Auth calls the CondMet algorithm. • CondMet input: G and d, where d is a var-free cond. • Output: true iff d holds.
Auth algorithm Auth(G, e) • Find the set D of var-free conds such that d ∈ D iff some grant g ∈ G, under some substitution, is d → e. (In other words, find D such that if any d ∈ D holds, then a grant in G implies e.) • Return the disjunction of CondMet(G, d) over all d ∈ D.
CondMet algorithm CondMet(G, d) • If d is true, return true. • If d is a conc, return Auth(G, d). • If d is e1 ∧ … ∧ en, where each ei is a conc, return the conjunction of Auth(G, ei) over all i ≤ n.
Problem: Termination • Auth does not terminate on all inputs. • E.g., let g = e → e, where e is var-free. • Auth({g}, e) finds D = {e} and calls CondMet({g}, e). • CondMet calls Auth({g}, e), and the cycle repeats.
Termination Fix • Keep track of the concs given as input to Auth. • Auth({g}, e, ∅) finds D = {e} and calls CondMet({g}, e, {e}). • CondMet calls Auth({g}, e, {e}). • Auth({g}, e, {e}) detects the loop and returns false.
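As an added example, not code from the slides or from the CSFW paper, here is the corrected Auth/CondMet algorithm of the preceding slides in Python, with the grant set G threaded through CondMet and a "seen" set for the termination fix, next to the original version that drops G inside CondMet. The tuple encoding of grants, the '?x' variable convention, the frozenset encoding of union principals and the sample policies are assumptions of this example; it also restricts grants so that every variable in a cond occurs in the grant's conclusion.

```python
# Added example (not the slides' code).  Encoding used here (an assumption):
#   conc  = ('Prop', name, principal)  or  ('Perm', principal, right, resource)
#   cond  = tuple of concs; the empty tuple () stands for 'true'
#   grant = (cond, conc)                 meaning  cond -> conc
#   a term is a constant string, a variable '?x', or a union principal
#   written as a frozenset of constants (so p1 ∪ p2 == p2 ∪ p1 for free).

def is_var(term):
    """Variables are strings starting with '?' (an encoding choice here)."""
    return isinstance(term, str) and term.startswith('?')

def unify_term(pattern, value, subst):
    """Bind or check one term of a grant against one term of the query."""
    if is_var(pattern):
        if pattern in subst:
            return subst[pattern] == value
        subst[pattern] = value
        return True
    return pattern == value

def unify_conc(pattern, value, subst):
    """True iff the grant's conclusion matches e under an extension of subst."""
    if len(pattern) != len(value) or pattern[0] != value[0]:
        return False
    return all(unify_term(p, v, subst) for p, v in zip(pattern[1:], value[1:]))

def substitute(conc, subst):
    return tuple(subst.get(t, t) if isinstance(t, str) else t for t in conc)

def find_d(grants, e):
    """The set D of the slides: every var-free cond d such that some grant in
    G, under a substitution, is d -> e.  Restriction of this example: the
    substitution obtained by matching the conclusion must ground d."""
    D = []
    for cond, conc in grants:
        subst = {}
        if not unify_conc(conc, e, subst):
            continue
        d = tuple(substitute(c, subst) for c in cond)
        if any(is_var(t) for c in d for t in c):
            continue
        D.append(d)
    return D

def auth(grants, e, seen=frozenset()):
    """Fixed Auth(G, e, seen): true iff e follows from G."""
    if e in seen:                      # termination fix: loop detected
        return False
    seen = seen | {e}
    return any(cond_met(grants, d, seen) for d in find_d(grants, e))

def cond_met(grants, d, seen):
    """Fixed CondMet(G, d, seen): d is true (), a conc, or a conjunction."""
    return all(auth(grants, ei, seen) for ei in d)   # all(()) is True

def auth_original(grants, e):
    """The algorithm as first presented: CondMet calls Auth with no grants."""
    return any(cond_met_original(d) for d in find_d(grants, e))

def cond_met_original(d):
    return all(auth_original((), ei) for ei in d)

# Constructed sample policies following the talk's examples.
E = ('Perm', 'Alice', 'eat', 'lunch')
STUDENT_LUNCH = (
    ((), ('Prop', 'Student', 'Alice')),                              # true -> Student(Alice)
    ((('Prop', 'Student', '?x'),), ('Perm', '?x', 'eat', 'lunch')),  # Student(x) -> Perm(x, eat, lunch)
)
BIG_HIT = (
    ((), ('Prop', 'Nice', 'Bob')),
    ((), ('Prop', 'Pay$1', 'Bob')),
    ((), ('Prop', 'Nice', 'Carol')),
    ((('Prop', 'Nice', '?x'), ('Prop', 'Pay$1', '?x')), ('Perm', '?x', 'play', 'Big Hit')),
)
LOOP = (((E,), E),)                                   # the single grant e -> e
JOINT = (((), ('Perm', frozenset({'Alice', 'Bob'}), 'edit', 'doc')),)

if __name__ == '__main__':
    print(auth_original(STUDENT_LUNCH, E))                       # False: g is lost
    print(auth(STUDENT_LUNCH, E))                                # True
    print(auth(BIG_HIT, ('Perm', 'Bob', 'play', 'Big Hit')))     # True
    print(auth(BIG_HIT, ('Perm', 'Carol', 'play', 'Big Hit')))   # False: Carol never paid
    print(auth(LOOP, E))                                         # False, and it terminates
    print(auth(JOINT, ('Perm', frozenset({'Bob', 'Alice'}), 'edit', 'doc')))  # True
```

The `seen` set is passed down rather than kept globally so that a conc may legitimately be re-derived on a different branch; only a conc that is already on the current call chain counts as a loop.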
The fixed algorithm is correct. • Auth(G, e) should return true only if there is a sequence S of grants d1 → e1, …, dn → en, where • each grant is a grant in G under some substitution; • di follows from e1, …, ei-1; and • en is e. • The corrected algorithm finds S, if it exists.
Translation • Let s^T be the translation of any string s. • Grants are a bit tricky. • (d → e)^T = ∀x1, …, xn (d^T → e^T), where x1, …, xn are the vars in d and e. • If a grant g is a resource (like a certificate), g^T is a constant. • Everything else translates to itself. • E.g., R(Bob)^T = R(Bob); (p1 ∪ p2)^T = p1 ∪ p2.
Translation is correct. • Definition: A good model satisfies the union properties (p1 ∪ p2 = p2 ∪ p1, …). • Theorem: For every set G of grants and every var-free conc e in XrML, the (fixed) Auth(G, e) returns true iff (⋀_{g ∈ G} g^T) → e^T is true in every good model.
Complexity • Determining if a set of XrML grants implies a conc is NP-hard. • Given the translation, this is easy to prove. • Given the proof, it’s easy to see that the result depends on the ∪ operator. • Suppose we remove ∪ from the grammar. • XrML then translates to Datalog, a well-known tractable fragment of first-order logic. • Given the translation, finding a tractable, fairly expressive fragment is easy.