Socially Constructed Trust for Distributed Authorization

Steve Barker, King’s College London
Valerio Genovese, University of Torino, Italy

An Approach

A common approach to trust management: measures of trust (or disbelief or distrust) expressed by using some sub-interval of $[-1, 1]$ as measures of an asserter’s belief/disbelief in some proposition.

BUT:
• How are these trust measures identified?
• What is the precise distinction between 0.35 trust and 0.4 trust?
• How are these trust measures updated?
• ...

Our Alternative

Testifiers (contributor sources) contribute beliefs of their propositional attitudes to a community oracle; these beliefs are accessible to acceptors of community testimony.

Notes: Trust is community constructed, not the asserted trust of some source, no (dubious) “trust measures”, propositional attitudes not propositions are the focus of trusted assertions, ...

Propositional Attitudes

A propositional attitude is a triple $(s_i, \alpha, \psi)$ such that:
• $s_i$ ($1 \le i \le n$) is a source of assertions in a community of sources $\{s_1, \ldots, s_n\}$ of testimonial knowledge;
• $\psi$ is a proposition;
• $\alpha$ is a propositional attitude that a source $s_i$ has in relation to $\psi$.

Note: The proposition $\psi$ is an assertion of a truth; propositional attitudes tie propositions to a testifier (the beliefs of testifiers matter, not truths).

Semantics

The propositional attitudes of relevance to trust are: believes that, disbelieves that. A source $s_i$ that neither believes proposition $\psi$ nor disbelieves $\psi$ suspends judgement on $\psi$.

A semantics we use (others exist): If a source $s_i$ asserts that it disbelieves $\psi$ (resp. $\neg\psi$) then that does not commit $s_i$ to asserting that it believes $\neg\psi$ (resp. $\psi$). However, a source $s_i$ that asserts that it believes $\psi$ (resp. $\neg\psi$) implicitly asserts that it disbelieves $\neg\psi$ (resp. $\psi$).

Relation to Access Control

We use the meta-model notion from Barker (2009) for access control policy specification, i.e.,
• Principal-category assignments ($pca(p, c)$).
• Permission-category assignments ($arca(a, r, c)$).
• Category-category relations (typically, to represent a hierarchical relation).

Authorizations are defined in terms of the $par$ predicate, thus:

$\forall p, a, r, c\ (arca(a, r, c) \wedge pca(p, c) \rightarrow par(p, a, r))$

Attitudes on pca

In our framework a source $s_i$ of testimony may assert that it believes proposition $pca(p, c)$ ($\neg pca(p, c)$) or may assert that it disbelieves $pca(p, c)$ ($\neg pca(p, c)$).

$s_i$ believing (disbelieving) $pca(p, c)$ means $s_i$ asserts that principal $p$ ought to be (ought not to be) assigned to category $c$.

$s_i$’s beliefs and disbeliefs are held in an oracle (database) in the form of assertion/3 facts.

Example

$assertion(K_\alpha, believes, pca(K_{Alice}, preferred)).$
$assertion(K_\beta, disbelieves, pca(K_{Alice}, preferred)).$
$assertion(K_\gamma, believes, \neg pca(K_{Alice}, preferred)).$
$assertion(K_\delta, disbelieves, \neg pca(K_{Alice}, preferred)).$

Obvious readings: The source $K_\alpha$ asserts that it believes the principal identified as $K_{Alice}$ ought to be categorized as “preferred”, ...

Statement Types

Community view requires talk of:
• All ($\Box$) or some ($\Diamond$) members of a community having attitude $\alpha$ on proposition $\psi$.
• The majority ($M$) of members of a community having attitude $\alpha$ on proposition $\psi$.
• A specific number of members of a community having attitude $\alpha$ on proposition $\psi$.
• A specific member of a community having attitude $\alpha$ on proposition $\psi$.

Combinations of these options may be expressed.

CSL

The required language is formalized as Community Security Language (CSL).

CSL is expressed using ASP-DLV syntax with extensions (e.g., for remote access request evaluation) and doxastic operators ($B^{+}$ for “believes that”; $B^{-}$ for “disbelieves that”).

Also, $\Box B^{+}$ for all sources believe, $\Diamond B^{-}$ for some source disbelieves, $M B^{+}$ for the majority of sources believe, ...

Remote evaluation of literal $L$ at site $\omega$ is expressed by $L@\omega$.

Policy Specification

Policy specification is by rules of the form

$h \leftarrow b_1, \ldots, b_n$

where $h$ is a literal $L$ or a counting operator applied to an instance of $\odot\, pca(\_, \_)$ with $\odot \in \{\Box\alpha, \Diamond\alpha, M\alpha\}$; $\alpha \in \{B^{+}, B^{-}\}$; and

$b_i := (not)\ L \mid (\neg)\odot(\neg)\, pca(\_, \_) \mid assertion(\_, \_, (\neg)\, pca(\_, \_)) \mid L@\omega \mid L_g \prec_1 f(S) \prec_2 R_g \mid L_g \prec_1 f(S)@\omega \prec_2 R_g$

Assertions by Oracles

Oracles may make expressions of their aggregated testimonial knowledge, e.g.,

$\Box B^{+}(pca(K_\alpha, c_1)) \wedge \neg\Diamond B^{+}(pca(K_\epsilon, c_5)).$

That is, “all sources of testimony assert that they believe $K_\alpha$ ought to be assigned to category $c_1$ and no source asserts that it believes that $K_\epsilon$ ought to be assigned to category $c_5$.”

Acceptor Policies

Acceptors define policies in terms of the testimony held by oracles, e.g.,

$pca(P, c_0) \leftarrow \Box B^{+}(pca(P, c_1))@\omega,\ assertion(s_1, B^{-}, \neg pca(P, c_4))@\omega.$

That is, the acceptor takes principal $P$ to be assigned to its category $c_0$ if every member of the community that the oracle $\omega$ speaks for asserts that $P$ is assigned to the category $c_1$ unless the source $s_1$ says it disbelieves $P$ ought not to be assigned to category $c_4$.

Flexible Specification

Different definitions of the $\Box$, $\Diamond$ and $M$ operators can be naturally accommodated, e.g., not simply “every source” has the attitude $\alpha$ in relation to $pca(p, c)$ but “every source of testimonial knowledge on the category $c$ has attitude $\alpha$ in relation to $pca(p, c)$.”

Example: $\Box B^{+}_{bd}\, pca(K_{Bob}, bd)$ (“Every source that makes assertions about the category bd (bad debtor) says that $K_{Bob}$ is a bad debtor”.)

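The community operators, the belief/disbelief semantics and the acceptor rule from the Acceptor Policies slide can be sketched outside DLV. The Python below is an added example, not code from the slides or the authors' CSL implementation; the class and function names, the sample facts, the reading of M as a strict majority and the deny-on-empty-scope choice are assumptions.

```python
from collections import namedtuple
# Proposition pca(p, c) or, with neg=True, ¬pca(p, c).
Prop = namedtuple("Prop", "neg principal category")
def pca(p, c): return Prop(False, p, c)
def neg(q): return q._replace(neg=not q.neg)
B_PLUS, B_MINUS = "believes", "disbelieves"

class Oracle:
    """Community oracle holding assertion/3 facts (source, attitude, proposition)."""
    def __init__(self, community, facts):
        self.members = set(community)   # includes sources that suspend judgement
        self.facts = set(facts)
        # Believing ψ implicitly asserts disbelieving ¬ψ; the converse is not derived.
        self.facts |= {(s, B_MINUS, neg(q)) for s, a, q in facts if a == B_PLUS}

    def holders(self, att, q):
        return {s for s, a, x in self.facts if a == att and x == q}

    def scope(self, category=None):
        """Whole community, or only the sources asserting about `category`."""
        if category is None: return self.members
        return {s for s, _, x in self.facts if x.category == category}

    def all_(self, att, q, category=None):      # box operator
        com = self.scope(category)
        return bool(com) and com <= self.holders(att, q)  # empty scope denies (assumption)

    def some(self, att, q): return bool(self.holders(att, q))  # diamond operator

    def majority(self, att, q, category=None):  # M, read as strict majority (assumption)
        com = self.scope(category)
        return 2 * len(com & self.holders(att, q)) > len(com)

def acceptor_pca_c0(oracle, p):
    """pca(P,c0) <- box B+ pca(P,c1) @w, assertion(s1, B-, ¬pca(P,c4)) @w."""
    return (oracle.all_(B_PLUS, pca(p, "c1"))
            and "s1" in oracle.holders(B_MINUS, neg(pca(p, "c4"))))

def par(oracle, p, arca):
    """par(p,a,r) <- arca(a,r,c), pca(p,c), with pca(p,c0) from the rule above."""
    return {(p, a, r) for a, r, c in arca if c == "c0" and acceptor_pca_c0(oracle, p)}

# Constructed sample testimony (not from the slides).
FACTS = [("s1", B_PLUS, pca("alice", "c1")), ("s2", B_PLUS, pca("alice", "c1")),
         ("s3", B_PLUS, pca("alice", "c1")), ("s1", B_PLUS, pca("alice", "c4")),
         ("s1", B_PLUS, pca("bob", "c1")), ("s2", B_MINUS, pca("bob", "c1")),
         ("s2", B_PLUS, pca("bob", "bd"))]
ORACLE = Oracle({"s1", "s2", "s3"}, FACTS)
ARCA = {("read", "ledger", "c0"), ("write", "ledger", "c9")}
```

Note that s1's disbelief in ¬pca(alice, c4) is never asserted directly; it is derived from s1's belief in pca(alice, c4), which is what lets the second body literal of the rule succeed.
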
Practical Issues

Our framework has been implemented in an extended form of DLV.

Testing reveals that distributed literal evaluation is the dominant cost in computation BUT costs are reasonable, in practice, and computation costs grow linearly w.r.t. policy base size.

Proofs of policy properties follow directly from known results for ASP-DLV (e.g., correctness of request evaluation follows from soundness of known operational methods).

Contributions

The proposal is of an alternative view on trust:
• Not based on a trust measure as a real number (with unclear semantics) of an asserter.
• Not based on discrete trust levels (often with unclear semantics) of an asserter.
• As community constructed from assertions by multiple sources of beliefs and disbeliefs.
• As defined flexibly by acceptors according to their security needs.
• As being based on propositional attitudes not propositions.

Further Work

• Community membership issues (e.g., how to address the effects of changes to the community).
• Additional propositional attitudes (e.g., “knows that”).
• Qualified propositional attitude reports (e.g., weakly believed, strongly disbelieved, ...).
• Temporally constrained propositional attitude reports (i.e., beliefs/disbeliefs with a validity period).
• ...