Naftaly Minsky Rutgers University Preventing Theft By Keeping Good Company

2 N. Minsky: workshop on Theft—April/05 Outline  A real life example: the theft of theater seats.  Parental advice about avoiding theft.  How to realize the parental advice—over the internet.

3 N. Minsky: workshop on Theft—April/05 Theft of Theater Seats—an Example  Suppose that a theater issues only one ticket for every seat, at any given performance; and that no one is admitted without a ticket.  A theater-ticket is transferable right to occupy a specified seat at a given performance, and may change many hand before it is purchased by one who attempts to use it.  But tickets can be forged, so one might find his seat occupied—stolen--when coming to the theater.  Question: what can one do to avoid such theft?

4 N. Minsky: workshop on Theft—April/05 What did our Parents Tell Us?  “Deal only with honest, law-abiding, individuals”.  This must mean, in this case, to accept tickets from somebody you trust: 1.not to be a forger; 2.to follow this parental advice—recursively.  So, one needs to trust a whole community— whose membership is unknown— to be law-abiding.  The theater goers constitute such a community—more or less.  Can such a law-abiding community be realized over the internet? This would help prevent some thefts, and other mishaps.

5 N. Minsky: workshop on Theft—April/05 The Concept of Law-Governed Interaction (LGI)  LGI is a message exchange mechanism that enables a community of distributed agents to interact under an explicit and strictly enforced policy, called the “law” of this community.  Some characteristics of LGI:  Laws are about the interaction between agents—it is a generalized access-control mechanism.  Laws are about local behavior, but they have global, communal, implications, because everybody in the given community is subject to the same law.  Incremental deployment, and efficient execution  Enforcement is decentralized---for scalability.  To be released in May 2005, via:

6 N. Minsky: workshop on Theft—April/05 Centralized Enforcement of Communal Laws * The problems: potential congestion, and single point of failure m’ x u v y m ==> y m ==> x m Legend: L---Explicit statement of a Law. I---Policy interpreter S---the interaction state of the community L I S Reference monitor * Replication does not help, if S changes rapidly enough

7 N. Minsky: workshop on Theft—April/05 Distributed Law-Enforcement under LGI L I S x u v y L I SxSx L I SvSv L I SySy L I SuSu m ==> y m’ m’’ m m ==> y m

8 N. Minsky: workshop on Theft—April/05 The local nature of LGI laws  Laws are defined locally, at each agent:  They deal explicitly only with local events—such as the sending or arrival of a message.  the ruling of a law for an event e at agent x is a function of e, and of the local control state CS X of x.  a ruling can mandate only local operations at x.  This localization does not reduce the expressive power of LGI laws,  and it provides scalability for many (not all) laws.

9 N. Minsky: workshop on Theft—April/05 On the basis for trust between members of a community  For a member of an L-community to trust its interlocutors to comply with the same law, one needs to ensure:  that the exchange of L-messages is mediated by correctly implemented controllers.  that interacting controllers operate under the same law L.  Such assurances are provided, basically, via certification of controllers, and the exchange of the hash of the law. xy L I CS x L I CS y m ==> y m’’ [m’,hash(L)] C x CxCx CyCy

10 N. Minsky: workshop on Theft—April/05 Deployment of LGI Via Distributed TCB (DTCB) I I I I IIx y controller server adopt(L, name) adopt(…) m’ m’’ L m ==> y L

11 N. Minsky: workshop on Theft—April/05 A Law-Abiding Community of Theater-Goers Theater T L T T T release L L transfer L L enter T T T

12 N. Minsky: workshop on Theft—April/05 A Qualification about “enforcement”  It is not possible to compel anybody to operate under any particular law, or to use LGI, for that matter.  Yet, an agent may be effectively compelled to exchange L-messages, if it needs services provided only under this law.  In our case, for example, if the theater admits only via L-message then theater goers, would have to use L-message to get tickets, and so would “street vendors”, if they want their tickets to be purchased.

13 N. Minsky: workshop on Theft—April/05 The Theater Law (Written in prolog)  R1. certified([issu(CA),subj(X), attr([role(theater)])) :- do(+role(theater))).  R2. sent(H,releaseTicket(t(H,P)),Y):- do(forward).  R3. arrived(H,releaseTicket(t(H,P)),Y) :- do(+t(H,P)), do(deliver).  R4. sent(X,transfer(t(H,P)),Y) :- do(-t(H,P)), do(forward).  R5. arrived(X,transfer(t(H,P)),Y) :- do(+t(H,P)), do(deliver).  R6. sent(X,enter(t(H,P)),H) :- do(-t(H,P)), do(forward).  R7. arrived(X,enter(t(H,P)),H) :- do(deliver).

Questions?

15 N. Minsky: workshop on Theft—April/05 The Theater Law (part 1)  R1. certified([issu(CA),subj(X), attr([role(theater)])) :- do(+role(theater))).  An agent may claim the role of a theater by presenting an apptopriate certificate issued by cityHall.  R2. sent(H,releaseTicket(t(H,P)),Y):- do(forward).  Only a theater can realse tickets, and only its own.  R3. arrived(H,releaseTicket(t(H,P)),Y) :- do(+t(H,P)), do(deliver).  An arriving ticket is maintained in the CS of the receiver.

16 N. Minsky: workshop on Theft—April/05 The Theater Law (part 2)  R4. sent(X,transfer(t(H,P)),Y) :- do(-t(H,P)), do(forward).  Transferring a ticket to somebody else.  R5. arrived(X,transfer(t(H,P)),Y) :- do(+t(H,P)), do(deliver).  Receiving a transferred ticket.  R6. sent(X,enter(t(H,P)),H) :- do(-t(H,P)), do(forward).  Entering a theater, with a valid ticket  R7. arrived(X,enter(t(H,P)),H) :- do(deliver).