Formal methods for rights management - PowerPoint PPT Presentation
1
Formal methods for rights management
  • Vicky Weissman

2
The big picture
  • Digital content providers want to write policies
    about their works.
  • A policy says that under certain conditions an
    action is permitted or forbidden.
  • The ACM has a digital library and policies:
    members may download articles; members may not
    republish articles without explicit consent.
  • They want their policies enforced.

5
Example
  • Miramax spends $100 million to make the movie
    Big Hit.
  • A warehouse employee borrows a DVD and puts the
    movie on the web.
  • Without appropriate policy writing and
    enforcement, people can download the movie for
    free, instead of buying it.
  • If enough people do this, then Miramax is in
    trouble.

6
It's not just movies
  • The music industry voices the same concern
    ("Our IP is being stolen!").
  • Digital libraries can't put certain resources
    online, because of IP laws.
  • The Greek Orthodox Archdiocese of America wants
    to put resources online, but is wary of
    defamation.

7
XrML to the rescue
  • XrML is an XML-based language for writing
    policies.
  • Semantics is given in 2 ways:
  • an English interpretation of the syntax, and
  • an English description of an algorithm that says
    whether a set of XrML policies implies a permission.
  • Bottom line: write policies in XrML, enforce
    using the algorithm.

8
Industry likes XrML
  • XrML is endorsed by Adobe, Hewlett-Packard,
    Microsoft, Xerox, Barnesandnoble.com, and the MPEG
    International Standards Committee.
  • Microsoft and others plan to make XrML-compliant
    products.
  • Will tomorrow's DVD player enforce XrML policies?

9
XrML Shortcomings
  • No formal semantics.
  • Policies can be ambiguous.
  • The interpretation of the syntax doesn't quite
    match the algorithm.
  • The algorithm's behavior on some (realistic)
    input is unintuitive and unintended by the
    language designers.
  • E.g., if Alice is a student and any student may
    eat lunch, may Alice? The algorithm says no.

10
Improving XrML
Joint work with Joe Halpern (CSFW 04)
  • Fix the algorithm to match the developers' intent.
  • Translate XrML policies to formulas in
    first-order logic.
  • Prove our translation matches the algorithm.
  • Algorithm says policies imply permission iff
    translated policies imply translated permission.
  • Why translate?
  • Lets us compare XrML with languages in the CS
    literature, borrow complexity results,
    extensions, …
  • Gives XrML formal semantics (no ambiguity).

11
Consider complexity
  • Show that determining if a permission follows
    from a set of XrML policies is NP-hard.
  • Find tractable fragments that are almost as
    expressive.

12
First step: present XrML syntax
  • XrML is an XML-based language.
  • XrML policies are verbose.
  • So, we present a syntax that is
  • more concise and
  • easy to map to XrML syntax.

13
Basic components
  • Principals
  • Agents (e.g., Alice, the University).
  • Resources
  • Digital content (e.g., CS431 Syllabus)
  • Rights
  • Actions (e.g., download, play, edit)
  • Properties
  • Describe a principal (e.g., student, smart).

14
Syntax
  • Princ ::= p | vp | Princ ∪ Princ.
  • Rsrc ::= s | vs
  • Right ::= r | vr
  • Prop ::= pr
  • p, s, r, and pr are application-defined,
    vp, vs, and vr are variables, ∪
    is the union operator.

19
Principals revisited
  • The set of principals is closed under union.
  • E.g., principals include Alice, Bob, and
    {Alice, Bob}.
  • Who is {Alice, Bob}?
  • {Alice, Bob} is Alice and Bob in cahoots.
  • Suppose Alice has a key; does {Alice, Bob} have
    it? Yes.
  • Suppose that Alice is quiet; is {Alice, Bob}
    quiet? Not necessarily.

20
Question
  • Does a set of principals have the properties of
    its members?
  • XrML's interpretation of ∪ doesn't say.
  • The XrML algorithm makes the assumption in one
    routine, but not in another.
  • Since XrML doesn't answer the question,
  • we don't make the assumption.
  • But one can easily write policies to force it.

25
Syntax (cont.)
  • grant ::= cond → conc.
  • If cond holds, then conc holds.
  • conc ::= Pr(p) | Perm(p, r, s).
  • Pr(p) means principal p has property pr. Perm(p,
    r, s) means p is permitted to exercise right r
    over resource s.
  • cond ::= true | conc | cond ∧ cond.

26
Examples
  • Can write
  • 'Alice is nice' as true → Nice(Alice).
  • 'Anyone who pays $2 may play Big Hit' as
    Pay$2(x) → Perm(x, play, Big Hit).
  • 'Anyone who is nice and pays $1 may play Big
    Hit' as Nice(x) ∧ Pay$1(x) → Perm(x, play,
    Big Hit).

30
The syntax given here is a fragment of XrML.

31
XrML Algorithm
  • Let G be a set of grants.
  • Auth algorithm
  • Input: G and e, where e is a var-free conc.
  • Output: true iff e follows from G.
  • Auth calls the CondMet algorithm
  • CondMet input: d, which is a var-free cond.
  • Output: true iff d holds.

32
Auth algorithm
  • Auth(G, e)
  • Find the set D of var-free conds s.t.
  • ∀ d ∈ D ∃ g ∈ G, σ. gσ = d → e.
  • (In other words, find D s.t. if any d ∈ D holds,
    then a grant in G implies e.)
  • Return ∨_{d ∈ D} CondMet(d).

33
CondMet algorithm
  • CondMet(d)
  • If d is true, return true.
  • If d is a conc, return Auth(∅, d).
  • If d is e1 ∧ ... ∧ en, where E is the set of concs
    in d, return ∧_{e ∈ E} Auth(∅, e).

34
Example
  • Let g1 = true → Student(Alice), g2 =
    Student(x) → Perm(x, eat, lunch).
  • May Alice eat lunch?
  • Auth({g1, g2}, Perm(Alice, eat, lunch))
  • Finds D = {Student(Alice)}
  • Calls CondMet(Student(Alice))   (g1 is lost!)
  • Calls Auth(∅, Student(Alice))
  • Finds D = ∅
  • Returns false

42
Algorithm Fix
  • Let G be a set of grants.
  • Auth algorithm
  • Input: G and e, where e is a var-free conc.
  • Output: true iff e follows from G.
  • Auth calls the CondMet algorithm
  • CondMet input: G and d, where d is a var-free
    cond.
  • Output: true iff d holds.

43
Auth algorithm
  • Auth(G, e)
  • Find the set D of var-free conds s.t.
  • ∀ d ∈ D ∃ g ∈ G, σ. gσ = d → e.
  • (In other words, find D s.t. if any d ∈ D holds,
    then a grant in G implies e.)
  • Return ∨_{d ∈ D} CondMet(G, d).

44
CondMet algorithm
  • CondMet(G, d)
  • If d is true, return true.
  • If d is a conc, return Auth(G, d).
  • If d is e1 ∧ ... ∧ en, where each ei is a conc,
    return ∧_{i ≤ n} Auth(G, ei).

45
Problem: termination
  • Auth does not terminate on all inputs.
  • E.g., g = e → e, where e is var-free.
  • Auth({g}, e)
  • Finds D = {e}
  • Calls CondMet({g}, e)
  • CondMet calls Auth({g}, e), and so on forever.

46
Termination Fix
Keep track of the concs given as input to Auth.
  • Auth({g}, e, ∅)
  • Finds D = {e}
  • Calls CondMet({g}, e, {e})
  • CondMet calls Auth({g}, e, {e})
  • Auth({g}, e, {e}) detects the loop
  • Returns false

47
The fixed algorithm is correct.
  • Auth(G, e) should return true only if there is a
    sequence S of grants
  • d1 → e1, …, dn → en,
  • where
  • each grant is a grant in G under some
    substitution,
  • di follows from e1, …, ei-1, and
  • en = e.
  • The corrected algorithm finds S, if it exists.

48
Translation
  • Let sT be the translation of any string s.
  • Grants are a bit tricky.
  • (d → e)T = ∀x1, …, ∀xn (dT → eT),
  • where x1, …, xn are the vars in d and e.
  • If a grant g is a resource (like a certificate),
    gT is a constant.
  • Everything else translates to itself.
  • E.g., R(Bob)T = R(Bob), (p1 ∪ p2)T = p1 ∪ p2.

49
Translation is correct.
  • Definition: A good model satisfies the union
    properties (p1 ∪ p2 = p2 ∪ p1, …).
  • Theorem: For every set G of grants and every
    var-free conc e in XrML, (fixed) Auth(G, e)
    returns true iff ∧_{g ∈ G} gT → eT is true in
    every good model.

50
Complexity
  • Determining if a set of XrML grants implies a conc
    is NP-hard.
  • Given the translation, this is easy to prove.
  • Given the proof, it's easy to see that the result
    depends on the ∪ operator.
  • Suppose we remove ∪ from the grammar.
  • XrML then translates to Datalog, which is a
    well-known tractable fragment of first-order
    logic.
  • Given the translation, finding a tractable,
    fairly expressive fragment is easy.
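
The Auth/CondMet algorithm of slides 31 to 47 (the original behaviour that drops the grant set, the context fix, and the termination fix) and the Datalog reading of the ∪-free fragment from slide 50, worked as an added Python example. This is not code from the presentation or from any XrML implementation. The tuple encoding of atoms and grants, the `drop_context` flag that reproduces the original behaviour, the `seen` set used for loop detection, and the sample grant sets are assumptions of this example; the predicate names and the grants themselves follow the slides.

```python
# Encoding assumed by this example (not XrML's XML syntax):
#   atom  = ("Pred", arg, ...)   e.g. ("Student", "Alice"), ("Perm", "x", "eat", "lunch")
#   grant = (cond, conc)         cond is a tuple of atoms; the empty tuple is 'true'
#   a single lower-case letter is a variable; any other argument is a constant

def is_var(t):
    return len(t) == 1 and t.islower()

def match(pattern, ground, subst):
    """Extend subst so that pattern (may hold variables) equals the var-free atom ground."""
    if pattern[0] != ground[0] or len(pattern) != len(ground):
        return None
    s = dict(subst)
    for p, g in zip(pattern[1:], ground[1:]):
        if is_var(p):
            if s.setdefault(p, g) != g:      # variable already bound to something else
                return None
        elif p != g:
            return None
    return s

def apply(atom, s):
    return (atom[0],) + tuple(s.get(a, a) for a in atom[1:])

def var_free(atom):
    return not any(is_var(a) for a in atom[1:])

def auth(G, e, drop_context=False, seen=frozenset()):
    """Auth(G, e): does the var-free conc e follow from the grants G?
    drop_context=True reproduces the original XrML behaviour, where CondMet re-enters
    Auth with the empty grant set. seen holds the concs already on the current call
    path (the termination fix); a conc met again on the same path is unprovable."""
    if e in seen:
        return False
    seen = seen | {e}
    # D: the instantiated conditions of every grant whose conclusion matches e.
    D = []
    for cond, conc in G:
        s = match(conc, e, {})
        if s is not None:
            d = tuple(apply(a, s) for a in cond)
            if all(var_free(a) for a in d):
                D.append(d)
    return any(cond_met(G, d, drop_context, seen) for d in D)

def cond_met(G, d, drop_context, seen):
    """CondMet: 'true' (empty d) holds; a conjunction holds iff every conc in it does."""
    context = () if drop_context else G
    return all(auth(context, atom, drop_context, seen) for atom in d)

def all_matches(body, facts, s):
    """Every substitution under which each atom of body is among facts."""
    if not body:
        yield s
        return
    for f in facts:
        s2 = match(body[0], f, s)
        if s2 is not None:
            yield from all_matches(body[1:], facts, s2)

def datalog_fixpoint(G):
    """Bottom-up (least fixpoint) evaluation of the grants read as Datalog rules
    cond -> conc, the reading slide 50 gives the union-free fragment."""
    facts = set()
    while True:
        new = {apply(conc, s) for cond, conc in G for s in all_matches(cond, facts, {})}
        new = {f for f in new if var_free(f)}
        if new <= facts:
            return facts
        facts |= new

# Constructed sample grant sets, following the slides' examples.
STUDENT = (
    ((), ("Student", "Alice")),                               # g1: true -> Student(Alice)
    ((("Student", "x"),), ("Perm", "x", "eat", "lunch")),     # g2: Student(x) -> Perm(x, eat, lunch)
)
LOOP = (((("Nice", "Bob"),), ("Nice", "Bob")),)               # g: e -> e (non-terminating input)
MOVIE = (
    ((), ("Nice", "Alice")),
    ((), ("Pay$1", "Alice")),
    ((("Pay$2", "x"),), ("Perm", "x", "play", "Big Hit")),
    ((("Nice", "x"), ("Pay$1", "x")), ("Perm", "x", "play", "Big Hit")),
)

def demo():
    lunch = ("Perm", "Alice", "eat", "lunch")
    return {
        "original_xrml": auth(STUDENT, lunch, drop_context=True),   # False: g1 is lost
        "fixed": auth(STUDENT, lunch),                               # True
        "loop_terminates": auth(LOOP, ("Nice", "Bob")),              # False, no infinite recursion
        "datalog_agrees": datalog_fixpoint(STUDENT) == {("Student", "Alice"), lunch},
    }

if __name__ == "__main__":
    print(demo())
```

The top-down `auth` and the bottom-up `datalog_fixpoint` give the same answers on these grant sets, which is what the theorem on slide 49 says for the fixed algorithm; on the looping grant `e → e` the fixpoint simply derives nothing, while the original recursion would never return without the `seen` check.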

51
But that's not all
  • We can extend Datalog by adding some negation
    without becoming intractable.
  • We can extend XrML in the same way.
  • Also, adding functions to Datalog makes the
    language intractable.
  • It is easy to show the same result holds for XrML.

52
Other options
  • If applications need functions and/or another
    type of negation, try another first-order
    language.
  • Lithium [HW, CSFW 2003] is a fragment of
    first-order logic that supports functions and
    some negation (different restrictions than
    Datalog).
  • We can restrict XrML to be a fragment of Lithium
    and then extend the XrML fragment to include
    functions/some negation.

53
Key Points
  • Digital content providers need to be able to
    write their policies, and these policies need to
    be correctly enforced.
  • No matter how carefully you do it, writing a
    policy language and/or an enforcement algorithm
    without formal semantics WILL BE BUGGY.

54
The End
55
Extensibility
  • Not hard to add some conclusions.
  • E.g., Pr(s): resource s has property Pr.
  • Not hard to add some conditions, by extending the
    CondMet case statement.
  • But what if we want to add negation?

56
Negation
  • Suppose that a concl can be ¬Pr(p), meaning p
    does not have pr.
  • Shouldn't be a problem, since Auth just does
    symbol matching (except on terms) and CondMet
    relies on Auth when called with a concl.

57
Example
  • Consider the grants
  • true → Nice(Alice)
  • Nice(x) → Attractive(x)
  • Grumpy(x) → ¬Attractive(x)
  • ¬Grumpy(x) → Perm(x, eat, cookie)
  • May Alice eat a cookie?
  • According to Auth, no.
  • But Grumpy(x) → ¬Attractive(x) is equivalent to
    Attractive(x) → ¬Grumpy(x).

59
Intentionally left blank
60
Example
  • Let G = {g1, g2}, where
  • g1 = Nice(x) → Perm(x, play, Big Hit)
  • g2 = true → Nice(Alice).
  • May Alice play Big Hit?
  • Auth(G, Perm(Alice, play, Big Hit))
  • Finds D = {Nice(Alice)}
  • Calls CondMet(G, Nice(Alice))
  • Calls Auth(G, Nice(Alice))
  • Finds D = {true}
  • Calls CondMet(G, true) ⇒ Returns true
  • Auth(G, Nice(Alice)) ⇒ Returns true
  • CondMet(G, Nice(Alice)) ⇒ Returns true
  • Auth(G, Perm(Alice, play, Big Hit)) ⇒ Returns true

67
Sample XrML policy
  • Consider the policy: anyone may play the movie
    Big Hit for $2 (per use).
  • We could write this policy in XrML as:

68
  (The XrML markup on this slide did not survive the
  transcript; only the resource name "Big Hit" and
  the rate 2.00 are legible.)
