
Lecture Notes in Artificial Intelligence, © Springer Verlag, 1997

Tableaux Methods for Access Control in Distributed Systems

Fabio Massacci*
Computer Laboratory, University of Cambridge, England (UK)
e-mail: fabio.massacci@cl.cam.ac.uk

Abstract. The aim of access control is to limit what users of distributed systems can do directly or through their programs. As the size of the systems and the sensitivity of data increase, formal methods of analysis are often required. This paper presents a prefixed tableaux method for the calculus of access control in distributed systems developed at DEC-SRC by Abadi, Lampson et al. Beside the applicative interest, the calculus poses interesting technical challenges, since it lacks the tree-model property, introduces relations between modalities which cannot be compiled into axiom schemas, and has some features of the universal modality. As a side-effect we show a tableaux calculus for the universal modality which distinguishes it from S5 (via satisfiability on non-tree models).

1 Introduction

Access control is a key issue for the security of computer systems (see [25] for an introduction). Its main purpose is to restrain the actions which legitimate (or malicious) users may perform, either directly or indirectly (through their programs). Its need arises in any system with multiple users and sensitive information or shared resources such as the military [4], banking and commerce [7] or health care services [2].

Distributed systems face additional challenges (e.g. large scale, insecure communications, delegation of management etc.) which require new modelling and reasoning techniques. For instance, access control must be combined with authentication [31], and policies must be refined at the various levels of delegation [22]. The definition of the jurisdiction capabilities of communicating agents also plays a key role in the analysis of security protocols [5,28]. Indeed access control is just a problem of jurisdiction in complex and distributed systems.

As systems become more complex, human (and informal) verification becomes infeasible. Hence formal methods, logics and automated reasoning techniques can be useful tools for the verification of security policies and access control procedures (see e.g. [5,20,19,22,31]). Our target is the development of (tableaux based) automated reasoning techniques for access control.

* Current address: Dip. Informatica e Sistemistica, Università di Roma "La Sapienza", via Salaria 113, I-00198 Roma (I), e-mail massacci@dis.uniroma1.it.

Fig. 1. From "Computing Facilities at the Computer Laboratory". The figure shows the hierarchy of roles Sys-admin, Sw-admin, Postmaster, Deputy Postm, User and Remote-User, with the individuals maj, gt, pb and fm205 placed in it, together with the following text:

maj: titan room manager, knows about unix, decstations, alphas, Ethernet, ATM, printer systems, backup systems and tex.
gt: knows about unix, suns, hp bobcats and snakes, gnu emacs, x, Ethernet, Lisp and similar languages. Deputy postmaster.
pb: postmaster, knows about unix, Suns, X, mail, news, and wide area communications.
[...] If you anticipate a need to login from outside Cambridge, you should consult maj or pb.

The principles of access control can be described with few abstractions: subjects (humans, programs etc.), objects (data, other programs etc.) and privileges which subjects hold on objects (e.g. read, write and execute in unix). The use of these abstractions is the basis of most formal models proposed in the literature, starting from the classical access matrix [18,24] to more advanced systems [10,19,22,23]. A key feature of the new approaches is the attempt to model more closely the (hierarchical) relationships between the various subjects, where some privileges can be inherited along the chains (e.g. Fig. 1).

The use of these abstractions leads naturally towards a formalisation of the problem with multimodal logics: one subject, one modality. There have been a number of works on modelling security and obligations in a multi-agent setting, e.g. [8,17,30], and in particular we focus on the expressive calculus developed at DEC-SRC [1]. This calculus is interesting for a number of reasons:

- it provides a uniform framework for reasoning about access control in presence of delegation and has a simple semantics [1];
- it constitutes the basis of a real system [19,31];
- its features pose interesting technical challenges for deduction.

One of the characteristics which challenge "standard" tableaux calculi is the presence of formulae used for modelling delegation certificates and hierarchical relationships between subjects (i.e. modalities). Those relations have the same force as axiom schemas and are close to role-value-map constructs of AI languages [26]. The key difficulty is that we cannot "compile" them into tableaux rules (nor axiom schemas) since their presence depends on the particular non-logical axioms and the particular theorem we want to prove. Two different theorems (i.e. access requests with different delegation certificates) may impose totally different relations between subjects.

Another feature of the logic is the absence of the tree model property, which also hinders a straightforward extension of tableaux calculi. Finally it shares some properties of the universal modality [12,13] which cannot be axiomatised². In a nutshell, some global properties of the underlying Kripke models can only be discovered on-line during the deduction process.

The tableaux method proposed here is based on Simple Step Tableaux [9,14,21] given their flexibility to adapt to various logics, the possibility of a simple implementation along the line of lean theorem proving [3] and their potential use as a target calculus for translations from the matrix methods [27]. The use of tableaux is not new for security and dates back to the Verus system [20].

The proposed solution uses an extension of prefixed tableaux where prefixes constitute a forest rather than a tree and the set of global axioms is modified at run time. This requires changing the definition of tableau branches and makes possible a simple iterative construction for the universal modality.

We derive a sound and complete decision method for a large fragment of the calculus and a correct one for the whole language (the calculus is undecidable in general). This method extends the deduction capabilities of [1] as we can prove important properties which must be added as non-logical axioms in [1,19].

An important side-effect of these techniques, shown in the appendix, is an EXPTIME tableau for multi-modal logics with the universal modality [12,13].

In what follows, we present the DEC-SRC calculus (§2) and analyse its semantical features (§3). We discuss the tableaux calculus (§4) with some examples (§5) and sketch its soundness and completeness proofs (§6). Conclusions (§7) are followed by an appendix on the universal modality.

2 The DEC-SRC Calculus for Access Control

To make the paper self-contained we sketch the intuitions behind the calculus and refer to [1] for a formal treatment and to [19,31] for its applications.

Users, roles, groups and cryptographic keys are represented by atomic subjects, or principals, and denoted by A, B, KA etc. Complex principals (P or Q) are built by conjunction "&" and quoting "|". The intuition is that P&Q is a principal with the privileges of both P and Q, whereas P|Q corresponds to the principal P claiming to quote a request from Q. Notice that P may claim to quote Q even when Q never said anything.

Other operators are possible, i.e. A for B and A as R [1]: the former is used when A is claiming to act as a delegate for B; the latter when A speaks using a role³ R. Since they can be encoded using | and &, we do not use them. For instance A for B := (A&D)|B where D is a delegation server [1].

Operations over objects are represented by statements denoted by s. Atomic statements (r) are uninterpreted operations or requests [1,23], i.e. propositional letters which can be true in a particular state of the system (request granted) or false (not granted). Complex statements are built with boolean connectives ∧, ¬, etc.: for instance login(telnet) ⊃ login(ftp), whose intuitive (and formal) interpretation is "if telnet has been granted so has ftp".

² This may also explain why only a sound axiomatisation has been devised in [1].
³ For a distinction between the security concepts of role and group see [10,23].

Fig. 2. A Logical Formalisation of Fig. 1. The figure lists the following statements, joined by ∧:

maj says (fm205 ⇒ Usr)
(fm205|Usr) controls read(mail)
Usr controls login(telnet)
RemUsr controls login(ftp)
SysAdm controls (fm205 ⇒ Usr)
SwAdm ⇒ Usr
PostMaster ⇒ Usr
Usr ⇒ RemUsr
SysAdm ⇒ SwAdm
SysAdm ⇒ PostMaster
gt ⇒ DepPostM
maj ⇒ SysAdm
gt ⇒ SwAdm
pb ⇒ PostMaster
fm205 says login(telnet)
fm205 says read(mail)
fm205 ⇒ RemUsr

To represent user requests we use the modal statement "P says s": principal P requests s to be granted. If P is a group then we follow [1,19] and interpret it as "somebody in group P says s".

Principals and statements are linked by privilege attributions [23]: the statement "P controls s" captures the intuition that principal P has access control over s. In the literature on authentication this is called jurisdiction of a principal [5,28] and axiomatised as A says s ∧ A controls s ⊃ s. The aim is to replace it by a more complex but more realistic axiom, where the relation between two principals A and B is expressed with the ⇒ operator:

A says s ∧ B controls s ∧ "some relation between A and B" ⊃ s.

Hierarchical relations between principals are constructed with the speaks-for statement P ⇒ Q. The intuition is that P has at least all the privileges of Q, i.e. P can speak for Q. If P says s this would be as if Q itself said s. It is also used for group membership: P ⇒ G means that P has at least all privileges of group G.

A particular P ⇒ Q may depend on the statements of other principals. For instance fm205 ⇒ Usr in Fig. 2 depends on maj's statements.

3 Formal Syntax and Semantics

The language (described informally in §2) is the following, where A is an atomic principal and r an atomic propositional request:

P, Q ::= A | P&Q | (P|Q)
s, s' ::= r | ¬s | s ∧ s' | P says s | (P ⇒ Q)

Other connectives are abbreviations, e.g. s ⊃ s' ≡ ¬(s ∧ ¬s'). Also P controls s is a shortcut for (P says s) ⊃ s.

In the sequel we assume that in P ⇒ Q either P or Q is an atomic principal, w.l.o.g. since P ⇒ Q is equivalent to P ⇒ A ∧ A ⇒ Q for a new atomic A.

A statement is left (right) restricted when speaks-for subformulae have the form A ⇒ Q (respectively P ⇒ A), i.e. the left (right) principal is atomic. It is weakly left (right) restricted when statements P ⇒ Q are admitted if they occur under the scope of an odd number of negations⁴. It is request restricted when in each statement of the form P says s, the statement s is either an atomic request or a group membership (both possibly negated). For instance the formalisation in Fig. 2 is left, right and request restricted.

In practice statements are right and request restricted. If ⇒ is used for hierarchies and group and role membership, as in Fig. 1, the rightmost principal is atomic. Moreover, in almost all systems [25], privilege attributions are represented by ACLs (access control lists). In the DEC-SRC language, an ACL for a request r is simply the conjunction of statements ⋀ᵢ Pᵢ controls r, where r is uninterpreted [19,23]. If we add, among the possible privileges, the possibility to hand over delegation to other principals, such as Pᵢ controls (Qⱼ ⇒ Aₖ), then we still have a right restricted language.

The semantics is based on Kripke models [1,11,16]: a relation models the compatibility of a state with the requests made by a principal in the real world.

A model is a pair ⟨W, I⟩, where W is a nonempty set of states and I an interpretation such that for every atomic principal A it is Aᴵ ⊆ W × W and for every propositional letter r it is rᴵ ⊆ W. Then I is extended as follows:

(¬s)ᴵ = W − sᴵ
(s ∧ s')ᴵ = sᴵ ∩ s'ᴵ
(P says s)ᴵ = {w | ∀w' ∈ W, if ⟨w, w'⟩ ∈ Pᴵ then w' ∈ sᴵ}
(P&Q)ᴵ = Pᴵ ∪ Qᴵ
(P|Q)ᴵ = {⟨w, w'⟩ | ∃w'' such that ⟨w, w''⟩ ∈ Pᴵ and ⟨w'', w'⟩ ∈ Qᴵ}
(P ⇒ Q)ᴵ = if Qᴵ ⊆ Pᴵ then W else ∅

For simplicity, we write w ⊩ s for w ∈ sᴵ and interchange a set of statements with their conjunction. Next we introduce the set of global axioms G which hold in every possible world [11,21]. They are non-logical axioms describing the access control system: group membership, privilege attributions etc.

Definition 1. A statement s is satisfiable iff there is a model ⟨W, I⟩ where (s)ᴵ is not empty. A statement s is valid iff for every model ⟨W, I⟩ it is (s)ᴵ = W.

Definition 2. A statement s is a logical consequence of G, i.e. G ⊨ s, iff for every ⟨W, I⟩, if ∀w ∈ W, w ⊩ G, then ∀w ∈ W, w ⊩ s.

Global axioms can be incorporated in the axiomatization of [1] with the modal deduction theorem [16,11], but their explicit representation is more effective because the modal deduction theorem leads to an exponential blowup [15].

⁴ For instance the formula ¬A says ((B&C) ⇒ D) is weakly left restricted since the group membership (B&C) ⇒ D is under the scope of one negation.
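As an added example that is not part of the paper, the following Python code implements the Kripke semantics just defined, clause by clause, so that statements can be checked against small hand-built models. The tuple encoding of principals and statements, and the state and relation names of the two constructed models, are this example's own assumptions. It verifies the statement from the Remark of §3 on the two-cluster model W = {1, 11, 2} given there, and uses the jurisdiction axiom of §2 to show how satisfiability pinpoints a weakness: a state where "fm205 says s" and "Usr controls s" both hold but, lacking fm205 ⇒ Usr, s is not granted.

```python
"""Kripke semantics of the DEC-SRC calculus (Section 3), as an added example.

Tuple encoding (an assumption of this example):
  principals: ("atom", "A"), ("and", P, Q) for P&Q, ("quote", P, Q) for P|Q
  statements: ("req", "r"), ("false",), ("not", s), ("and", s, t),
              ("says", P, s), ("speaksfor", P, Q) for P => Q
"""

FALSE = ("false",)

def atom(a): return ("atom", a)
def quote(p, q): return ("quote", p, q)
def says(p, s): return ("says", p, s)
def speaks_for(p, q): return ("speaksfor", p, q)
def neg(s): return ("not", s)
def conj(*ss):
    ss = list(ss)
    out = ss.pop()
    while ss:
        out = ("and", ss.pop(), out)
    return out
def implies(s, t): return neg(conj(s, neg(t)))       # s ⊃ t ≡ ¬(s ∧ ¬t)
def controls(p, s): return implies(says(p, s), s)     # P controls s ≡ (P says s) ⊃ s


class Model:
    """A pair <W, I>: W a set of states, A^I ⊆ W×W per atomic principal, r^I ⊆ W per request."""

    def __init__(self, worlds, principals, requests):
        self.W = frozenset(worlds)
        self.P = {a: frozenset(rel) for a, rel in principals.items()}
        self.R = {r: frozenset(ws) for r, ws in requests.items()}

    def principal(self, p):
        kind = p[0]
        if kind == "atom":
            return self.P.get(p[1], frozenset())
        if kind == "and":        # (P&Q)^I = P^I ∪ Q^I
            return self.principal(p[1]) | self.principal(p[2])
        if kind == "quote":      # (P|Q)^I = {<w,w'> | ∃w'' <w,w''> ∈ P^I and <w'',w'> ∈ Q^I}
            pi, qi = self.principal(p[1]), self.principal(p[2])
            return frozenset((w, w2) for (w, w1) in pi for (v, w2) in qi if w1 == v)
        raise ValueError(f"unknown principal form {kind}")

    def truth_set(self, s):
        kind = s[0]
        if kind == "req":
            return self.R.get(s[1], frozenset())
        if kind == "false":
            return frozenset()
        if kind == "not":        # (¬s)^I = W − s^I
            return self.W - self.truth_set(s[1])
        if kind == "and":        # (s ∧ s')^I = s^I ∩ s'^I
            return self.truth_set(s[1]) & self.truth_set(s[2])
        if kind == "says":       # (P says s)^I = {w | ∀w' <w,w'> ∈ P^I → w' ∈ s^I}
            pi, si = self.principal(s[1]), self.truth_set(s[2])
            return frozenset(w for w in self.W
                             if all(w2 in si for (w1, w2) in pi if w1 == w))
        if kind == "speaksfor":  # (P ⇒ Q)^I = W if Q^I ⊆ P^I else ∅: a global property
            return self.W if self.principal(s[2]) <= self.principal(s[1]) else frozenset()
        raise ValueError(f"unknown statement form {kind}")

    def holds(self, w, s):
        return w in self.truth_set(s)


def non_tree_model_holds():
    """Two-cluster model of the Remark in Section 3: W = {1, 11, 2},
    A^I = {<1,11>, <11,11>}, B^I = {<2,2>}; the statement must hold at state 1."""
    A, B = atom("A"), atom("B")
    m = Model({1, 11, 2}, {"A": {(1, 11), (11, 11)}, "B": {(2, 2)}}, {})
    phi = conj(speaks_for(A, quote(A, A)),
               neg(speaks_for(A, B)),
               says(B, FALSE),
               neg(says(A, FALSE)),
               says(A, conj(says(B, FALSE), neg(says(A, FALSE)))))
    return m.holds(1, phi)


def jurisdiction_weak_states():
    """Constructed model: fm205's only successor grants telnet, Usr's only successor
    does not, so fm205 says tel and Usr controls tel hold at state 0 while tel does not.
    Returns the states where the premises hold but the request is not granted,
    without and with the speaks-for relation of the realistic axiom of Section 2."""
    fm205, usr = atom("fm205"), atom("Usr")
    tel = ("req", "login_telnet")
    premises = conj(says(fm205, tel), controls(usr, tel))
    m = Model({0, 1, 2}, {"fm205": {(0, 1)}, "Usr": {(0, 2)}}, {"login_telnet": {1}})
    return {
        "without_speaks_for": sorted(m.truth_set(conj(premises, neg(tel)))),
        "with_speaks_for": sorted(m.truth_set(conj(premises, speaks_for(fm205, usr), neg(tel)))),
    }
```

Since fm205 ⇒ Usr is a global property, adding it to the premises empties the set of weak states in this model: Usrᴵ ⊄ fm205ᴵ, so the strengthened antecedent is never satisfied, whereas the weak one is satisfied at state 0 with login(telnet) not granted.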

Remark. The semantics of P ⇒ Q reflects global properties of the model, is close to the universal modality [12,13], and can introduce axiom schemas on the fly. We can represent the relation explicitly with the universal modality [u] as

P ⇒ Q ≡ [u](P ⇒ₗₒ꜀ Q)

where we have the following two conditions:

(P ⇒ₗₒ꜀ Q)ᴵ = {w | ∀w' ∈ W, if ⟨w, w'⟩ ∈ Qᴵ then ⟨w, w'⟩ ∈ Pᴵ}
([u]s)ᴵ = if ∀v ∈ W, v ⊩ s then W else ∅

A key property is the possibility of introducing axiom schemas "on the fly". For instance P ⇒ P|P forces the transitivity of relation Pᴵ, where P may be a complex principal. Yet, these global properties may or may not be present. As an example, suppose we have A says (B ⇒ B|B). Transitivity of B will follow only if ¬A says ⊥ is the case. So B's properties depend on the particular global axioms and theorems we are trying to prove.

Another feature is the absence of the tree-model property [29,16]:

A ⇒ A|A ∧ ¬(A ⇒ B) ∧ B says ⊥ ∧ ¬(A says ⊥) ∧ A says (B says ⊥ ∧ ¬A says ⊥)

has no tree model at all, although it is satisfiable in the world 1 of the model with W = {1, 11, 2} and Aᴵ = {⟨1, 11⟩, ⟨11, 11⟩} and Bᴵ = {⟨2, 2⟩}. The key point is that this model has two clusters (connected components), so that 1 satisfies the (local) says statements and 2 satisfies the global ¬(A ⇒ B).

In model theoretic terms, (un)satisfiability is not preserved under disjoint union as in "traditional" modal logics [29]. This is due to the "hidden" presence of the universal modality, which makes impossible the complete characterisation of the logic with a Hilbert system [12,13,29].

The logic is also undecidable and a reduction to pushdown automata (without details) is pointed out in [1]. A simpler proof uses the techniques of [26] and reduces validity to the word problem of (semi)groups: map elements to atomic principals, composition "·" to quoting "|" and equations between words p = q to statements P ⇒ Q ∧ Q ⇒ P (for short P = Q) for the corresponding P and Q. For groups introduce a principal I for identity, one A^c for the converse of each atomic A, and the relative equations. Next use a new principal Gr with global axioms Gr|A = Gr for every atomic A and the statement Gr says (P = Q) for every p = q characterising the group. Then one can prove that Gr says (P₀ = Q₀) is valid with those assumptions iff the equation p₀ = q₀ holds for the group [26].

4 A Tableaux Calculus

Prefixed tableaux use prefixed statements, i.e. pairs ⟨σ : s⟩ where s is a statement and σ is an alternating sequence of integers n and atomic principals A called prefix and defined as σ ::= n | σ:A:n. A key difference from "standard" prefixed tableaux [11,14] is that a set of prefixes now describes a forest of trees, where arcs are labelled with atomic principals and nodes with integers. With k different initial prefixes we have, in graph-theoretic terminology, k connected components or clusters [16]. With global axioms and the operator ⇒ we can impose euclidean or transitive closures on a cluster but we cannot collapse two clusters.

Still the definition of tableau is similar to prefixed tableaux for modal logics [11,14,21]: a tableau T is a rooted (binary) tree where nodes are labelled with prefixed statements in the usual fashion.

Definition 3. A branch of a tableau T is a pair ⟨B, G_B⟩ where B is a path from the root to a leaf of T and G_B is a set of global axioms.

This definition is essential because we need to modify the set of global axioms during the deduction process and therefore different branches may end up with different global axioms. Thus, each time we branch the tree we should also duplicate (in theory) the set of global axioms.

A prefix σ is present in a branch ⟨B, G_B⟩ if there is a prefixed statement with that prefix already in B, and it is new if it is not already present.

The rules for propositional connectives are standard [11,14,21] and omitted. The rules for conjunction, quoting, the use of global axioms and the transitional rules for atomic principals are in Fig. 3.

Fig. 3. PDL-like Rules for Modal Connectives (premises on the left of ⟹, conclusions on the right; "|" separates alternative branches, "," lists conclusions added to the same branch):

⟨and⟩    σ : ¬(P&Q says s)  ⟹  σ : ¬(P says s)  |  σ : ¬(Q says s)
[and]    σ : P&Q says s  ⟹  σ : P says s,  σ : Q says s
⟨quote⟩  σ : ¬(P|Q says s)  ⟹  σ : ¬(P says (Q says s))
[quote]  σ : P|Q says s  ⟹  σ : P says (Q says s)
⟨A⟩      σ : ¬(A says s)  ⟹  σ:A:m : ¬s,  with σ:A:m new
[A]      σ : A says s  ⟹  σ:A:n : s,  with σ:A:n present
Glob     ⟹  σ : s,  if σ is present in B and s ∈ G_B
D(A)     σ : A says s  ⟹  σ : ¬(A says ¬s),  with some σ:A:n already present in the branch

To cope with ⇒ we introduce a new set of propositional atoms xᵢ (distinct from r) to mark unsaid statements as in Fig. 4. Since P ⇒ Q implies that if P says s then Q says s for all s, its negation means that there is "something" (an unknown xᵢ) which P said but Q didn't. The first two rules correspond to the local features of the ⇒ operator, whereas the last is due to its "universal" flavour. The ⟨ugr⟩-rule combines both aspects.

Fig. 4. Rules for the speaks-for operator:

⟨ugr⟩  σ : ¬(P ⇒ Q)  ⟹  n : P says xᵢ,  n : ¬(Q says xᵢ),  with xᵢ and n new
[ugr]  σ : P ⇒ Q  ⟹  G_B := G_B ∪ {P ⇒ Q}
⟨Rgr⟩  σ : P ⇒ A,  σ : ¬(A says s)  ⟹  σ : ¬(P says s)
[Lgr]  σ : A says s,  σ : A ⇒ Q  ⟹  σ : Q says s

Remark. Weakly left restricted statements do not need rule ⟨Rgr⟩ and D(A), while right restricted languages do not need rule [Lgr].

Further simplifications are possible: P ⇒ (A&B)|Q is logically equivalent to P ⇒ A|Q ∧ P ⇒ B|Q. This rule can be added when Q is empty since it may lead to right-restricted formulae. Rule ⟨ugr⟩ must be applied only once for each subformula ¬(P ⇒ Q), no matter its prefix. In a similar way rule ⟨A⟩ can be skipped if a prefixed formula σ:A:n : ¬s is already present, etc.

Definition 4. A branch ⟨B, G_B⟩ is closed if B contains both σ : s and σ : ¬s, for some s and σ. It is open if all possible rules have been applied and it is not closed. A tableau is closed if all branches are closed; it is open if at least one branch is open.

Definition 5. A validity tableau proof for statement s with global axioms G is a closed tableau starting with the branch ⟨{1 : ¬s}, G⟩.

In a dual way a satisfiability witness is any open branch of the tableau starting with ⟨{1 : s}, G⟩, when the calculus is complete for the fragment at hand.

Remark. A decision method (rather than a semidecidable procedure, which could be based on first order translations) is important for security analysis because satisfiability gives information on security weaknesses.

Theorem 6 (Strong Soundness). If s has a tableau proof with global axioms G then s is a logical consequence of G.

We give a completeness result only for two main fragments (as noted in §3 the second is the most important from an applicative point of view).

Theorem 7 (Strong WL-Completeness). If s is a logical consequence of G and G ∪ {¬s} are weakly left restricted then s has a proof.

Theorem 8 (Strong WRR-Completeness). If s is a logical consequence of G and G ∪ {¬s} are weakly right and request restricted then s has a proof.

For a decision method a simple condition, checkable in polynomial time, can be imposed on the global axioms and the consequences. Associate a graph to the global axioms and the negation of the formula to be proved: each atomic principal is represented by a node and for every P ⇒ Q, under the scope of an even number of negations, draw an arc from the atomic principals in P to those in Q. If this graph is acyclic then the tableau construction terminates by using loop checking with an extended notion of the Fisher-Ladner closure. Notice that, in the embedding of the word problem (§3), the principal Gr creates cycles.

In access control, acyclicity is not a restriction but rather a requirement [10,23]: if ⇒ is used for hierarchies of groups/roles then cycles are not allowed.

5 Examples

For the sake of simplicity, we assume that we have a direct (obvious) rule for controls rather than translating it back to ∧ and ¬. A first example is the derivation of a hand-off axiom [1,19]:

¬(A says ⊥) ⊃ (A controls (P ⇒ A)).

Such axioms are used by principals to hand over their privileges in [1,19]. Notice that, although valid, they cannot be proved within the Hilbert system developed by [1] and are added as axioms. The tableau derivation is shown in Fig. 5. The key step is rule [ugr], which cannot be axiomatised.

Fig. 5. Tableaux Proof of a Hand-off Axiom:

(a) 1 : ¬(¬(A says ⊥) ⊃ (A controls P ⇒ A))
(b) 1 : ¬(A says ⊥)                 by rules from (a)
(c) 1 : ¬A controls (P ⇒ A)         by rules from (a)
(d) 1 : A says (P ⇒ A)              by reducing controls from (c)
(e) 1 : ¬(P ⇒ A)                    by reducing controls from (c)
(f) 2 : P says x₁                   by ⟨ugr⟩ from (e)
(g) 2 : ¬(A says x₁)                by ⟨ugr⟩ from (e)
(h) 1:A:3 : ¬⊥                      by ⟨A⟩ from (b)
(i) 1:A:3 : P ⇒ A                   by [A] from (d)
(l) G₁ := {P ⇒ A}                   by [ugr] from (i)
(m) 2 : P ⇒ A                       by Glob from G₁
contradiction between (e, m)

To check that global axioms must be associated to a branch, try the (satisfiable) formula below (or the one in §3) with only one set of global axioms as in [11,21]:

¬(A&B says ⊥) ∧ A says (B ⇒ A) ∧ A says r ∧ B says ¬r

For a "real-life" deduction (Fig. 6) we take delegation without certificates from [1, page 719], where a careful (and nontrivial) Hilbert proof is given.
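Before turning to the delegation example of Fig. 6, here is an added example (not code from the paper) of the acyclicity condition described above for the decision method. It builds the graph whose nodes are atomic principals, with an arc from every atomic principal in P to every atomic principal in Q for each P ⇒ Q that occurs under an even number of negations in the global axioms or in the negation of the goal, and then runs a depth-first cycle search. The tuple encoding, the request names and the goal statement paired with the Fig. 2 axioms are this example's own assumptions; the ⊃ and controls abbreviations of §3 are expanded into ¬ and ∧ so that their negations count.

```python
"""Speaks-for graph acyclicity test (Section 4), as an added example.
Tuple encoding is this example's assumption:
  principals: ("atom", "A"), ("and", P, Q), ("quote", P, Q)
  statements: ("req", "r"), ("not", s), ("and", s, t), ("says", P, s), ("speaksfor", P, Q)
"""

def atom(a): return ("atom", a)
def quote(p, q): return ("quote", p, q)
def says(p, s): return ("says", p, s)
def speaks_for(p, q): return ("speaksfor", p, q)
def neg(s): return ("not", s)
def conj(*ss):
    ss = list(ss)
    out = ss.pop()
    while ss:
        out = ("and", ss.pop(), out)
    return out
def implies(s, t): return neg(conj(s, neg(t)))       # s ⊃ t ≡ ¬(s ∧ ¬t)
def controls(p, s): return implies(says(p, s), s)     # P controls s ≡ (P says s) ⊃ s


def atomic_principals(p):
    """Atomic principals occurring in a (possibly complex) principal."""
    if p[0] == "atom":
        return {p[1]}
    return atomic_principals(p[1]) | atomic_principals(p[2])


def collect_arcs(stmt, negations=0, arcs=None):
    """Arcs P -> Q for every P ⇒ Q under an even number of negations in stmt."""
    if arcs is None:
        arcs = set()
    kind = stmt[0]
    if kind == "not":
        collect_arcs(stmt[1], negations + 1, arcs)
    elif kind == "and":
        collect_arcs(stmt[1], negations, arcs)
        collect_arcs(stmt[2], negations, arcs)
    elif kind == "says":                      # the quoting principal adds no arc
        collect_arcs(stmt[2], negations, arcs)
    elif kind == "speaksfor" and negations % 2 == 0:
        for a in atomic_principals(stmt[1]):
            for b in atomic_principals(stmt[2]):
                arcs.add((a, b))
    return arcs


def has_cycle(arcs):
    """Depth-first search with white/grey/black colouring; a grey successor is a cycle."""
    adj = {}
    for a, b in arcs:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set())
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in adj}

    def dfs(n):
        colour[n] = GREY
        for m in adj[n]:
            if colour[m] == GREY or (colour[m] == WHITE and dfs(m)):
                return True
        colour[n] = BLACK
        return False

    return any(colour[n] == WHITE and dfs(n) for n in list(adj))


def speaks_for_graph_acyclic(global_axioms, goal):
    """The polynomial-time termination condition: graph of G and ¬goal is acyclic."""
    arcs = set()
    for ax in global_axioms:
        collect_arcs(ax, 0, arcs)
    collect_arcs(neg(goal), 0, arcs)         # the negation of the statement to be proved
    return not has_cycle(arcs)


def fig2_is_acyclic():
    """Global axioms of Fig. 2 with a constructed goal (a request by fm205)."""
    maj, fm205, usr, remusr = atom("maj"), atom("fm205"), atom("Usr"), atom("RemUsr")
    sysadm, swadm, postm, deppostm = atom("SysAdm"), atom("SwAdm"), atom("PostMaster"), atom("DepPostM")
    gt, pb = atom("gt"), atom("pb")
    tel, ftp, mail = ("req", "login_telnet"), ("req", "login_ftp"), ("req", "read_mail")
    G = [says(maj, speaks_for(fm205, usr)), controls(quote(fm205, usr), mail),
         controls(usr, tel), controls(remusr, ftp), controls(sysadm, speaks_for(fm205, usr)),
         speaks_for(swadm, usr), speaks_for(postm, usr), speaks_for(usr, remusr),
         speaks_for(sysadm, swadm), speaks_for(sysadm, postm), speaks_for(gt, deppostm),
         speaks_for(maj, sysadm), speaks_for(gt, swadm), speaks_for(pb, postm)]
    goal = implies(conj(says(fm205, tel), speaks_for(fm205, usr)), tel)   # constructed
    return speaks_for_graph_acyclic(G, goal)


def word_problem_is_cyclic():
    """The group encoding of Section 3: Gr|A = Gr yields a self-loop on Gr."""
    Gr, A = atom("Gr"), atom("A")
    eq = conj(speaks_for(quote(Gr, A), Gr), speaks_for(Gr, quote(Gr, A)))
    return not speaks_for_graph_acyclic([eq], ("req", "r"))
```

The Fig. 2 hierarchy is a forest of role memberships pointing upwards (maj ⇒ SysAdm ⇒ SwAdm ⇒ Usr ⇒ RemUsr and so on), so the test passes; the group encoding fails it exactly because of the cycle the paper points out.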

Fig. 6. Tableau Proof of Delegation without Certificates:

(a) 1 : ¬(KB says (Sc says r) ∧ KS says (KB ⇒ B) ∧ (B|A) controls r ⊃ r)
(b) 1 : KB says (Sc says r)          by rules from (a)
(c) 1 : KS says (KB ⇒ B)             by rules from (a)
(d) 1 : B|A controls r               by rules from (a)
(e) 1 : ¬r                           by rules from (a)
(f) 1 : KS ⇒ S                       by Glob
(g) 1 : S says (KB ⇒ B)              by [Lgr] from (c), (f)
(h) 1 : S controls (KB ⇒ B)          by Glob
    1 : ¬S says (KB ⇒ B)             left branch, reducing controls from (h)
(i) 1 : KB ⇒ B                       right branch, reducing controls from (h)
(l) 1 : B says (Sc says r)           by [Lgr] from (b), (i)
(m) 1 : r                            left branch, reducing controls from (d)
(n) 1 : ¬(B|A says r)                right branch, reducing controls from (d)
(o) 1 : ¬B says (A says r)           by ⟨quote⟩ from (n)
(p) 1:B:2 : ¬A says r                by ⟨B⟩ from (o)
(q) 1:B:2 : Sc says r                by [B] from (l)
(r) 1:B:2 : Sc ⇒ A                   by Glob
(s) 1:B:2 : A says r                 by [Lgr] from (q), (r)

Example. "A delegates to B who makes requests to C. For instance A may be a user with a sufficiently powerful smart card, B a workstation and C a file server. [...] When B wishes to make a request r on A's behalf, B sends the signed requests along with A's name ... in the format KB says (A says r) ... When C receives the request r he has evidence that B has said A has requested r but not that A has delegated to B; then C consults the ACL [access control list] for request r and determines whether the request should be granted. [...] A certification authority provides the certificates for the principals' public keys as needed. The necessary certificates are KS says (KA ⇒ A) and KS says (KB ⇒ B), where KS is S's public key."

We add a level of indirection to the original problem (by modelling explicitly the smart card Sc) and use the logic for the reasoning of the server C. The set of global axioms and the statement to be proven are:

G := {KS ⇒ S, S controls (KB ⇒ B), Sc ⇒ A}
s := (KB says (Sc says r) ∧ KS says (KB ⇒ B) ∧ (B|A) controls r) ⊃ r

In Fig. 6 only the [Lgr]-rule is used. A derivation with only the ⟨Rgr⟩-rule is possible. This is an example of the "incompilability" of P ⇒ Q into axiom schemas (or rules). Indeed KB ⇒ B corresponds to Bᴵ ⊆ KBᴵ, i.e. KB says s ⊃ B says s, but it is not always valid! It depends on the server's statements, i.e. S says (KB ⇒ B).

Without the server's certificate, i.e. with a different theorem, it doesn't hold. The possibility of adding "on-line" properties is critical here since delegations and group membership depend on the security policy and the current certificates.

6 Soundness and (Partial) Completeness

To prove soundness we map prefixes to states and show that satisfiability is preserved by tableaux rules. After this key lemma, the rest is standard [11].

Definition 9. Let B be a set of prefixed formulae and ⟨W, I⟩ a model. A mapping is a function ι(σ) from prefixes to states s.t. for all σ and σ:A:n present in B it is ⟨ι(σ), ι(σ:A:n)⟩ ∈ Aᴵ.

Definition 10. A tableau branch ⟨B, G_B⟩ is satisfiable (SAT for short) in the model ⟨W, I⟩ if for every s_g ∈ G_B and every w ∈ W it is w ⊩ s_g, and there is a mapping ι(σ) such that for every ⟨σ : s_b⟩ present in B it is ι(σ) ⊩ s_b. A tableau is SAT if one branch is such.

Theorem 11 (Safe Extension). If T is a SAT tableau, then the tableau T' obtained by an application of a tableau rule is also SAT.

Proof. By induction on the rules applied as in [11, Chapter 8] or [9,14,21]. The ⇒ operator is the only new case.

Suppose that ⟨σ : P ⇒ Q⟩ occurs in some SAT branch. Then there must be a model ⟨W, I⟩ and a mapping ι(σ) such that ι(σ) ⊩ P ⇒ Q. Hence (P ⇒ Q)ᴵ = W by the global property of ⇒ (it is not empty as it contains ι(σ)). Therefore adding it to G_B, as done by [ugr], does not change the satisfiability of the branch w.r.t. the G_B condition (and future applications of the Glob-rule).

If ⟨σ : ¬(P ⇒ Q)⟩ is present then by hypothesis ι(σ) ⊩ ¬(P ⇒ Q). Hence there is a ⟨w, w'⟩ ∈ Qᴵ with ⟨w, w'⟩ ∉ Pᴵ. Set ι(n) = w for the new prefix n and (xᵢ)ᴵ = W − {w'} for the new xᵢ. Clearly ι(n) ⊩ P says xᵢ but ι(n) ⊮ (Q says xᵢ). □

For completeness we apply a systematic and fair procedure (see [11,14] for a definition) and use an open branch to construct a model. A key property the procedure must guarantee is downward saturation [11,21]: all applicable rules must have been applied. The proof is given for weakly left restricted statements and its extension is discussed.

Theorem 12 (Model Existence). If ⟨B, G_B⟩ is an open branch with weakly left restricted statements only, then there is a model ⟨W, I⟩ on which it is SAT.

Proof. Construct a pre-model ⟨W, I₀⟩ as follows:

W := {σ | σ is present in B}
Aᴵ⁰ := {⟨σ, σ:A:n⟩ | σ and σ:A:n are present in B}
rᴵ⁰ := {σ | σ : r ∈ B}

Incorporate the constraints due to ⇒ and build I from I₀ as follows:

- for every formula σ : A ⇒ P occurring in B, compute Pᴵ; if ⟨σ', τ⟩ ∈ Pᴵ then add ⟨σ', τ⟩ to Aᴵ;
- repeat until a fix-point is reached.

After this closure phase we must prove that if ⟨σ : s⟩ ∈ B then ι(σ) ⊩ s, by induction on the construction of s, where ι(σ) = σ. The proof is similar to those used for PDL [9] or modal logics [11,14,21]. The difficult case is ⟨σ : A says s⟩, since we must prove that for all prefixes τ with ⟨σ, τ⟩ ∈ Aᴵ it is ⟨τ : s⟩ in B, so that we can apply induction to ⟨τ : s⟩, get τ ⊩ s and then the claim.

The difference with "traditional" proofs [11,21] is that some prefixes are introduced in Aᴵ during the closure phase. Hence we can have (i) τ = σ:A:n for some n, or (ii) ⟨σ, τ⟩ ∈ Pᴵ before the closure phase and Pᴵ ⊆ Aᴵ afterwards. The first case is standard [11,21], whereas for the second case we use the saturation of the branch and a double induction: on the formula size and on the iterations of the closure phase needed to enter ⟨σ, τ⟩ into Aᴵ. For the base case we use the following result, proven by induction on P and s as in [9]:

Proposition 13. Before each iteration step, if ⟨σ : P says s⟩ is present in B and ⟨σ, τ⟩ ∈ Pᴵ then ⟨τ : s⟩ is present in B.

For the induction step observe that whenever ⟨σ : A ⇒ P⟩ is present then by saturation ⟨σ : A says s⟩ implies ⟨σ : P says s⟩. So apply Prop. 13 to get ⟨τ : s⟩, and therefore when τ was added in Aᴵ in the closure phase also ⟨τ : s⟩ was present. Now apply the induction hypothesis.

The local condition for ⇒ is satisfied by construction. For the global condition we use mutual saturation between the Glob and [ugr] rules. If σ : A ⇒ P occurs in B then [ugr] implies that A ⇒ P ∈ G_B. By Glob we have that for all s ∈ G_B and all prefixes σ in B it is ⟨σ : s⟩. Hence every σ satisfies the local condition, i.e. W satisfies the global condition and Pᴵ ⊆ Aᴵ. □

For the right and request restricted fragment of the language the key point is that we only have literals or statements of the form P ⇒ A under the scope of says. The operator ⇒ does not create problems given its global nature, and the only difficult part is due to literals l (r or ¬r).

The previous proof for ⟨σ : A says s⟩ does not work since ⟨σ : P says s⟩ for non-atomic P cannot propagate over ⟨σ : P ⇒ A⟩. However we can prove the dual of the induction step: if ⟨σ : ¬(A says l)⟩ and P ⇒ A are also present then there is a ⟨σ, τ⟩ ∈ Pᴵ such that τ : ¬l. This means that all ⟨σ : P says l'⟩ are consistent with each ⟨σ : ¬(A says l)⟩. At this stage we need to use the D(A)-rule, to prove that those P statements are consistent also with each ⟨σ : A says l''⟩. By D(A) we obtain ⟨σ : ¬(A says ¬l'')⟩ and then apply the dual property.

Since all l, l', l'' are literals this is enough: all A says l are consistent among themselves, and each of them with all P says l'. This means that when we add a ⟨σ, τ⟩ from Aᴵ to Pᴵ in the closure phase we can always extend the valuation of the unspecified l' or l'' in τ so that the result is still a model. Again, this only works for request restricted statements.

7 Conclusion

The major contribution of this paper is the development of a tableaux method for the calculus of access control of Abadi, Lampson et al. [1,19,31]. We have also clarified some model theoretic features of the calculus that make its axiomatic characterisation difficult. The completeness results presented here extend those in [1] and provide the basis for a full-fledged automatisation.

This tableaux method requires novel techniques such as passing from a tree-like tableau to a forest of prefixes, a run time update of global axioms and the corresponding modification of the notion of branch. Future research is in the direction of providing a fully automated verifier, possibly using the results of [3].

As an aside, these tableaux techniques can be used for multimodal logics with the universal modality [13], and a sound and complete calculus is presented in the appendix. Therefore we can distinguish, in proof theoretic terms, between S5 and the universal modality (on non-tree models).

A claim that we do not make is that logic and semantic tableaux should be used for run-time decisions on access control. Although possible, this may lead to unacceptable slow-downs. Logic and tableaux (or similar logic-based methods) should be used for verification and prototyping, for checking that access protocols respect security policies. This work is a step in this direction.

Acknowledgements. I would like to thank L. Paulson and the Computer Laboratory for their hospitality in Cambridge, M. Abadi, the Computer Security group (Cambridge), the Applied Logic group (IRIT) and the anonymous referees for many suggestions which helped to improve this paper. This research has been partly supported by ASI, CNR and MURST 40% and 60% grants and by EPSRC grant GR/K77051 "Authentication Logics".

References

1. M. Abadi, M. Burrows, B. Lampson, and G. Plotkin. A calculus for access control in distributed systems. ACM Trans. on Prog. Lang. and Sys., 15(4):706–734, 1993.
2. R. Anderson. A security policy model for clinical information systems. In Proc. of the 15th IEEE Symp. on Security and Privacy. IEEE Comp. Society Press, 1996.
3. B. Beckert and R. Goré. Free variable tableaux for propositional modal logics. In these proceedings, 1997.
4. D. Bell and L. LaPadula. Secure computer systems: unified exposition and MULTICS. Report ESD-TR-75-306, The MITRE Corporation, March 1976.
5. M. Burrows, M. Abadi, and R. Needham. A logic for authentication. ACM Trans. on Comp. Sys., 8(1):18–36, 1990. Also available as Res. Rep. SRC-39, DEC System Research Center, 1989.
6. M. Castilho and A. Herzig. An alternative to the iteration operator of propositional dynamic logic. Tech. Rep. 96-05-R, IRIT (Toulouse), Univ. Paul Sabatier, Jan 1996.

7. D. Clark and D. Wilson. A comparison of commercial and military computer security policies. In Proc. of the 6th IEEE Symp. on Security and Privacy, pp. 184–194, 1987.
8. F. Cuppens and R. Demolombe. A deontic logic for reasoning about confidentiality. In 3rd Int. Workshop on Deontic Logic in Computer Science, Sesimbra, Portugal, 1996.
9. G. De Giacomo and F. Massacci. Tableaux and algorithms for propositional dynamic logic with converse. In Proc. of the 13th Int. Conf. on Automated Deduction (CADE-96), LNAI 1104, pp. 613–628, 1996.
10. D. Ferraiolo, J. Cugini, and K. Richard. Role-based access control (RBAC): Features and motivations. In Proc. of the Annual Computer Security Applications Conf., 1995.
11. M. Fitting. Proof Methods for Modal and Intuitionistic Logics. Reidel, 1983.
12. V. Goranko. Modal definability in enriched languages. Notre Dame J. of Formal Logic, 31(1), 1990.
13. V. Goranko and S. Passy. Using the universal modality: Gains and questions. J. of Logic and Computation, 2(1):5–30, 1992.
14. R. Goré. Tableaux method for modal and temporal logics. Tech. Rep. TR-ARP-15-5, Australian National Univ., 1995.
15. J. Halpern and Y. Moses. A guide to completeness and complexity for modal logics of knowledge and belief. Artificial Intelligence, 54:319–379, 1992.
16. G. Hughes and M. Cresswell. A Companion to Modal Logic. Methuen, 1984.
17. C. Krogh. Obligations in multiagent systems. In 5th Scandinavian Conference on Artificial Intelligence (SCAI-95), pp. 29–31. ISO Press, 1995.
18. B. Lampson. Protection. ACM Operating Sys. Reviews, 8(1):18–24, 1974.
19. B. Lampson, M. Abadi, M. Burrows, and E. P. Wobber. Authentication in distributed systems: Theory and practice. ACM Trans. on Comp. Sys., 10(4):265–310, 1992.
20. B. Marick. The Verus design verification system. In Proc. of the 2nd IEEE Symp. on Security and Privacy, pp. 150–157, 1983.
21. F. Massacci. Strongly analytic tableaux for normal modal logics. In Proc. of the 12th Int. Conf. on Automated Deduction (CADE-94), LNAI 814, pp. 723–737, 1994.
22. J. Moffett and M. Sloman. Policy hierarchies for distributed systems management. IEEE J. on Selected Areas in Communications, 11(9), 1993.
23. R. Sandhu, E. Coyne, H. Feinstein, and C. Youman. Role-based access control models. IEEE Computer, 29(2), February 1996.
24. R. Sandhu. The typed access matrix model. In Proc. of the 11th IEEE Symp. on Security and Privacy, pp. 122–136, 1992.
25. R. Sandhu and P. Samarati. Access control: Principles and practice. IEEE Communications Magazine, pp. 40–48, September 1994.
26. M. Schmidt-Schauss. Subsumption in KL-ONE is undecidable. In Proc. of the 1st Int. Conf. on the Principles of Knowledge Representation and Reasoning (KR-89), pp. 421–431, 1989.
27. S. Schmitt and C. Kreitz. Converting non-classical matrix proofs into sequent-style systems. In Proc. of the 13th Int. Conf. on Automated Deduction (CADE-96), LNAI 1104, pp. 418–432, 1996.
28. P. F. Syverson and P. C. van Oorschot. On unifying some cryptographic protocol logics. In Proc. of the 13th IEEE Symp. on Security and Privacy. IEEE Comp. Society Press, 1994.

29. J. van Benthem. Correspondence theory. In Handbook of Philosophical Logic, volume II. Reidel, 1986.
30. R. van der Meyden. The dynamic logic of permission. J. of Logic and Computation, 6(3):465-479, 1996.
31. E. Wobber, M. Abadi, and M. Burrows. Authentication in the Taos operating system. ACM Trans. on Comp. Sys., 12(1):3-32, 1994.

A Tableaux for the Universal Modality

We can easily define a tableaux calculus for multimodal logics with the universal modality: use "A says s" as [A]s to get the logic Kn, or more precisely an almost-PDL variant (close to [6], although they have a weaker common knowledge modality); add the single step tableaux (SST) rules for the other modal logics of knowledge and belief between Kn and S5n [14,21]; finally use a modified version of the rules ⟨ugr⟩ and [ugr] described below.

$$\langle u\rangle\colon\ \frac{\sigma : \neg[u]s}{n : \neg s}\ \ (n \text{ new})\qquad\qquad [u]\colon\ \frac{\sigma : [u]s}{GB := GB \cup \{s\}}$$

Theorem 14 (Universal Modality). If $R_1, \ldots, R_n$ are sound and complete SST rules for the (multi)modal logics $L_1, \ldots, L_n$ [14,21], then the tableaux calculus enhanced with the rules [u] and ⟨u⟩ is sound and complete for the multimodal logic $L_1 \ldots L_n$ with the universal modality.

For the soundness part we replace $\neg P \Rightarrow Q$ with $\neg[u]s$ and $P \Rightarrow Q$ with $s$ in the corresponding argument of Thm. 11. For completeness, the mutual induction between the application of the glob-rule and the [u]-rule is identical to Thm. 12.

We can also derive a small model theorem by adapting loop checking techniques from [9,14] and find a model (if any) of size at most $O(|G \cup \{s\}| \cdot 2^{|G \cup \{s\}|})$.

It is possible to "distinguish the (axiomatically) indistinguishable", i.e. S5 from the universal modality, in proof theoretic terms (closed vs open branches for some formulae). Of course this distinction can only be made as satisfiability on k-cluster models for $k \geq 2$, since S5 and [u] cannot be distinguished by validity [12,13,29] and thus by traditional tableaux (and 1-cluster models). For instance, with the S5-rules for [A] and [B] given in [14,21],

$$SAT := \langle B\rangle[A]r \wedge \langle B\rangle[A]\neg r \qquad\qquad UNSAT := \langle B\rangle[A]r \wedge \langle B\rangle[u]\neg r$$

have different tableaux: one open, and the second closed. So replacing an occurrence of [A] with [u] changes the satisfiability of a formula. Equally one can combine [A] only with [u] and obtain different tableaux.

This article was processed using the LaTeX macro package with LLNCS style.
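The SAT/UNSAT pair above checked semantically instead of by tableaux, as an added example in Python that is not part of the paper: it enumerates every S5 model (one equivalence relation each for A and B) with up to three worlds, interprets [u] as quantification over all worlds, and finds a 2-cluster model for SAT but none for UNSAT (which, by the argument in the text, has no model of any size). The tuple encoding of formulas and the three-world search bound are this example's own assumptions.

```python
from itertools import product

# Constructed formula syntax: ('p', name) | ('not', f) | ('and', f, g) |
# ('box', agent, f) | ('dia', agent, f). Agent 'u' is the universal modality:
# its successors are all worlds, independently of the accessibility relations.

def holds(model, w, f):
    # Kripke truth of f at world w; model = (worlds, relations, valuation)
    worlds, rel, val = model
    op = f[0]
    if op == 'p':
        return f[1] in val[w]
    if op == 'not':
        return not holds(model, w, f[1])
    if op == 'and':
        return holds(model, w, f[1]) and holds(model, w, f[2])
    agent, body = f[1], f[2]
    succ = worlds if agent == 'u' else [v for v in worlds if (w, v) in rel[agent]]
    quant = all if op == 'box' else any   # [A] = all successors, <A> = some
    return quant(holds(model, v, body) for v in succ)

def partitions(items):
    # all set partitions of items: each one is an S5 (equivalence) relation
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for p in partitions(rest):
        for i in range(len(p)):
            yield p[:i] + [[first] + p[i]] + p[i + 1:]
        yield [[first]] + p

def s5_models(max_worlds, agents, atoms):
    # every S5 model with up to max_worlds worlds, one partition per agent
    for n in range(1, max_worlds + 1):
        worlds, parts = list(range(n)), list(partitions(list(range(n))))
        for choice in product(parts, repeat=len(agents)):
            rel = {ag: {(a, b) for blk in p for a in blk for b in blk}
                   for ag, p in zip(agents, choice)}
            for bits in product([False, True], repeat=n * len(atoms)):
                val = {w: {at for j, at in enumerate(atoms) if bits[w * len(atoms) + j]}
                       for w in worlds}
                yield (worlds, rel, val)

def find_model(f, max_worlds=3, agents=('A', 'B'), atoms=('r',)):
    # (model, world) satisfying f, or None if no model of that size does
    return next(((m, w) for m in s5_models(max_worlds, agents, atoms)
                 for w in m[0] if holds(m, w, f)), None)

R = ('p', 'r')
SAT = ('and', ('dia', 'B', ('box', 'A', R)), ('dia', 'B', ('box', 'A', ('not', R))))
UNSAT = ('and', ('dia', 'B', ('box', 'A', R)), ('dia', 'B', ('box', 'u', ('not', R))))
```

The witness for SAT has two worlds in one B-cluster but two A-clusters, which is why a 1-cluster model cannot separate the two formulas.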
