Download presentation
Presentation is loading. Please wait.
1
Naftaly Minsky Rutgers University Preventing Theft By Keeping Good Company
2
2 N. Minsky: workshop on Theft—April/05 Outline A real life example: the theft of theater seats. Parental advice about avoiding theft. How to realize the parental advice—over the internet.
3
3 N. Minsky: workshop on Theft—April/05 Theft of Theater Seats—an Example Suppose that a theater issues only one ticket for every seat, at any given performance; and that no one is admitted without a ticket. A theater-ticket is transferable right to occupy a specified seat at a given performance, and may change many hand before it is purchased by one who attempts to use it. But tickets can be forged, so one might find his seat occupied—stolen--when coming to the theater. Question: what can one do to avoid such theft?
4
4 N. Minsky: workshop on Theft—April/05 What did our Parents Tell Us? “Deal only with honest, law-abiding, individuals”. This must mean, in this case, to accept tickets from somebody you trust: 1.not to be a forger; 2.to follow this parental advice—recursively. So, one needs to trust a whole community— whose membership is unknown— to be law-abiding. The theater goers constitute such a community—more or less. Can such a law-abiding community be realized over the internet? This would help prevent some thefts, and other mishaps.
5
5 N. Minsky: workshop on Theft—April/05 The Concept of Law-Governed Interaction (LGI) LGI is a message exchange mechanism that enables a community of distributed agents to interact under an explicit and strictly enforced policy, called the “law” of this community. Some characteristics of LGI: Laws are about the interaction between agents—it is a generalized access-control mechanism. Laws are about local behavior, but they have global, communal, implications, because everybody in the given community is subject to the same law. Incremental deployment, and efficient execution Enforcement is decentralized---for scalability. To be released in May 2005, via: http://www.cs.rutgers.edu/moses/
6
6 N. Minsky: workshop on Theft—April/05 Centralized Enforcement of Communal Laws * The problems: potential congestion, and single point of failure m’ x u v y m ==> y m ==> x m Legend: L---Explicit statement of a Law. I---Policy interpreter S---the interaction state of the community L I S Reference monitor * Replication does not help, if S changes rapidly enough
7
7 N. Minsky: workshop on Theft—April/05 Distributed Law-Enforcement under LGI L I S x u v y L I SxSx L I SvSv L I SySy L I SuSu m ==> y m’ m’’ m m ==> y m
8
8 N. Minsky: workshop on Theft—April/05 The local nature of LGI laws Laws are defined locally, at each agent: They deal explicitly only with local events—such as the sending or arrival of a message. the ruling of a law for an event e at agent x is a function of e, and of the local control state CS X of x. a ruling can mandate only local operations at x. This localization does not reduce the expressive power of LGI laws, and it provides scalability for many (not all) laws.
9
9 N. Minsky: workshop on Theft—April/05 On the basis for trust between members of a community For a member of an L-community to trust its interlocutors to comply with the same law, one needs to ensure: that the exchange of L-messages is mediated by correctly implemented controllers. that interacting controllers operate under the same law L. Such assurances are provided, basically, via certification of controllers, and the exchange of the hash of the law. xy L I CS x L I CS y m ==> y m’’ [m’,hash(L)] C x CxCx CyCy
10
10 N. Minsky: workshop on Theft—April/05 Deployment of LGI Via Distributed TCB (DTCB) I I I I IIx y controller server adopt(L, name) adopt(…) m’ m’’ L m ==> y L
11
11 N. Minsky: workshop on Theft—April/05 A Law-Abiding Community of Theater-Goers Theater T L T T T release L L transfer L L enter T T T
12
12 N. Minsky: workshop on Theft—April/05 A Qualification about “enforcement” It is not possible to compel anybody to operate under any particular law, or to use LGI, for that matter. Yet, an agent may be effectively compelled to exchange L-messages, if it needs services provided only under this law. In our case, for example, if the theater admits only via L-message then theater goers, would have to use L-message to get tickets, and so would “street vendors”, if they want their tickets to be purchased.
13
13 N. Minsky: workshop on Theft—April/05 The Theater Law (Written in prolog) R1. certified([issu(CA),subj(X), attr([role(theater)])) :- do(+role(theater))). R2. sent(H,releaseTicket(t(H,P)),Y):- role(theater)@CS, do(forward). R3. arrived(H,releaseTicket(t(H,P)),Y) :- do(+t(H,P)), do(deliver). R4. sent(X,transfer(t(H,P)),Y) :- t(H,P)@CS, do(-t(H,P)), do(forward). R5. arrived(X,transfer(t(H,P)),Y) :- do(+t(H,P)), do(deliver). R6. sent(X,enter(t(H,P)),H) :- t(H,P)@CS, do(-t(H,P)), do(forward). R7. arrived(X,enter(t(H,P)),H) :- do(deliver).
14
Questions?
15
15 N. Minsky: workshop on Theft—April/05 The Theater Law (part 1) R1. certified([issu(CA),subj(X), attr([role(theater)])) :- do(+role(theater))). An agent may claim the role of a theater by presenting an apptopriate certificate issued by cityHall. R2. sent(H,releaseTicket(t(H,P)),Y):- role(theater)@CS, do(forward). Only a theater can realse tickets, and only its own. R3. arrived(H,releaseTicket(t(H,P)),Y) :- do(+t(H,P)), do(deliver). An arriving ticket is maintained in the CS of the receiver.
16
16 N. Minsky: workshop on Theft—April/05 The Theater Law (part 2) R4. sent(X,transfer(t(H,P)),Y) :- t(H,P)@CS, do(-t(H,P)), do(forward). Transferring a ticket to somebody else. R5. arrived(X,transfer(t(H,P)),Y) :- do(+t(H,P)), do(deliver). Receiving a transferred ticket. R6. sent(X,enter(t(H,P)),H) :- t(H,P)@CS, do(-t(H,P)), do(forward). Entering a theater, with a valid ticket R7. arrived(X,enter(t(H,P)),H) :- do(deliver).
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.