Using First-order Logic to
Reason about Policies
Vicky Weissman
Joint work with:
Joseph Halpern and Carl Lagoze
What is a policy?


A policy says that an individual
may (or may not) do an action if
certain conditions hold.
Examples include


1
`All information on this site may be
copied.’1
`A student shall in no way
misrepresent his or her work.’2
http://www.afrl.af.mil/secdis.htm
2
http://cuinfo.cornell.edu/Academic/AIC.html
Questions about policies


Users want to know what’s allowed and
what’s not.
Policy makers want to know if their
policies are consistent with those already
made.

E.g. Alice writes a set of policies for her
university’s new outreach program. Do her
policies contradict those of the university?
Problem: Ambiguity

Consider the policy
`All information on this site may be copied’,



Interpretation 1: The policy allows any part of the
site to be copied. (`All information’ stresses that
there are no restrictions on what may be copied.)
Interpretation 2: The policy allows the entire site to
be copied (i.e. all of the information).
May Alice copy a paragraph that is on the site?
We don’t know.
Solution:
Write policies in first-order logic
Good News:
 Formal semantics  no ambiguity.
 Fol seems to be sufficiently expressive.
Bad News:
 Many problems for fol are undecidable.
 Many policy writers are not well-versed in logic.
We’ll discuss these issues later in the talk.
Encoding policies


A policy says that an individual may (or may not)
do an action if certain conditions hold.
A policy has the form:
x1,…, xm (f  () Permitted(tag, tac))
Encoding policies


A policy says that an individual may (or may not)
do an action if certain conditions hold.
A policy has the form:
x1,…, xm (f  () Permitted(tag, tac))
Permitted(tag, tac) means that agent tag may do
action tag where tag and tac are terms.
E.g. Permitted(Alice, play) means Alice may play.
Encoding policies


A policy says that an individual may (or may not)
do an action if certain conditions hold.
A policy has the form:
x1,…, xm (f  () Permitted(tag, tac))
f is a conjunction of literals where each literal encodes a
condition.
E.g. f = Vegetable(x1)  Ate(Alice, x1)   Scowl(Alice)
Encoding policies



A policy says that an individual may (or may not)
do an action if certain conditions hold.
A policy has the form:
x1,…, xm (f  () Permitted(tag, tac))
A permitting policy has a positive conclusion, a
denying policy has a negative conclusion.
Encoding policies




A policy says that an individual may (or may not)
do an action if certain conditions hold.
A policy has the form:
x1,…, xm (f  () Permitted(tag, tac))
A permitting policy has a positive conclusion, a
denying policy has a negative conclusion.
E.g.:
x1 (Vegetable(x1)  Ate(Alice, x1) 
Scowl(Alice)  Permitted(Alice, play))
Environments

Does the policy
x1 (Vegetable(x1)  Ate(Alice, x1) 
Scowl(Alice)  Permitted(Alice, play))


allow Alice to play?
To answer the question we need to know if
she ate a vegetable and if she’s scowling.
This information, along with other facts
about the world, are stored in the
environment.
Environments for policies
Policies seem to refer to 2 types of facts:
1.
Basic facts (ground literals)
 Captures attributes of individuals.
 E.g. Vegetable(carrot), Vegetable(carrot cake)
2. Constraints (universal formulas)
 Captures relationships between attributes.
 E.g. x (Private(x)  Public(x)),
x (Freshmen(x)  Student(x))
Assumption: Environment doesn’t talk about
what’s permitted; policies do that.
Encoding the questions in
first-order logic
Assume an environment E and a policy set
{p1,…, pn}.


`Is c1 allowed to do c2?’ =
`Is E  p1 …  pn  Permitted(c1, c2) valid?’
`Are the policies consistent in E?’
`Is E  p1 …  pn satisfiable?’
Encoding the questions in
first-order logic
Assume an environment E and a policy set
{p1,…, pn}.


`Is c1 allowed forbidden to do c2?’ =
`Is E  p1 …  pn  Permitted(c1, c2) valid?’
`Are the policies consistent in E?’
`Is E  p1 …  pn satisfiable?’
Can we answer the questions?


No. These questions are undecidable.
But the game’s not over yet!
We can restrict the language so
that the questions are tractable
AND interesting policies are still
expressible.
One solution: Datalog


Datalog is negation-free, function-free Horn
clauses; queries can be answered in PTime.
Some extensions have been considered.




Safe, stratified Datalog: Binder [DeTreville 02] , RT
[Li, Mitchell, Winsborough 02] and SD3 [Trevor 01] .
Datalog with constraints: RTc [Li and Mitchell 03] .
With these extensions, Datalog is still PTime.
But:


A policy’s conclusion must be a positive literal (no
denying policies).
Support for functions is limited.
Denying policies are common.

Many applications explicitly forbid actions.



`Smoking is prohibited in the dining areas of
all restaurants seating more than 35 people’
is part of the NYC Smoke-Free Air Act.
`The tickets may not be refunded’ is a policy
of many airline fares, theaters, …
These policies cannot be captured
explicitly in (the extended versions of)
Datalog.
Datalog solution


What isn’t explicitly permitted is forbidden.
Problem: Can’t distinguish forbidden
actions from unregulated ones.

E.g. A university’s policies talk about who’s
permitted to get tenure. The policies for
Alice’s new outreach program don’t.  Alice’s
policies contradict the university’s.
We may want functions too.


Functions often occur naturally when translating
English policies to first-order logic.
E.g. `All information on the site may be copied’
translates to either:


x1, x2 (OnSite(x1)  Permitted(x2, copy(x1)))
x1, x2 (EntireSite(x1)  Permitted(x2, copy(x1)))
Another solution

We want a language that




doesn’t restrict functions and
allows us to capture denying policies.
To get this in a tractable language,
some restrictions are necessary.
Key idea: Restrict bipolars.
What is a bipolar?

A literal l is bipolar in a formula f (in CNF) if
1.
2.

the literal l is in f and
there is another literal l’ in f such that l =  l’’ for
some variable substitutions  and ’.
Consider
f =  x, y (Can(Alice, x)   Can(y, sing))
Can(Alice, x) is bipolar in f, because
1.
2.
the literal Can(Alice, x) is in f and
the literal Can(Alice, x)  =  l’’ where
l’ = Can(y, sing),  = [x/sing], and ’ = [y/Alice].
Why is bipolarity interesting?

If E is an environment and {p1, …, pn} is a set
of policies such that
1. every variable on the lhs of a policy also appears on
the rhs,
2. E is a conjunction of ground literals, and
3. there are no bipolar literals in p1 … pn.

Then our questions can be answered in time
(|E|+|P|) log|E| where P = p1 … pn.

|f| is the length of f viewed as a string of symbols.
Language with functions + denying policies is tractable!
When is every variable on the
lhs also on the rhs?



Recall: A policy’s lhs states the conditions
under which the permission on the rhs is
granted/denied.
Variable restriction is met if what you’re
allowed/forbidden to do is based solely on
your attributes and the attributes of the
regulated action.
Our problems are NP in the number of
variables in a single policy that violate the
restriction.
When is E a conjunction of
ground literals?


This restriction is met if E is derived from
databases and certificates.
If the E has constraints (e.g. anything private is
not public), then


Our problems can be answered in quadratic time, if
no more than 1 bipolar per clause.
More than one bipolar per clause is common if there
are definitions (e.g. a senior citizen is someone over
65), but it’s easy to deal with definitions; they’re just
macros.
When are there no bipolar
literals in p1 … pn?
Suppose


Permitted is not in any policy’s premise and
all policies are permitting (or all denying).
Then


The restriction holds if meeting a condition can
only add or remove privileges (but not both).
If each policy has at most 1 bipolar in p1 … pn,
then answering queries takes quadratic time.
But what if some policies are permitting and others denying?
Big idea



We want permissions (prohibitions) to
follow solely from the permitting
(denying) policies.
If this were true, then we could answer a
query by looking at the permitting and
denying policies separately.
Want we want doesn’t come for free.
Denying policies can affect
permissions

Consider 2 permitting policies:



p1 = `anyone who is not faculty may nap.’
p2 = `faculty may chair committees.’
If Alice is a student, may she take a nap?
Denying policies can affect
permissions

Consider 2 permitting policies:



p1 = `anyone who is not faculty may nap.’
p2 = `faculty may chair committees.’
If Alice is a student, may she take a nap?

No, because Alice could be a student who is
also a faculty member.
Denying policies can affect
permissions

Consider 3 policies:




p1 = `anyone who is not faculty may nap.’
p2 = `faculty may chair committees.’
p3 = `students may not chair committees.’
If Alice is a student, may she take a nap?
Denying policies can affect
permissions

Consider 3 policies:




p1 = `anyone who is not faculty may nap.’
p2 = `faculty may chair committees.’
p3 = `students may not chair committees.’
If Alice is a student, may she take a nap?

Yes, because p2 and p3 together imply that
students aren’t faculty.
Moral: Permitting and denying policies together can imply
environment facts, so we can’t separate the policies, unless…
Separating policies

Thm: If implied information is made explicit,
then a positive conclusion follows from all the
policies iff it follows from the permitting policies.


If there are n policies and there is only one bipolar
per policy that involves Permitted, then at most n2
clauses are added and no added clause is more than
twice the length of the longest original clause.
Bottom line: Under reasonable assumptions, we
can answer our queries in quadratic time.
Expressive power

The fragment can capture a number of
policy sets including



the ones we collected from libraries,
the ones we collected from government
docs,
most of the licenses that can be written in
XrML.
Why can’t we handle all XrML
licenses?

XrML allows Permitted in the antecedent
of policies.



Permitted can be a bipolar 
a clause can have multiple bipolars.
But, XrML does not support negation.
Our fragment can express some policies
that XrML can’t and vice-versa.
Are we done yet?
We have found a language that is
expressive enough to capture many
policies of practical interest AND for
which we can answer questions
efficiently.
But we haven’t shown that it’s accessible
to the many policy makers and
administrators who are not logicians.
The architecture
GUI
GUI
user
input
answers
in English
translator
translator
formulas
database
questions
answers
analyzer
Lets non-logicians enter policies
and relevant facts; ask questions.
Translates between user input/
English and first-order formulas
in our restricted form.
Answer questions such as `Can
Alice edit the website?’ and
`Are the policies consistent?’.
Interface

User selects a task such as:





Describe a person, item, or action.
State a policy.
Ask if an action is permitted/forbidden.
User completes the task by filling in a
form.
E.g. To say `Alice is an IEEE member from
Jan. 1, 2003 to Jan. 1, 2004’…
Interface

User selects a task such as:





Describe a person, item, or action.
State a policy.
Ask if an action is permitted/forbidden.
User completes the task by filling in a
form.
E.g. To say `Alice is an IEEE member from
Jan. 1, 2003 to Jan. 1, 2004’…
Form: Describe a person,
item, or action
Who or what is being described?
What is the characteristic?
Does the person, item, or action have the characteristic?
Yes
No
When does this description apply?
From:
To:
Form: Describe a person,
item, or action
Who or what is being described?
Alice
What is the characteristic?
IEEE Member
Does the person, item, or action have the characteristic?
Yes
No
When does this description apply?
From: 1/1/03
To: 1/1/04
Conclusion

Completed work


Found a tractable fragment of first-order logic
that can express many (almost all?) policies of
interest.
Work in progress



Investigating the extent to which we can
capture the social security database.
Building a prototype to demonstrate the
language’s usability.
Applying the same techniques to formalizing
XrML.
For more information…

The paper`Using First-order Logic to
Reason about Policies’ is available:


at http://www.cs.cornell.edu/People/vickyw.
in the proceedings of this year’s Computer
Security Foundations Workshop (CSFW).
Describe a person, item, or action
We tell you
what’s allowed
and what’s not
sign in | help
Home
Who or what is being described?
Facts

Describe a person, item, or action.
Relate one person, item, or action to
another.
Record an event.
Modify the fact database.
(e.g. George Smith, Rhodes Hall)
What is the characteristic?
(e.g. librarian, building)
Does the person, item, or action have the
characteristic?
yes
From:
When does this description apply?
Queries
Is an event allowed?
Is an event forbidden?
What are the known facts?
What are the known policies?
…
Program Chair
Policies
Give permission.
Deny permission.
Modify the policy database.
…
Riccardo Focardi
no
26/06/02
dd/mm/yy or
now
or
To:
26/06/04
dd/mm/yy or
unknown
always
Done
Abort
We tell you
what’s allowed
and what’s not
Home
Facts
Give Permission
sign in | help
Right-click in scrollbars to add/remove requirements.
Who is being given permission?
Anyone who meets the following description:
Describe a person, item, or action.
Relate one person, item, or action to
another.
Record an event.
Modify the fact database.
Policies

Give permission.
Deny permission.
Modify the policy database.
<policy applies to everyone>
Which actions are being regulated?
Any action that meets the following description:
<policy applies to every action>
Queries
Is an event allowed?
Is an event forbidden?
What are the known facts?
What are the known policies?
Are there other conditions that must hold for the policy to
apply?
<no other conditions apply>
Done
Abort