Formal methods for rights
management
Vicky Weissman
The big picture
Digital content providers want to write
policies about their works.
A policy says that under certain conditions
an action is permitted or forbidden.
The ACM has a digital library and policies
`members may download articles’
`members may not republish articles
without explicit consent’.
They want their policies enforced.
Example
Miramax spends $100 million to make
the movie `Big Hit’.
A warehouse employee `borrows’ a
DVD and puts the movie on the web.
Without appropriate policy writing and
enforcement, people can download the
movie for free, instead of buying it.
If enough people do this, then Miramax
is in trouble.
It’s not just movies
Music industry voices same concern.
(Our IP is being stolen!)
Digital libraries can’t put certain
resources online, because of IP laws.
The Greek Orthodox Archdiocese of
America wants to put resources online,
but is wary of defamation.
XrML to the rescue
XrML is an XML-based language for
writing policies.
Semantics is given in 2 ways.
1. An English interpretation of the syntax.
2. An English description of an algorithm
that says if a set of XrML policies imply a
permission.
Bottom line: write policies in XrML,
enforce using the algorithm.
Industry likes XrML
XrML endorsed by Adobe, Hewlett-Packard,
Microsoft, Xerox, Barnesandnoble.com, MPEG
International Standards Committee…
Microsoft and others plan to make XrML
compliant products.
Will tomorrow’s DVD player enforce XrML
policies?
XrML Shortcomings
No formal semantics.
Policies can be ambiguous.
The interpretation of the syntax doesn’t
quite match the algorithm.
The algorithm’s behavior on some
(realistic) input is unintuitive and
unintended by language designers.
E.g. If Alice is a student and any student
may eat lunch, may Alice? Alg. says no.
Joint Work with Joe Halpern
CSFW ‘04
Improving XrML
Fix the algorithm to match developers’ intent.
Translate XrML policies to formulas in first-order logic.
Prove our translation matches the algorithm.
Algorithm says policies imply permission iff
translated policies imply translated permission.
Why translate?
Lets us compare XrML with languages in CS
literature, borrow complexity results, extensions,…
Gives XrML formal semantics (no ambiguity).
Consider complexity
Show that determining if a permission
follows from a set of XrML policies is
NP-hard.
Find tractable fragments that are almost
as expressive.
First step:
Present XrML syntax
XrML is an XML-based language.
XrML policies are verbose.
So, we present a syntax that is
more concise and
easy to map to XrML syntax.
Basic components
Principals
Resources
Digital content (e.g., CS431 Syllabus)
Rights
Agents (e.g., Alice, the University).
Actions (e.g., download, play, edit)
Properties
Describe a principal (e.g., student, smart).
Syntax
Princ ::= p | vp | Princ ∪ Princ.
Rsrc ::= s | vs
Right ::= r | vr
Prop ::= pr
p, s, r, and pr are application-defined,
vp, vs, and vr are variables,
∪ is the union operator.
Principals revisited
Set of principals is closed under union.
E.g. Principals include Alice, Bob, and
{Alice, Bob}.
Who is {Alice, Bob}?
{Alice, Bob} is Alice and Bob in cahoots.
Suppose Alice has a key, does {Alice, Bob}
have it? Yes.
Suppose that Alice is quiet, is {Alice, Bob}
quiet? Not necessarily.
Question
Does a set of principals have the
properties of its members?
XrML interpretation of ∪ doesn’t say.
XrML algorithm makes the assumption in
one routine, but not in another.
Since XrML doesn’t answer question…
We don’t make assumption.
But, can easily write policies to force it.
Syntax (cont.)
grant ::= cond → conc.
conc ::= Pr(p) | Perm(p, r, s).
If cond holds, then conc holds.
Pr(p) means principal p has property pr.
Perm(p, r, s) means p is permitted to
exercise right r over resource s.
cond ::= true | conc | cond ∧ cond.
Examples
Can write:
`Alice is nice’ as true → Nice(Alice).
`Anyone who pays $2 may play `Big Hit’’
as Pay$2(x) → Perm(x, play, `Big Hit’).
`Anyone who is nice and pays $1 may play
`Big Hit’’ as Nice(x) ∧ Pay$1(x) →
Perm(x, play, `Big Hit’).
The syntax given here is
a fragment of XrML.
XrML Algorithm
Let G be a set of grants.
Auth algorithm
Input: G and e, where e is var-free conc.
Output: true iff e follows from G.
Auth calls CondMet algorithm
CondMet input: d, which is a var-free cond.
Output: true iff d holds.
Auth algorithm
Auth(G, e)
1. Find the set D of var-free conds s.t.
∀d∈D ∃g∈G, θ. gθ = d → e.
(In other words, find D s.t. if any d∈D
holds, then a grant in G implies e.)
2. Return
∨_{d∈D} CondMet(d).
CondMet algorithm
CondMet(d)
1. If d is true, Return true.
2. If d is a conc, Return Auth(∅, d).
3. If d is e1 ∧ ... ∧ en, where E is the set
of conc in d, Return
∧_{e∈E} Auth(∅, e).
Example
Let g = true → Student(Alice),
g’ = Student(x) → Perm(x, eat, lunch)
May Alice eat lunch?
Auth({g, g’}, Perm(Alice, eat, lunch))
Finds D = {Student(Alice)}
g is lost!
Calls CondMet(Student(Alice))
Calls Auth(∅, Student(Alice))
Finds D = ∅
Returns false
Algorithm Fix
Let G be a set of grants.
Auth algorithm
Input: G and e, where e is var-free conc.
Output: true iff e follows from G.
Auth calls CondMet algorithm
CondMet input: G and d, where d is a var-free cond.
Output: true iff d holds.
Auth algorithm
Auth(G, e)
1. Find the set D of var-free conds s.t.
∀d∈D ∃g∈G, θ. gθ = d → e.
(In other words, find D s.t. if any d∈D
holds, then a grant in G implies e.)
2. Return
∨_{d∈D} CondMet(G, d).
CondMet algorithm
CondMet(G, d)
1. If d is true, Return true.
2. If d is a conc, Return Auth(G, d).
3. If d is e1 ∧ ... ∧ en, where each ei is a
conc, Return
∧_{i≤n} Auth(G, ei).
Problem: Termination
Auth does not terminate on all inputs.
E.g., g = e → e, where e is var-free.
Auth({g}, e)
Finds D = {e}
Calls CondMet({g}, e)
CondMet calls Auth({g}, e)
Termination Fix
Keep track of conc
given as input to Auth.
Auth({g}, e, ∅)
Finds D = {e}
Calls CondMet({g}, e, {e})
CondMet calls Auth({g}, e, {e})
Auth({g}, e, {e}) detects loop
Returns false
The fixed algorithm is correct.
Auth(G, e) should return true only if
there is a sequence S of grants
d1 → e1, …, dn → en,
where
each grant is a grant in G under some
substitution;
di follows from e1, …, ei-1; and
en is e.
Corrected alg finds S, if it exists.
Translation
Let sT be the translation of any string s.
Grants are a bit tricky.
(d → e)T = ∀x1, …, xn (dT → eT),
where x1, …, xn are the vars in d and e.
If a grant g is a resource (like a certificate):
gT is a constant.
Everything else translates to itself.
E.g., R(Bob)T = R(Bob); (p1 ∪ p2)T = p1 ∪ p2
Translation is correct.
Definition: A good model satisfies the
union properties (p1 ∪ p2 = p2 ∪ p1, …).
Theorem: For every set G of grants and
every var-free conc e in XrML, (fixed)
Auth(G, e) returns true iff
∧_{g∈G} gT → eT is true in every good
model.
Complexity
Determining if a set of XrML grants imply a
conc is NP-hard.
Given the translation, this is easy to prove.
Given the proof, it’s easy to see that the result
depends on the ∪ operator.
Suppose we remove ∪ from the grammar.
XrML translates to Datalog, which is a well-known
tractable fragment of first-order logic.
Given the translation, finding a tractable, fairly
expressive fragment is easy.
But that’s not all
We can extend Datalog by adding some
negation without becoming intractable.
We can extend XrML in the same way.
Also, adding functions to Datalog makes
the language intractable.
Easy to show same result holds for XrML.
Other options
If applications need functions and/or
another type of negation, try another
first-order language.
Lithium [HW CSFW 2003] is a fragment of
first-order logic that supports functions and
some negation (different restrictions than
Datalog).
We can restrict XrML to be a fragment of
Lithium and then extend the XrML
fragment to include functions/some neg.
Key Points
1. Digital content providers need to be able to
write their policies, and these policies need
to be correctly enforced.
2. No matter how carefully you do it, writing a
policy language and/or an enforcement
algorithm without formal semantics WILL BE
BUGGY.
The End
Extensibility
Not hard to add some conclusions
E.g., Pr(s) = resource s has property Pr.
Not hard to add some conditions, by
extending CondMet case statement.
But what if we want to add negation?
Negation
Suppose that a concl can be ¬Pr(p),
meaning p does not have pr.
Shouldn’t be a problem, since Auth just
does symbol matching (except on ∪
terms) and CondMet relies on Auth,
when called with a concl.
Example
Consider the grants
true → Nice(Alice)
Nice(x) → Attractive(x)
Grumpy(x) → ¬Attractive(x)
¬Grumpy(x) → Perm(x, eat, cookie)
May Alice eat a cookie?
According to Auth, no.
But Grumpy(x) → ¬Attractive(x) =
Attractive(x) → ¬Grumpy(x)
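The two claims on this slide, that the permission follows logically even though Auth says no, and that the third grant is equivalent to its contrapositive, can be checked by brute force. The added Python example below (mine, not the author's code) grounds the four grants for the single principal Alice, enumerates every truth assignment to the four resulting atoms, and compares semantic entailment with an Auth-style backward chaining that, like Auth, matches a goal only against grant conclusions. The atom names and the encoding of a literal as an (atom, polarity) pair are constructed for the example.

```python
from itertools import product

# Constructed encoding: one principal (Alice), so each property or permission is a
# single ground atom.  A literal is (atom, polarity); a grant is (body, head) with
# an empty body for `true -> head'.
ATOMS = ("Nice", "Attractive", "Grumpy", "PermEatCookie")

GRANTS = [
    ([], ("Nice", True)),                              # true -> Nice(Alice)
    ([("Nice", True)], ("Attractive", True)),          # Nice(x) -> Attractive(x)
    ([("Grumpy", True)], ("Attractive", False)),       # Grumpy(x) -> not Attractive(x)
    ([("Grumpy", False)], ("PermEatCookie", True)),    # not Grumpy(x) -> Perm(x, eat, cookie)
]
# The same grants with the third replaced by its contrapositive.
CONTRAPOSITIVE = GRANTS[:2] + [([("Attractive", True)], ("Grumpy", False))] + GRANTS[3:]

def holds(literal, model):
    atom, polarity = literal
    return model[atom] == polarity

def satisfies(grants, model):
    """A model satisfies body -> head when some body literal is false or head is true."""
    return all(not all(holds(l, model) for l in body) or holds(head, model)
               for body, head in grants)

def models_of(grants):
    """All truth assignments to ATOMS that satisfy every grant."""
    found = set()
    for values in product((False, True), repeat=len(ATOMS)):
        model = dict(zip(ATOMS, values))
        if satisfies(grants, model):
            found.add(tuple(sorted(model.items())))
    return frozenset(found)

def entails(grants, literal):
    """Semantic entailment: the literal holds in every model of the grants."""
    return all(holds(literal, dict(m)) for m in models_of(grants))

def derivable(grants, literal, seen=frozenset()):
    """Auth-style backward chaining: a goal is matched only against grant heads,
    with the fixed algorithm's loop check on the current path."""
    if literal in seen:
        return False
    return any(all(derivable(grants, l, seen | {literal}) for l in body)
               for body, head in grants if head == literal)

COOKIE = ("PermEatCookie", True)

def alice_may_eat_cookie():
    return entails(GRANTS, COOKIE)                # True: holds in every model

def contrapositive_is_equivalent():
    return models_of(GRANTS) == models_of(CONTRAPOSITIVE)   # True: same models

def auth_style_answer(grants):
    return derivable(grants, COOKIE)              # False for GRANTS, True for CONTRAPOSITIVE
```

The model enumeration is only four atoms wide here; the point it makes is that the symbol-matching search gives different answers for two grant sets with exactly the same models, which is why negation needs a semantic treatment rather than a new case in CondMet.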
Example
Let G = {g1, g2}, where
g1 = Nice(x) → Perm(x, play, `Big Hit’)
g2 = true → Nice(Alice).
May Alice play `Big Hit’?
Auth(G, Perm(Alice, play, `Big Hit’))
Finds D = {Nice(Alice)}
Calls CondMet(G, Nice(Alice))
Calls Auth(G, Nice(Alice))
Finds D = {true}
Calls CondMet(G, true) Returns true
Auth(G, Nice(Alice)) Returns true
CondMet(G, Nice(Alice)) Returns true
Auth(G, Perm(Alice, play, `Big Hit’)) Returns true
Sample XrML policy
Consider the policy `anyone may play
the movie `Big Hit’ for $2 (per use)’.
We could write this policy in XrML as…
<license>
  <grant>
    <forAll varName="anyone" />
    <!-- This is saying that anyone can use this grant. -->
    <principal varRef="anyone" />
    <!-- The right to play the movie is granted -->
    <cx:play />
    <!-- This is the movie that we are giving access to. -->
    <cx:digitalWork>
      <cx:title>Big Hit</cx:title>
    </cx:digitalWork>
    <!-- $2.00 each -->
    <sx:fee>
      <sx:paymentPerUse>
        <sx:rate currency="USD">2.00</sx:rate>
      </sx:paymentPerUse>
    </sx:fee>
  </grant>
</license>