1. Collaborative Programming Tim Hinrichs University of Chicago

2. 2 Collaborative Programming Settings in which groups of people issue instructions to computer systems. –Cooperative goals –Competitive goals

3. 3 Collaborative Programming Languages Principles of Collaboration –Information is combined. –No one knows everything. –People never agree on everything. Required Properties of Collaborative Programming Languages –Combinable instruction sets –Partial instruction sets –Conflicting instruction sets

4. 4 Logical Languages Benefits: –Combination is relatively straightforward. –Can express partial instruction sets. –Can express conflicting instruction sets. Drawback: Processing logical languages, especially with conflicts and incompleteness, can be expensive relative to traditional programming languages.

5. 5 Example: Access Control for Files /common /alice /bob /common /alice /bob Files of interest: /alice Alice rw, Bob r /common Everyone r /alice Alice rw, Bob r /common Everyone r /bob Bob rw, Alice r /common Everyone rw /bob Bob rw, Alice r /common Everyone rw

6. 6 Example: Access Control for Files /common /alice /bob /common /alice /bob Files of interest: /alice Alice +rw, Bob +r-w /common Everyone +r-w /alice Alice +rw, Bob +r-w /common Everyone +r-w /bob Bob +rw, Alice +r-w /common Everyone +rw /bob Bob +rw, Alice +r-w /common Everyone +rw

7. 7 Applications –Security (Authorization Policies) –World Wide Web (Web forms) Non-Applications –Operating systems –Compilers

8. Network Security

9. 9 Local Area Networks

10. 10 Network Policy Examples “Every wireless guest user must send HTTP requests through an HTTP proxy.” “No phone can communicate with any private computer.” “Superusers have no communication restrictions.”

11. 11 Enforcement Today 10.0.0.1 10.0.0.25 Src IP Port Forward 10.0.0.1 80 10.0.0.25

12. 12 NOX Network Operating System Gives administrators control of the network by exposing network events, e.g. new-flow, host- join, host-leave, user-authenticate. Requires no changes to current OSes. Does require changes to current routers. Relies on central controller.

13. 13 NOX Operation

14. 14 NOX Operation SECURITY POLICY

15. 15 NOX Operation

16. 16 Collaborative Programming? Collaboration –Standard network security approaches allow admins a great deal of autonomy. –Collaborative Programming techniques preserve that sense of autonomy. Programming –Instructions tell computer system how to route network communications.

17. 17 FSL FSL: Flow Security Language [Hinrichs2009] Balances the desires to make expressing policies natural and implementing policies efficient. User source Host source Access point source User target Host target Access point target Protocol

18. 18 Features Distributed policy authorship External references Conflict detection/resolution Incremental policy authorship via priorities High Performance: 10 4 queries/second Layered language: LogicData Keywords Conflict Resolution Prioritization

19. 19 Datalog with Attachments Syntax h :- b 1,…,b n,c 1,…,c m h must exist. Every variable in the body must occur in h. No external reference occurs in h. Nonrecursive sentence sets. Semantics –Statement order is irrelevant. –Every sentence set is satisfied by exactly one model.

20. 20 Keyword: allow “Superusers have no communication restrictions.” allow(U src,H src,A src,U tgt,H tgt,A tgt,Prot) :- superuser(U src ) superuser(bob) superuser(alice)

21. 21 Keyword: deny “No phone can communicate with any private computer.” deny(U src,H src,A src,U tgt,H tgt,A tgt,Prot) :- phone(H src ), private(H tgt ) deny(U src,H src,A src,U tgt,H tgt,A tgt,Prot) :- private(H src ), phone(H tgt ) private(X) :- laptop(X) private(X) :- desktop(X)

22. 22 Keyword: visit “Every wireless guest user must send HTTP requests through a proxy.” visit(U src,H src,A src,U tgt,H tgt,A tgt,Prot,httpproxy) :- guest(U src ), wireless(A src ), Prot=http

23. 23 Current Keyword List allow: allow the flow deny: deny the flow visit: force the flow to pass through an intermediary avoid: forbid the flow from passing through an intermediary ratelimit: limit on Mb/second

24. 24 Collaborative Programming versus Policy Enforcement FSL is a Collaborative Programming language Combinable, partial, conflicting instruction sets Authorization systems cannot enforce partial or conflicting security policies. deny avoid visit allow ratelimit deny avoid visit allow ratelimit

25. 25 FSL Usage Overview Combined Policy Analysis Engine Authorization System Policy 1 Policy n

26. 26 Conflict Resolution Most restrictive: choose instructions that give users the least rights. Most permissive: choose policy instructions that give users the most rights. Implementable using standard Datalog tools. Most restrictive for just allow and deny… P |= c deny(…) if P |= deny(…) P |= c allow(…) if P |/= deny(…)

27. 27 Deployment Experiences FSL has been used for 10 months on a small internal network (about 50 hosts). We are preparing for two larger deployments (of hundreds and thousands of hosts). So far, policies are expressed over just a few classes of objects. Thus, we expect policies to grow slowly with the number of principals.

28. 28 Related Work Authorization Language Features in Literature Logic: Logic programming, FOL, Modal, Linear With or without recursion With or without negation Handling conflicts Delegation History and future-dependent policies Several metalevel operations Centralized/decentralized enforcement Efficiency For citations, see [Hinrichs2009].

29. 29 Datalog as a Collaborative Programming Language Expressing conflicts requires keywords. Benefit: Conflicts can be detected and resolved using traditional inference tools. Drawback: All possible conflicts must be anticipated at language-design time.

30. World Wide Web Forms

31. 31 Web Forms

32. 32

33. 33 Construction and Maintenance Central difficulty: constraints interact. Small constraint changes can correspond to large implementation changes. Approach: users specify constraints and the computer system generates a spreadsheet. Small constraint changes now correspond to little work for users.

34. 34 Websheet Demo Live Demo

35. 35 Collaborative Programming? Collaboration Maintenance of web forms requires collaboration, whether between different people or different instances of the same person. Programming Specification-based programming

36. 36 Logical Foundations Cells: unary predicates, e.g. drive and engine. Constraint: quantifier-free, function-free first-order formula, e.g. “if the engine is small then the drive is 4x2.” drive(4x2) V  engine(small) Cell assignment: ground literals, e.g. drive(4x4)  drive(4x2)

37. 37 Conflict Detection Proposal Check if for spreadsheet S S |= drive(4x4) and S |= drive(4x4)

38. 38 Problem

39. 39 Problem Explanation S: drive(4x2) V  engine(small) drive(4x4)  drive(4x2) engine(small)  engine(large) S is inconsistent. Therefore for every predicate p and value a, S |= p(a) and S |= p(a)

40. 40 Paraconsistent Entailment Definition (Existential Entailment [Hunter98])  existentially entails  if there is some satisfiable subset of  that entails .

41. 41 Performance Demands Need to compute existential entailment in real-time. Each cell click requires computing 2n entailment queries, where n is the domain of the cell. A change to one cell may require updates to many other cells.

42. 42 Related Work Logical spreadsheets –Stanford (Kassoff and Genesereth) –Stony Brook (Ramakrishnan, Ramakrishnan, Warren) –University of Texas (Gupta and Akhter) –Carnegie Mellon-Qatar (Cervesato) –Several in industry DARPA small business program in 2004 Logical Spreadsheets Workshop in 2005 See [Kassoff2007]

43. 43 Classical Logic as a Collaborative Programming Language Conflicts require no special machinery. Benefit: Conflicts do not need to be anticipated by the language designer. Drawback: Automated reasoning tools must implement a paraconsistent version of entailment.

44. Final Words

45. 45 Comparison LogicConflictsReasoningSemantics Datalogkeywordsstandard1 model FOLbuilt-inparaconsistent 0,1,2,… models How do we leverage the strength of Datalog while retaining the strength of FOL?

46. 46 Compilation Approach FOLDatalog Two phases: 1.Compilation for traditional entailment. 2.Compilation for existential entailment.

47. 47 Compiler Definition (Parameterized Theory-Completion): Suppose I is a satisfiable set of constraints. A complete theory  is a parameterized theory-completion of I if for each predicate p, there are predicates p + and p - s.t. for every complete theory C, C U I |= E p(a) iff C U  |= p + (a) C U I |= E p(a) iff C U  |= p - (a)

48. 48 Summary LanguageCompiler Run-time Environment Datalog First-order logic FOL to Datalog LogicConflictsReasoningExample Datalogkeywordsstandard Network Security FOLbuilt-inparaconsistent Logical Spreadsheets

49. 49 [Hinrichs2008a] T. Hinrichs. Collaborative Programming. IJCAR Workshop on Practical Aspects of Automated Reasoning, 2008. http://people.cs.uchicago.edu/~thinrich/ papers/hinrichs2008collaborative.pdf [Hinrichs2009] T. Hinrichs, et. al. Design and Implementation of a Flow- based Security Language. Under review. Available upon request. [Kassoff2007a] M. Kassoff and M. Genesereth. PrediCalc: A Logical Spreadsheet Management System. Knowledge Engineering Review, 22(3), 2007, pp. 281-295. http://logic.stanford.edu/~mkassoff/papers/predicalc.pdf [Kassoff2007b] M. Kassoff and A. Valente. An introduction to logical spreadsheets. Knowledge Engineering Review, 22(3), 2007, pp. 213-219. [Hunter1998] A. Hunter. Paraconsistent Logics. In Handbook of Defeasible Reasoning and Uncertain Information. http://www.cs.ucl.ac.uk/staff/a.hunter/papers/para.ps [Hinrichs2008b] T. Hinrichs and M. Genesereth. Injecting the How into the What. KR 2008. http://people.cs.uchicago.edu/ ~thinrich/papers/hinrichs2008injecting.pdf

50. 50 Questions

51. Backup

52. 52 According to Webster’s… collaborative produced or conducted by two or more parties; can be cooperative or competitive. programming the act of issuing instructions, esp. to computer systems. instructions detailed information telling how something should be done, operated, or assembled.

53. 53 Collaborative Programming Overview LanguageCompiler Run-time Environment First-order logic Logic programming Description logics SAT solvers Prolog Traditional PL Use Case (Scripting Language) Language CompilerRun-time Software Components

54. Web Form Implementation

55. 55 Comparison LogicConflictsReasoningSemantics Datalogkeywordsstandard1 model FOLbuilt-inparaconsistent 0,1,2,… models How do we leverage the strength of Datalog while retaining the strength of FOL?

56. 56 Compilation Approach FOLDatalog Two phases: 1.Compilation for traditional entailment. 2.Compilation for existential entailment.

57. 57 Theory Completion Central difficulty: A theory with many models (FOL) must be converted to a theory with one model (Datalog). Consequently: Compiling FOL to Datalog is a form of theory completion. Spreadsheet compilation is a parameterized form of theory completion.

58. 58 Parameterized Theories The theory that is queried to determine conflicts is comprised of two pieces: Need a compiler that produces a Datalog program that enumerates the logical consequences for ANY complete theory C. Incomplete (I) Complete (C) FOL Constraints Current Cell Values

59. 59 Compiler Definition (Parameterized Theory-Completion): Suppose I is a satisfiable set of constraints. A complete theory  is a parameterized theory-completion of I if for each predicate p, there are predicates p + and p - s.t. for every complete theory C s.t. C U I is satisfiable, C U I |= p(a) iff C U  |= p + (a) C U I |= p(a) iff C U  |= p - (a)

60. 60 Example Datalog when engine has a value. engine + (X) :- engine(X) engine - (X) :-  engine(X) trans + (X) :- X=5-speed, engine(small) trans - (X) :- X=5-speed,  engine(small) engine(small)  trans(5-speed) FOL Constraints:

61. 61 Compiler Given constraints I, 1.Compute resolution closure of I (Res[I]). 2.For each clause in Res[I], produce a series of Datalog queries, introducing 2 keywords per predicate. NB: Res[I] is always finite because I has only unary predicates. See [Hinrichs2008b] for more details.

62. 62 Existential Entailment Two possible sources of inconsistency: Constraints (I) Cell assignment (C) Constraints and cell assignments (C U I) It turns out that the compilation technique just described implements a form of Existential Entailment.

63. 63 Summary LanguageCompiler Run-time Environment Datalog First-order logic FOL to DatalogDatalog eval LogicConflictsReasoningExample Datalogkeywordsstandard Network Security FOLbuilt-inparaconsistent Logical Spreadsheets

64. Intro Backup

65. 65 Database Applications

66. 66 WWW Privacy

67. FSL Backup

68. 68 Negation “Every user except a guest can ssh into any server.” allow(U src,H src,A src,U tgt,H tgt,A tgt,ssh) :-  guest(U src ), server(H tgt )

69. 69 Traditional Security Mechanisms NAT: disable incoming connections for laptops deny(U src,H src,A src,U tgt,H tgt,A tgt,Prot) :- laptop(H tgt ) VLAN: isolate machines a,b,c vlan(a), vlan(b), vlan(c) deny(U src,H src,A src,U tgt,H tgt,A tgt,Prot) :- vlan(H src ),  vlan(H tgt ) deny(U src,H src,A src,U tgt,H tgt,A tgt,Prot) :-  vlan(H src ), vlan(H tgt )

70. 70 Query Processing Example “No phone can communicate with any private computer.” deny(U src,H src,A src,U tgt,H tgt,A tgt,Prot) :- phone(H src ), private(H tgt ) deny(U src,H src,A src,U tgt,H tgt,A tgt,Prot) :- private(H src ), phone(H tgt ) private(X) :- laptop(X) private(X) :- desktop(X)

71. 71 Example Compiled bool deny (U src,H src,A src,U tgt,H tgt,A tgt,Prot) { return (phone(H src ) && private(H tgt )) || (private(H src ) && phone(H tgt )); } bool private(X) { return laptop(X) || desktop(X); } Assume the existence of functions for phone, laptop, desktop.

72. 72 Access Control Decision-Making Complexity Query processing is PSPACE-complete in the size of the policy. If the number of arguments are bounded by a constant, query processing takes polynomial time in the size of the policy. If the tallest possible call stack is 1 (ignoring external references), then query processing takes linear time in the size of the policy.

73. 73 Implementation Tests Flows/sMem (MB) Rule Matches 0 rules103,69900 100 rules100,94212 500 rules85,37314 1,000 rules76,336210 5,000 rules54,416930 10,000 rules46,9563852

74. 74 Additive Elaboration To tighten a FSL security policy, one needs only to add statements to it. The conflict resolution strategy ensures that the most restrictive constraints are used. To relax a FSL policy, it is therefore insufficient to simply add statements.

75. 75 Relaxing Security Borrow a mechanism from Cascading Style Sheets (CSS): cascades. To relax security, FSL allows one policy to be overridden by another policy. P 1 < P 2 Any request constrained by P 2 is only constrained by P 2.

76. 76 Algorithms Group Normal Form: every rule body consists only of external references (and =). Flattened Cascades: a policy cascade expressed as a flat policy. Conflict Conditions: conditions on external references under which there will be a conflict. Conflict-free Normal Form: equivalent policy (under conflict resolution) without conflicts.

77. 77 Related Work Comparison Not using FOL, Modal logic, Linear logic No existential variables No recursion Fixed conflict resolution scheme No delegation No history/future-dependent policies Centralized enforcement Limited metalevel operations Access control decisions are constraints. Conflict resolution produces constraint set

78. 78 Core Language Application: Conflict Resolution Language One keyword: resolve, and one external reference: constraint P 1 resolve(deny) :- constraint(deny) resolve(deny) :- constraint(avoid(X)), constraint(visit(X)) P 2 resolve(avoid(X)) :- constraint(avoid(X)) resolve(visit(X)) :- constraint(visit(X)) P 3 resolve(allow) :- constraint(allow)

79. 79 Ongoing Work Currently, each flow initiation requires contacting a central controller. The route for that flow is cached at the router. Working to generalize this caching scheme. Each trip to the central controller caches more than just the route for one flow.

80. Spreadsheet Backup

81. 81 Mathematical Model Each cell is a variable: V Each variable has a domain: D V Constraints require that certain combinations of variables be assigned certain combinations of values: C V The purpose of a spreadsheet is to help users enter data by providing feedback when constraints are violated.

82. 82 Performance Demands Need to compute existential entailment in real-time. Each cell click requires computing O(n) entailment queries, where n is the domain size of the cell. A change to one cell may require updates to many other cells.

83. Compilation Backup

84. 84 Experiments: Two Formulations FHL: color(X,Y)  adj(X,Z)   color(Z,Y) color(X,Y)  node(X)  hue(Y) node(X)  X=a 1  …  X=a n hue(X)  X=b 1  …  X=b m adj(X,Y)  …  X 1 …X n. color(a 1,X 1 )  …  color(a n,X n ) Datalog: ans(X,Y,Z) :- hue(X), hue(Y), X  Y, hue(Z), Y  Z hue(b 1 ) hue(b 2 ) … hue(b m )

85. 85 Experiments: Details For graph sizes 25, 30, 35,…, 60, tested 20 randomly generated graphs. For each graph, tested 3 different hue sets. –k is the maximum degree of the graph. –Graph can always be colored with k+1 colors. –Tested k+1, 2/3k, and 1/3k hues. Compilation cost not counted

86. 86 Experiments: Results I

87. 87 Experiments: Results II

88. Scrap

89. 89 External References Group definitions change far more frequently than security policies. External references allow a policy to remain unchanged even if the groups it relies upon change often. visit(U src,H src,A src,U tgt,H tgt,A tgt,Prot,httpproxy) :- guest(U src ), wireless(A src ), Prot=http

90. 90 Implementing Existential Entailment Resolution-based approach: only generate resolvents whose premises are consistent. DATALOG -based approach: generate database queries that enumerate the existentially-entailed consequences.

91. 91 Spreadsheet Compilation Problem: Compile FOL constraints C to Datalog D s.t. for every cell assignment A D U A |= D [  ]p(a) iff C U A |= E [  ]p(a) drive(4x2) V  engine(small) drive(4x4)  drive(4x2) engine(small)  engine(large) FOL Constraints: Cell Assignments:

92. 92 Message Logical languages are powerful tools in collaborative settings. Collaboration breeds conflict. Embrace conflicts!