Rights management

1
Rights management

• Vicky Weissman
• Vickyw_at_cs.cornell.edu

2
Policies

• A policy is a set of a conditions under which an
  action is permitted or forbidden.
• Simple examples
• CS 502 students cannot edit the course website.
• A student can only modify a course web page with
  the instructors permission.
• More complicated examples
• To borrow a book from the library, you must have
  a library card and you must either bring the book
  back in 2 weeks or pay a fine.
• A license is a type of policy it says what a
  client needs to do to access a resource
  legitimately.

3
Goals
A policy is a set of a conditions under which an
action is permitted or forbidden.
We want to

• Write policies unambiguously.
• Reason about the policies in a provably correct
  way.
• Is a particular action such as Alice editing the
  CS 502 web site allowed? Forbidden?
• Are the policies consistent? In other words,do
  they allow and forbid the same action?
• Enforce the policies in a provably correct way.

4
Writing unambiguous policies

• Policies written in natural languages, like
  English, are often ambiguous.
• Ex A student can only modify a course web page
  with the instructors permission.

5
Writing unambiguous policies

• Policies written in natural languages, like
  English, are often ambiguous.
• Ex A student can only modify a course web page
  with the instructors permission.
• If the student has the instructors permission,
  can the student edit the page?

6
Writing unambiguous policies

• Policies written in natural languages, like
  English, are often ambiguous.
• Ex A student can only modify a course web page
  with the instructors permission.
• If the student has the instructors permission,
  can the student edit the page?
• Does the policy apply to courses with multiple
  instructors? If so, whose permission do you
  need?

7
Isnt this an old problem?

• Well, yes. But policies for digital objects can
  be more complex.
• Consider a library patron borrowing a book
• If its a digital object, pictures can be blurred
  or hidden, according to a policy agreement.
  Certain portions of the text can be blocked out.
• If its a physical book, the library either needs
  a copy for each type of policy or can only
  regulate who sees the book as a single unit.

8
Automatic enforcement

• Digital works typically are protected by
  automatic means (e.g. software), so theres no
  person we can trust.
• We can tell a librarian what the policies are
  and, if we havent considered a scenario, then
  the librarian can do something reasonable.
• If a computer program gets input that it wasnt
  expecting, whats the likelihood that it will do
  something reasonable?

9
Bottom line

• We want to state, reason, and enforce policies.
• The policies were interested in are more complex
  than weve had before.
• The standard solution of relying on a trusted
  person to act reasonably is no longer an option.

10
Current solutions in industry

• Make policies VERY simple.
• For example, digital libraries often only have
  digital objects that are in the public domain.
• Alternatively, many libraries only differentiate
  between subscribers and non-subscribers.
• Use a commercial rights language
• (eg. XrML, ODRL, ).

11
XrML

• Looks like HTML.
• Has tons of predefined tags like
• ltLOCATION country us state NYgt
• Allows people to make new tags for their specific
  needs.

12
Benefits of using XrML

• Popular.
• Policy makers dont have to learn too much new
  lingo when going from app to app.
• Allows common enforcement mechanisms across apps.
• Fairly easy to use.
• Extremely flexible.

13
Disadvantages of XrML

• No formal semantics.
• Semantics tell us what the symbols in a language
  mean.
• The only meaning Ive found given to the
  predefined tags are in English which weve
  already argued is ambiguous.
• If we dont have unambiguous semantics, then we
  cannot hope to reason about policies or enforce
  them in a provably correct way.
• People who use XrML are writing policies that
  seem right without
• anyone knowing precisely what is intended or
  exactly what is
• allowed.

14
Other options - use logic

• Policies can be expressed in first-order logic.
• Example
• students cannot edit the website
• ?i (student(i) gt Permitted(i, edit website))

15
Pros and Cons of using logic
Semantics tell us what the symbols in a language
mean.

• Benefits
• Well-understood.
• Extremely flexible.
• Has formal semantics.
• Disadvantages
• Not user-friendly -gt needs intuitive GUI.
• Most interesting questions are provably
  undecidable -gt need to find a fragment of
  first-order logic that is expressive and
  tractable.

16
Another optionRegular expressions

• Policies are captured by automatons.

give CUID
give acct
Start State
use photocopier
pay fee
Above automaton says the photocopier can be used
by anyone whose paid the fee or has given both a
CUID and an acct number.
17
Pros and cons of reg. expr.
Semantics tell us what the symbols in a language
mean.

• Pros
• Well-understood.
• Easy to give formal semantics.
• Easy to reason about.
• Cons
• Not as expressive as first-order logic.
• Not as user-friendly as natural languages or
  commercial rights languages like XrML.

18
Reasoning about policies

• for policies written in any language without
  formal semantics this includes natural
  languages like English, XrML, ODRL reasoning
  requires a judge
• for policies written as regular expressions
  reasoning strategy depends on the chosen formal
  semantics.

19
Reasoning about policies in first-order logic

• Can Alice edit 502 web site?
• Given
• policies p1, , pn (written in fol) and
• facts about the world E
• (e.g. Senior(Alice) ? (?i (Senior(i) gt
  Student(i))) ? )
• Alice can edit if
• E ? p1 ? ? pn gt Permitted(Alice, edit 502
  site)
• is valid (i.e. if E and all the policies hold,
  then Alice may
• edit the site, regardless of any other policies
  and facts).

20
Enforcement

• There are lots of mechanisms to enforce policies.
  For an overview, take Prof. Schneiders CS 513
  System Security course or read the courses
  notes.
• One interesting mechanism that is particularly
  well-suited to digital objects is in-line
  reference monitors (IRM).

21
IRM idea

• Suppose you wanted to write a code fragment A
  that could only be executed by students. You
  could write
• if (student) A
• But if you did this, then the policy and real
  code are mushed together so its hard to see what
  either is doing and its hard to modify either
  component (e.g. change students to students
  and faculty).
• The IRM idea is to write and maintain the policy
  and code separately. Immediately before
  execution, the IRM monitor interleaves them.

22
Conclusion

• Policies are becoming increasingly complex and
  the solution in the physical world doesnt
  translate to cyberspace.
• There are a lot of ways to write policies, but
  none is a clear winner.
• Need formal semantics if youre going to reason
  and/or enforce policies in a provably correct
  way.
• Formal semantics may not be enough to do this.
• There are a ton of open questions, got research?