Using First-order Logic to Reason about Policies - PowerPoint PPT Presentation

Description: A policy says that an individual may (or may not) do an action if certain ... 'The tickets may not be refunded' is a policy of many airline fares, theaters, ...

Slides: 44
Provided by: vic54


1
Using First-order Logic to Reason about Policies
  • Vicky Weissman
  • Joint work with
  • Joseph Halpern and Carl Lagoze

2
What is a policy?
  • A policy says that an individual may (or may not)
    do an action if certain conditions hold.
  • Examples include
  • All information on this site may be copied. [1]
  • A student shall in no way misrepresent his or
    her work. [2]

[1] http://www.afrl.af.mil/secdis.htm
[2] http://cuinfo.cornell.edu/Academic/AIC.html
3
Questions about policies
  • Users want to know what's allowed and what's not.
  • Policy makers want to know if their policies are
    consistent with those already made.
  • E.g. Alice writes a set of policies for her
    university's new outreach program. Do her
    policies contradict those of the university?

4
Problem Ambiguity
  • Consider the policy
  • "All information on this site may be copied."
  • Interpretation 1: The policy allows any part of
    the site to be copied. ("All information"
    stresses that there are no restrictions on what
    may be copied.)
  • Interpretation 2: The policy allows the entire
    site to be copied (i.e. all of the information).
  • May Alice copy a paragraph that is on the site?
  • We don't know.

5
Solution: Write policies in first-order logic
  • Good News
  • Formal semantics ⇒ no ambiguity.
  • FOL seems to be sufficiently expressive.
  • Bad News
  • Many problems for FOL are undecidable.
  • Many policy writers are not well-versed in logic.
  • We'll discuss these issues later in the talk.

6
Encoding policies
  • A policy says that an individual may (or may not)
    do an action if certain conditions hold.
  • A policy has the form
  • $\forall x_1, \ldots, x_m\,(f \to (\neg)Permitted(t_{ag}, t_{ac}))$

7
Encoding policies
  • A policy says that an individual may (or may not)
    do an action if certain conditions hold.
  • A policy has the form
  • $\forall x_1, \ldots, x_m\,(f \to (\neg)Permitted(t_{ag}, t_{ac}))$

$Permitted(t_{ag}, t_{ac})$ means that agent $t_{ag}$ may do
action $t_{ac}$, where $t_{ag}$ and $t_{ac}$ are terms. E.g.
$Permitted(Alice, play)$ means Alice may play.
8
Encoding policies
  • A policy says that an individual may (or may not)
    do an action if certain conditions hold.
  • A policy has the form
  • $\forall x_1, \ldots, x_m\,(f \to (\neg)Permitted(t_{ag}, t_{ac}))$

$f$ is a conjunction of literals where each literal
encodes a condition. E.g.
$f = Vegetable(x_1) \wedge Ate(Alice, x_1) \wedge \neg Scowl(Alice)$
9
Encoding policies
  • A policy says that an individual may (or may not)
    do an action if certain conditions hold.
  • A policy has the form
  • $\forall x_1, \ldots, x_m\,(f \to (\neg)Permitted(t_{ag}, t_{ac}))$
  • A permitting policy has a positive conclusion, a
    denying policy has a negative conclusion.

10
Encoding policies
  • A policy says that an individual may (or may not)
    do an action if certain conditions hold.
  • A policy has the form
  • $\forall x_1, \ldots, x_m\,(f \to (\neg)Permitted(t_{ag}, t_{ac}))$
  • A permitting policy has a positive conclusion, a
    denying policy has a negative conclusion.
  • E.g.
  • $\forall x_1\,(Vegetable(x_1) \wedge Ate(Alice, x_1) \wedge \neg Scowl(Alice) \to Permitted(Alice, play))$

11
Environments
  • Does the policy
  • $\forall x_1\,(Vegetable(x_1) \wedge Ate(Alice, x_1) \wedge \neg Scowl(Alice) \to Permitted(Alice, play))$
  • allow Alice to play?
  • To answer the question we need to know if she ate
    a vegetable and if she's scowling.
  • This information, along with other facts about
    the world, is stored in the environment.

12
Environments for policies
Policies seem to refer to 2 types of facts:
  • Basic facts (ground literals)
  • Capture attributes of individuals.
  • E.g. $Vegetable(carrot)$, $\neg Vegetable(carrot\ cake)$
  • Constraints (universal formulas)
  • Capture relationships between attributes.
  • E.g. $\forall x\,(Private(x) \to \neg Public(x))$,
  • $\forall x\,(Freshmen(x) \to Student(x))$

Assumption: The environment doesn't talk about what's
permitted; policies do that.
13
Encoding the questions in first-order logic
  • Assume an environment $E$ and a policy set
  • $p_1, \ldots, p_n$.
  • Is $c_1$ allowed to do $c_2$?
    Is $E \wedge p_1 \wedge \cdots \wedge p_n \to Permitted(c_1, c_2)$
    valid?
  • Are the policies consistent in $E$?
  • Is $E \wedge p_1 \wedge \cdots \wedge p_n$ satisfiable?

14
Encoding the questions in first-order logic
  • Assume an environment $E$ and a policy set
  • $p_1, \ldots, p_n$.
  • Is $c_1$ forbidden to do $c_2$?
    Is $E \wedge p_1 \wedge \cdots \wedge p_n \to \neg Permitted(c_1, c_2)$
    valid?
  • Are the policies consistent in $E$?
  • Is $E \wedge p_1 \wedge \cdots \wedge p_n$ satisfiable?

15
Can we answer the questions?
  • No. These questions are undecidable.
  • But the game's not over yet!
  • We can restrict the language so that the
    questions are tractable AND interesting
    policies are still expressible.

16
One solution: Datalog
  • Datalog is negation-free, function-free Horn
    clauses; queries can be answered in PTime.
  • Some extensions have been considered.
  • Safe, stratified Datalog: Binder [DeTreville 02],
    RT [Li, Mitchell, Winsborough 02] and SD3
    [Trevor 01].
  • Datalog with constraints: RTc [Li and Mitchell 03].
  • With these extensions, Datalog is still PTime.
  • But
  • A policy's conclusion must be a positive literal
    (no denying policies).
  • Support for functions is limited.

17
Denying policies are common.
  • Many applications explicitly forbid actions.
  • "Smoking is prohibited in the dining areas of all
    restaurants seating more than 35 people" is part
    of the NYC Smoke-Free Air Act.
  • "The tickets may not be refunded" is a policy of
    many airline fares, theaters, ...
  • These policies cannot be captured explicitly in
    (the extended versions of) Datalog.

18
Datalog solution
  • What isn't explicitly permitted is forbidden.
  • Problem: Can't distinguish forbidden actions from
    unregulated ones.
  • E.g. A university's policies talk about who's
    permitted to get tenure. The policies for
    Alice's new outreach program don't. ⇒ Alice's
    policies contradict the university's.

19
We may want functions too.
  • Functions often occur naturally when translating
    English policies to first-order logic.
  • E.g. "All information on the site may be copied"
  • translates to either
  • $\forall x_1, x_2\,(OnSite(x_1) \to Permitted(x_2, copy(x_1)))$
  • $\forall x_1, x_2\,(EntireSite(x_1) \to Permitted(x_2, copy(x_1)))$

20
Another solution
  • We want a language that
  • doesn't restrict functions and
  • allows us to capture denying policies.
  • To get this in a tractable language, some
    restrictions are necessary.
  • Key idea: Restrict bipolars.

21
What is a bipolar?
  • A literal $l$ is bipolar in a formula $f$ (in CNF) if
  • the literal $l$ is in $f$ and
  • there is another literal $l'$ in $f$ such that
    $l\theta = \neg l'\theta'$ for some variable
    substitutions $\theta$ and $\theta'$.
  • Consider
  • $f = \forall x, y\,(Can(Alice, x) \wedge \neg Can(y, sing))$
  • $Can(Alice, x)$ is bipolar in $f$, because
  • the literal $Can(Alice, x)$ is in $f$ and
  • $Can(Alice, x)\theta = \neg l'\theta'$ where
    $l' = \neg Can(y, sing)$, $\theta = \{x/sing\}$, and
    $\theta' = \{y/Alice\}$.

22
Why is bipolarity interesting?
  • If $E$ is an environment and $p_1, \ldots, p_n$ is a set
    of policies such that
  • every variable on the lhs of a policy also
    appears on the rhs,
  • $E$ is a conjunction of ground literals, and
  • there are no bipolar literals in $p_1 \wedge \cdots \wedge p_n$,
  • then our questions can be answered in time
    $(|E|\,|P|) \log |E|$ where $P = p_1 \wedge \cdots \wedge p_n$.
  • $|f|$ is the length of $f$ viewed as a string of
    symbols.

Language with functions and denying policies is
tractable!
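The two questions of slides 13 and 14 and the bipolarity test of slide 21, worked in Python as an added example (this is not code from the talk or its authors). It assumes the term/literal representation described in its header comment, takes the environment E as a set of ground literals (the slide 22 restriction; universal constraints as on slide 12 are not supported), binds variables that occur only on the lhs by searching E (the case slide 23 calls NP in those variables), and refuses any policy set that contains a bipolar literal, which the talk's later faculty/student policies illustrate. Predicate names follow the talk's examples; the facts in `ENV` and the names `paragraph7` and `Bob` are constructed sample data.

```python
# Added example, not the talk's own code.  Representation (an assumption of this example):
#   term    = '?x' (variable), 'Alice' (constant) or ('copy', '?x1') (function term)
#   atom    = predicate applied to terms, written like a term: ('Scowl', 'Alice')
#   literal = (positive, atom)      policy = (premises, conclusion) read as
#             forall vars (premises -> conclusion);  env = set of ground literals (E)

def is_var(t):
    return isinstance(t, str) and t.startswith('?')

def subst(t, theta):
    """Apply substitution theta to a term or atom."""
    if is_var(t):
        return subst(theta[t], theta) if t in theta else t
    return (t[0],) + tuple(subst(a, theta) for a in t[1:]) if isinstance(t, tuple) else t

def occurs(v, t):
    return t == v or (isinstance(t, tuple) and any(occurs(v, a) for a in t[1:]))

def unify(s, t, theta):
    """Most general unifier of s and t extending theta, or None if there is none."""
    s, t = subst(s, theta), subst(t, theta)
    if s == t:
        return theta
    if is_var(s) or is_var(t):
        v, w = (s, t) if is_var(s) else (t, s)
        return None if occurs(v, w) else {**theta, v: w}
    if isinstance(s, tuple) and isinstance(t, tuple) and s[0] == t[0] and len(s) == len(t):
        for a, b in zip(s[1:], t[1:]):
            theta = unify(a, b, theta)
            if theta is None:
                return None
        return theta
    return None

def rename_apart(t):
    """Suffix every variable so the second literal gets its own substitution theta'."""
    if is_var(t):
        return t + "'"
    return (t[0],) + tuple(rename_apart(a) for a in t[1:]) if isinstance(t, tuple) else t

def bipolar_literals(policies):
    """Slide 21: occurrences l in the CNF of p1 & ... & pn for which another occurrence l'
    has l.theta = ~l'.theta'.  Because theta and theta' are independent, this is the same
    as l unifying with the complement of l' after l' is renamed apart."""
    occurrences = [lit for prem, concl in policies
                   for lit in [(not p, a) for p, a in prem] + [concl]]
    found = []
    for i, (pos, atom) in enumerate(occurrences):
        for j, (opos, oatom) in enumerate(occurrences):
            if i != j and pos != opos and unify(atom, rename_apart(oatom), {}) is not None:
                found.append((pos, atom))
                break
    return found

def satisfy(premises, theta, env):
    """Yield extensions of theta under which every instantiated premise is a member of env.
    Variables that occur only on the lhs are bound by searching E (the slide 23 case)."""
    if not premises:
        yield theta
        return
    (pos, atom), rest = premises[0], premises[1:]
    for epos, eatom in env:
        if epos == pos:
            theta2 = unify(atom, eatom, theta)
            if theta2 is not None:
                yield from satisfy(rest, theta2, env)

def consistent(policies, env):
    """Slide 13: is E & p1 & ... & pn satisfiable?  Bipolar-free clauses cannot resolve
    with one another, so with E silent about Permitted this reduces to E itself having
    no complementary pair.  Policy sets with bipolars are outside the fragment: refuse."""
    if bipolar_literals(policies):
        raise ValueError("policies contain bipolar literals; outside the tractable fragment")
    return not any((not pos, atom) in env for pos, atom in env)

def holds(policies, env, goal):
    """Slides 13-14: is E & p1 & ... & pn -> goal valid?  goal is a ground literal,
    Permitted(c1, c2) for 'allowed' or ~Permitted(c1, c2) for 'forbidden'."""
    if not consistent(policies, env):
        return True                      # inconsistent premises entail anything
    gpos, gatom = goal
    for premises, (cpos, catom) in policies:
        if cpos == gpos:
            theta = unify(catom, gatom, {})   # bind the rhs against the query
            if theta is not None and next(satisfy(premises, theta, env), None) is not None:
                return True
    return False

# Constructed sample data built from the talk's example policies.
POLICIES = [
    # forall x1 (Vegetable(x1) & Ate(Alice, x1) & ~Scowl(Alice) -> Permitted(Alice, play))
    ([(True, ('Vegetable', '?x1')), (True, ('Ate', 'Alice', '?x1')), (False, ('Scowl', 'Alice'))],
     (True, ('Permitted', 'Alice', 'play'))),
    # forall x1, x2 (OnSite(x1) -> Permitted(x2, copy(x1)))
    ([(True, ('OnSite', '?x1'))], (True, ('Permitted', '?x2', ('copy', '?x1')))),
    # forall x (Student(x) -> ~Permitted(x, chair)), a denying policy
    ([(True, ('Student', '?x'))], (False, ('Permitted', '?x', 'chair'))),
]
ENV = {(True, ('Vegetable', 'carrot')), (False, ('Vegetable', 'carrot cake')),
       (True, ('Ate', 'Alice', 'carrot')), (False, ('Scowl', 'Alice')),
       (True, ('OnSite', 'paragraph7')), (True, ('Student', 'Alice'))}
# The faculty/student policies of the talk's later slides: Faculty(x) and
# Permitted(x, chair) each occur with both polarities, so the set is outside the fragment.
FACULTY_POLICIES = [
    ([(False, ('Faculty', '?x'))], (True, ('Permitted', '?x', 'nap'))),
    ([(True, ('Faculty', '?x'))], (True, ('Permitted', '?x', 'chair'))),
    ([(True, ('Student', '?x'))], (False, ('Permitted', '?x', 'chair'))),
]
```

`holds(POLICIES, ENV, (True, ('Permitted', 'Alice', 'play')))` and `holds(POLICIES, ENV, (False, ('Permitted', 'Alice', 'chair')))` both come back `True`, while `holds(POLICIES, ENV, (True, ('Permitted', 'Alice', 'chair')))` is `False`; `bipolar_literals(FACULTY_POLICIES)` lists the four offending occurrences, and `holds` on that set raises. The reason `holds` can get away with matching one conclusion against the goal and its premises against E is exactly the no-bipolar condition: no two policy clauses can resolve with each other, so a resolution refutation of the negated query touches a single policy plus ground facts, which is what makes the fragment tractable.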
23
When is every variable on the lhs also on the rhs?
  • Recall: A policy's lhs states the conditions
    under which the permission on the rhs is
    granted/denied.
  • Variable restriction is met if what you're
    allowed/forbidden to do is based solely on your
    attributes and the attributes of the regulated
    action.
  • Our problems are NP in the number of variables in
    a single policy that violate the restriction.

24
When is E a conjunction of ground literals?
  • This restriction is met if E is derived from
    databases and certificates.
  • If E has constraints (e.g. anything private
    is not public), then
  • our problems can be answered in quadratic time,
    if there is no more than 1 bipolar per clause.
  • More than one bipolar per clause is common if
    there are definitions (e.g. a senior citizen is
    someone over 65), but it's easy to deal with
    definitions: they're just macros.

25
When are there no bipolar literals in $p_1 \wedge \cdots \wedge p_n$?
  • Suppose
  • Permitted is not in any policy's premise and
  • all policies are permitting (or all denying).
  • Then
  • The restriction holds if meeting a condition can
    only add or remove privileges (but not both).
  • If each policy has at most 1 bipolar in
    $p_1 \wedge \cdots \wedge p_n$, then answering queries
    takes quadratic time.

But what if some policies are permitting and
others denying?
26
Big idea
  • We want permissions (prohibitions) to follow
    solely from the permitting (denying) policies.
  • If this were true, then we could answer a query
    by looking at the permitting and denying policies
    separately.
  • What we want doesn't come for free.

27
Denying policies can affect permissions
  • Consider 2 permitting policies
  • p1: anyone who is not faculty may nap.
  • p2: faculty may chair committees.
  • If Alice is a student, may she take a nap?

28
Denying policies can affect permissions
  • Consider 2 permitting policies
  • p1: anyone who is not faculty may nap.
  • p2: faculty may chair committees.
  • If Alice is a student, may she take a nap?
  • No, because Alice could be a student who is also
    a faculty member.

29
Denying policies can affect permissions
  • Consider 3 policies
  • p1: anyone who is not faculty may nap.
  • p2: faculty may chair committees.
  • p3: students may not chair committees.
  • If Alice is a student, may she take a nap?

30
Denying policies can affect permissions
  • Consider 3 policies
  • p1: anyone who is not faculty may nap.
  • p2: faculty may chair committees.
  • p3: students may not chair committees.
  • If Alice is a student, may she take a nap?
  • Yes, because p2 and p3 together imply that
    students aren't faculty.

Moral: Permitting and denying policies together
can imply environment facts, so we can't separate
the policies, unless...
31
Separating policies
  • Thm: If implied information is made explicit,
    then a positive conclusion follows from all the
    policies iff it follows from the permitting
    policies.
  • If there are $n$ policies and there is only one
    bipolar per policy that involves Permitted, then
    at most $n^2$ clauses are added and no added clause
    is more than twice the length of the longest
    original clause.
  • Bottom line: Under reasonable assumptions, we can
    answer our queries in quadratic time.

32
Expressive power
  • The fragment can capture a number of policy sets
    including
  • the ones we collected from libraries,
  • the ones we collected from government docs,
  • most of the licenses that can be written in XrML.

33
Why can't we handle all XrML licenses?
  • XrML allows Permitted in the antecedent of
    policies.
  • Permitted can be a bipolar ⇒
  • a clause can have multiple bipolars.
  • But XrML does not support negation.
  • Our fragment can express some policies that XrML
    can't and vice versa.

34
Are we done yet?
  • We have found a language that is expressive
    enough to capture many policies of practical
    interest AND for which we can answer questions
    efficiently.
  • But we haven't shown that it's accessible to the
    many policy makers and administrators who are not
    logicians.

35
The architecture
  • GUI: lets non-logicians enter policies and relevant
    facts and ask questions. Takes user input and
    returns answers in English.
  • Translator: translates between user input/English
    and first-order formulas in our restricted form;
    passes formulas and questions to the analyzer and
    its answers back to the GUI.
  • Analyzer (backed by a database of facts and
    policies): answers questions such as "Can Alice
    edit the website?" and "Are the policies
    consistent?".
36
Interface
  • User selects a task such as
  • Describe a person, item, or action.
  • State a policy.
  • Ask if an action is permitted/forbidden.
  • User completes the task by filling in a form.
  • E.g. To say Alice is an IEEE member from Jan. 1,
    2003 to Jan. 1, 2004

38
Form: Describe a person, item, or action
  Who or what is being described? ______
  What is the characteristic? ______
  Does the person, item, or action have the characteristic? [ ] Yes [ ] No
  When does this description apply? From ______ To ______
39
Form: Describe a person, item, or action (filled in)
  Who or what is being described? Alice
  What is the characteristic? IEEE Member
  Does the person, item, or action have the characteristic? [x] Yes [ ] No
  When does this description apply? From 1/1/03 To 1/1/04
40
Conclusion
  • Completed work
  • Found a tractable fragment of first-order logic
    that can express many (almost all?) policies of
    interest.
  • Work in progress
  • Investigating the extent to which we can capture
    the social security database.
  • Building a prototype to demonstrate the
    language's usability.
  • Applying the same techniques to formalizing XrML.

41
For more information
  • The paper "Using First-order Logic to Reason about
    Policies" is available
  • at http://www.cs.cornell.edu/People/vickyw.
  • in the proceedings of this year's Computer
    Security Foundations Workshop (CSFW).

42
Describe a person, item, or action (prototype screen)
We tell you what's allowed and what's not
sign in | help
  • Home
  • Facts
  • Describe a person, item, or action.
  • Relate one person, item, or action to another.
  • Record an event.
  • Modify the fact database.
  • Policies
  • Give permission.
  • Deny permission.
  • Modify the policy database.
  • Queries
  • Is an event allowed?
  • Is an event forbidden?
  • What are the known facts?
  • What are the known policies?

Form (sample entry):
  Who or what is being described? Riccardo Focardi (e.g. George Smith, Rhodes Hall)
  What is the characteristic? Program Chair (e.g. librarian, building)
  Does the person, item, or action have the characteristic? yes / no
  When does this description apply?
    From 26/06/02 (dd/mm/yy or now)
    To 26/06/04 (dd/mm/yy or unknown) or always
  [Done] [Abort]
43
Give Permission (prototype screen)
We tell you what's allowed and what's not
sign in | help
Right-click in scrollbars to add/remove requirements.

Form:
  Who is being given permission? Anyone who meets the following description:
    <policy applies to everyone>
  Which actions are being regulated? Any action that meets the following description:
    <policy applies to every action>
  Are there other conditions that must hold for the policy to apply?
    <no other conditions apply>
  [Done] [Abort]