-
The system part consists of a list of system rules that each model the preconditions (body) for an (inter-) action of a certain type to happen, and the effects (head) the (inter-) action will have.
The body of a system rule can contain knowledge predicates as well as behavior predicates, but its head is always a knowledge predicate. In fact, this is how SCOLL can tell the difference: if the predicate is used in the head of a system rule, it is a knowledge predicate. If it is used in the body of a system rule, but not in any head, it is a behavior predicate, that has to be derived somewhere in the behavior part of the program.
Thus, system rules create knowledge from behavior and/or knowledge.
Example 1 :
sees(A B) likes(A B) isReceptive(B) => sees(B A);
sees(A B) likes(A B) isReceptive(B) => isSeenBy(A B);
In these system rules, sees/2 and seesMe/2 are knowledge predicates (they occur on the right hand side). Note that sees(B A) is B's knowledge that the collaboration succeeded while isSeenBy(A B) is A's knowledge of it. Probably likes/2 and isReceptive/1 are behavior predicates, but we can only be sure of that after we have examined all the remaining rules in the system part.
Example 2 :
access(A B) access(A X) givesTo(A B X) receives(B) => hasGiven(A B X);
access(A B) access(A X) givesTo(A B X) receives(B) => hasReceived(B X);
access(A B) access(A X) givesTo(A B X) receives(B) => access(B X);
A's knowledge hasGiven(A B X) lets A be aware of its successful collaboration with B, and of the fact that B now has access to X.
B's knowledge hasReceived(B X) is a refinement of its knowledge access(B X), telling B something about how it got access to X. Note that, in this example, B is not told whom it got the access from. The example models invocation (of B by A) with an input argument (X) in systems that do not reveal the invoker.
A and B can use their new knowledge to differentiate their behavior towards the subjects they have access to, as is explained in the next part.
The knowledge access(B X) is generated for subsequent use by the same system rules.
Multiple (sub-) systems
Currently, only one set of systems rules can be provided.
If SCOLLAR is to be used in interoperation mode, all the subsystems will use the same rules. If that is not suitable for your purposes, we suggest using different knowledge predicates for every subsystem.
-
The behavior part consists of a list zero or more behavior classes. A behavior class consists of a name and a list of zero or more subject rules, and has this form:
|
<NAME> { <rule> <rule> ... <rule> }
|
The subject rules have the same format as the system rules: they are simple Horn clauses having zero or more knowledge predicates in their body (left hand side) and exactly one predicate in their head.
For instance, here is a simple behavior class, corresponding to example 2 above:
RECEPTIVE { => receives()}
Notice that the predicate receives() has one less argument than it has in the system rules of example 2. The base subject is always dropped in subject rules, for reasons which will be explained soon.
Subject rules are a monotonic approximation of how subjects of a certain behavior class decide under what circumstances they want to collaborate in what way. The head of a subject rule is usually a behavior predicate, but it can also be a private knowledge predicate.
Private knowledge is knowledge that is generated by the base subject and therefor available only to the subject itself, not to the system. Private knowledge is useful for concisely representing combinations of non-private knowledge the subject has learned during interactions, or to represent the subject's internal "state".
IMPORTANT: Subject rules should of course only use knowledge that is available to the subject itself, and generate behavior (or private knowledge) for the subject itself. Instead of demanding that every predicate in a subject rule should have the same base-subject variable, we simply drop the first argument in the predicate (make it implicit)! The reason for making the base-subject implicit is not just simplification. To understand the importance of it, consider the following counter example of a subject rule in which the first argument is explicit:
Counter example subject rule :
=> likes(A A);
This rule would mean that every subject of this behavior class likes itself. Using this rule makes the following implicit assumptions :
-
The real system that is being modelled in SCOLL, provides and infallible identification facility that allows every subject (or at least every subject of this behavior class), to differentiate between itself and other subjects.
-
The subjects modeled in this behavior always (!) use this identification before making any decision.
These assumptions are very strong and do not hold in most cases, particularly the second one.
If the first assumption does hold, it should be expressed explicitly in the system rules, for instance by a system rule like : => self(A A);
If the second assumption also holds, the use of the identification knowledge in a subject rule should be explicit, for instance: self(A) => likes(A);
Example of a behavior:
|
FORWARDER{
|
=> receives();
|
|
|
hasReceived(X) => givesTo(A X);}
|
FORWARDER is the behavior for subjects that are willing to receive subjects, and forward them to all other subjects. The example assumes that hasReceived/2 is a knowledge predicate, while receives/1 and givesTo/2 are behavior predicates.
DEFAULT behavior
If the name of a behavior class is "DEFAULT", all subjects in the subject part that have behavior assigned explicitly, will have this behavior.
If the behavior class DEFAULT is not specified, the default behavior is defined as the empty set:
DEFAULT {}
-
The subject part is a list of structured records, each representing a subject of the form:
|
<subjectName> : <BEHAVIORNAME> { <fact> <fact> <fact> ...}
|
or, if the subject has DEFAULT behavior:
Subject start with a lower case letter.
The subjectName identifies the subject, the behaviorName identifies its subject rules.
The facts are private knowledge facts that will be set to true, to initialize the subject's behavior.
Just like in the subject rules, these facts have an implicit base subject.
search option
The keyword search can precede the subject name, to indicate that SCOLLAR should maximize the behavior of this subject, using the given behavior as a lower bound. Every individual atomic fact of the subject's behavior will be considered a target. These behavior targets are derived from the behavior predicates, which are defined by the system rules in the system part.
For convenience, search can be replaced by a simple question mark (?).
Example :
|
alice : FORWARDER {
|
isSelf(alice)
|
|
|
mustForwardTo(bob)}
|
|
bob : COMPLEXBEHAVIOR {}
|
|
search carol
|
|
In this example, subject alice is given initial knowledge about who she is and whom she is supposed to forward to. This private knowledge will only "mean" something if the FORWARDER behavior uses it in its subject rules to, directly or indirectly, derive behavior facts from it.
Subject carol is preceded by with the "search" flag. That indicates that SCOLLAR should find solutions that maximize carol's behavior (in excess of carol's DEFAULT behavior) while respecting the safety and liveness constraints in the config part.
Interoperation
-
The subject part of a SCOLL program is also the place where:
-
subsystems are declared
-
subjects are assigned to them
A subsystem is a group of subjects, enclosed within curly brackets, and preceded by the name of the subsystem.
If subsystems are present, SCOLLAR will automatically switch to interoperation mode, when searching for solutions.
For instance:
s1{?a ?b ?c ?d ?e}
s2{?a ?b ?d ?f ?g}
s3{?c ?f ?g ?h ?i}
In this example, s1, s2 and s3 are subsystems, each containing a list of search subjects.
SCOLLAR will first calculate the maximal fixpoint for each subsystem separately, and consider all unreachable knowledge in any of them as forbidden (safety properties) in the global system (the union).
-
A subject can have only one behavior, and that behavior has to be repeated in every subsystem of which it is part. This is a temporal restriction in SCOLLAR. We will address this when the need arises.
For now, if the behavior of a subject differs depending on the subsystem, we suggest introducing subsystem-specific predicates in the system and behavior parts.
-
The config part is a list of (non-private) knowledge facts that represent the initial configuration of the pattern. This is mostly used to set up the initial access graph or matrix.
These facts have explicit base subjects.
Note that knowledge facts in SCOLL are not restricted to binary predicates, and knowledge facts of different arity can be used here as well, to precisely describe the starting state of the system.
Example :
|
access(alice bob)
|
|
hasSendTo(bob carol alice)
|
|
isActivated(childOfAlice)
|
search option
Every configuration fact can be preceded by the search flag, that turns it into a target. SCOLLAR will search for solutions that maximally set these targets to true.
Example :
|
search access(alice bob)
|
|
access(bob carol)
|
For concise notation, when many configuration facts are optional, curly brackets can extend the scope of the search prefix like this:
Example :
|
search { access(alice bob) access(alice carol) }
|
/* targets */
|
|
access(bob carol) access(alice alice)
|
/* facts */
|
The search option in the config part can be used in combination with the search option in the subject part. SCOLLAR will search for solutions that maximally set all targets to true.
Interoperation
When subsystems are declared in the subject part, every fact and target in the config part should be qualified by a subsystem. This is done simply by specifying the subsystem as an extra first argument.
For instance:
access(s1 a bb) access(s1 b c)
search{access(s2 b e) access(s2 e f)}
-
The goal part is a list of:
Negation is indicated by a ! prefix. (Negation is not allowed in any other part.)
When SCOLLAR is searching for solutions (in search mode or interoperation mode), it will only report solutions that comply with
these goals.
Example :
|
!read(carol alice)
|
/* safety property */
|
|
access(bob carol)
|
/* liveness property */
|
SCOLLAR will search for solutions that guarantee that carol will never have read alice, while bob can get access to carol, at least if every subject always uses its maximal behavior.
IMPORTANT:
Remember that SCOLL programs do not model exact behavior, but safe (over-)approximations of behavior. Safety properties guaranteed in the approximation will be guaranteed in the real problem too. However, liveness properties cannot be guaranteed at all, since the modeled behavior will usually be a strict over-approximation of the actual behavior. The only reason we consider liveness properties, is to require a lower bond to the maximally possible generation of facts in the pattern.
If SCOLLAR is to be used in interoperation mode, the goal part should contain only inter-subsystem goals. The intra-subsystem safety goals will be derived from the maximal fixpoints of the individual subsystems.
-
To compute the maximal propagation of authority starting from a given configuration.
This is a simple fixpoint calculation. The system rules and behavior rules are instantiated over de set of subjects, and applied to the initial configuration, until no new facts can be derived. Because the rules are monotonic, and the number of derivable facts is finite, such a fixpoint is always reached.
The search predicates that are specified in the subject part and/or the config part, are
The result is shown on a separate page, containing a table for every subject, showing the reachable predicates as 1, and the unreachable predicates as either 0 or _. The difference between 0 and _ is implementation related, and only relevant for debugging purposes.
The goal part is not taken into account when computing a fixpoint.
However, the resulting tables do indicate the cells containing a safety predicate in red and the ones containing a liveness predicate in green.
Subsystems are not taken into account: fixpoints are calculated on the merged system (the union of all subsystems).
Any subsystem specific facts specified in the config part are "generalized" into facts of the merged system.
Conclusions from fixpoint calculations:
-
If the maximal fixpoint is safe and alive (no red cells contain 1 while all green cells do), then there is only one trivial solution: the set of all search predicates. Consequently, the pattern is safe as it is, and no restrictions have to be applied.
-
If the maximal fixpoint is not live, there is no solution.
-
If the minimal fixpoint is not safe, there is no solution either.
-
To compute maximal sets of search predicates that provide a safe and live solution
In this mode SCOLLAR will look for those subsets of the search predicates that are at the same time:
-
safe with respect to the safety properties in the goal part.
-
alive with respect to the liveness properties in the goal part.
-
maximal, in the sense that setting any other target to true will break safety.
Every solution is presented as a minimal set of restrictions (disallowed targets), rather than as a maximal set of allowed targets.
Every solution can be viewed individually as set of tables, one for every subject, indicating which facts are reachable from the proposed solution.
-
To compute safe reconfigurations for interoperating subsystems
This mode is automatically chosen instead of the previous one, if one or more subsystems are specified in the subject part.
The problem that is analysed here it the following:
Consider several patterns (subsystems) that are assumed to be completely safe by themselves. Interoperation happens when a subject occurs in more than one subsystem: in the combined system, facts may very well become reachable, that are not reachable in a any subsystem. Of these facts, we consider only those that are about a set of subjects that is completely included in at least one subsystem: we say that that subsystem is "responsibe" for that fact. This does not mean that the fact's reachability is caused by the subsystem, but rather that its reachability can be prevented (managed) by restricting the subsystem.
The problem of secure interoperation is:
-
Find (all) minimal sets of restrictions for the subsystems, that are necessary to avoid new facts becoming reachable by interoperation for which the subsystem is responsible.
The goal part. of the pattern is now intended to contain only inter-system safety and liveness requirements for the interoperating system (the union of all subsystems): those for which no subsystem is responsible.
In practice, this mode differs from the previous one only in that it automatically derives all intra-system safety requirements from the subsystems, and adds them to the safety requirements in the goal part, before calculating solutions to the complete (interoperating) system.
Authority represents the ability of a subject to directly or indirectly influence the system (changing some things that are considered relevant).
A subject's authority depends not only on its own current set of rights, but also on the rights of other subjects, and on the rights that it (and other subjects) can acquire directly or indirectly.
In many systems, rights are only propagated when rights are exerted (*). In these systems the subject's authority will depend not only on the distribution of rights in the system, but also on the behavior of the subjects in the system, and therefore possibly also on its own behavior.
In collaborative systems, authority can be controlled partially by means of behavior. In purely collaborative systems, it becomes possible to completely control authority by means of behavior restrictions in trusted subjects.
(*) HRU commands have preconditions on the existence of rights in the rights matrix. Take-grant systems have similar requirements regarding the availability of either a take or a grant right. The creation of new subjects is usually considered to be a universal right, the exertion of which is a matter of behavior: active subjects do it, passive objects do not.