Using First-order Logic to Reason about Policies Vicky Weissman Joint work with: Joseph Halpern and Carl Lagoze.

What is a policy? A policy says that an individual may (or may not) do an action if certain conditions hold. Examples include `All information on this site may be copied.’ and `A student shall in no way misrepresent his or her work.’

Questions about policies Users want to know what’s allowed and what’s not. Policy makers want to know if their policies are consistent with those already made. E.g. Alice writes a set of policies for her university’s new outreach program. Do her policies contradict those of the university?

Problem: Ambiguity Consider the policy `All information on this site may be copied’.
Interpretation 1: The policy allows any part of the site to be copied. (`All information’ stresses that there are no restrictions on what may be copied.)
Interpretation 2: The policy allows the entire site to be copied (i.e. all of the information).
May Alice copy a paragraph that is on the site? We don’t know.

Solution: Write policies in first-order logic Good News: Formal semantics ⇒ no ambiguity. First-order logic (FOL) seems to be sufficiently expressive. Bad News: Many problems for FOL are undecidable. Many policy writers are not well-versed in logic. We’ll discuss these issues later in the talk.

Encoding policies A policy says that an individual may (or may not) do an action if certain conditions hold. A policy has the form: ∀x1, …, xm (f ⇒ (¬) Permitted(t_ag, t_ac))

Encoding policies A policy says that an individual may (or may not) do an action if certain conditions hold. A policy has the form: ∀x1, …, xm (f ⇒ (¬) Permitted(t_ag, t_ac)) Permitted(t_ag, t_ac) means that agent t_ag may do action t_ac, where t_ag and t_ac are terms. E.g. Permitted(Alice, play) means Alice may play.

Encoding policies A policy says that an individual may (or may not) do an action if certain conditions hold. A policy has the form: ∀x1, …, xm (f ⇒ (¬) Permitted(t_ag, t_ac)) f is a conjunction of literals where each literal encodes a condition. E.g. f = Vegetable(x1) ∧ Ate(Alice, x1) ∧ ¬Scowl(Alice)

Encoding policies A policy says that an individual may (or may not) do an action if certain conditions hold. A policy has the form: ∀x1, …, xm (f ⇒ (¬) Permitted(t_ag, t_ac)) A permitting policy has a positive conclusion, a denying policy has a negative conclusion. E.g.: ∀x1 (Vegetable(x1) ∧ Ate(Alice, x1) ∧ ¬Scowl(Alice) ⇒ Permitted(Alice, play))

Environments Does the policy ∀x1 (Vegetable(x1) ∧ Ate(Alice, x1) ∧ ¬Scowl(Alice) ⇒ Permitted(Alice, play)) allow Alice to play? To answer the question we need to know if she ate a vegetable and if she’s scowling. This information, along with other facts about the world, is stored in the environment.

Environments for policies Policies seem to refer to 2 types of facts:
1. Basic facts (ground literals): capture attributes of individuals. E.g. Vegetable(carrot), ¬Vegetable(carrot cake)
2. Constraints (universal formulas): capture relationships between attributes. E.g. ∀x (Private(x) ⇒ ¬Public(x)), ∀x (Freshmen(x) ⇒ Student(x))
Assumption: The environment doesn’t talk about what’s permitted; policies do that.

Encoding the questions in first-order logic Assume an environment E and a policy set {p1, …, pn}. `Is c1 allowed to do c2?’ = `Is E ∧ p1 ∧ … ∧ pn ⇒ Permitted(c1, c2) valid?’ `Are the policies consistent in E?’ = `Is E ∧ p1 ∧ … ∧ pn satisfiable?’

Encoding the questions in first-order logic Assume an environment E and a policy set {p1, …, pn}. `Is c1 forbidden to do c2?’ = `Is E ∧ p1 ∧ … ∧ pn ⇒ ¬Permitted(c1, c2) valid?’ `Are the policies consistent in E?’ = `Is E ∧ p1 ∧ … ∧ pn satisfiable?’

Can we answer the questions? No. These questions are undecidable. But the game’s not over yet! We can restrict the language so that the questions are tractable AND interesting policies are still expressible.

One solution: Datalog Datalog is negation-free, function-free Horn clauses; queries can be answered in PTime. Some extensions have been considered: safe, stratified Datalog (Binder [DeTreville 02], RT [Li, Mitchell, Winsborough 02] and SD3 [Trevor 01]); Datalog with constraints (RT_c [Li and Mitchell 03]). With these extensions, Datalog is still PTime. But: a policy’s conclusion must be a positive literal (no denying policies), and support for functions is limited.

Denying policies are common. Many applications explicitly forbid actions. `Smoking is prohibited in the dining areas of all restaurants seating more than 35 people’ is part of the NYC Smoke-Free Air Act. `The tickets may not be refunded’ is a policy of many airline fares, theaters, … These policies cannot be captured explicitly in (the extended versions of) Datalog.

Datalog solution What isn’t explicitly permitted is forbidden. Problem: Can’t distinguish forbidden actions from unregulated ones. E.g. A university’s policies talk about who’s permitted to get tenure. The policies for Alice’s new outreach program don’t, so under this reading they forbid tenure. ⇒ Alice’s policies contradict the university’s.

We may want functions too. Functions often occur naturally when translating English policies to first-order logic. E.g. `All information on the site may be copied’ translates to either: ∀x1, x2 (OnSite(x1) ⇒ Permitted(x2, copy(x1))) or ∀x1, x2 (EntireSite(x1) ⇒ Permitted(x2, copy(x1)))

Another solution We want a language that doesn’t restrict functions and allows us to capture denying policies. To get this in a tractable language, some restrictions are necessary. Key idea: Restrict bipolars.

What is a bipolar? A literal l is bipolar in a formula f (in CNF) if 1. the literal l is in f and 2. there is another literal l’ in f such that lσ = ¬l’σ’ for some variable substitutions σ and σ’. Consider f = ∀x, y (Can(Alice, x) ∨ ¬Can(y, sing)). Can(Alice, x) is bipolar in f, because 1. the literal Can(Alice, x) is in f and 2. Can(Alice, x)σ = ¬l’σ’ where l’ = ¬Can(y, sing), σ = [x/sing], and σ’ = [y/Alice].

Why is bipolarity interesting? If E is an environment and {p1, …, pn} is a set of policies such that 1. every variable on the lhs of a policy also appears on the rhs, 2. E is a conjunction of ground literals, and 3. there are no bipolar literals in p1 ∧ … ∧ pn, then our questions can be answered in time (|E|+|P|) log|E| where P = p1 ∧ … ∧ pn and |f| is the length of f viewed as a string of symbols. A language with functions + denying policies is tractable!

When is every variable on the lhs also on the rhs? Recall: A policy’s lhs states the conditions under which the permission on the rhs is granted/denied. Variable restriction is met if what you’re allowed/forbidden to do is based solely on your attributes and the attributes of the regulated action. Our problems are NP in the number of variables in a single policy that violate the restriction.

When is E a conjunction of ground literals? This restriction is met if E is derived from databases and certificates. If E has constraints (e.g. anything private is not public), then our problems can still be answered in quadratic time, provided there is no more than 1 bipolar per clause. More than one bipolar per clause is common if there are definitions (e.g. a senior citizen is someone over 65), but it’s easy to deal with definitions; they’re just macros.

When are there no bipolar literals in p1 ∧ … ∧ pn? Suppose Permitted is not in any policy’s premise and all policies are permitting (or all denying). Then the restriction holds if meeting a condition can only add or remove privileges (but not both), and if each policy has at most 1 bipolar in p1 ∧ … ∧ pn, then answering queries takes quadratic time. But what if some policies are permitting and others denying?

Big idea We want permissions (prohibitions) to follow solely from the permitting (denying) policies. If this were true, then we could answer a query by looking at the permitting and denying policies separately. What we want doesn’t come for free.

Denying policies can affect permissions Consider 2 permitting policies: p 1 = `anyone who is not faculty may nap.’ p 2 = `faculty may chair committees.’ If Alice is a student, may she take a nap? No, because Alice could be a student who is also a faculty member.

Denying policies can affect permissions Consider 3 policies: p 1 = `anyone who is not faculty may nap.’ p 2 = `faculty may chair committees.’ p 3 = `students may not chair committees.’ If Alice is a student, may she take a nap? Yes, because p 2 and p 3 together imply that students aren’t faculty. Moral: Permitting and denying policies together can imply environment facts, so we can’t separate the policies, unless…
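
The following is an added example, not code from the paper or the talk: a small Python matcher for the fragment described above. It encodes the two questions (validity of E ∧ P ⇒ Permitted(c1, c2) and of E ∧ P ⇒ ¬Permitted(c1, c2)), implements the bipolar test by unification after renaming apart, and answers queries by matching a single policy instance against a ground environment, which is complete only when the no-bipolar restriction holds. The encoding of terms, literals and policies, and all sample facts and policies, are this example's own constructed assumptions; the nap/committee pair shows the matcher refusing a policy set whose Faculty literals are bipolar, which is exactly the case where the policies interact as the slides describe.

```python
# Added example, not code from the paper or talk: a matcher for the restricted
# policy fragment in the slides. Its encoding (an assumption of this example): a
# variable is a string starting with '?', other strings are constants, a function
# term is a tuple ('copy', '?x1'), a literal is (positive, predicate, args), a policy
# is (premise literals, conclusion literal) read as universally quantified, and the
# environment E is a set of ground literals.

def is_var(t):
    return isinstance(t, str) and t.startswith("?")

def walk(t, s):
    while is_var(t) and t in s:  # follow variable bindings in substitution s
        t = s[t]
    return t

def occurs(v, t, s):
    t = walk(t, s)
    return t == v or (isinstance(t, tuple) and any(occurs(v, a, s) for a in t[1:]))

def unify(a, b, s):
    """Extend substitution s so terms a and b become equal; None if impossible."""
    a, b = walk(a, s), walk(b, s)
    if a == b:
        return s
    if is_var(a) or is_var(b):
        v, t = (a, b) if is_var(a) else (b, a)
        return None if occurs(v, t, s) else {**s, v: t}
    if isinstance(a, tuple) and isinstance(b, tuple) and a[0] == b[0] and len(a) == len(b):
        for x, y in zip(a[1:], b[1:]):
            s = unify(x, y, s)
            if s is None:
                return None
        return s
    return None

def unify_atoms(l1, l2, s=None):  # unify predicate + arguments, ignoring the signs
    return unify((l1[1],) + l1[2], (l2[1],) + l2[2], {} if s is None else s)

def rename(t, suffix):
    if is_var(t):
        return t + suffix
    return (t[0],) + tuple(rename(a, suffix) for a in t[1:]) if isinstance(t, tuple) else t

def bipolars(policies):
    """Literals l in the CNF of p1 ∧ ... ∧ pn (clause per policy: negated premises ∨
    conclusion) with some l' of opposite sign where lσ = ¬l'σ' (unify after renaming apart)."""
    lits = [(not p, pr, a) for prem, _ in policies for p, pr, a in prem]
    lits += [c for _, c in policies]
    found = []
    for l in lits:
        la = (l[0], l[1], tuple(rename(a, "#1") for a in l[2]))
        for m in lits:
            ma = (m[0], m[1], tuple(rename(a, "#2") for a in m[2]))
            if m[0] != l[0] and unify_atoms(la, ma) is not None and l not in found:
                found.append(l)
    return found

def matches(premise, env, s):
    """Yield extensions of s under which every premise literal is a fact in env."""
    if not premise:
        yield s
        return
    for fact in env:
        s2 = unify_atoms(premise[0], fact, s) if fact[0] == premise[0][0] else None
        if s2 is not None:
            yield from matches(premise[1:], env, s2)

def fires(env, policies, goal):
    # Some instance of a policy concludes exactly goal and its premise holds in env.
    for premise, conc in policies:
        s = unify_atoms(conc, goal) if conc[0] == goal[0] else None
        if s is not None and next(matches(premise, env, s), None) is not None:
            return True
    return False

def decide(env, policies, agent, action):
    """'permitted' if E ∧ P ⇒ Permitted(agent, action) is valid, 'forbidden' if
    E ∧ P ⇒ ¬Permitted(agent, action) is valid, else 'unregulated'. Complete only without
    bipolars: then policies cannot resolve with one another, so a conclusion follows
    only from a single policy instance whose premise is in E."""
    if any((not p, pr, a) in env for p, pr, a in env):
        raise ValueError("environment is inconsistent")
    if bipolars(policies):
        raise ValueError(f"bipolar literals, matching is incomplete: {bipolars(policies)}")
    for sign, verdict in ((True, "permitted"), (False, "forbidden")):
        if fires(env, policies, (sign, "Permitted", (agent, action))):
            return verdict
    return "unregulated"

# Constructed sample data: the talk's vegetable, web-site and committee policies.
ENV = {(True, "Vegetable", ("carrot",)), (False, "Vegetable", ("carrot_cake",)), (True, "Ate", ("Alice", "carrot")),
       (False, "Scowl", ("Alice",)), (True, "Student", ("Alice",)), (True, "OnSite", ("page7",))}
POLICIES = [  # ∀x1 (Vegetable(x1) ∧ Ate(Alice, x1) ∧ ¬Scowl(Alice) ⇒ Permitted(Alice, play))
    ([(True, "Vegetable", ("?x1",)), (True, "Ate", ("Alice", "?x1")), (False, "Scowl", ("Alice",))],
     (True, "Permitted", ("Alice", "play"))),
    ([(True, "OnSite", ("?x1",))], (True, "Permitted", ("?x2", ("copy", "?x1")))),  # function term
    ([(True, "Student", ("?x",))], (False, "Permitted", ("?x", "chair"))),  # denying policy
]
NAP_POLICIES = [  # nap/committee pair from the talk: Faculty(x) and ¬Faculty(x) are bipolar
    ([(False, "Faculty", ("?x",))], (True, "Permitted", ("?x", "nap"))),
    ([(True, "Faculty", ("?x",))], (True, "Permitted", ("?x", "chair"))),
]
```

Calling decide(ENV, POLICIES, "Alice", "play") returns "permitted", decide(ENV, POLICIES, "Alice", "chair") returns "forbidden", and decide(ENV, POLICIES, "Bob", "play") returns "unregulated": the explicit denying policy is what lets the matcher keep "forbidden" apart from "unregulated", the distinction the Datalog reading loses. The matcher enumerates bindings for premise variables that do not occur in the conclusion (x1 in the vegetable policy), which is the source of the NP cost the slides mention for such variables.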

Separating policies Thm: If implied information is made explicit, then a positive conclusion follows from all the policies iff it follows from the permitting policies. If there are n policies and there is only one bipolar per policy that involves Permitted, then at most n² clauses are added and no added clause is more than twice the length of the longest original clause. Bottom line: Under reasonable assumptions, we can answer our queries in quadratic time.

Expressive power The fragment can capture a number of policy sets including the ones we collected from libraries, the ones we collected from government docs, most of the licenses that can be written in XrML.

Why can’t we handle all XrML licenses? XrML allows Permitted in the antecedent of policies. Permitted can be a bipolar ⇒ a clause can have multiple bipolars. But, XrML does not support negation. Our fragment can express some policies that XrML can’t and vice-versa.

Are we done yet? We have found a language that is expressive enough to capture many policies of practical interest AND for which we can answer questions efficiently. But we haven’t shown that it’s accessible to the many policy makers and administrators who are not logicians.

The architecture [Diagram: the GUI passes user input to the translator, which produces formulas for the database/analyzer; answers flow back through the translator as answers in English to the GUI.]
GUI: Lets non-logicians enter policies and relevant facts, and ask questions.
Translator: Translates between user input/English and first-order formulas in our restricted form.
Analyzer: Answers questions such as `Can Alice edit the website?’ and `Are the policies consistent?’.

Interface User selects a task such as: Describe a person, item, or action. State a policy. Ask if an action is permitted/forbidden. User completes the task by filling in a form. E.g. To say `Alice is an IEEE member from Jan. 1, 2003 to Jan. 1, 2004’…

Form: Describe a person, item, or action Who or what is being described? What is the characteristic? Does the person, item, or action have the characteristic? (Yes / No) When does this description apply? From: To:

Form: Describe a person, item, or action Who or what is being described? Alice. What is the characteristic? IEEE Member. Does the person, item, or action have the characteristic? Yes. When does this description apply? From: 1/1/03 To: 1/1/04

Conclusion Completed work Found a tractable fragment of first-order logic that can express many (almost all?) policies of interest. Work in progress Investigating the extent to which we can capture the social security database. Building a prototype to demonstrate the language’s usability. Applying the same techniques to formalizing XrML.

For more information… The paper `Using First-order Logic to Reason about Policies’ is available at  and in the proceedings of this year’s Computer Security Foundations Workshop (CSFW).

Prototype screen: Describe a person, item, or action. Site header: `We tell you what’s allowed and what’s not’ (sign in | help). Menu: Home; Facts (Describe a person, item, or action; Relate one person, item, or action to another; Record an event; Modify the fact database); Policies (Give permission; Deny permission; Modify the policy database); Queries (Is an event allowed? Is an event forbidden? What are the known facts? What are the known policies?). Form: Who or what is being described? (e.g. George Smith, Rhodes Hall): Riccardo Focardi. What is the characteristic? (e.g. librarian, building): Program Chair. Does the person, item, or action have the characteristic? yes / no. When does this description apply? From (dd/mm/yy or now): 26/06/02. To (dd/mm/yy or unknown or always): 26/06/04. Buttons: Done, Abort.

Prototype screen: Give permission. Site header: `We tell you what’s allowed and what’s not’ (sign in | help). Menu: Home; Facts (Describe a person, item, or action; Relate one person, item, or action to another; Record an event; Modify the fact database); Policies (Give permission; Deny permission; Modify the policy database); Queries (Is an event allowed? Is an event forbidden? What are the known facts? What are the known policies?). Form: Who is being given permission? Anyone who meets the following description (right-click in scrollbars to add/remove requirements). Which actions are being regulated? Any action that meets the following description. Are there other conditions that must hold for the policy to apply? Buttons: Done, Abort.