1 / 49

A Formal Foundation for XrML

A Formal Foundation for XrML. Vicky Weissman Joint work with Joe Halpern. The big picture. A policy says that under certain conditions an action, such as downloading a file, is permitted or forbidden. Digital content providers want

mali
Download Presentation

A Formal Foundation for XrML

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Formal Foundation for XrML Vicky Weissman Joint work with Joe Halpern

  2. The big picture • A policy says that under certain conditions an action, such as downloading a file, is permitted or forbidden. • Digital content providers want • to write policies about how their works may be accessed, and • they want their policies enforced.

  3. Diverse apps – same need Because we can’t regulate access to online content with precision: • Digital libraries can’t put certain content online; it might violate IP laws. • The Greek Orthodox Archdiocese of America is wary of defamation. • Cultural traditions aren’t respected. (Australian Aboriginal communities often restrict access to a clan or gender.)

  4. XrML to the rescue • XrML is a language for writing policies. • Syntax is XML-based. • Semantics is given in 2 ways. • An English interpretation of the syntax. • An English description of an algorithm that says if a set of XrML policies imply a permission. • Bottom line: write policies in XrML, enforce using the algorithm.

  5. Industry likes XrML • XrML endorsed by Adobe, Hewlett-Packard, Microsoft, Xerox, Barnesandnoble.com, MPEG International Standards Committee… • Microsoft and others plan to make XrML-compliant products. • Will tomorrow’s OS, DVD player, … enforce XrML policies?

  6. XrML Shortcomings • No formal semantics. • Policies can be ambiguous. • The interpretation of the syntax doesn’t quite match the algorithm. • The algorithm’s behavior on some (realistic) input is unintuitive and unintended by language designers. • E.g. If Alice is a student and every student may eat lunch, may Alice? Alg. says no.

  7. Improving XrML • Fix the algorithm to match developers’ intent. • Translate XrML policies to formulas in modal first-order logic. • Lets us compare XrML with languages in CS literature, borrow complexity results, extensions,… • Formal semantics given in a fairly standard way. • Prove our translation matches the algorithm. • Algorithm says policies imply a permission iff translated policies imply translated permission.

  8. First step: Choose a version • Options: • XrML published by ContentGuard, • XrML modified by MPEG standards committee, • 2003 version, or • Wait for 2004 release, an ISO standard. • We chose the 2003 version. • Bugs we find can be fixed. • We refer to the 2003 version as XrML.

  9. XrML syntax • XrML is an XML-based language. • XrML policies are verbose. • So, we present a syntax that is • more concise and • easy to map to XrML syntax.

  10. Syntax • Principals • Agents (e.g., Alice, Bob) • Resources • Digital content (e.g., a movie, an article) • Rights • Actions (e.g., play, edit) • Properties • Describe a principal (e.g., adult, trusted)

  11. Syntax (cont.) • Statements • Stmt ::= Pr(p) | Perm(p, r, s) | true • Pr(p) means principal p has property Pr. • Perm(p, r, s) means p is permitted to exercise right r over resource s.

  12. Syntax (cont.) • Statements • Stmt ::= Pr(p) | Perm(p, r, s) | true • Pr(p) means principal p has property Pr. • Perm(p, r, s) means p is permitted to exercise right r over resource s.

  13. Syntax (cont.) • Statements • Stmt ::= Pr(p) | Perm(p, r, s) | true • Pr(p) means principal p has property Pr. • Perm(p, r, s) means p is permitted to exercise right r over resource s.

  14. Syntax (cont.) • Statements • Stmt ::= Pr(p) | Perm(p, r, s) | true • Pr(p) means principal p has property Pr. • Perm(p, r, s) means p is permitted to exercise right r over resource s.

  15. Stmt ::= Pr(p) | Perm(p, r, s) | true Syntax (cont.) • grant ::=x1…xn(Stmt … Stmt  Stmt) • If condition holds, then conclusion holds. • In our fragment, grants are closed (no free variables). • license ::= (grant, principal) • (g, p) means p issues/says g. condition conclusion

  16. Examples • Can write: • `Joe is a professor’ as true  Prof(Joe) and • Vicky says `Every professor who gives a talk may have a cookie’ as (x (Prof(x)  GivesTalk(x)  Perm(x, eat, cookie)), Vicky).

  17. Examples • Can write: • `Joe is a professor’ as true  Prof(Joe) and • Vicky says `Every professor who gives a talk may have a cookie’ as (x (Prof(x)  GivesTalk(x)  Perm(x, eat, cookie)), Vicky).

  18. Examples • Can write: • `Joe is a professor’ as true  Prof(Joe) and • Vicky says `Every professor who gives a talk may have a cookie’ as (x (Prof(x)  GivesTalk(x)  Perm(x, eat, cookie)), Vicky).

  19. Principals – in some detail • Set of principals is the set of primitive principals (e.g., Alice, Bob) closed under union. E.g., Alice  Bob is a principal. • Often written as {Alice, Bob}. • According to the XrML doc, {p1,.., pn} represents p1, …, pn “acting together as one holistic identified entity”. • But what does this mean?

  20. Groups/members relationship • Suppose that Alice has property PrA and the group {Alice, …} has property Prg. • What should we infer? • Option 1: nothing. • Option 2: {Alice, …} has property PrA. • Option 3: Alice has property Prg.

  21. Groups/members relationship • Suppose that Alice has property PrA and group {Alice, …} has property Prg. • What should we infer? • Option 1: nothing. • Option 2: {Alice, …} has property PrA. • Option 3: Alice has property Prg. • XrML chooses each of these options (at different points in the specification).

  22. Groups/members relationship • Suppose that Alice has property PrA and group {Alice, …} has property Prg. • What should we infer? • Option 1: nothing. • Option 2: {Alice, …} has property PrA. • Option 3: Alice has property Prg. • XrML chooses each of these options (at different points in the specification). No formal semantics  language is inconsistent!

  23. Our fix • Since XrML is inconsistent… • We do not assume that a group has the properties of its members or vice-versa. • But can easily write policies to force either relationship (or both).

  24. The syntax given here is a fragment of XrML. (See paper for details.)

  25. XrML Algorithm • Query(s,L,G) algorithm • s is a closed statement. • L is a set of licenses. • G is a set of grants that implicitly hold. • Returns true if s “follows” from L and G. • Query calls Auth and Holds.

  26. Auth Algorithm • Recall • s is a closed statement. • L is a set of licenses. • G is a set of grants that implicitly hold. • A condition is a conjunction of statements. • Auth(s, L, G) returns a set D of closed conditions; s “follows” from L and G if a condition in D “holds”.

  27. Holds Algorithm • Holds(d,L) algorithm • d is a closed condition. • L is a set of licenses. • Returns true if d “follows” from L.

  28. Query(s, L, G) overview Query(s, L, G) Set D to the output of Auth(s, L, G) Return dD Holds(d, L) • s is a closed statement, L is a set of licenses, and G is a set of grants that hold implicitly. • s “follows” from L and G if a condition in the output of Auth(s, L, G) “holds”. • Holds(d, L) returns true if d “follows” from L.

  29. Problem • Let g = true  Student(Alice), g’ = x(Student(x)  Perm(x, eat, lunch)) • May Alice eat lunch? • Query(Perm(Alice, eat, lunch), , {g, g’})

  30. Problem • Let g = true  Student(Alice), g’ = x(Student(x)  Perm(x, eat, lunch)) • May Alice eat lunch? • Query(Perm(Alice, eat, lunch), , {g, g’}) • Query calls Auth(Perm(Alice, eat, lunch), , {g, g’}). • Auth returns {Student(Alice)}.

  31. Problem • Let g = true  Student(Alice), g’ = x(Student(x)  Perm(x, eat, lunch)) • May Alice eat lunch? • Query(Perm(Alice, eat, lunch), , {g, g’}) • Query calls Auth(Perm(Alice, eat, lunch), , {g, g’}). • Auth returns {Student(Alice)}. • Query calls Holds(Student(Alice), ). lost g!

  32. Problem • Let g = true  Student(Alice), g’ = x(Student(x)  Perm(x, eat, lunch)) • May Alice eat lunch? • Query(Perm(Alice, eat, lunch), , {g, g’}) • Query calls Auth(Perm(Alice, eat, lunch), , {g, g’}). • Auth returns {Student(Alice)}. • Query calls Holds(Student(Alice), ). • Holds returns false; so, Query returns false. lost g!

  33. The fix • To correct the problem, pass G to Holds and modify Holds to use the new info. • Bug is easy to find and easy to fix, but still made it into the released March 2003 version of the spec.

  34. Another bug • Query(s, , {x(Perm(p, issue, x)  s)}) • Query calls Auth on same input. • Auth returns {Perm(p, issue, g) | g is a grant}. • Recall: Auth output is a set of closed conditions. • Query calls Holds on each returned condition.

  35. Another bug • Query(s, , {x(Perm(p, issue, x)  s)}) • Query calls Auth on same input. • Auth returns {Perm(p, issue, g) | g is a grant}. • Recall: Auth output is a set of closed conditions. • Query calls Holds on each returned condition. • The set of grants is infinite. • g0 = true  Student(Alice) • gi = true  Perm(Bob, issue, gi-1), i = 1, … • D is an infinite set; so, Query doesn’t terminate.

  36. Our fix • Restrict the grants in the language. • If a grant g has a condition d, d mentions a resource variable x, and x is free in d, then x is free in g’s conclusion. • Easy to prove that if the restriction is met, then Auth always returns a finite set. • Can make an empirical argument for why this restriction is okay.

  37. But that’s not all… In this small fragment of XrML, there are 2 other bugs. See paper for details.

  38. The translation • The translation is fairly straightforward. • Two points worth noting: • Query assumes that a grant g holds, if it’s issued by some trusted principal (i.e., a principal whose permitted to issue g). • Holds(d, L, G) returns true iff d logically follows from L and G. So, a condition d holds iff d logically follows from L and G. • The translation depends on L and G.

  39. Correctness • Thm: the fixed Query(s, L, G) returns true iff lLl L,G gGgL,G sL,G is true in every model that satisfies the union properties (p1p2 = p2p1, …). • tL,G is the translation of t wrt L and G.

  40. Complexity • The XrML alg. runs in exponential time. • The XrML document says that the language implementers are responsible for optimizations. • But using the translation, we can prove that…

  41. Complexity • Determining if a set of XrML grants imply a statement is NP-hard. • This is because the language supports sets of primitive principals. • If we remove  from the language… • XrML translates (essentially) to Datalog, which is a well-known tractable language. • Given the translation, finding a tractable, fairly expressive fragment is easy.

  42. Summary • Industry wants to implement XrML but … • XrML has no formal semantics • and needs them! • We give formal semantics to a representative fragment of XrML. • Even a small fragment is intractable. • We can leverage results in the CS literature to find fairly expressive, tractable options. • Next step: Add negation to XrML. • This is critical for merging policies.  Two minor bugs in paper (don’t effect results); corrected version online.

  43. talk ends on preceding slide

  44. Sample XrML policy • Consider the policy `anyone may play the movie `Big Hit’ for $2 (per use)’. • We could write this policy in XrML as…

  45. <license> <grant><forAllvarName="anyone" /> <!--This is saying that anyone can use this grant.--> <principalvarRef="anyone" /> <!--The right to play the movie is granted--> <cx:play/> <!--This is the movie that we are giving access to. --> <cx:digitalWork> <cx:title>Big Hit </cx:title> </cx:digitalWork> <!--$2.00 each--> <sx:fee> <sx:paymentPerUse> <sx:rate currency="USD">2.00</ sx:rate> </sx:paymentPerUse </sx:fee> </grant> </license>

  46. The translation • We now translate XrML licenses and grants to “equivalent” formulas in modal first-order logic. • The translation relies on which licenses have been issued and which grants implicitly hold. • Let sL,G be the translation of any string s wrt the input parameters L and G.

  47. Translation (cont.) • Except for licenses and grants, translation is easy. • We assume a constant cg for each grant g • Perm(p, issue, g)L,G = Perm(p, issue, cg) • (d1 d2)L,G = d1L,G d2L,G, • Pr(p)L,G = Pr(p), and • trueL,G = true

  48. Translating licenses • Recall: (g, p) means p said g. • According to Query, • if p may issue g, then (g,p) means that g holds • otherwise, (g, p) is meaningless • Option 1: (g, p)L,G = Said(p, cg), • restrict to models satisfying the axiom scheme Said(p, cg)  Perm(p, issue, cg)  gL,G • Option 2: (g, p)L,G = Perm(p, issue, cg)  gL,G

  49. Translating grants • x1…xn(d e)L,G = x1…xn (Holds(d, L, G)  eL,G) • Holds(d, L, G) returns true iff d is a logical consequence of L and G. • Define a modal operator Val, where Val() is true in a model m iff  is true in all models. Holds(d, L, G)=Val(lL l L,G gGgL,G dL,G )

More Related