All access control logics give a principal the ability to let another principal make statements on her behalf. As an example (based on [50]), consider a file access scenario, where an administrator (A) controls the operation of deleting files shared by groups of principals. When there are many shared files in the system, A cannot personally handle all requests. Suppose that the administrator authorises the leader of a group (B) to decide when a particular file is to be deleted (del). In this scenario, we say that B represents A on del, and we wish to conclude that if $\mathit{says}_l(B)(\mathit{del})$, then $\mathit{says}_l(A)(\mathit{del})$.¹

¹ We note that an (appropriate) non-normal modal logic (cf. [29]) may be a better basis for says, if we wish to capture the notion of explicitly says. We have chosen the minimal normal modal logic K because it is adopted by most access control logics in the literature (perhaps by default). The counts as approaches to power [53, 75] use non-normal operators. From an application perspective, we do not have motivation for one choice over the other, and leave an investigation to future work.
How do we accommodate this inference? A naive approach is to introduce

$$\psi \equiv \mathit{says}_l(B)(\mathit{del}) \Rightarrow \mathit{says}_l(A)(\mathit{del})$$

into A's policy. However, such statements create an access control risk, because $\psi$ could be introduced by B, thereby giving B the ability to decide whether any file is to be deleted.
To address this security risk, a principal A is only allowed to introduce statements of the form $\mathit{says}_l(A)\,\psi$. Additional machinery (usually an axiom) is needed to accommodate representation. Abadi [1] discusses several alternatives, involving variants of the hand-off axiom:

(AH) $\mathit{says}_l(A)(\varphi \Rightarrow \mathit{says}_l(A)\,\psi) \Rightarrow (\varphi \Rightarrow \mathit{says}_l(A)\,\psi)$

"B represents A on del" is expressed as:

$$\varphi = \mathit{says}_l(A)(\mathit{says}_l(B)(\mathit{del}) \Rightarrow \mathit{says}_l(A)(\mathit{del}))$$

Using the hand-off axiom and R1, we conclude that $\varphi \vdash \mathit{says}_l(B)(\mathit{del}) \Rightarrow \mathit{says}_l(A)(\mathit{del})$. However, the hand-off axiom has displeasing consequences in classical logics:
Proposition 4.1 (Abadi [1]). The following is provable:

$$\vdash \neg\mathit{says}_l(B)\bot \Rightarrow (\mathit{says}_l(B)\varphi \Rightarrow \varphi)$$

Proof. We proceed as follows:

1. $\vdash \varphi \Rightarrow (\neg\varphi \Rightarrow \mathit{says}_l(B)\bot)$ (using A1)
3. $\vdash \mathit{says}_l(B)(\varphi) \Rightarrow \mathit{says}_l(B)(\neg\varphi \Rightarrow \mathit{says}_l(B)\bot)$ (from (2) using A2 and R1)
4. $\vdash \mathit{says}_l(B)\varphi \Rightarrow (\neg\varphi \Rightarrow \mathit{says}_l(B)\bot)$ (from (3) using AH, A1 and R1)
5. $\vdash \neg\mathit{says}_l(B)\bot \Rightarrow (\mathit{says}_l(B)\varphi \Rightarrow \varphi)$ (from (4) using A1 and R1)
By Proposition 4.1, if we impose the (reasonable) restriction that principals do not utter contradictions, then we are forced to accept every statement as truth! Halpern and van der Meyden [64] discuss the same problem in the context of a logic for local names:

    We certainly want to be able to use the logic to say that if a principal's statements are not blatantly inconsistent, then certain conclusions follow.

While Halpern and van der Meyden [64] address the issue of naming, they exclude notions of representation from their framework. In the context of access control, the solution to the problematic inferences has been to move to an intuitionistic logic [2, 50, 51]. The last step in the deduction above, i.e., from (4) to (5) in the proof of Proposition 4.1, is blocked, since implication is not defined in terms of disjunction in intuitionistic logic. We note that the inference in (4) holds in intuitionistic systems [2, 50, 51], i.e., if a principal makes a false statement, then her statements are inconsistent. Although this does not seem to cause problems in applications, we believe that it is counterintuitive. Why should a mistaken statement or a lie make a principal's statements inconsistent? Neither (4) nor (5) holds in the logic that we develop.
We suggest that the problem is not with classical reasoning, but with the hand-off axiom. The key idea is to reformulate the axiom using the interaction between saying and permission. We now introduce the reformulated version of the axiom, followed by a discussion of its benefits.
We say that B represents A on del if A says that B is permitted to say del. $P_B(\mathit{says}_l(B)\,\mathit{del})$ is read as "B is permitted to say del". The following are equivalent versions of the axiom of representation:

(AR) If A says that B is permitted to say $\varphi$, then if B says $\varphi$, A says $\varphi$.
(AR) $\mathit{says}_l(A)(P_B(\mathit{says}_l(B)\varphi)) \Rightarrow (\mathit{says}_l(B)\varphi \Rightarrow \mathit{says}_l(A)\varphi)$
The axiom of representation is intended for a particular sense of speaking/saying, i.e., speaking on someone's behalf. This sense of saying is the usual one in access control. To simplify matters, we do not explicitly represent the principal on behalf of whom a statement is being made.
"Speaking for" [2, 3, 50] is a case of representation where one principal represents another on all statements. If B speaks for A, we wish to conclude $\mathit{says}_l(B)\varphi \Rightarrow \mathit{says}_l(A)\varphi$ for all $\varphi$. "Speaking for" has a compelling definition in our approach. We say that B speaks for A if A permits B to say anything ($\bot$) on her behalf, i.e., $\mathit{says}_l(A)\,P_B(\mathit{says}_l(B)\bot)$.
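The two notions just introduced, representation on a single statement via AR and "speaking for" as permission to say ⊥, can be exercised as a small policy evaluator, together with the earlier restriction that a principal may only introduce statements of the form says_l(A)ψ. The following is an added example, not code from the paper: the principal names, the perm/BOT encoding and the introduce/closure helpers are constructed here, and AR is applied as a forward-chaining rule over closed statements rather than as an axiom scheme.

```python
# Added example, not code from the paper: a fixpoint evaluator for the axiom of
# representation AR and the "speaking for" case it subsumes. A fact (P, phi) is
# says_l(P) phi; phi is an atom like "del", BOT (the paper's bottom, read as
# "anything"), or perm(B, phi), standing for P_B(says_l(B) phi).
BOT = "BOT"

def perm(speaker, stmt):
    """P_speaker(says_l(speaker) stmt): speaker is permitted to say stmt."""
    return ("perm", speaker, stmt)

def introduce(facts, author, principal, stmt):
    """Only A may add statements of the form says_l(A) psi: the restriction
    that keeps B from planting implications in A's policy."""
    if author != principal:
        raise PermissionError(f"{author} may not introduce says_l({principal})")
    return facts | {(principal, stmt)}

def closure(facts):
    """Least fixed point of AR: says_l(A) P_B(says_l(B) phi) and says_l(B) phi
    give says_l(A) phi. A grant with scope BOT is 'B speaks for A'."""
    facts, changed = set(facts), True
    while changed:
        changed = False
        grants = [(a, s[1], s[2]) for a, s in facts
                  if isinstance(s, tuple) and s[0] == "perm"]
        for a, b, scope in grants:
            for p, phi in list(facts):
                if p == b and scope in (phi, BOT) and (a, phi) not in facts:
                    facts.add((a, phi))
                    changed = True
    return facts

def demo():
    """Constructed scenario: admin A, group leader B representing A on del only,
    and C, who speaks for A. Returns which says_l(A) statements are derivable."""
    facts = frozenset()
    facts = introduce(facts, "A", "A", perm("B", "del"))  # B represents A on del
    facts = introduce(facts, "A", "A", perm("C", BOT))    # C speaks for A
    facts = introduce(facts, "B", "B", "del")
    facts = introduce(facts, "B", "B", "read")            # outside B's scope
    facts = introduce(facts, "C", "C", "write")
    try:                                                  # B may not plant
        facts = introduce(facts, "B", "A", "read")        # says_l(A)(read)
    except PermissionError:
        pass
    derived = closure(facts)
    return {"del": ("A", "del") in derived,       # True, via AR
            "read": ("A", "read") in derived,     # False: B only holds del
            "write": ("A", "write") in derived}   # True: C speaks for A
```

Because grants are recomputed on every pass, a principal who speaks for A also passes on the permissions she grants, so representation chains through intermediaries.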
A novelty in our approach is that "speaking for" and hand-off are both obtained as a consequence of the axiom of representation. In [2, 3, 50], "speaking for" and hand-off are not related, i.e., the former involves an algebra over principals or second-order quantification, and the latter is obtained using an axiom (which implies hand-off). This suggests that the representation axiom is quite different from the hand-off axiom. It is tempting to relate the representation axiom to a restricted version of hand-off:

• $\mathit{says}_l(A)(\mathit{says}_l(B)\varphi \Rightarrow \mathit{says}_l(A)\varphi) \Rightarrow (\mathit{says}_l(B)\varphi \Rightarrow \mathit{says}_l(A)\varphi)$

However, even for this restricted case, we do not know of a complete semantics for hand-off, which makes it difficult to show that a statement is not provable (Abadi et al. [3] observe similar difficulties).² We believe that the representation axiom is a persuasive alternative to hand-off, because it yields a decidable logic with a complete semantics, and more importantly, it has an intuitive interpretation.

² Garg and Abadi [50] provide a complete semantics for a version of the hand-off axiom which implies but is not equivalent to AH. However, this version of hand-off leads to the problematic inferences discussed in Proposition 4.1.
A restricted version of the axiom of representation has been proposed by Becker et al. [16], in the context of the authorization language Secpal. In Secpal, representation is restricted to atomic predicates, and hence, "speaking for" cannot be accommodated. Moreover, the relationship between permission and obligation is not explored, and "permission to say" (called "can say" in Secpal [16]) is treated as a primitive construct. Our formalism generalizes Secpal to accommodate both "speaking for" and obligation. In Section 4.3.6, we show that an extension of the Secpal fragment of the logic is decidable in polynomial time, thereby preserving Secpal's computational benefits. We now discuss further motivation for our approach.