Download presentation
Presentation is loading. Please wait.
Published byBaldric Baker Modified over 8 years ago
1
1 Part 5. Permission Rules for Two-Level Systems Controlling access (visibility or scope) of static references. Analogous to “private” in C/C++/Java.
2
2 Two-Level Systems (Overview) Two levels (not counting root) “Modules” contain resources Leaves are “resources”, e.g., functions, variables An example system Some example permission rulesets z x y m n system Modules: m, n Resources: x, y, z … Modules could be files. Resources could be functions and variables.
3
3 Example Two-Level System: Three Representations system xy z m n U U z x y m n U U I I C = contain, U = use, I = import Think of U (use) as “call”, “access variable”, etc. Think of I (import) as permission to use. Top level: Modules (m, n) Bottom level: Resources (x, y, z) c c c c c “Import” is sometimes called “Transport”
4
4 “Import” Ruleset (2-Levels) x can use y if x and y are siblings, or if x’s parent imports y’s parent x U y (x S y or m,n x P m I n C y) U S P o I o C, I S z x y m n U U I C = contain, P = parent, S = sibling, U = use, I = import Constraint: Modules import only modules and resources use only resources
5
5 “Export” Ruleset (2-Levels) x can use y if x and y are siblings, or if x’s parent’s sibling exports y x U y x S y or j,k x P j S k E y U S P o S o E, E C z x y m n U U E Constraint: Resources use only resources “Export” is much like “public” in Java/C++.
6
6 “Import-Export” Ruleset (2-Levels) x can use y if x and y are siblings, or if x’s parent imports y’s parent, who exports y x U y x S y or m,n x P m I n E y U S P o I o E, I S, E C z x y m n U U E I Constraint: Modules import only modules and resources use only resources
7
7 “Buy” Ruleset (2-Levels) x can use y if x and y are siblings, or if x buys for its parent, whose sibling is y’s parent x U y x S y or m,n x B m S n C y U S B o S o C, B P z x y m n U U B Determines which resources can “buy” or “reach” outside their modules.
8
8 x can use y if x and y are siblings, or if x imports y’s parent w can import n if w and n are siblings, or if w’s parent imports n U S I o C, I S P o I Variation of “Import” Ruleset (2-Levels) z x y m n U U I Rules much like this are used in Euclid and Turing languages. I
9
9 Predefine: Mod = id(setOfModules) Constraint: Modules import only sibling modules x I y x Mod o S o Mod y I Mod o S o Mod Using ID (Self-Loop) Relations z x y m n I Many other possible rules, e.g., “Import-Buy” Mod
10
10 Various Two-Level Rulesets Ruleset NameRules Buy U S B o S o C, B P Import U S P o I o C, I S Export U S P o S o E, E C Buy-Import U S B o I o C, B P, I S Import-Export U S P o I o E, I S, E C Buy-Import-Export U S B o I o E, B P, I S, E C Constraints: Leaf2Leaf(U), Mod2Mod(I)
11
11 Part 5b. Permission Rules for Multi-Level Systems Trees not necessarily balanced “Use” edges not necessarily from leaf to leaf
12
12 Example Ruleset: “Whole Import-Export” A node may export its children. A node may import its siblings. Also, it may import what its parents import. A node may use its siblings and what they export recursively. Also, it may use what its parents import, as well as what they export recursively. Similar to permission rules used in Turing and Euclid languages
13
13 Whole Import-Export Ruleset I a x b c y d I U E E UseU S o E* P o I o E* ImportI S P o I ExportE C Each permitting edge is a tube of the permitted edge
14
14 Selective Buy-Export Ruleset a x b c y d U E E v w B B P BP B S C E E C U Selective Buy-Export U B* o S o E* B B* o P E C o E* “Tubular Permission”: Each permitting edge is a tube of the permitted edge
15
15 Example Multi-Level Rulesets Selective Import-Export ruleset E C o E* I S o E* P o I o E* U S o E* P o I o E* Tube ruleset T S P o T P o T o C T o C Whole Buy-Sell ruleset E C B P U B* o S o E* [Holt tech report 345 ‘96, Mancoridis thesis ‘96] ?
16
16 I actual = I (these actually occur in graph) I allowed = S o E* P o I o E* (these are computed) I conforming = I I allowed I violation = I - I allowed I gratuitous = I allowed - I Violating, Conforming & Gratuitous Edges [See also Murphy’s “reflexion” model ‘95] I actual = I I allowed I violating I gratuitous I conforming To satisfy requirement: I actual I allowed Bottom up: Increase parent’s I actual Top Down: Decrease childrens’ I actual
17
17 Part 6. Sum-of-Products (SoP) Permission Rules
18
18 Rule 1: I S P o I Rule 2: E C Rule 3: U S o E* P o I o E* SoP: Example Ruleset Example ruleset has Three variables (LHS’s): I, E and U Three constants: S, P and C Three rules (one for each variable I, E and U) The right hand side for rule 1 ( S P o I ) is the “sum” (union) of two “products” (S and P o I) Rule 2 uses reflexive transitive closure (*)
19
19 SoP: Basic Vocabulary The RHS of each SoP rule is a “sum” of “products”, e.g., in I S P o I RHS is the “sum” of S and P o I P o I is a “product” In other words: Each RHS is a set of simple “path expressions” SoP = Sum-of-Products = Set-of-Paths
20
20 Formal Definition: SoP Ruleset Def. A Sum-of-Products (SoP) ruleset R consists of a non-empty set of rules each of the form V P 1 P 2 … P j where i 0. Each P i is a product and is of the form r 1 o r 2 o … r k where k 1 About transitive closure TC. In much of the following, we disallow Transitive Closure (suffix + and *) on RHS to make our presentation simpler. In many cases below, transitive closure can occur in an RHS without changing the results. In many cases, algebraic expressions, involving parentheses, can be incorporated, as long as non-monotonic operators such as set subtraction and complement are not allowed.
21
21 Formal Definition: Symbols, Constants and Variables Def. Each symbol is a constant or a variable. Consider an arbitrary rule in an SoP ruleset: V P 1 P 2 … P j where each P i is a product of the form r 1 o r 2 o … r k Each r i and each V is called a symbol. If the symbol is directly defined in terms of the tree (e.g., C, ID, P, S), it is a constant. Otherwise the symbol is a variable. A variable is sometimes called a type. The left hand side (V) of a rule must not be a constant. Thus each left hand side (V) is a variable. Each variable V can appear on the left side of at most in one rule.
22
22 Formal Definition: Empty Sums A sum can be empty. In principle, a rule’s sum P 1 P 2 … P j can contain zero productions, which case the rule is taken to mean V empty where empty is the set of zero edges. If a variable W appears in a product but not explicitly on the left hand side of a rule, then we assume that there is a rule of the form: W empty We could disallow empty sums, with little change in results.
23
23 Def. Consider SoP ruleset R consisting of rules of the form V P 1 P 2 … P j A particular P i is: r 1 o r 2 o … o r k Each V with each of its products P i is called a production, written V R P i Where P i is: r 1 o r 2 o … o r k V R (r 1 r 2 … r k ) We say V depends on sequence (r 1 r 2 … r k ) according to ruleset R V (r 1 r 2 … r k ) When R is clear from context we simply say V depends on the sequence. We also define (for each V and each r i ) V R r i We say V depends on symbol r i according to ruleset R V r i When R is clear from context we say simply V depends on symbol r i Formal Definition: Productions and Dependencies We can give an SoP ruleset by giving a list of its productions.
24
24 Formal Definition: The Tree (The NBA Hierarchy) There is a hierarchy defined by tree T, which can be thought of as the containment tree of an NBA model. Def. The tree (hierarchy) T is defined by a set of nodes with directed edges called C: N = non-empty set of nodes (vertices) C N X N (C for Contain or for Child) T forms a directed tree, so: There are no cycles formed by the C edges There is a distinguished node called the root wuch that no node contains the root, i.e., the root has not parent Each node except the root is contained by exactly one other node, i.e., each non-root node has a single parent There will be variable edges, e.g., V and W edges, added to the tree.
25
25 Formal Definition: States Def. Assume (1) tree T which defines node set N (2) ruleset R which defines a set of variables (relations) v = {v 1, v 2, …} Corresponding to each variable v i is a set of edges e i N X N, e i = (x i, y i ) where x i and y i are nodes A state (or graph) s is the set of these named sets of edges s = {v 1 : e 1, v 2 : e 2, …} An alternate approach considers that s is a set of triples: s N X v X N In the alternate approach: s = { (x 1 v 1 y 1 ), (x 2 v 2 y 2 ), … } where x 1, x 2, …, y 1, y 2, … are nodes and v 1, v 2, … are variables (relations). Each state is an NBA model
26
26 Example ruleset R: Rule 1. I S P o I Rule 2. E C Rule 3. U S o E* P o I o E* Assume there is a tree T that connects a set of nodes. State s consists of sets of directed edges each associated with a variable (I, E and U) from the ruleset. Each such edge connects two nodes in the tree. Def. State s is legal, written L(s), when all rules in the ruleset are satisfied (rules are interepreted using Tarski binary algebra). Legality of States in Terms of Ruleset R and Tree T This example uses transitive closure, although SoP as defined disallows TC. However, most results given here can be generalized to allow TC.
27
27 Example: Two Alternate Representations of States Example ruleset: Has three variables: I, E and U. State s can be represented as either (a) n sets of pairs (one for each variable), e.g., s = { I : {(a,b), (b,c)}, E : {(a,d)}, U : {(a,d)} }, or (b) a single set of triples, e.g., s = { (a I b), (b I c), (a E d), (a U d) }
28
28 Legality of States in Terms of Permission Function f(s) Def. Permission function f(s) maps each state s (a set of triples) to a state f : Q Q Q is the set of all states. Function f(s) is defined as the set of triples allowed by s. Example. In the ruleset with variables I, E and U, f(s) consists of I triples as computed by I’s products (S, P o I), E triples as computed by E’s products (one E tuple for each C tuple), U triples as computed by U’s products (U S o E*, P o I o E*) Def. State s is legal, that is, L(s) is true, when s contains only triples allowed by f: L(s) = def s f (s) Worry: This could be clearer??
29
29 Monotonic Permission Function Function f is monotonic: s s’ f(s) f(s’) This means: Adding triples to a graph (state) can make more triples legal and cannot make existing legal triples illegal. SoP rulesets are inherently monotonic, because each right hand side of a rule contains only monotonic operators, namely, “sum” (union) and “product” (composition).
30
30 Properties Common to Many Example SoP Rulesets Graph is legal (L f ) if it is a prefixpoint of f L f (s) = def s f(s) Note: when s f(s), s is called a prefixpoint. Permission function f is monotonic Legality is piecewise defined (graph is legal iff each triple in it is legal) A graph may permit more triples to be added to it Legal graphs are constructive, i.e., can be built step-by-step from legal subgraphs What permission rules have these properties??
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.