A Formal Foundation for ODRL

Problem: No formal semantics = the language is ambiguous

What's ODRL?
§ An XML-based language for writing software licenses. The language specification includes:
  § syntax
  § an English interpretation of the syntax
§ The language is freely available (no copyright or patent restrictions!).
§ The language has been endorsed by nearly 20 organizations, including:
  § Nokia, a multi-industry conglomerate focused on mobile communications;
  § DAFNE, a research project funded by the Italian government to develop a prototype of the national infrastructure for electronic publishing; and
  § RoMEO, a research project investigating the rights management of 'self-archived' research in the UK academic community.
Bottom line: ODRL has a significant, widespread impact on rights management.

ODRL is ambiguous
§ In ODRL, we can write 'if Alice is not permitted to download file A, then she may download file B'. Suppose Alice is neither explicitly permitted nor explicitly forbidden from downloading file A. May she download file B?
§ In ODRL, we can write 'Alice may download file A if she does actions a1 and a2 in order and does actions a3 and a4 in any order'. Suppose Alice does the action sequence a2, a1, a3, a4, a2. May Alice download file A?
§ In ODRL, we can write that Alice may download file C if neither of the above policies holds. What does this mean?
§ The ODRL document says that the language supports revocation, but doesn't say who may revoke what.
Bottom line: ODRL is under-specified. As a result, implementations won't all agree, and the benefits of having a standard are lost.

Our approach: Translate ODRL licenses into formulas in a logic that has a formal semantics.

Which logic?
§ ODRL statements are of the form 'if [antecedent], then [consequent]'.
§ The antecedent is a conjunction of constraints (facts that are outside the user's influence), conditions (constraints that must not hold), and requirements (facts that the user controls).
§ E.g., 'If Alice is over 21 years old, she has paid the cover charge, and the policy "Alice may not enter the bar" does not hold, then Alice may enter the bar'.
§ These statements are readily captured in first-order logic.

Our approach, bottom line: We translate ODRL licenses to formulas in first-order logic.

Benefits of using first-order logic
§ We can compare ODRL with license languages in the formal methods community (which are often fragments of first-order logic).
§ We can compare ODRL with XrML, since we have translated both to first-order logic.
§ Complexity is an open problem, but we are hopeful that applying well-known results for first-order logic will yield (at least) an upper bound.
§ We intend to apply our results from last spring to extend ODRL and, if needed, to find tractable fragments.

From Spring 2003: Using First-order Logic to Reason about Policies

Background: Policies say what is and what is not permitted.

Goals: To create a logic that
1. can easily capture the policies that many people want to discuss,
2. can efficiently determine what is allowed and what is forbidden, and
3. is accessible to non-logicians.

Sample policies include:
• 'All information on this site may be copied.'
• 'The tickets may not be refunded.'

Why bother? We want to promote the dissemination of ideas while still respecting intellectual property rights. To do this, we must be able to state what should be shared (i.e. what's permitted) and what constitutes a violation of a person's rights (i.e. what's not permitted).

Encoding policies and the environment
A policy says what is (or what is not) permitted. The environment (env) gives basic facts about the world.
A policy has the form
  $\forall x_1, \dots, x_m \; (f \Rightarrow (\neg)\,\mathit{Permitted}(t_{ag}, t_{ac}))$
where
§ $f$ is a conjunction of literals;
§ $t_{ag}$ is an agent and $t_{ac}$ is an action, both terms;
§ $\mathit{Permitted}(t_{ag}, t_{ac})$ means $t_{ag}$ may do $t_{ac}$.
An environment is a conjunction of
§ ground literals, e.g. $\mathit{Student}(\mathit{Alice})$;
§ universal formulas, e.g. $\forall x \, (\mathit{Man}(x) \lor \mathit{Woman}(x))$.

Encoding queries
Assume an environment $E$ and a policy set $P = \{p_1, \dots, p_n\}$. Is $c_1$ allowed/forbidden to do $c_2$?
  Is $E \land p_1 \land \dots \land p_n \Rightarrow (\neg)\,\mathit{Permitted}(c_1, c_2)$ a valid formula?

Key idea: Bipolarity
§ Two literals $l$ and $l'$ are unifiable if there is a substitution $\sigma$ such that $\sigma l = \sigma l'$.
§ A literal $l$ is bipolar in a formula $f$ (in CNF) if $l$ is in $f$ and there is a literal $l'$ in $f$ such that $l$ and $\neg l'$ are unifiable (assume $l$ and $l'$ share no variables).

Complexity
If
§ the environment $E$ has only ground literals,
§ for the policy set $P = \{p_1, \dots, p_n\}$ there are no bipolars in $p_1 \land \dots \land p_n$, and
§ no variable appears only on a policy's left-hand side,
then our queries take $|P| \cdot |E|$ time to answer.

Since then: The paper appears in the Proceedings of the 16th IEEE Computer Security Foundations Workshop, 2003.

Relaxing restrictions
§ If the variable restriction isn't met, then the problems are NP in the number of variables in any one policy.
§ Under reasonable assumptions, answering queries takes quadratic time, even if the environment has universal formulas.

Research by: Riccardo Pucella and Vicky Weissman; work presented at WITS '04.
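The policy and query encoding above, together with the bipolarity check, as an added example (not the authors' code) under the restrictions of the stated complexity result: a ground-literal environment assumed consistent, no bipolars in the policy set, and no variable only on a policy's left-hand side. All predicate, constant and sample names (Over21, enter_bar, alice, ...) are constructed for illustration.

```python
# Added example (not the authors' code): evaluator for the first-order policy encoding
# above under the stated restrictions (ground env, no bipolars, no lhs-only variable).
from dataclasses import dataclass

@dataclass(frozen=True)
class Lit:
    pred: str
    args: tuple        # flat terms: constants are plain strings, variables start with '?'
    neg: bool = False  # True encodes the negated literal

@dataclass(frozen=True)
class Policy:
    body: tuple        # f: conjunction of literals (constraints, conditions, requirements)
    head: Lit          # Permitted(t_ag, t_ac), negated for a prohibition

def is_var(t): return t.startswith("?")

def unify(a, b):
    """Most general unifier of two same-sign literals over flat terms, else None."""
    if (a.pred, a.neg, len(a.args)) != (b.pred, b.neg, len(b.args)):
        return None
    s = {}
    for x, y in zip(a.args, b.args):
        while is_var(x) and x in s: x = s[x]   # follow existing bindings
        while is_var(y) and y in s: y = s[y]
        if x != y:
            if is_var(x): s[x] = y
            elif is_var(y): s[y] = x
            else: return None
    return s

def bipolars(policies):
    """Literals l of p1 ∧ … ∧ pn in CNF that unify with ¬l' for some l' there (renamed apart)."""
    lits = [Lit(l.pred, l.args, not l.neg) for p in policies for l in p.body]
    lits += [p.head for p in policies]
    comp = [Lit(m.pred, tuple(t + "'" if is_var(t) else t for t in m.args), not m.neg) for m in lits]
    return {l for l in lits if any(unify(l, c) is not None for c in comp)}

def query(env, policies, agent, action, forbidden=False):
    """Is E ∧ p1 ∧ … ∧ pn ⇒ (¬)Permitted(agent, action) valid?  Without bipolars the policies
    cannot resolve with each other, so this holds iff some head matches the goal and every
    instantiated body literal is explicitly in E: a condition ¬Q(a) needs ¬Q(a) in E, and
    mere absence of Q(a) is not enough (the ODRL 'not permitted' gap noted above)."""
    if bipolars(policies):
        raise ValueError("policy set has bipolar literals; fast check does not apply")
    goal, facts = Lit("Permitted", (agent, action), forbidden), set(env)
    for p in policies:
        s = unify(p.head, goal)   # goal is ground, so s binds head variables to constants
        if s is None: continue
        inst = [Lit(l.pred, tuple(s.get(t, t) for t in l.args), l.neg) for l in p.body]
        if any(is_var(t) for l in inst for t in l.args):
            raise ValueError("a variable occurs only on a policy's left-hand side")
        if all(l in facts for l in inst): return True
    return False
```

A permission and a prohibition on the same action are always bipolar (their heads unify after complementing one), so such a pair is rejected rather than answered by the linear-time check.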