Part 5.
Permission Rules for Two-Level
Systems
Controlling access (visibility or scope) of static
references. Analogous to “private” in C/C++/Java.
1
Two-Level Systems (Overview)
Two levels (not counting root)
“Modules” contain resources
Leaves are “resources”, e.g., functions, variables
An example system
Some example permission rulesets
system
Modules: m, n
Resources: x, y, z
m
n
x
z
…
y
Modules could be files. Resources could be functions and
variables.
2
Example Two-Level System:
Three Representations
Top level: Modules (m, n)
Bottom level: Resources (x, y, z)
system
m
U
x
U
I
n
z
y
system
c
c
I
m
n
c
c
c
U
x
y
z
U
C = contain, U = use, I = import
Think of U (use) as “call”, “access variable”, etc.
Think of I (import) as permission to use.
“Import” is sometimes called “Transport”
3
“Import” Ruleset
(2-Levels)
m
U
x
U
I
n
z
y
 x can use y if x and y are siblings, or if x’s
parent imports y’s parent
 x U y  (x S y or  m,n  x P m I n C y)
 U  S  P o I o C, I  S
C = contain, P = parent, S = sibling, U = use, I = import
Constraint: Modules import only modules and resources use only resources
4
“Export” Ruleset
(2-Levels)
m
U
x
U
n
E
z
y
 x can use y if x and y are siblings, or if x’s
parent’s sibling exports y
 x U y  x S y or  j,k  x P j S k E y
 U  S  P o S o E, E  C
“Export” is much like “public” in Java/C++.
Constraint: Resources use only resources
5
“Import-Export” Ruleset
(2-Levels)
m
U
x
U
I
n
E
z
y
 x can use y if x and y are siblings, or if x’s
parent imports y’s parent, who exports y
 x U y  x S y or  m,n  x P m I n E y
 U  S  PoIoE, I  S, E  C
Constraint: Modules import only modules and resources use only resources
6
“Buy” Ruleset
(2-Levels)
m
B
x
U
U
n
z
y
 x can use y if x and y are siblings, or if x buys
for its parent, whose sibling is y’s parent
 x U y  x S y or  m,n  x B m S n C y
 U  S  BoSoC, B  P
Determines which resources can “buy” or “reach” outside their modules.
7
Variation of “Import” Ruleset
(2-Levels)
m
I
x
U
y
I
U
n
z
 x can use y if x and y are siblings, or if x
imports y’s parent
 w can import n if w and n are siblings, or if w’s
parent imports n
 U  S  I o C, I  S  P o I
Rules much like this are used in Euclid and Turing languages.
8
Using ID (Self-Loop) Relations
Mod
I
m
x
Mod
n
z
y
 Predefine: Mod = id(setOfModules)
 Constraint: Modules import only sibling
modules
 x I y  x Mod o S o Mod y
 I  Mod o S o Mod
Many other possible rules, e.g., “Import-Buy”
9
Various Two-Level Rulesets
Ruleset Name
Rules
Buy
U  S  B o S o C, B  P
Import
U  S  P o I o C,
IS
Export
U  S  P o S o E,
E C
Buy-Import
U  S  B o I o C,
B  P, I  S
Import-Export
U  S  P o I o E,
I  S, E C
Buy-Import-Export
U  S  B o I o E,
B  P, I  S, E  C
Constraints: Leaf2Leaf(U), Mod2Mod(I)
10
Part 5b.
Permission Rules for Multi-Level
Systems
Trees not necessarily balanced
“Use” edges not necessarily from leaf to leaf
11
Example Ruleset: “Whole Import-Export”
A node may export its children.
A node may import its siblings. Also,
it may import what its parents
import.
A node may use its siblings and what
they export recursively. Also, it may
use what its parents import, as well
as what they export recursively.
Similar to permission rules used in Turing and Euclid languages
12
Whole Import-Export Ruleset
I
a
b
I
x
• Use
• Import
• Export
U
c
E
d
E
y
U  S o E*  P o I o E*
I  S  PoI
E  C
Each permitting edge is a tube of the permitted edge
13
Selective Buy-Export Ruleset
a
c
b
v
E
B
B
x
E
U
P
Selective Buy-Export
U  B* o S o E*
B  B* o P
E  C o E*
B
B
P
S
U
d
C
w
y
C
E
E
“Tubular Permission”: Each permitting edge is a tube of the permitted edge
14
Example Multi-Level Rulesets
Selective Import-Export ruleset
E  C o E*
I  S o E*  P o I o E*
U  S o E*  P o I o E*
Tube ruleset
TS  PoT  PoToC  ToC
Whole Buy-Sell ruleset
EC
BP
U  B* o S o E*
[Holt tech report 345 ‘96, Mancoridis thesis ‘96] ?
15
Violating, Conforming &
Gratuitous Edges
Iactual
=I
(these actually occur in graph)
Iallowed = S o E*  P o I o E* (these are computed)
Iconforming= I  Iallowed
Iactual = I
Iallowed
Iviolation = I - Iallowed
Igratuitous = Iallowed - I
Iviolating
Iconforming
Igratuitous
To satisfy requirement: Iactual  Iallowed
• Bottom up: Increase parent’s Iactual
• Top Down: Decrease childrens’ Iactual
[See also Murphy’s “reflexion” model ‘95]
16
Part 6.
Sum-of-Products (SoP)
Permission Rules
17
SoP: Example Ruleset
Rule 1: I  S  P o I
Rule 2: E  C
Rule 3: U  S o E*  P o I o E*
Example ruleset has
Three variables (LHS’s): I, E and U
Three constants: S, P and C
Three rules (one for each variable I, E and U)
The right hand side for rule 1 (S  P o I) is
the “sum” (union) of two “products” (S and
P o I)
Rule 2 uses reflexive transitive closure (*)
18
SoP: Basic Vocabulary
The RHS of each SoP rule is a “sum” of
“products”, e.g., in
•
•
I  S  PoI
RHS is the “sum” of S and P o I
P o I is a “product”
In other words:
•
•
Each RHS is a set of simple “path expressions”
SoP = Sum-of-Products = Set-of-Paths
19
Formal Definition: SoP Ruleset
Def. A Sum-of-Products (SoP) ruleset R consists of a
non-empty set of rules each of the form
V  P1  P2  …  Pj
where i  0.
Each Pi is a product and is of the form
r1 o r 2 o … r k
where k  1
About transitive closure TC. In much of the following, we disallow Transitive
Closure (suffix + and *) on RHS to make our presentation simpler. In many
cases below, transitive closure can occur in an RHS without changing the results.
In many cases, algebraic expressions, involving parentheses, can be
incorporated, as long as non-monotonic operators such as set subtraction and
complement are not allowed.
20
Formal Definition: Symbols,
Constants and Variables
Def. Each symbol is a constant or a variable. Consider
an arbitrary rule in an SoP ruleset:
V  P1  P2  …  Pj
where each Pi is a product of the form
r1 o r2 o … rk
Each ri and each V is called a symbol. If the symbol is
directly defined in terms of the tree (e.g., C, ID, P, S), it
is a constant. Otherwise the symbol is a variable. A
variable is sometimes called a type. The left hand side
(V) of a rule must not be a constant. Thus each left
hand side (V) is a variable.
Each variable V can appear on the left side of at most in one
rule.
21
Formal Definition: Empty Sums
A sum can be empty. In principle, a rule’s sum
P1  P2  …  Pj
can contain zero productions, which case the rule
is taken to mean
V  empty
where empty is the set of zero edges.
If a variable W appears in a product but not
explicitly on the left hand side of a rule, then
we assume that there is a rule of the form:
W  empty
We could disallow empty sums, with little change in results.
22
Formal Definition: Productions
and Dependencies
Def. Consider SoP ruleset R consisting of rules of the form
V  P1  P 2  …  Pj
A particular Pi is: r1 o r2 o … o rk
Each V with each of its products Pi is called a production, written
V DR Pi
Where Pi is: r1 o r2 o … o rk
V DR (r1 r2 … rk)
We say V depends on sequence
(r1 r2 … rk) according to ruleset R
V D (r1 r2 … rk)
When R is clear from context we
simply say V depends on the
sequence.
We also define (for each V and each ri)
V dR ri
We say V depends on symbol ri
according to ruleset R
V d ri
When R is clear from context we say
simply V depends on symbol ri
We can give an SoP ruleset by giving a list of its productions.
23
Formal Definition: The Tree
(The NBA Hierarchy)
There is a hierarchy defined by tree T, which can be thought
of as the containment tree of an NBA model.
Def. The tree (hierarchy) T is defined by a set of nodes with
directed edges called C:
N = non-empty set of nodes (vertices)
C  N X N (C for Contain or for Child)
T forms a directed tree, so:
There are no cycles formed by the C edges
There is a distinguished node called the root wuch
that no node contains the root, i.e., the root has not
parent
Each node except the root is contained by exactly
one other node, i.e., each non-root node has a single
parent
There will be variable edges, e.g., V and W edges, added to the tree.
24
Formal Definition: States
Def. Assume
(1) tree T which defines node set N
(2) ruleset R which defines a set of variables (relations)
v = {v1, v2, …}
Corresponding to each variable vi is a set of edges
ei  N X N,
ei = (xi, yi) where xi and yi are nodes
A state (or graph) s is the set of these named sets of edges
s = {v1 : e1, v2 : e2, …}
An alternate approach considers that s is a set of triples:
s  NXvXN
In the alternate approach:
s = { (x1 v1 y1), (x2 v2 y2), … }
where x1, x2, … , y1, y2, … are nodes and v1, v2, … are variables
(relations).
Each state is an NBA model
25
Legality of States in Terms of
Ruleset R and Tree T
Example ruleset R:
Rule 1. I  S  P o I
Rule 2. E  C
Rule 3. U  S o E*  P o I o E*
Assume there is a tree T that connects a set of nodes.
State s consists of sets of directed edges each associated with
a variable (I, E and U) from the ruleset. Each such edge
connects two nodes in the tree.
Def. State s is legal, written L(s), when all rules in the
ruleset are satisfied (rules are interepreted using Tarski
binary algebra).
This example uses transitive closure, although SoP as defined disallows TC.
26
However, most results given here can be generalized to allow TC.
Example: Two Alternate
Representations of States
Example ruleset: Has three variables: I, E and U.
State s can be represented as either
(a) n sets of pairs (one for each variable), e.g.,
s = { I : {(a,b), (b,c)}, E : {(a,d)}, U : {(a,d)} },
or
(b) a single set of triples, e.g.,
s = { (a I b), (b I c), (a E d), (a U d) }
27
Legality of States in Terms of
Permission Function f(s)
Def. Permission function f(s) maps each state s (a set of triples)
to a state
f:QQ
Q is the set of all states. Function f(s) is defined as the set of
triples allowed by s.
Example. In the ruleset with variables I, E and U, f(s) consists of
I triples as computed by I’s products (S, P o I),
E triples as computed by E’s products (one E tuple for each C
tuple),
U triples as computed by U’s products (U  S o E*, P o I o E*)
Def. State s is legal, that is, L(s) is true, when s contains only
triples allowed by f:
L(s) =def s  f (s)
Worry: This could be clearer??
28
Monotonic Permission Function
Function f is monotonic:
s  s’  f(s)  f(s’)
This means: Adding triples to a graph (state) can make more
triples legal and cannot make existing legal triples illegal.
SoP rulesets are inherently monotonic, because each right hand
side of a rule contains only monotonic operators, namely,
“sum” (union) and “product” (composition).
29
Properties Common to Many
Example SoP Rulesets
Graph is legal (Lf ) if it is a prefixpoint of f
Lf (s) =def s  f(s)
Note: when s  f(s), s is called a prefixpoint.
Permission function f is monotonic
Legality is piecewise defined (graph is legal
iff each triple in it is legal)
A graph may permit more triples to be
added to it
Legal graphs are constructive, i.e., can be
built step-by-step from legal subgraphs
What permission rules have these properties??
30