Expressive Power
• How do the sets of systems that models can describe compare?
  – If HRU is equivalent to SPM, SPM provides a more specific answer to the safety question
  – If HRU describes more systems, SPM applies only to the systems it can describe
April 13, 2004 ECS 235 Slide #1

HRU vs. SPM
• SPM more abstract
  – Analyses focus on limits of the model, not details of representation
• HRU allows revocation
  – SPM has no equivalent to delete, destroy
• HRU allows multiparent creates
  – SPM cannot express multiparent creates easily, and not at all if the parents are of different types, because can•create allows for only one type of creator
Slide #2
Multiparent Create
• Solves the mutual suspicion problem
  – Create the proxy jointly; each gives it the needed rights
• In HRU:
    command multicreate(s0, s1, o)
      if r in a[s0, s1] and r in a[s1, s0]
      then
        create object o;
        enter r into a[s0, o];
        enter r into a[s1, o];
    end
Slide #3

SPM and Multiparent Create
• can•create extended in the obvious way
  – cc ⊆ TS × … × TS × T
• Symbols
  – X1, …, Xn parents, Y created
  – R1,i, R2,i, R3, R4,i ⊆ R
• Rules
  – cr_P,i(τ(X1), …, τ(Xn)) = Y/R1,i ∪ Xi/R2,i
  – cr_C(τ(X1), …, τ(Xn)) = Y/R3 ∪ X1/R4,1 ∪ … ∪ Xn/R4,n
Slide #4
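The HRU command on slide #3, executed: the following is an added example (not from the slides) of a small HRU access matrix in Python with `multicreate` as a conditional command. The `HRU` class, its method names, the subjects "Anna" and "Bill" and the right "r" are my choices. The point it shows is the one the slide makes about mutual suspicion: the proxy appears only when both subjects hold r over each other, and when it does neither subject gains anything over the other.

```python
# Added example, not from the slides: an HRU access-control matrix with the
# slide's `multicreate` command. Names and sample values are mine.
from collections import defaultdict


class HRU:
    """Access matrix a[s][o] = set of rights subject s holds over object o."""

    def __init__(self, subjects):
        self.objects = set(subjects)            # subjects are objects too
        self.a = defaultdict(lambda: defaultdict(set))

    def enter(self, right, s, o):
        """Primitive operation: enter right into a[s, o]."""
        self.a[s][o].add(right)

    def create_object(self, o):
        """Primitive operation: create object o (must not exist yet)."""
        if o in self.objects:
            raise ValueError(f"object {o} already exists")
        self.objects.add(o)

    def rights(self, s, o):
        return frozenset(self.a[s][o])

    def multicreate(self, s0, s1, o, right="r"):
        """The slide's command: condition r in a[s0, s1] and r in a[s1, s0].
        Returns True when the command fires; when the condition fails nothing
        changes, which is what makes the create joint."""
        if right in self.a[s0][s1] and right in self.a[s1][s0]:
            self.create_object(o)
            self.enter(right, s0, o)
            self.enter(right, s1, o)
            return True
        return False


def mutual_suspicion_demo(bill_trusts_anna=True):
    """Anna and Bill each hold r over the other, jointly create a proxy and end
    up with r over the proxy only. With bill_trusts_anna=False the condition
    fails and no proxy appears."""
    m = HRU({"Anna", "Bill"})
    m.enter("r", "Anna", "Bill")
    if bill_trusts_anna:
        m.enter("r", "Bill", "Anna")
    created = m.multicreate("Anna", "Bill", "proxy")
    return {
        "created": created,
        "proxy_exists": "proxy" in m.objects,
        "anna_on_proxy": m.rights("Anna", "proxy"),
        "bill_on_proxy": m.rights("Bill", "proxy"),
        "anna_on_bill": m.rights("Anna", "Bill"),
        "bill_on_anna": m.rights("Bill", "Anna"),
    }


if __name__ == "__main__":
    print(mutual_suspicion_demo())
    print(mutual_suspicion_demo(bill_trusts_anna=False))
```

The matrix entries `a[s0, s1]` and `a[s1, s0]` act as each party's consent: if either is missing, the command is a no-op and no proxy object is created, so a subject cannot be pulled into a joint create it did not agree to.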
Example
• Anna, Bill must do something cooperatively
  – But they don't trust each other
• Jointly create a proxy
  – Each gives the proxy only the necessary rights
• In ESPM:
  – Anna, Bill of type a; proxy of type p; right x ∈ R
  – cc(a, a) = p
  – cr_Anna(a, a, p) = cr_Bill(a, a, p) = ∅
  – cr_proxy(a, a, p) = {Anna/x, Bill/x}
Slide #5

2-Parent Joint Create Suffices
• Goal: emulate 3-parent joint create with 2-parent joint create
• Definition of 3-parent joint create (subjects P1, P2, P3; child C):
  – cc(τ(P1), τ(P2), τ(P3)) = Z ⊆ T
  – cr_P1(τ(P1), τ(P2), τ(P3)) = C/R1,1 ∪ P1/R2,1
  – cr_P2(τ(P1), τ(P2), τ(P3)) = C/R1,2 ∪ P2/R2,2
  – cr_P3(τ(P1), τ(P2), τ(P3)) = C/R1,3 ∪ P3/R2,3
Slide #6
General Approach
• Define agents for parents and child
  – Agents act as surrogates for the parents
  – If the create fails, the parents have no extra rights
  – If the create succeeds, parents and child have exactly the same rights as in the 3-parent create
• The only extra rights are to agents (which are never used again, so these rights are irrelevant)
Slide #7

Entities and Types
• Parents P1, P2, P3 have types p1, p2, p3
• Child C of type c
• Parent agents A1, A2, A3 of types a1, a2, a3
• Child agent S of type s
• Type t is parentage
  – if X/t ∈ dom(Y), X is Y's parent
• Types t, a1, a2, a3, s are new types
Slide #8
Can•Create
• The following is added to can•create:
  – cc(p1) = a1
  – cc(p2, a1) = a2
  – cc(p3, a2) = a3
• Parents create their agents; note that agents have a maximum of 2 parents
  – cc(a3) = s
• The agent of all parents creates the agent of the child
  – cc(s) = c
• The agent of the child creates the child
Slide #9

Creation Rules
• The following is added to the create rules:
  – cr_P(p1, a1) = ∅
  – cr_C(p1, a1) = p1/Rtc
• Agent's parent set to creating parent; agent has all rights over parent
  – cr_Pfirst(p2, a1, a2) = ∅
  – cr_Psecond(p2, a1, a2) = ∅
  – cr_C(p2, a1, a2) = p2/Rtc ∪ a1/tc
• Agent's parent set to creating parent and agent; agent has all rights over parent (but not over agent)
Slide #10
Creation Rules
  – cr_Pfirst(p3, a2, a3) = ∅
  – cr_Psecond(p3, a2, a3) = ∅
  – cr_C(p3, a2, a3) = p3/Rtc ∪ a2/tc
• Agent's parent set to creating parent and agent; agent has all rights over parent (but not over agent)
  – cr_P(a3, s) = ∅
  – cr_C(a3, s) = a3/tc
• Child's agent has the third agent as parent
  – cr_P(s, c) = C/Rtc
  – cr_C(s, c) = c/R3t
• Child's agent gets full rights over child; child gets R3 rights over agent
Slide #11

Link Predicates
• Idea: no tickets to parents until the child is created
  – Done by requiring each agent to have its own parent rights
  – link1(A1, A2) = A1/t ∈ dom(A2) ∧ A2/t ∈ dom(A2)
  – link1(A2, A3) = A2/t ∈ dom(A3) ∧ A3/t ∈ dom(A3)
  – link2(S, A3) = A3/t ∈ dom(S) ∧ C/t ∈ dom(C)
  – link3(A1, C) = C/t ∈ dom(A1)
  – link3(A2, C) = C/t ∈ dom(A2)
  – link3(A3, C) = C/t ∈ dom(A3)
  – link4(A1, P1) = P1/t ∈ dom(A1) ∧ A1/t ∈ dom(A1)
  – link4(A2, P2) = P2/t ∈ dom(A2) ∧ A2/t ∈ dom(A2)
  – link4(A3, P3) = P3/t ∈ dom(A3) ∧ A3/t ∈ dom(A3)
Slide #12
Filter Functions
• f1(a2, a1) = a1/t ∪ c/Rtc
• f1(a3, a2) = a2/t ∪ c/Rtc
• f2(s, a3) = a3/t ∪ c/Rtc
• f3(a1, c) = p1/R4,1
• f3(a2, c) = p2/R4,2
• f3(a3, c) = p3/R4,3
• f4(a1, p1) = c/R1,1 ∪ p1/R2,1
• f4(a2, p2) = c/R1,2 ∪ p2/R2,2
• f4(a3, p3) = c/R1,3 ∪ p3/R2,3
Slide #13

Construction
Create A1, A2, A3, S, C; then
• P1 has no relevant tickets
• P2 has no relevant tickets
• P3 has no relevant tickets
• A1 has P1/Rtc
• A2 has P2/Rtc ∪ A1/tc
• A3 has P3/Rtc ∪ A2/tc
• S has A3/tc ∪ C/Rtc
• C has C/R3
Slide #14
Construction
• Only link2(S, A3) true ⇒ apply f2
  – A3 has P3/Rtc ∪ A2/tc ∪ A3/t ∪ C/Rtc
• Now link1(A3, A2) true ⇒ apply f1
  – A2 has P2/Rtc ∪ A1/tc ∪ A2/t ∪ C/Rtc
• Now link1(A2, A1) true ⇒ apply f1
  – A1 has P1/Rtc ∪ A1/t ∪ C/Rtc
• Now all link3s true ⇒ apply f3
  – C has C/R3 ∪ P1/R4,1 ∪ P2/R4,2 ∪ P3/R4,3
Slide #15

Finish Construction
• Now the link4s are true ⇒ apply f4
  – P1 has C/R1,1 ∪ P1/R2,1
  – P2 has C/R1,2 ∪ P2/R2,2
  – P3 has C/R1,3 ∪ P3/R2,3
• The 3-parent joint create gives the same rights to P1, P2, P3, C
• If the create of C fails, link2 fails, so the construction fails
Slide #16
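The construction of slides #8 to #16, replayed mechanically: the following is an added example (not from the slides) that models SPM's copy rule in Python, starts from the ticket state of slide #14, applies the link predicates and filter functions until nothing more can flow, and checks the outcome against the 3-parent joint create of slide #6. Entity, type, link and filter names follow the slides; link_i(X, Y) is written with X the giver and Y the receiver, the argument order slide #15 and the filter functions f_i(τ(X), τ(Y)) use. Two things are assumptions of mine: "Rtc" is read as every right in R plus t, each carrying the copy flag c, and the concrete right sets R, R1, R2, R3, R4 are made-up values.

```python
# Added example (not from the slides): SPM copy rule replaying the agent
# construction of slides #8 to #16. Rtc is read as every right in R plus t with
# the copy flag c; the concrete right sets R, R1..R4 are made up.
from itertools import product

R = frozenset({"r", "w", "x"})                 # the scheme's rights (constructed)
T = "t"                                        # parentage right (slide #8)
RT = R | {T}
# 3-parent joint create being emulated: cr_Pi = C/R1[i] ∪ Pi/R2[i] and
# cr_C = C/R3 ∪ P1/R4[1] ∪ P2/R4[2] ∪ P3/R4[3] (constructed values)
R1 = {1: {"r"}, 2: {"w"}, 3: {"x"}}
R2 = {1: {"w"}, 2: {"x"}, 3: {"r"}}
R3 = {"r", "w"}
R4 = {1: {"x"}, 2: {"r"}, 3: {"w"}}
TYPES = {"P1": "p1", "P2": "p2", "P3": "p3", "A1": "a1", "A2": "a2", "A3": "a3",
         "S": "s", "C": "c"}

def tk(entity, rights, copy):
    """Tickets entity/r for every r in rights; copy=True adds the copy flag c."""
    return {(entity, r, copy) for r in rights}

def holds(dom, entity, right):
    """entity/right ∈ dom, with or without the copy flag."""
    return any(e == entity and r == right for e, r, _ in dom)

# Link predicates, written link_i(X, Y) with X the giver and Y the receiver
# (the order of slide #15 and of the filter functions f_i(τ(X), τ(Y))).
def link1(dom, x, y): return holds(dom[x], y, T) and holds(dom[x], x, T)
def link2(dom, x, y): return holds(dom[x], y, T) and holds(dom["C"], "C", T)
def link3(dom, x, y): return holds(dom[x], y, T)
LINKS = {1: link1, 2: link2, 3: link3, 4: link1}   # link4 has link1's shape

# Filter functions of slide #13 as sets of (type, right, copy flag).
FILTERS = {(1, "a2", "a1"): {("a1", T, False)} | {("c", r, True) for r in RT},
           (1, "a3", "a2"): {("a2", T, False)} | {("c", r, True) for r in RT},
           (2, "s", "a3"): {("a3", T, False)} | {("c", r, True) for r in RT}}
for i in (1, 2, 3):
    FILTERS[(3, f"a{i}", "c")] = {(f"p{i}", r, False) for r in R4[i]}
    FILTERS[(4, f"a{i}", f"p{i}")] = ({("c", r, False) for r in R1[i]}
                                      | {(f"p{i}", r, False) for r in R2[i]})

def initial_state(child_created=True):
    """Domains after the creates of slides #9 to #11 (slide #14). With
    child_created=False the create of C failed: no C tickets exist anywhere."""
    dom = {e: set() for e in TYPES}
    dom["A1"] |= tk("P1", RT, True)
    dom["A2"] |= tk("P2", RT, True) | tk("A1", {T}, True)
    dom["A3"] |= tk("P3", RT, True) | tk("A2", {T}, True)
    dom["S"] |= tk("A3", {T}, True)
    if child_created:
        dom["S"] |= tk("C", RT, True)                          # cr_P(s, c) = C/Rtc
        dom["C"] |= tk("C", R3, False) | tk("C", {T}, False)   # cr_C(s, c) = c/R3t
    return dom

def copy_closure(dom):
    """Apply the copy rule until nothing changes: X may give Y a copy of Z/r if
    X holds Z/r:c, link_i(X, Y) holds and τ(Z)/r[:c] ∈ f_i(τ(X), τ(Y)); the
    filter entry decides whether the copy keeps the copy flag."""
    dom = {e: set(ts) for e, ts in dom.items()}
    changed = True
    while changed:
        changed = False
        for (i, tx, ty), allowed in FILTERS.items():
            for x, y in product(dom, dom):
                if TYPES[x] != tx or TYPES[y] != ty or not LINKS[i](dom, x, y):
                    continue
                for z, r, c in list(dom[x]):
                    for tz, fr, fc in allowed:
                        if c and tz == TYPES[z] and fr == r and (z, r, fc) not in dom[y]:
                            dom[y].add((z, r, fc))
                            changed = True
    return dom

def ordinary_rights(dom, entity):
    """(target, right) pairs entity holds for rights in R; t is bookkeeping."""
    return {(z, r) for z, r, _ in dom[entity] if r in R}

def three_parent_rights():
    """What the 3-parent joint create of slide #6 gives P1, P2, P3 and C."""
    exp = {f"P{i}": {("C", r) for r in R1[i]} | {(f"P{i}", r) for r in R2[i]}
           for i in (1, 2, 3)}
    exp["C"] = {("C", r) for r in R3} | {(f"P{i}", r) for i in (1, 2, 3) for r in R4[i]}
    return exp

def emulation_matches():
    """Slide #16: after the closure P1, P2, P3, C hold exactly the 3-parent rights."""
    final = copy_closure(initial_state(True))
    return all(ordinary_rights(final, e) == rs for e, rs in three_parent_rights().items())

def failed_create_gives_nothing():
    """Slide #16: if the create of C fails, link2 fails and no parent gains rights."""
    final = copy_closure(initial_state(False))
    return all(not ordinary_rights(final, p) for p in ("P1", "P2", "P3"))
```

Running `copy_closure` on `initial_state()` reproduces the order of slide #15 without being told it: only link2 holds at first, and each application enables the next link, ending with the link4 flows that give the parents their tickets. The closure is a fixpoint rather than a scripted sequence, so it also shows the other half of the argument: with `child_created=False` the predicate link2 never holds, nothing flows, and the parents end with no rights at all.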
Theorem
• The two-parent joint creation operation can implement an n-parent joint creation operation with a fixed number of additional types and rights, and augmentations to the link predicates and filter functions.
• Proof: by construction, as above
  – The difference is that the two systems need not start at the same initial state
Slide #17

Theorems
• Monotonic ESPM and the monotonic HRU model are equivalent.
• The safety question in ESPM is also decidable for an acyclic attenuating scheme
Slide #18
Expressiveness
• Graph-based representation to compare models
• Graph
  – Vertex: represents an entity, has a static type
  – Edge: represents a right, has a static type
• Graph rewriting rules:
  – Initial state operations create the graph in a particular state
  – Node creation operations add nodes and incoming edges
  – Edge adding operations add new edges between existing vertices
Slide #19

Example: 3-Parent Joint Creation
• Simulate with 2-parent
  – Nodes P1, P2, P3 parents
  – Create node C with type c with edges of type e
  – Add node A1 of type a and an edge from P1 to A1 of type e′
[Figure: nodes P1, P2, P3, A1]
Slide #20
Next Step
• A1, P2 create A2; A2, P3 create A3
• Types of nodes, edges are a and e′
[Figure: nodes P1, P2, P3, A1, A2, A3]
Slide #21

Next Step
• A3 creates S, of type a
• S creates C, of type c
[Figure: nodes P1, P2, P3, A1, A2, A3, S, C]
Slide #22
Last Step
• Edge adding operations:
  – P1 → A1 → A2 → A3 → S → C: P1 to C edge type e
  – P2 → A2 → A3 → S → C: P2 to C edge type e
  – P3 → A3 → S → C: P3 to C edge type e
[Figure: nodes P1, P2, P3, A1, A2, A3, S, C]
Slide #23

Definitions
• Scheme: graph representation as above
• Model: set of schemes
• Schemes A, B correspond if the graphs for both are identical when all nodes with types not in A and all edges with types not in A are deleted
Slide #24
Example
• The 2-parent joint creation simulation above is in scheme TWO
• Equivalent to the 3-parent joint creation scheme THREE, in which P1, P2, P3, C are of the same types as in TWO, the edges from P1, P2, P3 to C are of type e, and no types a and e′ exist in THREE
Slide #25

Simulation
Scheme A simulates scheme B iff
• every state B can reach has a corresponding state in A that A can reach; and
• every state that A can reach either corresponds to a state B can reach, or has a successor state that corresponds to a state B can reach
  – The last means that A can have intermediate states not corresponding to states in B, like the intermediate ones in TWO in the simulation of THREE
Slide #26
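The graph-rewriting view of slides #19 to #26, made concrete: the following is an added example (not from the slides) that builds scheme TWO's final state through the node-creation and edge-adding steps of slides #20 to #23, builds scheme THREE's final state directly, and tests the correspondence of slide #24. The `Graph` class and its methods are mine. Three assumptions: the parents have node type "p" (the slides do not name it), S creates C in TWO with an e′ edge, and a scheme's set of types is taken to be the types its graph actually uses.

```python
# Added example (not from the slides): graph-rewriting schemes TWO and THREE
# with the "correspond" check of slide #24. Assumed: parents have type "p",
# S creates C with an e' edge, a scheme's types are those its graph uses.

class Graph:
    """Vertices with static types, edges with static types (slide #19)."""

    def __init__(self, max_parents):
        self.max_parents = max_parents   # 2 for scheme TWO, 3 for scheme THREE
        self.nodes = {}                  # name -> node type
        self.edges = set()               # (src, dst, edge type)

    def add_initial(self, name, ntype):
        """Initial state operation: a vertex with no parents."""
        self.nodes[name] = ntype

    def create_node(self, name, ntype, parents, etype):
        """Node creation operation: a new vertex plus incoming edges from parents."""
        if name in self.nodes:
            raise ValueError(f"{name} already exists")
        if len(parents) > self.max_parents:
            raise ValueError(f"scheme allows at most {self.max_parents} parents")
        self.nodes[name] = ntype
        for p in parents:
            self.add_edge(p, name, etype)

    def add_edge(self, src, dst, etype):
        """Edge adding operation between existing vertices."""
        if src not in self.nodes or dst not in self.nodes:
            raise KeyError((src, dst))
        self.edges.add((src, dst, etype))

    def has_path(self, src, dst, etype):
        """Is dst reachable from src along edges of type etype?"""
        seen, stack = set(), [src]
        while stack:
            n = stack.pop()
            if n == dst:
                return True
            if n not in seen:
                seen.add(n)
                stack.extend(d for s, d, t in self.edges if s == n and t == etype)
        return False

    def restrict(self, node_types, edge_types):
        """Delete nodes and edges whose types are outside the given sets."""
        g = Graph(self.max_parents)
        g.nodes = {n: t for n, t in self.nodes.items() if t in node_types}
        g.edges = {(s, d, t) for s, d, t in self.edges
                   if t in edge_types and s in g.nodes and d in g.nodes}
        return g

    def same_as(self, other):
        return self.nodes == other.nodes and self.edges == other.edges


def scheme_two(finish=True):
    """Slides #20 to #23: simulate the 3-parent create with 2-parent creates.
    finish=False stops before the edge-adding step (an intermediate state)."""
    g = Graph(max_parents=2)
    for p in ("P1", "P2", "P3"):
        g.add_initial(p, "p")
    g.create_node("A1", "a", ["P1"], "e'")
    g.create_node("A2", "a", ["A1", "P2"], "e'")
    g.create_node("A3", "a", ["A2", "P3"], "e'")
    g.create_node("S", "a", ["A3"], "e'")
    g.create_node("C", "c", ["S"], "e'")
    if finish:
        # Last step: each parent reaches C along e' edges, so it gets an e edge to C.
        for p in ("P1", "P2", "P3"):
            if g.has_path(p, "C", "e'"):
                g.add_edge(p, "C", "e")
    return g


def scheme_three():
    """The 3-parent joint creation itself: C created by P1, P2, P3 with e edges."""
    g = Graph(max_parents=3)
    for p in ("P1", "P2", "P3"):
        g.add_initial(p, "p")
    g.create_node("C", "c", ["P1", "P2", "P3"], "e")
    return g


def correspond(a, b):
    """Slide #24: the graphs correspond if they are identical once nodes and
    edges whose types A does not use are deleted from both."""
    node_types = set(a.nodes.values())
    edge_types = {t for _, _, t in a.edges}
    return a.restrict(node_types, edge_types).same_as(b.restrict(node_types, edge_types))
```

`correspond(scheme_three(), scheme_two())` holds: deleting the type-a agents and the e′ edges from TWO leaves exactly THREE's graph. `correspond(scheme_three(), scheme_two(finish=False))` does not, which is the intermediate state the simulation definition on slide #26 allows, since its successor (after the edge-adding step) does correspond.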