Learn how to prevent theft by following parental advice and trusting a law-abiding community. Explore the concept of law-governed interactions and the implementation of communal access control in preventing theft.
Preventing Theft By Keeping Good Company
Naftaly Minsky, Rutgers University
Outline
• A real-life example: the theft of theater seats.
• Parental advice about avoiding theft.
• How to realize the parental advice over the internet.
Theft of Theater Seats—an Example
• Suppose that a theater issues only one ticket for every seat, at any given performance, and that no one is admitted without a ticket.
• A theater ticket is a transferable right to occupy a specified seat at a given performance, and may change many hands before it is purchased by one who attempts to use it.
• But tickets can be forged, so one might find his seat occupied (stolen) when coming to the theater.
• Question: what can one do to avoid such theft?
What Did Our Parents Tell Us?
• “Associate only with honest, law-abiding individuals”.
• This must mean, in this case, to accept tickets only from somebody you trust:
  • not to be a forger;
  • to have a “good education”, i.e., to follow this parental advice.
• So, one ends up trusting a whole, recursively defined, community to be law-abiding.
• The theater-goers constitute such a community, more or less.
• Can such a law-abiding community be realized over the internet?
• This should help prevent some thefts, and other mishaps.
Access-Control to the Rescue
• But conventional access control is server-centric.
[Figure: a server guarded by a Reference Monitor (RM).]
The Need to Support Communal AC Policy
[Figure: an enterprise governed by an enterprise-wide (communal) policy P; one arrow is labeled "delegate".]
The Concept of Law-Governed Interaction (LGI)
• LGI is a message-exchange mechanism that enables a community of distributed agents to interact under an explicit and strictly enforced policy, called the “law” of this community.
• Some characteristics of LGI:
  • Laws are about the interaction between agents; LGI is a generalized access-control mechanism.
  • Laws are about local behavior, but they have global, communal implications, because everybody in the given community is subject to the same law.
  • Incremental deployment, and efficient execution.
  • Enforcement is decentralized, for scalability.
• To be released in May 2005, via: http://www.cs.rutgers.edu/moses/
Centralized Enforcement of Communal Laws
[Figure: agents u, v, x and y exchange messages (m, m') through a single reference monitor that holds L, I and S.]
Legend: L: explicit statement of a law; I: policy interpreter; S: the interaction state of the community.
• The problems: potential congestion, and a single point of failure.
• Replication does not help if S changes rapidly enough.
Distributed Law-Enforcement under LGI
[Figure: each agent (u, v, x, y) has its own controller holding L, I and a local state (Su, Sv, Sx, Sy); messages m, m', m'' pass from controller to controller.]
The Local Nature of LGI Laws
• Laws are defined locally, at each agent:
  • They deal explicitly only with local events, such as the sending or arrival of a message.
  • The ruling of a law for an event e at agent x is a function of e, and of the local control state CSx of x.
  • A ruling can mandate only local operations at x.
• This localization does not reduce the expressive power of LGI laws,
• and it provides scalability for many (not all) laws.
On the Basis for Trust between Members of a Community
[Figure: agents x and y, with controllers Cx and Cy holding L, I and control states CSx and CSy; the message passed between the controllers is [m',hash(L)].]
• For a member of an L-community to trust its interlocutors to comply with the same law, one needs to ensure:
  • that the exchange of L-messages is mediated by correctly implemented controllers;
  • that interacting controllers operate under the same law L.
• Such assurances are provided, basically, via certification of controllers, and the exchange of the hash of the law.
Deployment of LGI via Distributed TCB (DTCB)
[Figure: controller servers host controllers (I); agents x and y each issue adopt(L, name) to a controller and then exchange messages m, m', m'' through the controllers.]
A Law-Abiding Community of Theater-Goers
[Figure: the theater releases tickets (T) to theater-goers operating under law L; tickets pass between them via transfer, and are presented to the theater via enter.]
A Qualification about “Enforcement”
• It is not possible to compel anybody to operate under any particular law, or to use LGI, for that matter.
• Yet, an agent may be effectively compelled to exchange L-messages, if it needs services provided only under this law.
• In our case, for example, if the theater admits only via L-messages, then theater-goers would have to use L-messages to get tickets, and so would “street vendors”, if they want their tickets to be purchased.
The Theater Law (Written in Prolog)
• R1. certified([issu(CA),subj(X),attr([role(theater)])]) :- do(+role(theater)).
• R2. sent(H,releaseTicket(t(H,P)),Y) :- role(theater)@CS, do(forward).
• R3. arrived(H,releaseTicket(t(H,P)),Y) :- do(+t(H,P)), do(deliver).
• R4. sent(X,transfer(t(H,P)),Y) :- t(H,P)@CS, do(-t(H,P)), do(forward).
• R5. arrived(X,transfer(t(H,P)),Y) :- do(+t(H,P)), do(deliver).
• R6. sent(X,enter(t(H,P)),H) :- t(H,P)@CS, do(-t(H,P)), do(forward).
• R7. arrived(X,enter(t(H,P)),H) :- do(deliver).
The Theater Law (part 1)
• R1. certified([issu(CA),subj(X),attr([role(theater)])]) :- do(+role(theater)).
  An agent may claim the role of a theater by presenting an appropriate certificate issued by cityHall.
• R2. sent(H,releaseTicket(t(H,P)),Y) :- role(theater)@CS, do(forward).
  Only a theater can release tickets, and only its own.
• R3. arrived(H,releaseTicket(t(H,P)),Y) :- do(+t(H,P)), do(deliver).
  An arriving ticket is maintained in the CS of the receiver.
The Theater Law (part 2)
• R4. sent(X,transfer(t(H,P)),Y) :- t(H,P)@CS, do(-t(H,P)), do(forward).
  Transferring a ticket to somebody else.
• R5. arrived(X,transfer(t(H,P)),Y) :- do(+t(H,P)), do(deliver).
  Receiving a transferred ticket.
• R6. sent(X,enter(t(H,P)),H) :- t(H,P)@CS, do(-t(H,P)), do(forward).
  Entering a theater, with a valid ticket.
• R7. arrived(X,enter(t(H,P)),H) :- do(deliver).
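The rules R1–R7, together with the hash-of-law exchange from the slide on trust between community members, can be exercised in a small simulation. This is an added example, not code from the slides or from the LGI implementation; the Python `Controller` class, the agent names, the seat value and the use of SHA-256 for the law hash are assumptions made for illustration.

```python
import hashlib
# Constructed stand-in for hash(L); a real controller would hash the law text.
LAW_HASH = hashlib.sha256(b"theater law, rules R1-R7").hexdigest()

class Controller:
    """Mediates one agent's L-messages and keeps its control state (CS)."""
    def __init__(self, agent, net, theater_cert=False):
        self.agent, self.net, self.cs, self.delivered = agent, net, set(), []
        if theater_cert:                      # R1: certificate adds the role
            self.cs.add("role(theater)")
        net[agent] = self

    def send(self, kind, ticket, dest):
        host = ticket[0]                      # ticket t(H,P) modeled as (H, P)
        if kind == "releaseTicket":           # R2: a theater, its own tickets
            ok = "role(theater)" in self.cs and host == self.agent
        elif kind == "transfer":              # R4: ticket must be in CS
            ok = ticket in self.cs
        elif kind == "enter":                 # R6: in CS, sent to theater H
            ok = ticket in self.cs and dest == host
        else:
            ok = False
        if not ok:
            return False                      # no rule applies: not forwarded
        if kind != "releaseTicket":
            self.cs.discard(ticket)           # do(-t(H,P)): sender gives it up
        return self.net[dest].arrive(self.agent, kind, ticket, LAW_HASH)

    def arrive(self, sender, kind, ticket, peer_law_hash):
        if peer_law_hash != LAW_HASH:         # peer operates under another law
            return False
        if kind in ("releaseTicket", "transfer"):
            self.cs.add(ticket)               # R3, R5: do(+t(H,P))
        self.delivered.append((sender, kind, ticket))   # do(deliver)
        return True

def demo():
    net, t = {}, ("theater", "seat-12")       # constructed sample ticket
    theater = Controller("theater", net, theater_cert=True)
    alice, bob, mallory = (Controller(n, net) for n in ("alice", "bob", "mallory"))
    return {
        "release": theater.send("releaseTicket", t, "alice"),
        "forged_release": mallory.send("releaseTicket", t, "bob"),
        "forged_transfer": mallory.send("transfer", t, "bob"),
        "transfer": alice.send("transfer", t, "bob"),
        "resell_after_transfer": alice.send("transfer", t, "mallory"),
        "foreign_law": bob.arrive("mallory", "transfer", t, "0" * 64),
        "enter": bob.send("enter", t, "theater"),
        "enter_again": bob.send("enter", t, "theater"),
    }
```

Only the legitimate release, transfer and first entry succeed: the forged and repeated operations fail because the ticket term is absent from the sender's CS, and the foreign-law message fails on the hash comparison.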