Access control types for agents, Rohit Chadha and Matthew Hennessy (PowerPoint PPT Presentation)




SLIDE 1

Access control types for agents

Rohit Chadha and Matthew Hennessy, University of Sussex

Access control types for agents – p.1/20

SLIDE 2

Overview: an agent calculus

We consider an extension of the π-calculus

It has two named entities

Channels, used for communication

Agents, which use channels to communicate

Channels are the resources in this calculus. Types are used to control access to the channels.

The type of a channel names the agents that can access the channel


SLIDE 3

Syntax

A system has a two-level structure

At the lower level, there are extended π-calculus processes

At the higher level, there are agents running threads

At the level of processes, we add a primitive for sender authentication

The process

✂ ✄ ☎✝✆ ✞✟ ✠☛✡ ☞ ✌ ✍

inputs

along the channel

and

is bound to the name of the sender. The details of the authentication are abstracted away.

A typical system looks like

✎✑✏ ✒ ✓ ✔ ✕ ✖ ✗ ✎✙✘ ✚ ✛ ✜✢ ✣ ✚ ✤ ✜ ✗ ✥

and

are agents which share the name

✧ ✥

is executing the thread

and

is executing the thread


SLIDE 4

Communication

There are no sites, and communication occurs globally. There are two types of communication:

Standard communication:

✘ ✚✙✩ ✪ ✫ ✬ ✭ ✛ ✜ ✢ ✣ ✚✙✩ ✮ ✎ ✯ ✕ ✰ ✗ ✤ ✜ ✱ ✲ ✘ ✚ ✛ ✜ ✢ ✣ ✚ ✤ ✳ ✢ ✴✵ ✠ ✢✶ ✜

Authenticated input:

✘ ✚✙✩ ✪ ✫ ✬ ✭ ✛ ✜ ✢ ✣ ✚✙✩ ✮ ✳✙✷ ✶ ✎ ✯ ✕ ✰ ✗ ✤ ✜ ✱ ✲ ✘ ✚ ✛ ✜ ✢ ✣ ✚ ✤ ✳ ✢ ✥ ✵ ✆✹✸ ✴ ✵ ✠ ✢ ✶ ✜ ✣

learns the identity of the sender.


SLIDE 5

Overview: types

Channels are typed as a list of input and output capabilities

An input capability

✺✼✻ ✽ ✾ ✿

means

can read on the channel. An output capability

❀✼✻ ✽ ✾ ✿

means

can write on the channel

There is a subtyping relation

❁❃❂

on channel types

A channel type,

is a subtype of

❄ ❅

if

is less restrictive than

❄ ❅

The type

❆ ❇ ❈ ❉ ❊

classifies a name as an agent


SLIDE 6

Capability Types

In capability types,

❋❍● ■ ❏ ❑
  • r
❏ ❑

,

may be

A normal transmission type

✰ ▼ ✂ ✫ ✰ ✭

means

can read values of at least type

✰ ✓ ✂ ✫ ✰ ✭

means

can write values of at most type

An authenticated transmission type

❖P❘◗ ❙ ✎✙❚ ✕ ❯ ❱ ✒ ✏ ❲ ✗ ✰ ▼ ✂ ✫ ❳ ✭

means

can read authenticated values. Values read must have at least type

✰ ✳ ✢✼❨ ✵❬❩ ✢ ✶

, if

is the sender

✓ ✂ ✫ ❳ ✭

means

can write authenticated values. Values written must have at most type

✰ ✳ ✢ ✂ ✵❬❩ ✢ ✶


SLIDE 7

The wild card *

In place of an identifier

, a capability type may also have a special symbol

❫ ▼✑❴ ✫ ❳ ✭

means anybody can read on the channel

✓ ❴ ✫ ❳ ✭

means anybody can write on the channel


SLIDE 8

Type judgements

A type judgement for a system in the agent calculus takes the form

❵ ❛ ❵

, the type environment, is a list of identifiers

✥ ✡ ❜ ❝ ◗ ❞ ❡

, meaning that

is an agent

✂ ✡ ❄

, meaning that

is a channel that has capability list

❄ ❵ ❛

if in the execution of , an agent

in

accesses a channel

❪ ❂ ❣

in

, only when allowed by


SLIDE 9

Typing values and processes

The typing judgement uses two other judgements. A judgement for typing values,

❵ ❛✐❤ ❂ ❥

keeps track of access. For example, if

❦ ❧ ◆ ✕ ▼ ✥ ✫ ✰ ✭

then

is allowed to input values of type

  • n

A judgement for typing process threads,

❵ ❛ ♠ ✘

is allowed by

to perform the possible input/output while executing


SLIDE 10

Type inference for communication

Output on a channel

❦ ❧ ✬ ✕ ✰ ❦ ❧ ◆ ✕ ✓ ✥ ✫ ✰ ✭ ❦ ❧ ♥ ✛ ✕ ♦♣ qr ❦ ❧ ♥ ◆ ✪ ✫ ✬ ✭ ✛ ✕ ♦♣ qr

Input from a channel

❦ ❧ ◆ ✕ ▼ ✥ ✫ ✰ ✭ ❦ ✸ ✳ ✯ ✕ ✰ ✶ ❧ ♥ ✛ ✕ ♦♣ q r ❦ ❧ ♥ ◆ ✮ ✎ ✯ ✕ ✰ ✗ ✛ ✕ ♦ ♣ qr


SLIDE 11

Authenticated communication

Output on an authenticated channel

❦ ❧ ✬ ✕ ✰ ✳ ✢ ✥ ✵ ✆ ✢ ✶ ❦ ❧ ◆ ✕ ✓ ✥ ✫ ❖ P❘◗ ❙ ✎ ✷ ✕ ❯ ❱ ✒ ✏ ❲ ✗ ✰ ✭ ❦ ❧ ♥ ✛ ✕ ♦♣ qr ❦ ❧ ♥ ◆ ✪ ✫ ✬ ✭ ✛ ✕ ♦♣ q r

Input from an authenticated channel

❦ ✸ ❧ ◆ ✕ ▼ ✥ ✫ ❖P❘◗ ❙ ✎ ✷ ✕ ❯ ❱ ✒ ✏ ❲ ✗ ✰ ✭ ❦ ✸ ✷ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ✳ ✯ ✕ ✰ ✶ ❧ ♥ ✛ ✕ ♦♣ qr ❦ ❧ ♥ ◆ ✮ ✳ ✷ ✶ ✎ ✯ ✕ ✰ ✗ ✛ ✕ ♦ ♣ qr


SLIDE 12

Simple examples

Consider the system

s ❢ t✈✉ ✇ ■ ① ❑③② ❊⑤④ ⑥ ⑦⑧ ⑨ t✈✉ ⑩ ❶✈❷ ❂ ❸❺❹ ❹ ❻ ❼ ❽ ❾ ❿➁➀ ➂ ⑦ ❵ ❛

if

is

✘ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ➃ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ✣ ✕ ➄ q q ➅ ✸ ✩ ✕ ✓ ✥ ✫ ➄ q q ➅ ✭ ✸ ▼⑤➆ ✫ ➄ q q ➅ ✭ ❵

if

is

✘ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ➃ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ✣ ✕ ➄ q q ➅ ✸ ✔ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ✩ ✕ ✓ ✧ ✫ ➄ q q ➅ ✭ ✸ ▼ ➆ ✫ ➄ q q ➅ ✭


SLIDE 13

Simple examples continued...

Consider the system

s ❢ t✈✉ ✇ ■ ① ❑③② ❊⑤④ ⑥ ⑦⑧ ⑨ t✈✉ ⑩ ❶✈❷ ❂ ❸❺❹ ❹ ❻ ❼ ❽ ❾ ❿➁➀ ➂ ⑦ ❵ ❛

if

is

✘ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ➃ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ✣ ✕ ➄ q q ➅ ✸ ✔ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ✩ ✕ ✓ ✥ ✫ ➄ q q ➅ ✭ ✸ ✓ ✧ ✫ ➄ q q ➅ ✭ ✸ ▼ ➆ ✫ ➄ q q ➅ ✭

If a channel type

lists more elements than

➇ ➈

, then it is less restrictive


SLIDE 14

Simple examples continued...

Consider the system

s ❢ t✈✉ ✇ ■ ① ❑③② ❊⑤④ ⑥ ⑦⑧ ⑨ t✈✉ ⑩ ❶✈❷ ❂ ❸❺❹ ❹ ❻ ❼ ❽ ❾ ❿➁➀ ➂ ⑦ ❵ ❛

if

is

✘ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ➃ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ✣ ✕ ➄ q q ➅ ✸ ✩ ✕ ✓ ❴ ✫ ➄ q q ➅ ✭ ✸ ▼⑤➆ ✫ ➄ q q ➅ ✭
or,
✘ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ➃ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ✣ ✕ ➄ q q ➅ ✸ ✩ ✕ ✓ ✥ ✫ ➄ q q ➅ ✭ ✸ ▼ ❴ ✫ ➄ q q ➅ ✭ ✓ ❴ ✫ ❳ ✭

is less restrictive than

✓ ✥ ✫ ❳ ✭

and

▼✑❴ ✫ ❳ ✭

is less restrictive than

▼ ✥ ✫ ❳ ✭


SLIDE 15

Handover of capabilities

Consider the system

s ❢ t✈✉ ✇ ■ ① ❑③② ❊⑤④ ⑥ ⑦⑧ ⑨ t✈✉ ⑩ ❶✈❷ ❂ ❥ ❼ ❽ ❾ ❿➁➀ ➂ ⑦

Let

be

▲➊➉ ■ ❸❺❹ ❹ ❻ ❑ ❵ ❛

if

is

✘ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ➃ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ✣ ✕ ✓ ❴ ✫ ➄ q q ➅ ✭ ✸ ✩ ✕ ✓ ✥ ✫ ✓ ➆ ✫ ➄ q q ➅ ✭ ✭ ✸ ▼ ➆ ✫ ✓ ➆ ✫ ➄ q q ➅ ✭ ✭ ❢

hands over the capability of writing on b to d


SLIDE 16

Handover of capabilities continued...

In particular,

may be a channel that only

knows at

▲➌➋ ■ ❸ ❹ ❹ ❻ ❑

Consider the system,

✎ ✎✑✏ ✒ ✓ ✣ ✕ ✰ ✗ ✘ ✚✙✩ ✪ ✫ ✣ ✭❺➍ ❲➏➎ ➐ ✜ ✗ ✢ ➃ ✚ ✩ ✮ ✎✙❚ ✕ ✰ ✗ ➑ ➒ ➓→➔➣ ✜

Let

be

▲➌➋ ■ ❸ ❹ ❹ ❻ ❑ ❵ ❛

if

is

✘ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ➃ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ✩ ✕ ✓ ✥ ✫ ✓ ➆ ✫ ➄ q q ➅ ✭ ✭ ✸ ▼↔➆ ✫ ✓ ➆ ✫ ➄ q q ➅ ✭ ✭


SLIDE 17

Handover of capabilities continued...

can demand payment for the capability

✎ ✎✑✏ ✒ ✓ ✣ ✕ ✰ ✗ ✘ ✚ ➣ ✘ ✷ ✮ ✳✙✷ ✶ ✎✙↕ ✕ ✰ ➈ ✗ ✪ ✫ ✣ ✭ ➑ ➒ ➓→➔➣ ✜ ✗ ✘

gets payment from

, who also sends a return channel

↕ ✘

sends back the name

  • n

In order for this to work, we can choose

✰ ➈

as

✓ ✥ ✫ ✓ ✆ ✫ ✰ ✭ ✭

;

returns

  • n

, allowing only the paying agent to write on the channel

contains

✘ ✕ ❯ ❱ ✒ ✏ ❲ ✸ ➣ ✘ ✷ ✕ ▼ ✥ ✫ ❖P❘◗ ❙ ✎ ✷ ✕ ❯ ❱ ✒ ✏ ❲ ✗ ✰ ➈ ✭ ✸ ✓ ❴ ✫ ❖ P ◗ ❙ ✎ ✷ ✕ ❯ ❱ ✒ ✏ ❲ ✗ ✰ ➈ ✭


SLIDE 18

Handover of capabilities continued...

The above system can be thought of as a repository of papers

a channel on which a paying agent could request papers. For example, in order to get the write permission on

, an agent

can execute the following code

✎✑✏ ✒ ✓ ➙ ✔ ➓ ✕ ✰ ➛ ✗ ✎ ➣ ✘ ✷ ✪ ✫ ➙ ✔ ➓ ✭ ➑ ➙ ✔ ➓ ✮ ✎✙➜ ✔ ➓ ✕ ✓ ➆ ✫ ✰ ✭ ✗ ➑ ➜ ✔ ➓ ✪ ➑ ➑ ➑ ✗

where

✰ ➛

is

✓ ✥ ✫ ✓ ➆ ✫ ✰ ✭ ✭ ✸ ▼↔➆ ✫ ✓ ➆ ✫ ✰ ✭ ✭
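The capability types of slides 5 to 14 and the handover and paper-repository exchange of slides 15 to 18, as an added worked example that is not part of the original slides or of the authors' work: a small Python checker in which a channel type is a list of read/write capabilities tagged with an agent name or the wildcard *, a channel type is a subtype of another when it is less restrictive, authenticated input binds the sender name and instantiates a sender-dependent value type, and a thread's inputs and outputs are checked against a type environment. The tuple encoding of types, the action syntax and every agent, channel and base-type name (a, b, c, d, e, repo, req, ret, n, paper) are assumptions made here, not notation taken from the slides.

```python
# Toy checker for the capability types in these slides.  Added illustration, not
# the authors' code: the tuple encoding of types, the action syntax and every
# agent, channel and base-type name below are assumptions made here.

AGENT, STAR, SENDER = "agent", "*", "$sender"   # agent type, wildcard, sender placeholder
PAPER = "paper"                                 # base type of the values exchanged

def chan(*caps):
    """Channel type: a list of capabilities ("r" | "w", agent or *, value type)."""
    return ("chan", tuple(caps))

def auth(template):
    """Authenticated transmission type: the value type depends on the sender."""
    return ("auth", template)

def instantiate(t, sender):
    """Replace the sender placeholder inside an authenticated type by a real name."""
    if t == SENDER:
        return sender
    return tuple(instantiate(x, sender) for x in t) if isinstance(t, tuple) else t

def subtype(s, t):
    """s <: t: a channel type is a subtype when it is less restrictive, i.e. each
    capability listed by t is granted by some capability of s (slide 13)."""
    if isinstance(s, str) or isinstance(t, str):
        return s == t
    if s[0] == "chan" and t[0] == "chan":
        return all(any(grants(c, d) for c in s[1]) for d in t[1])
    return False

def grants(c, d):
    """Capability c satisfies demand d: same mode, same agent or *, and reads are
    covariant ("at least type T") while writes are contravariant ("at most T")."""
    mode, who, t = d
    if c[0] != mode or c[1] not in (who, STAR):
        return False
    return subtype(c[2], t) if mode == "r" else subtype(t, c[2])

def capability(env, agent, ch, mode):
    """Value type of the first capability on ch that `agent` may use, or None."""
    for m, who, t in env[ch][1]:
        if m == mode and who in (agent, STAR):
            return t
    return None

def check_thread(env, agent, actions):
    """Check one thread of `agent`.  Returns (ok, env') where env' also binds the
    names the thread received; ok is False at the first action env forbids."""
    env = dict(env)
    for act in actions:
        kind, ch = act[0], act[1]
        if kind == "new":                          # fresh channel ch of type act[2]
            env[ch] = act[2]
            continue
        t = capability(env, agent, ch, "w" if kind.endswith("out") else "r")
        authenticated = isinstance(t, tuple) and t[0] == "auth"
        if t is None or authenticated != kind.startswith("auth"):
            return False, env                      # no capability, or wrong kind of channel
        if kind == "out" and not subtype(env[act[2]], t):
            return False, env
        elif kind == "in":
            env[act[2]] = t
        elif kind == "auth_out" and not subtype(env[act[2]], instantiate(t[1], agent)):
            return False, env                      # the authenticated sender is `agent`
        elif kind == "auth_in":                    # act[2] gets the value, act[3] the sender
            env[act[3]] = AGENT
            env[act[2]] = instantiate(t[1], act[3])
    return True, env

def subtyping_demo():
    """Slides 13-14: listing more capabilities, or using *, is less restrictive."""
    wa, wb, rb = ("w", "a", PAPER), ("w", "b", PAPER), ("r", "b", PAPER)
    return (subtype(chan(wa, wb, rb), chan(wa, rb)),        # more elements: less restrictive
            subtype(chan(("w", STAR, PAPER)), chan(wa)),    # w_*(T) <: w_a(T)
            subtype(chan(wa), chan(("w", STAR, PAPER))))    # but not the other way round

def handover_demo():
    """Slide 15: a hands the capability to write on b over to d via channel c."""
    wd_b = chan(("w", "d", PAPER))
    env = {"a": AGENT, "d": AGENT, "p": PAPER, "b": wd_b,
           "c": chan(("w", "a", wd_b), ("r", "d", wd_b))}
    ok_a, _ = check_thread(env, "a", [("out", "c", "b")])
    ok_d, env_d = check_thread(env, "d", [("in", "c", "x"), ("out", "x", "p")])
    ok_e, _ = check_thread(env_d, "e", [("out", "x", "p")])   # e knows x but holds no capability
    return ok_a, ok_d, ok_e

def repository_demo():
    """Slides 17-18: the repository learns the paying sender via authenticated input
    and replies with a channel n on which only that sender may write."""
    reply_t = lambda who: chan(("w", who, PAPER))            # type of the name handed back
    ret_t = lambda who: chan(("w", "repo", reply_t(who)))     # what repo may write on the return channel
    req = chan(("r", "repo", auth(ret_t(SENDER))), ("w", STAR, auth(ret_t(SENDER))))
    env = {"repo": AGENT, "d": AGENT, "p": PAPER, "req": req,
           "ret": chan(("w", "repo", reply_t("d")), ("r", "d", reply_t("d")))}
    ok_repo, _ = check_thread(env, "repo", [("auth_in", "req", "r", "y"),   # r : ret_t(y)
                                            ("new", "n", reply_t("y")),     # n : w_y(paper)
                                            ("out", "r", "n")])
    ok_d, env_d = check_thread(env, "d", [("auth_out", "req", "ret"),       # ret must fit ret_t(d)
                                          ("in", "ret", "n"), ("out", "n", "p")])
    ok_e, _ = check_thread(env_d, "e", [("out", "n", "p")])                # not the paying agent
    return ok_repo, ok_d, ok_e
```

Each demo returns a triple of booleans: the threads the slide describes pass, while a third agent that merely knows a channel name but is not named in its capability list is rejected; the subtyping checks reflect that a type listing more capabilities, or the wildcard, is the less restrictive one. The dependent type is modelled by a placeholder that authenticated input replaces with the bound sender name, which is what makes the repository's reply channel writable only by the agent that paid.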


SLIDE 19

Conclusions

An agent calculus with two named entities, channels and agents. The calculus allows for sender authentication.

A type system that controls access to channels:

The type of a channel explicitly names the agents allowed to access it. A special type allows everybody to access the channel. A dependent type models sender authentication.


SLIDE 20

Ongoing and future work

A typed modal logic that allows us to specify the desired properties: a modal μ-calculus with a past operator.

Proof techniques to show that systems satisfy these properties.

Investigate the relationship between the logic and types.

Extensions with sites, delegation, etc.
