Information Flow in Logic Programming Antoun Yaacoub Introduction - - PowerPoint PPT Presentation
Inf. flow in Logic Prog. Information Flow in Logic Programming Antoun Yaacoub Introduction Syntax and semantics Antoun Yaacoub Information flow in logic Pg. Deciding Institut de Recherche en Informatique de Toulouse (IRIT) bisimulation
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Institut de Recherche en Informatique de Toulouse (IRIT) LILaC Team
November 28th, 2012
1/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Data security Concepts
Confidentiality Integrity Availability
Security policy
Bell-LaPadula model - 1976 Biba model - 1977
Security mechanisms Prevention Access control Detection Inference control Recovery Information flow control
2/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
P(x, y)
Input Output
Initial state →
x = xvali y = yvali Final state → x = xvalf y = yvalf
3/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
P(x, y)
Input Output
Initial state →
x = xvali y = yvali Final state → x = xvalf y = yvalf
x − →P y ”The final value of y tells us (more or less) about the initial value of x”.
3/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
. copy(F1, F2) F1 → F2 . y := x; x → y . z := x; x → z y := z; x → y
4/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
5/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
6/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
6/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
7/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
8/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
1
Context
Syntax and semantics of logic programming
2
Information flow in logic programming
Definitions Bisimulation Decidability and complexity results
3
Application
4
Conclusion
9/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
1
Context
Syntax and semantics of logic programming
2
Information flow in logic programming
Definitions Bisimulation Decidability and complexity results
3
Application
4
Conclusion
10/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Language L=Datalog language clause: A0 ← A1, · · · , Ai, · · · , An Ai: p(t1, · · · , tk). Term in Datalog: a constant or a variable. Fact: A0 ← Goal: G =← A1, · · · , Am. Empty goal: Inference rule: SLD-resolution Computation rule: selection of the leftmost atom in a goal
11/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Let P be the program: r(b, b) ←, q(a, a) ←, p(a, b) ←, p(x, y) ← r(x, y), p(x, z) ← q(x, y), p(y, z) and G be the goal ← p(a, z). Example of goals: ← s(a, y), r(x, y) ← q(x, a) ← p(a, z) ← p(a, z)
{z → b} ← r(a, z) failure {x → a, y → z} ← q(a, y), p(y, z) ← p(a, z) . . . infinite {y → a}
12/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
The alphabet of Prolog includes function symbols (constants, variables and expression of the form f (...) are terms) Example: Let P be: p(x) ← p(f (x)) and let G =← p(a) ← p(a) ← p(f (a)) ← p(f (f (a))) . . .
13/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
1
Context
Syntax and semantics of logic programming
2
Information flow in logic programming
Definitions Bisimulation Decidability and complexity results
3
Application
4
Conclusion
14/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
15/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
16/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
16/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
17/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
18/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
G(x,y) y
19/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Definition 1 of information flow in logic programming - Success / Failure For a logic program P and a goal G (x, y) of arity 2, x
SF
− →
P G y iff ∃a, b ∈ UL(P) such that:
P ∪ {G (a, y)} succeeds and P ∪ {G (b, y)} fails Example 1 Let P1 be the following program: p(a, b) ← and let G1(x, y) be the goal: ← p(x, y). P1 ∪ {G1(a, y)} succeeds P1 ∪ {G1(b, y)} fails then x
SF
− →
P1 G1 y
20/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Definition 2 of information flow in logic programming - Substitution answers For a logic program P and a goal G (x, y) of arity 2, x
SA
− →
P G y iff ∃a, b ∈ UL(P) such that:
Θ (P ∪ {G (a, y)}) = Θ (P ∪ {G (b, y)}) Example 2 Let P2 be the following program: p(a, y) ← and let G2(x, y) be the goal: ← p(x, y). Θ(P2 ∪ {G2(a, y)}) = {ǫ} Θ(P2 ∪ {G2(b, y)}) = ∅ then x
SA
− →
P2 G2 y
21/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Bisimulation Let P be a logic program. A binary relation Z between logic goals is said to be a P-bisimulation iff it satisfies the following conditions for all goals F1, G1 such that F1ZG1: TEST: F1 = iff G1 = , BCK cond: For each resolvent F2 of F1 and a clause in P, there exists a resolvent G2 of G1 and a clause in P such that F2ZG2, FWD cond: For each resolvent G2 of G1 and a clause in P, there exists a resolvent F2 of F1 and a clause in P such that F2ZG2. We prove that there exists a maximal P-bisimulation, noted ZP
max.
ZP
max is an equivalence relation.
22/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Let P be the following program: p(a, y) ← q(y), p(b, y) ← r(y), p(b, y) ← s(y) and let F =← p(a, y) and G =← p(b, y). ← p(a, y) ← q(y) failure ← p(b, y) ← r(y) failure ← s(y) failure Let Z be the binary relation between goals such that: ← p(a, y) Z ← p(b, y), ← q(y) Z ← r(y), ← q(y) Z ← s(y). Z is a P-bisimulation. Since F Z G, then F ZP
max G.
23/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Let P be the following program: p(a) ← q(a), q(a) ←, p(a) ← r(a), p(b) ← q(b), p(b) ← r(c), q(b) ← r(c) ← r(a) and let F =← p(a) and G =← p(b). ← p(a) ← q(a)
← p(b) ← q(b)
← r(a)
24/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Definition 3 of information flow in logic programming - Bisimulation For a logic program P and a goal G (x, y) of arity 2, x
BI
− →
P G y iff ∃a, b ∈ UL(P) such that:
non G(a, y)ZP
maxG(b, y)
Example 3 Let P3 be the following program: p(x, a) ← p(a, b) ← q(a) and let G3(x, y) be the goal: ← p(x, y). ← p(a, y)
θ = {y → a}
← q(a)
θ = {y → b}
← p(b, y)
θ = {y → a}
x
BI
− →
P3 G3 y
25/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Results For a program P and a goal G(x, y), we prove that: x
SF
− →
P G y ⇒ x SA
− →
P G y
x
SF
− →
P G y ⇒ x BI
− →
P G y
For some program P and a goal G(x, y), we have: x
SA
− →
P G y and not x SF
− →
P G y
x
BI
− →
P G y and not x SF
− →
P G y
26/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Consider the following decision problems: Information flow decision problems for logic programs πSF
Output: Determine if x
SF
− →
P G y
πSA
Output: Determine if x
SA
− →
P G y
πBI
Output: Determine if x
BI
− →
P G y
27/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Information flow decision problems in logic programming - Undecidability For logic program (in general), we prove that: πSF is undecidable. Sketch of the proof: Reduce the following undecidable problem π1 to πSF Input: a logic program P, a (ground) goal ← G Output: P ∪ {← G} succeeds Reduction π1 πSF (P, ← G) P′ = P ∪ {p(a, y) ← G} πSA is undecidable.
28/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Information flow decision problems in logic programming - Undecidability For logic program (in general), we prove that: πBI is undecidable. Sketch of the proof: Reduce the following undecidable problem π2 to πBI Input: a binary program with exactly one clause, a goal ← G Output: SLD-tree for P ∪ {← G} contains an infinite branch Reduction π2 πBI (P, ← G) P′ = P ∪ {p(a, y) ← G p(b, y) ← G p(b, y) ← p(c, y) p(c, y) ← p(c, y)}
29/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Information flow decision problems in logic programming - Decidability For Datalog programs, we prove that: πSF is EXPTIME-complete.
hardness: Reduce the following problem to πSF Input: A Datalog program P, a ground atom A Output: P?A (A is a logical consequence of P)
πSA is EXPTIME-complete. πBI ?
30/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Clark (1977), Sheperdson (1985) for every predicate symbol p in P, associate a positive integer l(p) for all clauses of the form p0(· · · ) ← p1(· · · ), · · · , pn(· · · ) l(p0) > l(p1), · · · , l(pn).
31/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Example of a program: s(a, a) ← s(b, b) ← q(a, b) ← p(x, y) ← s(x, y) p(a, b) ← q(b, a) p(x, y) ← q(x, z), s(z, y) l(q) = 1 l(s) = 1 l(p) = 2 ← p(a, y) ← s(a, y)
θ = {y → a} θ = {x → a}
← q(b, a)
θ = {y → b}
← q(a, z), s(z, y) ← s(b, y)
θ = {y → b} θ = {z → b} θ = {x → a}
31/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Information flow decision problems in logic programming - Decidability For hierarchical Datalog binary (body of the clause contains at most
πSF is in ∆2P.
Sketch of the proof : For all a, b ∈ UL(P) If (P ∪ {G(a, y)} ∈ SUCCESSES and P ∪ {G(b, y)} ∈ FAILURES) then accept else reject
πSA is in EXPTIME. πBI is in EXPTIME.
32/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
(πhie): given an hierarchical Datalog program P and Datalog goals F1, G1, determine whether F1ZP
maxG1.
We can write a decision procedure bisim1(F1, G1):
33/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
function bisim1(F1,G1) if bothempty(F1, G1) or bothfail(F1, G1) then return true else SF ← − successor(F1) SG ← − successor(G1) if SF = ∅ and SG = ∅ then SF′ ← − SF while SF′ = ∅ do F2 ← − get-element(SF′) found-bisim ← − false SG′ ← − SG while SG′ = ∅ and found-bisim = false do G2 ← − get-element(SG′) found-bisim ← − bisim1(F2, G2) if found-bisim = false then return false SG′ ← − SG while SG′ = ∅ do G2 ← − get-element(SG′) found-bisim ← − false SF′ ← − SF while SF′ = ∅ and found-bisim = false do F2 ← − get-element(SF′) found-bisim ← − bisim1(G2, F2) if found-bisim = false then return false return true else return false Example: Let P be the following hierarchical Datalog program: p(a) ← p(b) ← p(a) ← q(a) and let F1 =← p(b), G1 =← p(a) ← p(b)
34/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
(πhie): given an hierarchical Datalog program P and Datalog goals F1, G1, determine whether F1ZP
maxG1.
We can write a decision procedure bisim1(F1, G1) satisfying: Termination: bisim1(F1, G1) terminates. Completeness: If F1ZP
maxG1, then bisim1(F1, G1) returns true.
Soundness: If bisim1(F1, G1) returns true, then F1ZP
maxG1.
Bisimulation for hierachical Datalog programs (πhie) is in 2EXPTIME.
35/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
(πhie): given an hierarchical Datalog program P and Datalog goals F1, G1, determine whether F1ZP
maxG1.
We can write a decision procedure bisim1(F1, G1) satisfying: Termination: bisim1(F1, G1) terminates. Proof done by ≪-induction on (F1, G1). Let ≪ be the binary relation on the set of all pairs of Datalog goals defined by: (F2, G2) ≪ (F1, G1) iff the SLD-tree for F1 is deeper than the SLD-tree for F2, the SLD-tree for G1 is deeper than the SLD-tree for G2. ≪ is a well-founded partial order on the set of all pairs of goals.
35/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Bol, Apt and Klop. (1991) Consider dependency graph (N, E) of a Datalog program P. N is the set of the predicate symbols in P. pEq if P contains a clause p(· · · ) ← · · · , q(· · · ), · · · E ∗ reflexive transitive closure of E. for all clauses of the form p0(· · · ) ← p1(· · · ), · · · , pn(· · · ), and for all 1 ≤ i ≤ n − 1, pi does not depend on p0 Example: Let P be: p(x, y) ← q(x), r(y), s(y, x) s(x, y) ← p(x, y) q(a) ← r(b) ← p q r s
36/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Let P be the following restricted Datalog program: q(a) ← p(x) ← q(x), p(x) and let F =← p(a) ← p(a) ← q(a), p(a) ← p(a) . . .
37/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Apt et al. (1989), Bol et al. (1991), Bol (1990), Smith et al. (1986), Van Gelder (1987), Vieille (1989), Besnard (1989), Convington (1985), Sahlin (1993), Brough & Walker (1984), Shen (1997). Modify the computation mechanism by adding a capability of pruning. At some point, the interpreter is forced to stop its search through a certain part of the SLD-tree. The pruning of a node in an SLD-tree must depend only on its ancestors.
38/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
P a program G a goal L a loop check T =SLD-tree(P ∪ {G}) T ′ =pruned SLD-tree(P ∪ {G}) L
39/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Let P be the following restricted Datalog program: q(a) ← p(x) ← q(x), p(x) and let F =← p(a) ← p(a) ← q(a), p(a) ← p(a) . . . ← p(a) ← q(a), p(a) ← p(a) STOP
40/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
(πres): given a restricted Datalog program P and Datalog goals F1, G1, determine whether F1ZP
maxG1.
We can write a decision procedure bisim2((F1), (G1)): .
41/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
function bisim2((F1 ⇒ · · · ⇒ Fi ),(G1 ⇒ · · · ⇒ Gi )) if bothempty(Fi , Gi ) or bothfail(Fi , Gi ) or
then return true else SF ← − successor(Fi ) SG ← − successor(Gi ) if SF = ∅ and SG = ∅ then SF′ ← − SF while SF′ = ∅ do F′ ← − get-element(SF′) found-bisim ← − false SG′ ← − SG while SG′ = ∅ and found-bisim = false do G′ ← − get-element(SG′) found-bisim ← − bisim2((F1 ⇒ · · · ⇒ Fi ⇒ F′), (G1 ⇒ · · · ⇒ Gi ⇒ G′)) if found-bisim = false then return false SG′ ← − SG while SG′ = ∅ do G′ ← − get-element(SG′) found-bisim ← − false SF′ ← − SF while SF′ = ∅ and found-bisim = false do F′ ← − get-element(SF′) found-bisim ← − bisim2((G1 ⇒ · · · ⇒ Gi ⇒ G′), (F1 ⇒ · · · ⇒ Fi ⇒ F′)) if found-bisim = false then return false return true else return false Example: Let P be the following restricted Datalog program: q(a) ← q(b) ← p(x) ← q(x), p(x) and let F1 =← p(a), G1 =← p(b) ← p(a) ← q(a), p(a) ← p(a) . . . ← p(b) ← q(b), p(b) ← p(b) . . . 42/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
(πres): given a restricted Datalog program P and Datalog goals F1, G1, determine whether F1ZP
maxG1.
We can write a decision procedure bisim2((F1), (G1)) satisfying: Termination: bisim2((F1), (G1)) terminates. Completeness: If F1ZP
maxG1, then bisim2((F1), (G1)) returns true.
Soundness: If bisim2((F1), (G1)) returns true, then F1ZP
maxG1.
Bisimulation for restricted Datalog programs (πres) is in 2EXPTIME. . .
43/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
(πres): given a restricted Datalog program P and Datalog goals F1, G1, determine whether F1ZP
maxG1.
We can write a decision procedure bisim2((F1), (G1)) satisfying: Termination: bisim2((F1), (G1)) terminates. Proof done by ≺-induction on ((F1), (G1)). Let ≺ be the binary relation on the set of all pairs of SLD-derivations defined by: ((F1 ⇒ · · · ⇒ Fi), (G1 ⇒ · · · ⇒ Gi)) ≺ ((F ′
1 ⇒ · · · ⇒
F ′
j ), (G ′ 1 ⇒ · · · ⇒ G ′ j )) iff:
i > j, (F1 ⇒ · · · ⇒ Fj) = (F ′
1 ⇒ · · · ⇒ F ′ j ),
(G1 ⇒ · · · ⇒ Gj) = (G ′
1 ⇒ · · · ⇒ G ′ j ),
there exists no substitutions σ, τ such that F ′
l = F ′ k[σ],
G ′
l = G ′ k[τ] for some 1 ≤ k < l ≤ j.
≺ is a well-founded partial order on the set of all pairs of SLD-derivations.
43/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
1
Context
Syntax and semantics of logic programming
2
Information flow in logic programming
Definitions Bisimulation Decidability and complexity results
3
Application
4
Conclusion
44/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Let P be a Datalog program, G(x, y) be a goal. Let a, b be two elements of UL(P). a ≡SF b iff both P ∪ {← p(a, y)} and P ∪ {← p(b, y)} succeed
a ≡SA b iff θ(P ∪ {← p(a, y)}) = θ(P ∪ {← p(b, y)}); a ≡BI b iff P ∪ {← p(a, y)}Z P
maxP ∪ {← p(b, y)}.
We prove that ≡SF, ≡SA and ≡BI are equivalence relations. We define the level of a goal as the cardinality of the smallest equivalence class. If the level of G(x, y) is equal to 1, then the output variable y reveals information about the variable x.
45/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Let P be the following program: C1 : p(a, a) ←; C2 : p(a, b) ←; C3 : p(b, a) ←; and ← p(x, y) a goal. UL(P) is equal to {a, b}. For the definition of the flow based on success and failure: P ∪ {← p(a, y)} succeeds and P ∪ {← p(b, y)} succeeds. Level(← p(x, y)) = 2. For the definition of the flow based on substitution answers: Θ[P ∪ {← p(a, y)}] = {y → a, y → b} and Θ[P ∪ {← p(b, y)}] = {y → a}. Level(← p(x, y)) = 1. For the definition of the flow based on bisimulation: Tree(P ∪ {← p(a, y)}) Z P
max Tree(P ∪ {← p(b, y)}).
Level(← p(x, y)) = 2.
46/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Logic programs as abstract functions: Program P Function fP p(x, y) fp : UL(P) − → R a − → fP(a) x: input position a ∈ UL(P) y: output position fP(a) ∈ θ(P ∪ {← p(a, y)})
47/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Program Function age(ann, 56) ← age(billy, 27) ← age : UL(P) − → R age(carl, 34) ← Let ← age(x, y) be a goal. Example: For x = ann, age(ann) = θ(P ∪ {← age(ann, y)}) = {y → 56}
48/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Protection mechanism produces:
1
the same value as the program for inputs not violating the policy
2
an error message for inputs revealing confidential information For a program fP : UL(P) − → R. m : UL(P) − → R ∪ {error1, error2, · · · } a ∈ UL(P) − → m(a) = fP(a) OR m(a) ∈ {error1, error2, · · · } E = {error1, error2, · · · } Confidentiality policy for P : c : UL(P) − → J such that J ⊆ UL(P) m is secure iff there is a function m′ : J → R ∪ E such that, for all a ∈ UL(P), m(a) = m′(c(a)).
49/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Program Function age(ann, 56) ←; age(billy, 27) ←; age : UL(P) − → R age(carl, 34) ←; Protection mechanism: m : UL(P) − → R ∪ E for which: m(a) = age(a) when a ∈ UL(P) m(a) = Error, otherwise. Confidentiality policy: bearing leaking information about ann. c : UL(P) − → J, UL(P) = {ann, billy, carl}, J = {billy, carl} c(billy) = billy, c(carl) = carl and c(ann) is undefined.
50/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Program Function age(ann, 56) ←; age(billy, 27) ←; age : UL(P) − → R age(carl, 34) ←; Goal: P ∪ {← age(billy, y)} θ = {y → 27} Protection mec: m(billy) θ = {y → 27}
m(c(billy)) θ = {y → 27} Goal: P ∪ {← age(ann, y)} θ = {y → 56} Protection mec: m(ann) θ = {y → 56}
m(c(ann)) error
50/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Program Function age(ann, 56) ←; age(billy, 27) ←; age : UL(P) − → R age(carl, 34) ←; Protection mechanism: m2 : UL(P) − → R ∪ E for which: m(a) = age(a) when Level(← age(a, y)) > 1 m(a) = Error, otherwise. Confidentiality policy: bearing leaking information about ann. c : UL(P) − → J, UL(P) = {ann, billy, carl}, J = {billy, carl} c(billy) = billy, c(carl) = carl and c(ann) is undefined.
51/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Program Function age(ann, 56) ←; age(billy, 27) ←; age : UL(P) − → R age(carl, 34) ←; Goal: P ∪ {← age(billy, y)} θ = {y → 27} Protection mec: m(billy) error
m(c(billy)) error Goal: P ∪ {← age(ann, y)} θ = {y → 56} Protection mec: m(ann) error
m(c(ann)) error
51/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
m1, m2 two distinct protection mechanisms for P under c. m1 is as precise as m2 (m1 ≻ m2) if for all a ∈ UL(P), if m2(a) = fP(a), then m1(a) = fP(a). m1 is more precise than m2 (m1 ≫ m2) if: (m1 ≻ m2) and ∃b ∈ UL(P) such that m1(b) = fP(b) and m2(b) = fP(b). We can prove that: ≻ is reflexive and transitive and that ≫ is a strict ordering
52/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
m3 = m1 ∪ m2 is defined as m3(a)
= m1(a) otherwise.
m2 secure for P under c ⇒ m1 ∪ m2 secure for P under c. We can show that, m1 ∪ m2 ≻ m1 and m1 ∪ m2 ≻ m2. There exists a precise, secure mechanism m∗ such that, for all secure mechanisms m associated with p and c, m∗ ≻ m.
53/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
1
Context
Syntax and semantics of logic programming
2
Information flow in logic programming
Definitions Bisimulation Decidability and complexity results
3
Application
4
Conclusion
54/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Information flow in logic programming:
1
Three definitions of information flows in logic programs.
2
Notion of bisimulation between goals.
3
Links between these definitions.
4
Generalization of the definitions for goals with arity higher than 2.
5
Flow manipulation via program transformation.
Undecidability / decidability of the flow in logic programming: For a logic program P and a two variables goal ← G(x, y), determining whether there is a flow of information from x to y. General Datalog programs Binary hierarchical setting Datalog programs πSF Undecidable EXPTIME-complete in ∆2P πSA Undecidable EXPTIME-complete in EXPTIME πBI Undecidable ? in EXPTIME
55/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Bisimulation of logic goals: Logic programs Decidability and complexity results Prolog programs Undecidable Datalog programs ? hierarchical Datalog programs 2EXPTIME restricted Datalog programs 2EXPTIME nvi Datalog programs ? svo Datalog programs ? hierarchical Datalog + negation
Preventive inference control for deductive databases:
1
We proposed the notion of confidentiality policy, secure mechanism, precise security mechanism for logic programming.
2
We gave a precise and secure mechanism for deductive databases.
55/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
Future Work
1
More formal work:
Looking for new types of logic programs for which the question
Continue investigating the decidability of the existence of the flow relatively to bisimulation in Datalog programs without considering loop checking techniques. How to use the notion of bisimulation between goals in order to define bisimulation between logic programs.
2
Implementation: different algorithms.
3
Real-Time Databases:
how to embed our security mechanism framework in real-time databases. how our framework can enforce databases security policies. how to bring changes on our framework in order to balance real-time requirements with security.
56/56
Prog. Antoun Yaacoub Introduction Syntax and semantics Information flow in logic Pg. Deciding bisimulation Application Conclusion
56/56