SLIDE 1

Socially Constructed Trust for Distributed Authorization

Steve Barker, King’s College London
Valerio Genovese, University of Torino, Italy

Socially Constructed Trust for Distributed Authorization – p.1/17

SLIDE 2

An Approach

A common approach to trust management: measures of trust (or disbelief or distrust) expressed by using some sub-interval of [−1, 1] as measures of an asserter’s belief/disbelief in some proposition.

BUT:

  • How are these trust measures identified?
  • What is the precise distinction between 0.35 trust and 0.4 trust?
  • How are these trust measures updated?
  • . . .

SLIDE 3

Our Alternative

Testifiers (contributor sources) contribute beliefs of their propositional attitudes to a community oracle; these beliefs are accessible to acceptors of community testimony.

Notes: Trust is community constructed, not the asserted trust of some source; no (dubious) “trust measures”; propositional attitudes, not propositions, are the focus of trusted assertions; . . .

SLIDE 4

Propositional Attitudes

A propositional attitude is a triple (s_i, α, ψ) such that:

  • s_i (1 ≤ i ≤ n) is a source of assertions in a community of sources {s_1, . . . , s_n} of testimonial knowledge.
  • ψ is a proposition;
  • α is a propositional attitude that a source s_i has in relation to ψ.

Note: The proposition ψ is an assertion of a truth; propositional attitudes tie propositions to a testifier (the beliefs of testifiers matter, not truths).

SLIDE 5

Semantics

The propositional attitudes of relevance to trust are: believes that, disbelieves that. A source s_i that neither believes proposition ψ nor disbelieves ψ suspends judgement on ψ.

A semantics we use (others exist): If a source s_i asserts that it disbelieves ψ (resp. ¬ψ) then that does not commit s_i to asserting that it believes ¬ψ (resp. ψ). However, a source s_i that asserts that it believes ψ (resp. ¬ψ) implicitly asserts that it disbelieves ¬ψ (resp. ψ).

SLIDE 6

Relation to Access Control

We use the meta-model notion from Barker (2009) for access control policy specification, i.e.,

  • Principal-category assignments (pca(p, c)).
  • Permission-category assignments (arca(a, r, c)).
  • Category-category relations (typically, to represent a hierarchical relation).

Authorizations are defined in terms of the par predicate, thus:

∀p, a, r, c (arca(a, r, c) ∧ pca(p, c) → par(p, a, r))

SLIDE 7

Attitudes on pca

In our framework a source s_i of testimony may assert that it believes proposition pca(p, c) (¬pca(p, c)) or may assert that it disbelieves pca(p, c) (¬pca(p, c)).

s_i believing (disbelieving) pca(p, c) means s_i asserts that principal p ought to be (ought not to be) assigned to category c.

s_i’s beliefs and disbeliefs are held in an oracle (database) in the form of assertion/3 facts.

SLIDE 8

Example

assertion(Kα, believes, pca(KAlice, preferred)).
assertion(Kβ, disbelieves, pca(KAlice, preferred)).
assertion(Kγ, believes, ¬pca(KAlice, preferred)).
assertion(Kδ, disbelieves, ¬pca(KAlice, preferred)).

Obvious readings: The source Kα asserts that it believes the principal identified as KAlice ought to be categorized as “preferred”, . . .

SLIDE 9

Statement Types

Community view requires talk of:

  • All (□) or some (♦) members of a community having attitude α on proposition ψ;
  • The majority (M) of members of a community having attitude α on proposition ψ.
  • A specific number of members of a community having attitude α on proposition ψ.
  • A specific member of a community having attitude α on proposition ψ.

Combinations of these options may be expressed.

SLIDE 10

CSL

The required language is formalized as Community Security Language (CSL). CSL is expressed using ASP-DLV syntax with extensions (e.g., for remote access request evaluation) and doxastic operators (B+ for “believes that”; B− for “disbelieves that”). Also, □B+ for all sources believe, ♦B− for some source disbelieves, MB+ for the majority of sources believe, . . .

Remote evaluation of literal L at site ω is expressed by L @ ω.

SLIDE 11

Policy Specification

Policy specification is by rules of the form

h ← b1, . . . , bn

where h is a literal L or a counting operator, one of {□α, ♦α, Mα} with α ∈ {B+, B−}, applied to an instance of pca(_, _); and

bi := (not)L | (¬) (¬)pca(_, _) | assertion(_, _, (¬)pca(_, _)) | L @ ω | Lg ≺1 f(S) ≺2 Rg | Lg ≺1 f(S) @ ω ≺2 Rg

SLIDE 12

Assertions by Oracles

Oracles may make expressions of their aggregated testimonial knowledge, e.g.,

□B+(pca(Kα, c1)) ∧ ¬♦B+(pca(Kε, c5)).

That is, “all sources of testimony assert that they believe Kα ought to be assigned to category c1 and no source asserts that it believes that Kε ought to be assigned to category c5.”

SLIDE 13

Acceptor Policies

Acceptors define policies in terms of the testimony held by oracles, e.g.,

pca(P, c0) ← □B+(pca(P, c1)) @ ω, assertion(s1, B−, ¬pca(P, c4)) @ ω.

That is, the acceptor takes principal P to be assigned to its category c0 if every member of the community that the oracle ω speaks for asserts that P is assigned to the category c1 unless the source s1 says it disbelieves P ought not to be assigned to category c4.
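The belief/disbelief semantics, the community operators and an acceptor-side derivation of par, put together as an added example (not code from the deck or from the authors' DLV implementation). Ka..Kd stand for Kα..Kδ; the community definition, the strict-majority reading of M, the accept_pca rule and the arca tuples in the usage are assumptions made for illustration.

```python
# Constructed oracle: the four assertion/3 facts from the Example slide.
# A proposition is encoded as (positive?, principal, category).
PREF = (True, "KAlice", "preferred")
NOT_PREF = (False, "KAlice", "preferred")
FACTS = [("Ka", "believes", PREF), ("Kb", "disbelieves", PREF),
         ("Kc", "believes", NOT_PREF), ("Kd", "disbelieves", NOT_PREF)]

def negate(prop):
    positive, principal, category = prop
    return (not positive, principal, category)

def holders(facts, attitude, prop):
    """Sources holding `attitude` on `prop`: believing psi also counts as
    disbelieving not-psi, but disbelieving psi never yields a belief."""
    found = {s for s, att, p in facts if att == attitude and p == prop}
    if attitude == "disbelieves":
        found |= {s for s, att, p in facts
                  if att == "believes" and p == negate(prop)}
    return found

def community(facts):
    # Assumption: the community is every source with a fact in the oracle.
    return {s for s, _, _ in facts}

def box(facts, attitude, prop):       # all sources hold the attitude
    return holders(facts, attitude, prop) == community(facts)

def diamond(facts, attitude, prop):   # some source holds the attitude
    return bool(holders(facts, attitude, prop))

def majority(facts, attitude, prop):  # assumption: strictly more than half
    return 2 * len(holders(facts, attitude, prop)) > len(community(facts))

def accept_pca(facts, principal, category):
    """Hypothetical acceptor rule: pca(P, c) holds locally when some source
    believes it and no source believes its negation."""
    prop = (True, principal, category)
    return (diamond(facts, "believes", prop)
            and not diamond(facts, "believes", negate(prop)))

def par(facts, principal, arca):
    """par(p, a, r) <- arca(a, r, c), pca(p, c), for one principal."""
    return {(principal, a, r) for a, r, c in arca
            if accept_pca(facts, principal, c)}
```

With the four facts as given, Kγ's belief in ¬pca(KAlice, preferred) blocks the acceptor rule, so par derives nothing for KAlice; dropping Kγ's fact lets the authorization through.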

SLIDE 14

Flexible Specification

Different definitions of the □, ♦ and M operators can be naturally accommodated, e.g., not simply “every source” has the attitude α in relation to pca(p, c) but “every source of testimonial knowledge on the category c has attitude α in relation to pca(p, c).”

Example: □B+_bd pca(KBob, bd) (“Every source that makes assertions about the category bd (bad debtor) says that KBob is a bad debtor”.)

SLIDE 15

Practical Issues

Our framework has been implemented in an extended form of DLV.

Testing reveals that distributed literal evaluation is the dominant cost in computation BUT costs are reasonable in practice, and computation costs grow linearly w.r.t. policy base size.

Proofs of policy properties follow directly from known results for ASP-DLV (e.g., correctness of request evaluation follows from soundness of known operational methods).

SLIDE 16

Contributions

The proposal is of an alternative view on trust:

  • Not based on a trust measure as a real number (with unclear semantics) of an asserter.
  • Not based on discrete trust levels (often with unclear semantics) of an asserter.
  • As community constructed from assertions by multiple sources of beliefs and disbeliefs.
  • As defined flexibly by acceptors according to their security needs.
  • As being based on propositional attitudes not propositions.

SLIDE 17

Further Work

  • Community membership issues (e.g., how to address the effects of changes to the community).
  • Additional propositional attitudes (e.g., “knows that”).
  • Qualified propositional attitude reports (e.g., weakly believed, strongly disbelieved, . . . ).
  • Temporally constrained propositional attitude reports (i.e., beliefs/disbeliefs with a validity period).
  • . . .
