
Formal methods for rights management

Formal methods for rights management. Vicky Weissman. The big picture. Digital content providers want to write policies about their works. A policy says that under certain conditions an action is permitted or forbidden.


Presentation Transcript


  1. Formal methods for rights management Vicky Weissman

  2. The big picture • Digital content providers want to write policies about their works. • A policy says that under certain conditions an action is permitted or forbidden. • The ACM has a digital library and policies `members may download articles’ `members may not republish articles without explicit consent’. • They want their policies enforced.

  5. Example • Miramax spends $100 million to make the movie `Big Hit’. • A warehouse employee `borrows’ a DVD and puts the movie on the web. • Without appropriate policy writing and enforcement, people can download the movie for free, instead of buying it. • If enough people do this, then Miramax is in trouble.

  6. It’s not just movies • Music industry voices same concern. (Our IP is being stolen!) • Digital libraries can’t put certain resources online, because of IP laws. • The Greek Orthodox Archdiocese of America wants to put resources online, but is wary of defamation.

  7. XrML to the rescue • XrML is an XML-based language for writing policies. • Semantics is given in 2 ways. • An English interpretation of the syntax. • An English description of an algorithm that says if a set of XrML policies imply a permission. • Bottom line: write policies in XrML, enforce using the algorithm.

  8. Industry likes XrML • XrML endorsed by Adobe, Hewlett-Packard, Microsoft, Xerox, Barnesandnoble.com, MPEG International Standards Committee… • Microsoft and others plan to make XrML compliant products. • Will tomorrow’s DVD player enforce XrML policies?

  9. XrML Shortcomings • No formal semantics. • Policies can be ambiguous. • The interpretation of the syntax doesn’t quite match the algorithm. • The algorithm’s behavior on some (realistic) input is unintuitive and unintended by language designers. • E.g. If Alice is a student and any student may eat lunch, may Alice? Alg. says no.

  10. Joint Work with Joe Halpern CSFW ‘04 Improving XrML • Fix the algorithm to match developers’ intent. • Translate XrML policies to formulas in first-order logic. • Prove our translation matches the algorithm. • Algorithm says policies imply permission iff translated policies imply translated permission. • Why translate? • Lets us compare XrML with languages in CS literature, borrow complexity results, extensions,… • Gives XrML formal semantics (no ambiguity).

  11. Consider complexity • Show that determining if a permission follows from a set of XrML policies is NP-hard. • Find tractable fragments that are almost as expressive.

  12. First step: Present XrML syntax • XrML is an XML-based language. • XrML policies are verbose. • So, we present a syntax that is • more concise and • easy to map to XrML syntax.

  13. Basic components • Principals • Agents (e.g., Alice, the University). • Resources • Digital content (e.g., CS431 Syllabus) • Rights • Actions (e.g., download, play, edit) • Properties • Describe a principal (e.g., student, smart).

  14. Syntax Princ ::= p | vp | Princ ∪ Princ. Rsrc ::= s | vs Right ::= r | vr Prop ::= pr • p, s, r, and pr are application-defined, vp, vs, and vr are variables, ∪ is the union operator.

  15. Principals revisited • Set of principals is closed under union. • E.g. Principals include Alice, Bob, and {Alice, Bob} • Who is {Alice, Bob}? • {Alice, Bob} is Alice and Bob in cahoots. • Suppose Alice has a key, does {Alice, Bob} have it? Yes. • Suppose that Alice is quiet, is {Alice, Bob} quiet? Not necessarily.

  20. Question • Does a set of principals have the properties of its members? • XrML interpretation of ∪ doesn’t say. • XrML algorithm makes the assumption in one routine, but not in another. • Since XrML doesn’t answer question… • We don’t make assumption. • But, can easily write policies to force it.

  21. Syntax (cont.) • grant ::= cond → conc. • If cond holds, then conc holds. • conc ::= Pr(p) | Perm(p, r, s). • Pr(p) means principal p has property pr. Perm(p, r, s) means p is permitted to exercise right r over resource s. • cond ::= true | conc | cond ∧ cond.

  26. Examples • Can write: • `Alice is nice’ as true → Nice(Alice). • `Anyone who pays $2 may play `Big Hit’’ as Pay$2(x) → Perm(x, play, `Big Hit’). • `Anyone who is nice and pays $1 may play `Big Hit’’ as Nice(x) ∧ Pay$1(x) → Perm(x, play, `Big Hit’).

  30. The syntax given here is a fragment of XrML.

  31. XrML Algorithm • Let G be a set of grants. • Auth algorithm • Input: G and e, where e is var-free conc. • Output: true iff e follows from G. • Auth calls CondMet algorithm • CondMet input: d, which is a var-free cond. • Output: true iff d holds.

  32. Auth algorithm Auth(G, e) • Find the set D of var-free conds s.t. for every d ∈ D there is some g ∈ G that, under some substitution, equals d → e. (In other words, find D s.t. if any d ∈ D holds, then a grant in G implies e.) • Return ⋁_{d ∈ D} CondMet(d).

  33. CondMet algorithm CondMet(d) • If d is true, Return true. • If d is a conc, Return Auth(∅, d). • If d is e1 ∧ ... ∧ en, where E is the set of conc in d, Return ⋀_{e ∈ E} Auth(∅, e).

  34. Example • Let g = true → Student(Alice), g’ = Student(x) → Perm(x, eat, lunch) • May Alice eat lunch? • Auth({g, g’}, Perm(Alice, eat, lunch)) Finds D = {Student(Alice)} Calls CondMet(Student(Alice)) (g is lost!) Calls Auth(∅, Student(Alice)) Finds D = ∅ Returns false

  42. Algorithm Fix • Let G be a set of grants. • Auth algorithm • Input: G and e, where e is var-free conc. • Output: true iff e follows from G. • Auth calls CondMet algorithm • CondMet input: G and d, where d is a var-free cond. • Output: true iff d holds.

  43. Auth algorithm Auth(G, e) • Find the set D of var-free conds s.t. for every d ∈ D there is some g ∈ G that, under some substitution, equals d → e. (In other words, find D s.t. if any d ∈ D holds, then a grant in G implies e.) • Return ⋁_{d ∈ D} CondMet(G, d).

  44. CondMet algorithm CondMet(G, d) • If d is true, Return true. • If d is a conc, Return Auth(G, d). • If d is e1 ∧ ... ∧ en, where each ei is a conc, Return ⋀_{i ≤ n} Auth(G, ei).

  45. Problem: Termination • Auth does not terminate on all inputs. • E.g., g = e → e, where e is var-free. Auth({g}, e) Finds D = {e} Calls CondMet({g}, e) CondMet calls Auth({g}, e)

  46. Termination Fix Keep track of the concs given as input to Auth. Auth({g}, e, ∅) Finds D = {e} Calls CondMet({g}, e, {e}) CondMet calls Auth({g}, e, {e}) Auth({g}, e, {e}) detects loop Returns false

  47. The fixed algorithm is correct. • Auth(G, e) should return true only if there is a sequence S of grants d1 → e1, …, dn → en, where • each grant is a grant in G under some substitution; • di follows from e1, …, ei-1; and • en is e. • Corrected alg finds S, if it exists.

  48. Translation Let sT be the translation of any string s. • Grants are a bit tricky. • (d → e)T = ∀x1, …, xn (dT → eT), where x1, …, xn are the vars in d and e. • If a grant g is a resource (like a certificate): gT is a constant. • Everything else translates to itself. • E.g., R(Bob)T = R(Bob); (p1 ∪ p2)T = p1 ∪ p2

  49. Translation is correct. • Definition: A good model satisfies the union properties (p1 ∪ p2 = p2 ∪ p1, …). • Theorem: For every set G of grants and every var-free conc e in XrML, (fixed) Auth(G, e) returns true iff ⋀_{g ∈ G} gT → eT is true in every good model.

  50. Complexity • Determining if a set of XrML grants implies a conc is NP-hard. • Given the translation, this is easy to prove. • Given the proof, it’s easy to see that the result depends on the ∪ operator. • Suppose we remove ∪ from the grammar. • XrML translates to Datalog, which is a well-known tractable fragment of first-order logic. • Given the translation, finding a tractable, fairly expressive fragment is easy.
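The following is an added example, not code from the talk or from the XrML specification. It implements the grant fragment of slides 21–25 as a small evaluator and runs three things over it: the Auth/CondMet algorithm as slides 32–33 describe it (CondMet re-checks conditions against the empty grant set, so `true → Student(Alice)` is lost and Alice is denied lunch), the corrected version of slides 42–46 (CondMet keeps G, and the set of concs already under evaluation stops the `e → e` loop of slide 45), and a bottom-up Datalog-style fixpoint for the ∪-free fragment of slide 50. The representation and the assumptions are mine: principals are atomic (no ∪), variables are strings starting with `?`, and every variable of a grant occurs in both its cond and its conc, so matching the conclusion fixes all variables.

```python
"""Added example (not from the slides): a tiny evaluator for XrML-style grants.
Assumptions (mine, not the slides'): no ∪ on principals, variables start with
'?', and each variable of a grant occurs in both its cond and its conc."""
from typing import Dict, FrozenSet, Iterator, List, Optional, Tuple

Term = str
Conc = Tuple[Term, ...]        # ("Student", "Alice") or ("Perm", "Alice", "eat", "lunch")
Cond = Tuple[Conc, ...]        # conjunction of concs; the empty tuple is `true`
Grant = Tuple[Cond, Conc]      # cond → conc


def is_var(t: Term) -> bool:
    return t.startswith("?")


def match(pattern: Conc, ground: Conc, subst: Dict[str, str]) -> Optional[Dict[str, str]]:
    """One-way match of a conc with variables against a var-free conc, extending subst."""
    if len(pattern) != len(ground):
        return None
    s = dict(subst)
    for p, g in zip(pattern, ground):
        if is_var(p):
            if s.setdefault(p, g) != g:
                return None
        elif p != g:
            return None
    return s


def substitute(conc: Conc, s: Dict[str, str]) -> Conc:
    return tuple(s.get(t, t) for t in conc)


def candidate_conds(G: FrozenSet[Grant], e: Conc) -> List[Cond]:
    """Slides 32/43: the set D of var-free conds d such that some grant in G,
    under a substitution, equals d → e."""
    D: List[Cond] = []
    for cond, conc in G:
        s = match(conc, e, {})
        if s is not None:
            D.append(tuple(substitute(c, s) for c in cond))
    return D


# (a) The algorithm as slides 32-33 state it: CondMet calls Auth with the EMPTY grant set.
def auth_original(G: FrozenSet[Grant], e: Conc) -> bool:
    return any(condmet_original(d) for d in candidate_conds(G, e))


def condmet_original(d: Cond) -> bool:
    # `true` (empty conjunction) holds; every real conc is re-derived from ∅, so G is lost.
    return all(auth_original(frozenset(), c) for c in d)


# (b) The fix of slides 42-46: CondMet keeps G, and the concs already on the
# call stack are tracked so that e → e cannot recurse forever.
def auth_fixed(G: FrozenSet[Grant], e: Conc, seen: FrozenSet[Conc] = frozenset()) -> bool:
    if e in seen:                      # slide 46: meeting e again while proving e is a loop
        return False
    seen = seen | {e}
    return any(all(auth_fixed(G, c, seen) for c in d) for d in candidate_conds(G, e))


# (c) Slide 50: without ∪, grants are Datalog rules; derive all concs bottom-up.
def matches(cond: Cond, facts: FrozenSet[Conc], s: Dict[str, str]) -> Iterator[Dict[str, str]]:
    if not cond:
        yield s
        return
    for f in facts:
        s2 = match(cond[0], f, s)
        if s2 is not None:
            yield from matches(cond[1:], facts, s2)


def datalog_closure(G: FrozenSet[Grant]) -> FrozenSet[Conc]:
    derived: set = set()
    changed = True
    while changed:                     # terminates: only finitely many var-free concs exist
        changed = False
        for cond, conc in G:
            for s in list(matches(cond, frozenset(derived), {})):
                new = substitute(conc, s)
                if new not in derived:
                    derived.add(new)
                    changed = True
    return frozenset(derived)


# Constructed sample policies: the lunch example of slides 34-41 and the loop of slide 45.
STUDENT_ALICE: Conc = ("Student", "Alice")
ALICE_LUNCH: Conc = ("Perm", "Alice", "eat", "lunch")
LUNCH_POLICY: FrozenSet[Grant] = frozenset({
    ((), STUDENT_ALICE),                                      # true → Student(Alice)
    ((("Student", "?x"),), ("Perm", "?x", "eat", "lunch")),   # Student(x) → Perm(x, eat, lunch)
})
LOOP_POLICY: FrozenSet[Grant] = frozenset({((ALICE_LUNCH,), ALICE_LUNCH)})  # e → e

if __name__ == "__main__":
    print("original algorithm, may Alice eat lunch?", auth_original(LUNCH_POLICY, ALICE_LUNCH))
    print("fixed algorithm, may Alice eat lunch?", auth_fixed(LUNCH_POLICY, ALICE_LUNCH))
    print("fixed algorithm on e → e terminates with:", auth_fixed(LOOP_POLICY, ALICE_LUNCH))
    print("Datalog closure:", sorted(datalog_closure(LUNCH_POLICY)))
```

The bottom-up closure needs no loop detection at all, which is the practical face of the tractability claim on slide 50: once ∪ is gone, the set of derivable concs is just the least fixpoint of the rules. Union principals are deliberately left out here; supporting them would require matching modulo the union properties of slide 49, which is exactly the part the talk identifies as the source of NP-hardness.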
