
Applications of Computational Logic

Tim Hinrichs, University of Chicago

COMPULOG Summer School, July 24-27, 2008

Collaborative Programming

Settings in which groups of people issue instructions to computer systems.

– Cooperative goals
– Competitive goals

Collaborative Programming Languages

Principles of Collaboration
– No one knows everything.
– People never agree on everything.

Required Language Properties
– Partial instruction sets
– Conflicting instruction sets
– Combinable instruction sets

Logical Languages

Benefits:
– Can express partial instruction sets.
– Can express conflicting instruction sets.
– Combination is relatively straightforward.

Drawback: Processing logical languages, especially with conflicts and incompleteness, can be expensive relative to traditional programming languages.

Network Security


Local Area Networks


Network Policy Examples

“Every wireless guest user must send http requests through an http-proxy.”

“No phone can communicate with any private computer.”

“Two superusers have no communication restrictions.”


Desiderata

• Collaborative policy authoring

• High performance: 10^5 queries per second.

• Interact with outside world.


FSL

FSL: Flow Security Language [Hinrichs2008b]

Multiple network administrators issue instructions for each message/flow:

• User source
• Host source
• Access point source
• User target
• Host target
• Access point target
• Protocol

Basic Rules

“Two superusers have no communication restrictions.”

allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- superuser(Usrc), superuser(Utgt)

superuser(bob)
superuser(alice)

Rule Sets

“No phone can communicate with any private computer.”

deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)

deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)

private(X) :- laptop(X)
private(X) :- desktop(X)

laptop(lap1)
desktop(desk1)
phone(phone1)

No recursion.

More Keywords

“Every wireless guest user must send HTTP requests through a proxy.”

visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc), wireless(Asrc), Prot=http

guest(alice)
guest(bob)
wireless(wap1)

External References

Group definitions change far more frequently than security policies.

External references allow a policy to remain unchanged even if the groups it relies upon change often.

visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,httpproxy) :- guest(Usrc), wireless(Asrc), Prot=http

Negation

“Every user except a guest can ssh into any server.”

allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,ssh) :- ¬guest(Usrc), server(Htgt)

FSL Overview

FSL is built on nonrecursive Datalog with negation, without existential variables or safety.

Keywords/queries:

allow: allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot)

deny: deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot)

visit: visit(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,host)

avoid: avoid(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot,host)

In security policies, visit and avoid require a constant in the last argument of the consequent.

Query Processing Example

“No phone can communicate with any private computer.”

deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- phone(Hsrc), private(Htgt)

deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- private(Hsrc), phone(Htgt)

private(X) :- laptop(X)
private(X) :- desktop(X)

Example Compiled

bool deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) {
    return (phone(Hsrc) && private(Htgt)) ||
           (private(Hsrc) && phone(Htgt));
}

bool private(X) {
    return laptop(X) || desktop(X);
}

Assume the existence of functions for phone, laptop, desktop.

Conflicts and Incompleteness

Conflicts are easy to express:

deny(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- a(Hsrc), b(Htgt)

allow(Usrc,Hsrc,Asrc,Utgt,Htgt,Atgt,Prot) :- a(Hsrc), b(Htgt)

Incompleteness is easy to express:

What should the system do if a(Hsrc) b(Htgt)?

Collaborative Programming versus Policy Enforcement

FSL meets the requirements of Collaborative Programming languages:
– Partial instruction sets
– Conflicting instruction sets
– Combinable instruction sets

Authorization systems cannot enforce incomplete or conflicting security policies.

FSL Usage Overview

(Diagram; components: Policy1 … Policyn, Combined Policy, Analysis Engine, Authorization System.)

Conflict Resolution Strategies

• No conflicts: conflicts are errors.

• Most secure: choose instructions that are most secure.

• Most permissive: choose policy instructions that give users the most rights.

• Cancellation: a flow with conflicting constraints has no constraints.
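An added example, not code from the talk: the superuser allow rule and the phone/private deny rules from the earlier slides, compiled to boolean tests as in "Example Compiled", with the four conflict-resolution strategies applied when both allow and deny fire. Group membership, flow values and the strategy names are constructed here.

```python
# Added example, not from the talk: an evaluator for the allow/deny rules on the
# slides plus the four conflict-resolution strategies. Group facts are constructed.
from collections import namedtuple

# One flow = the seven arguments of every FSL keyword.
Flow = namedtuple("Flow", "usrc hsrc asrc utgt htgt atgt prot")

# Constructed group membership (in FSL these would be external references).
SUPERUSER = {"bob", "alice"}
PHONE = {"phone1"}
PRIVATE = {"lap1", "desk1"}          # private(X) :- laptop(X) / desktop(X)

# Each rule is (keyword, body); the body is the compiled boolean test of the rule.
RULES = [
    ("allow", lambda f: f.usrc in SUPERUSER and f.utgt in SUPERUSER),
    ("deny",  lambda f: f.hsrc in PHONE and f.htgt in PRIVATE),
    ("deny",  lambda f: f.hsrc in PRIVATE and f.htgt in PHONE),
]

def fired(flow, rules=RULES):
    """Keywords whose rule bodies hold for this flow (the compiled bool allow/deny)."""
    return {kw for kw, body in rules if body(flow)}

def decide(flow, strategy, rules=RULES):
    """Return 'allow', 'deny', or None when no instruction constrains the flow.
    strategy is one of: no_conflicts, most_secure, most_permissive, cancellation."""
    kws = fired(flow, rules)
    if kws == {"allow", "deny"}:          # the policies conflict on this flow
        if strategy == "no_conflicts":
            raise ValueError(f"conflicting instructions for {flow}")
        if strategy == "most_secure":
            return "deny"
        if strategy == "most_permissive":
            return "allow"
        if strategy == "cancellation":
            return None                   # conflicting constraints cancel out
        raise ValueError(f"unknown strategy {strategy!r}")
    if "deny" in kws:
        return "deny"
    if "allow" in kws:
        return "allow"
    return None                           # incompleteness: no rule applies

# Constructed flow: superuser alice on phone1 talking to superuser bob on lap1 hits
# both the superuser allow rule and the phone-to-private deny rule.
CONFLICT = Flow("alice", "phone1", "wap1", "bob", "lap1", "wap1", "http")
```

A None result is the incompleteness case from the previous slides: the authorization system still has to pick a default for such flows.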


DATALOG as a Collaborative Programming Language

Expressing conflicts requires keywords.

Benefit: Conflicts can be detected and resolved using traditional inference tools.

Drawback: All possible conflicts must be anticipated at language-design time.

Logical Spreadsheets


Logical Spreadsheets

See [Kassoff2007]


Websheets



Websheet Demo

Live Demo


Collaborative Programming?

Collaboration
– Constraints sometimes originate from multiple sources.
– Data source is often different from the constraint source.

"Programming" is a bit of a stretch.

Logical Foundations

Cells: unary predicates, e.g. drive and engine.

Constraint: quantifier-free, function-free first-order formula, e.g. "if the engine is small then the drive is 4x2."

drive(4x2) ∨ ¬engine(small)

Cell assignment: ground literals, e.g. drive(4x4), ¬drive(4x2)

Conflict Detection I

Check whether, for spreadsheet S, both S |= drive(4x4) and S |= ¬drive(4x4).

Problem


Problem Explanation

S: drive(4x2) ∨ ¬engine(small), drive(4x4), ¬drive(4x2), engine(small), ¬engine(large)

S is inconsistent. Therefore S |= drive(4x4) and S |= ¬drive(4x4).

And for every other predicate p and value a, S |= p(a) and S |= ¬p(a).

Paraconsistent Entailment

Definition (Existential Entailment [Hunter1998])

A set of sentences Δ existentially entails α if there is some subset Δ' ⊆ Δ such that Δ' is consistent and Δ' |= α.

Implementing Existential Entailment

Resolution-based approach: only generate resolvents whose premises are consistent.

DATALOG-based approach: generate database queries that enumerate the existentially-entailed consequences.
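An added example, not the talk's implementation, covering the "Problem Explanation" and "Existential Entailment" slides: a brute-force model enumerator over the spreadsheet theory S, showing that classical |= entails every literal once S is inconsistent, while existential entailment reports a conflict only for the cells actually involved in the violated constraint. The clause encoding and function names are assumptions.

```python
# Added example (not the talk's code): brute-force classical vs. existential
# entailment on the spreadsheet theory S from the slides.
from itertools import combinations, product

def lit(atom, pos=True):
    """A literal is (atom, truth); a clause is a frozenset of literals (a disjunction)."""
    return (atom, pos)

# Constraint "if the engine is small then the drive is 4x2" = drive(4x2) v ~engine(small),
# plus the cell assignments drive(4x4), ~drive(4x2), engine(small), ~engine(large).
CONSTRAINT = frozenset({lit("drive(4x2)"), lit("engine(small)", False)})
CELLS = [frozenset({lit("drive(4x4)")}), frozenset({lit("drive(4x2)", False)}),
         frozenset({lit("engine(small)")}), frozenset({lit("engine(large)", False)})]
S = [CONSTRAINT] + CELLS

def atoms(clauses):
    return sorted({a for c in clauses for a, _ in c})

def models(clauses, names):
    """Truth assignments over `names` that satisfy every clause."""
    for values in product([True, False], repeat=len(names)):
        m = dict(zip(names, values))
        if all(any(m[a] == pos for a, pos in c) for c in clauses):
            yield m

def consistent(clauses):
    return next(models(clauses, atoms(clauses)), None) is not None

def entails(clauses, literal):
    """Classical |=: vacuously true for every literal once the clauses are inconsistent."""
    atom, pos = literal
    names = sorted(set(atoms(clauses)) | {atom})
    return all(m[atom] == pos for m in models(clauses, names))

def existentially_entails(clauses, literal):
    """Hunter's existential entailment: some consistent subset classically entails the literal."""
    for k in range(1, len(clauses) + 1):
        for subset in combinations(clauses, k):
            if consistent(list(subset)) and entails(list(subset), literal):
                return True
    return False

def conflicts(clauses):
    """Cells in conflict (Conflict Detection I): atoms a with S |=E a and S |=E ~a."""
    return {a for a in atoms(clauses)
            if existentially_entails(clauses, lit(a))
            and existentially_entails(clauses, lit(a, False))}
```

Subset enumeration is exponential in the number of clauses, which is why the slides compile to Datalog instead of checking entailment this way at runtime.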


Classical Logic as a Collaborative Programming Language

Conflicts require no special machinery.

Benefit: Conflicts do not need to be anticipated by the language designer.

Drawback: Automated reasoning tools must implement a paraconsistent version of entailment.

Spreadsheet Implementation


Comparison

Logic     Conflicts   Reasoning        Semantics
datalog   keywords    standard         1 model
FOL       built-in    paraconsistent   0, 1, 2, … models

How do we leverage the strengths while avoiding the weaknesses?

Compilation Approach

FOL → Datalog

Spreadsheet Compilation

Problem: Compile FOL constraints C to Datalog D such that for every cell assignment A

D ∪ A |=D [¬]p(a) iff C ∪ A |=E [¬]p(a)

where |=D is Datalog entailment and |=E is existential entailment.

FOL Constraints: drive(4x2) ∨ ¬engine(small)

Cell Assignments: drive(4x4), ¬drive(4x2), engine(small), ¬engine(large)

Theory Completion

Semantic difficulty: A theory with many models (FOL) must be converted to a theory with one model (Datalog).

Consequently:
• Compiling FOL to Datalog is a form of theory completion.
• Spreadsheet compilation is a parameterized form of theory completion.

Example

FOL Constraints: drive(4x2) ∨ ¬engine(small)

Want a Datalog/Prolog program that, given ground atoms for engine, enumerates the values of drive that are entailed.

ent_drive(X) :- X=4x2, engine(small)

What about negative values for engine?

ent_notengine(X) :- X=small, not(drive(4x2))

More Generally

Given FOL constraints C,

1. Compute the resolution closure of C (Res[C]).

2. For each clause in Res[C], produce a series of Datalog queries, introducing 2 keywords per predicate.

NB: Res[C] is always finite because C has only unary predicates.

See [Hinrichs2008c] for more details.
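An added example, my own rendering of the two-step procedure above rather than the talk's compiler: it computes Res[C] for unary-predicate clauses and, for each clause, emits one ent_p / ent_notp rule per literal, reproducing the ent_drive and ent_notengine rules of the "Example" slide. The output format and the second, constructed constraint (wheels) are assumptions.

```python
# Added example (my rendering of the slide's procedure, not the talk's compiler):
# compute Res[C] for unary-predicate constraints and emit ent_p / ent_notp rules.
def lit(atom, pos=True):           # atom is "pred(value)"; a clause is a frozenset of literals
    return (atom, pos)

def resolve(c1, c2):
    """All non-tautological resolvents of two clauses."""
    out = set()
    for atom, pos in c1:
        if (atom, not pos) in c2:
            r = (c1 - {(atom, pos)}) | (c2 - {(atom, not pos)})
            if not any((a, not p) in r for a, p in r):   # drop tautologies
                out.add(frozenset(r))
    return out

def resolution_closure(clauses):
    """Res[C]: finite here because every atom is pred(value) over finitely many cells."""
    closed = set(clauses)
    while True:
        new = {r for c1 in closed for c2 in closed for r in resolve(c1, c2)} - closed
        if not new:
            return closed
        closed |= new

def split(atom):                   # "engine(small)" -> ("engine", "small")
    pred, value = atom[:-1].split("(")
    return pred, value

def compile_clause(clause):
    """Each literal becomes a head (ent_p or ent_notp); the complements of the others form the body."""
    rules = []
    for atom, pos in sorted(clause):
        pred, value = split(atom)
        head = f"ent_{'' if pos else 'not'}{pred}(X)"
        body = [f"X={value}"] + [o if not op else f"not({o})"
                                 for o, op in sorted(clause) if (o, op) != (atom, pos)]
        rules.append(f"{head} :- {', '.join(body)}")
    return rules

def compile_constraints(constraints):
    """Step 1 then step 2: all rules for every clause of Res[C], sorted for stable output."""
    return sorted(r for c in resolution_closure(constraints) for r in compile_clause(c))

# The slide's constraint plus a constructed second one: ~drive(4x2) v wheels(4).
C_SLIDE = frozenset({lit("drive(4x2)"), lit("engine(small)", False)})
C_WHEELS = frozenset({lit("drive(4x2)", False), lit("wheels(4)")})
```

The second constraint shows why the closure is needed: the resolvent ¬engine(small) ∨ wheels(4) yields a rule deriving wheels(4) directly from engine(small), which no single input clause provides.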

Existential Entailment

Two possible sources of inconsistency:
• C itself
• C together with cell assignment A

Because ent_drive is built only from constraints that include drive, the Datalog queries implement Existential Entailment.

Message

Build Applications and Embrace Conflicts

[Hinrichs2008a] T. Hinrichs. Collaborative Programming. Workshop on Practical Aspects of Automated Reasoning, 2008. http://people.cs.uchicago.edu/~thinrich/papers/ hinrichs2008collaborative.pdf

[Hinrichs2008b] T. Hinrichs et al. Design and Implementation of a Flow-based Security Language. Unpublished. Available upon request.

[Kassoff2007] M. Kassoff and M. Genesereth. PrediCalc: A Logical Spreadsheet Management System. Knowledge Engineering Review, 22(3), 2007, pp. 281-295. http://logic.stanford.edu/~mkassoff/papers/predicalc.pdf

[Hunter1998] A. Hunter. Paraconsistent Logics. In Handbook of Defeasible Reasoning and Uncertain Information. http://www.cs.ucl.ac.uk/staff/a.hunter/papers/para.ps

[Hinrichs2008c] T. Hinrichs and M. Genesereth. Injecting the How into the What. KR 2008. http://people.cs.uchicago.edu/~thinrich/papers/hinrichs2008injecting.pdf


Questions