* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Download Combinaison des logiques temporelle et déontique pour la
Abductive reasoning wikipedia , lookup
Combinatory logic wikipedia , lookup
Model theory wikipedia , lookup
Saul Kripke wikipedia , lookup
History of logic wikipedia , lookup
Lorenzo Peña wikipedia , lookup
Propositional formula wikipedia , lookup
Mathematical logic wikipedia , lookup
First-order logic wikipedia , lookup
Quasi-set theory wikipedia , lookup
Natural deduction wikipedia , lookup
Structure (mathematical logic) wikipedia , lookup
Law of thought wikipedia , lookup
Curry–Howard correspondence wikipedia , lookup
Quantum logic wikipedia , lookup
Intuitionistic logic wikipedia , lookup
Laws of Form wikipedia , lookup
Accessibility relation wikipedia , lookup
UNIVERSITÉ TOULOUSE III - Paul Sabatier U.F.R. Mathématiques, Informatique, et Gestion École doctorale Mathématiques, Informatique, et Télécomunications de Toulouse Institut de Recherche en Informatique de Toulouse THÈSE en vue de l’obtention du DOCTORAT DE L’UNIVERSITÉ DE TOULOUSE délivré par l’université Toulouse III - Paul Sabatier Discipline : Informatique Combinaison des logiques temporelle et déontique pour la spécification de politiques de sécurité Julien Brunel soutenue le 12 décembre 2007 devant le jury composé de Philippe Balbiani Jean-Paul Bodeveix Jan Broersen Frédéric Cuppens Stéphane Demri Mamoun Filali Amine Sergei Soloviev Wiebe van der Hoek examinateur directeur de thèse examinateur examinateur rapporteur co-directeur de thèse examinateur rapporteur i Combining temporal and deontic logics for the specification of security policies Julien Brunel supervisors: Jean-Paul Bodeveix, Mamoun Filali Amine Abstract In order to formally specify a security policy, it is natural to reason about time on the one hand, and obligations, permissions, and prohibitions on the other hand. Indeed, we have to express for instance the permission to access a resource for a certain period, the obligation to release a resource before a deadline, or the prohibition to execute a task for a too long period. Temporal and deontic logics seem well suited to specify such concepts. In this thesis, we study how to combine these logics. Firstly, we study the product of linear temporal logic and standard deontic logic, and define obligation with deadline in this context. It has to satisfy a property called propagation property: while it is not fulfilled, it is propagated to the next instant. We then propose a more general propagation property, and propose a semantics to validate it. For the until-free fragment of our logic, we define an axiomatics and a tableaux-like decision procedure. Lastly, we investigate the notion of compliance of a system with respect to a policy specified in such a language. The first definition we come up with is a weak version of compliance called compatibility. For a new fragment of our logic, we adapt the Büchi approach of Vardi and Wolper to decide whether a system is compliant with a policy. We then restrict again the language so that we can define a stronger version of compliance. Actually, a careful analysis shows the necessity to refine the notion of compliance into five different diagnostic cases which give ’levels of compliance’. We provide an algorithm to establish this diagnostic. Keywords: temporal logic, deontic logic, security policy ii iii Combinaison des logiques temporelle et déontique pour la spécification de politiques de sécurité Julien Brunel directeurs de thèse : Jean-Paul Bodeveix, Mamoun Filali Amine Résumé Pour spécifier formellement une politique de sécurité, il est naturel de raisonner d’une part sur la notion de temps, et d’autre part sur les notions d’obligation, de permission, et d’interdiction. En effet, il s’agit d’exprimer par exemple le droit d’accès à une ressource pendant une certaine durée, l’obligation de la libérer avant un instant donné, ou encore l’obligation qu’une certaine tâche ne soit pas exécutée pendant un temps trop important. Les logiques temporelle et déontique apparaissent comme des outils adéquats pour spécifier de telles notions. Dans cette thèse, nous étudions comment combiner de telles logiques. Nous étudions dans un premier temps le produit de la logique temporelle linéaire avec la logique déontique standard, et définissons une obligation avec délai dans ce contexte. L’obligation avec délai doit notamment satisfaire une propriété que l’on nomme propagation : tant qu’elle n’est pas remplie et que le délai n’est pas atteint, elle se propage à l’instant suivant. Nous proposons ensuite une sémantique qui valide une propriété de propagation plus générale, puis définissons une axiomatique et une procédure de décision pour fragment du langage qui ne contient pas l’opérateur temporel ’until’. Nous nous intéressons enfin à la notion de conformité d’un système vis à vis d’une politique de sécurité spécifiée dans un tel langage. La première définition que nous proposons est une version faible de la conformité que l’on nomme compatibilité. Nous restreignons ensuite le langage afin définir une version plus forte de la conformité, et proposons un algorithme pour vérifier la conformité d’un système vis à vis d’une politique. Mots-clés : logique temporelle, logique déontique, politique de sécurité iv Remerciements / Acknowledgments Remerciements Une première étape se termine aujourd’hui. Je saisis l’occasion de remercier ceux qui ont contribué, d’une manière ou d’une autre, à mon travail durant ces trois années et demie. Tout d’abord, je tiens à remercier très chaleureusement mes directeurs de thèse Jean-Paul Bodeveix et Mamoun Filali Amine, qui m’ont donné l’opportunité de faire cette thèse, pour leur soutien permanent et leurs conseils. Je me souviens du stage, durant l’été 2002, pendant lequel ils m’ont initié à la recherche et transmis leur passion pour les méthodes formelles. Leur enthousiasme et leur complémentarité ont constitué un grand atout pour ma thèse, et travailler avec eux a été un grand plaisir. Je voudrais ensuite remercier Stéphane Demri et Wiebe van der Hoek, pour l’intérêt qu’ils ont apporté à mon travail en acceptant d’être rapporteurs de cette thèse. Leurs corrections, remarques, et questions, m’ont permis d’améliorer ce mémoire et m’ont donné des perspectives très intéressantes. Merci à Jan Broersen qui a accepté de m’accueillir à Utrecht, en février 2006, avant même de me connaître ! L’accueil fut très chaleureux, et le séjour très agréable. J’y ai appris beaucoup sur les logiques déontiques, et les logiques d’action. La collaboration qui a suivi a été un excellent stimulant jusqu’à la fin de ma thèse, et la logique proposée en est le fruit. Merci à Philippe Balbiani, pour les nombreuses discussions, pour ses conseils aussi bien sur des aspects scientifiques pointus que sur le déroulement de ma thèse. J’ai beaucoup apprécié sa disponibilité. Sa connaissance des logiques modales m’a apporté beaucoup. Merci également à Frédéric Cuppens et Nora Cuppens-Boulahia. Grâce à leur enthousiasme, la collaboration entamée dans le cadre du projet DISPO a pu se poursuivre lors de plusieurs séjours à Rennes, où nous avons pu discuter v vi longuement des obligations et des violations dans une politique de sécurité. Je voudrais également remercier Sergei Soloviev pour le regard extérieur qu’il a porté sur mon travail, et pour avoir accepté de présider le jury. Je remercie Philippe Balbiani, Jan Broersen, Frédéric Cuppens, Stéphane Demri, et Wiebe van der Hoek, pour leurs questions et commentaires stimulants lors de la soutenance. Je remercie toutes les personnes que j’ai côtoyées à l’IRIT (chercheurs, secrétaires, enseignants, et techniciens) qui ont contribué à un environnement agréable. Merci en particulier à ceux qui ont partagé mon bureau (Abbassia, Jean-François, Lei, et Marjorie) avec qui j’ai passé de bons moments. Je pense aussi à ma famille, que j’étais très heureux de retrouver pendant la semaine de ma soutenance. À mon père, qui a traversé l’océan Indien pour y assister ! À ma mère, qui a fait preuve d’un sang froid à toute épreuve pour la gestion de mon pot de thèse ! Je leur dois beaucoup. À ma grand-mère, Mamette, qui a apporté un peu de notre île de beauté avec elle. À Vanina et Yann, sans qui j’aurais sûrement renoncé à la partie 4.2.3 (quel dommage ça aurait été !). Et bien sûr à Benjamin, mon petit frère, qui est malheureusement déjà plus grand que moi. À tous les toulousains qui ont contribué aux conditions agréables dans lesquelles j’ai effectué cette thèse, à travers les soirées, repas, discussions, élaborations de théories-minute, etc. : Mehdi, Camille, Jérôme, Matthieu, Simon, Thierry, Chloé, Raphaël, Serge, Élodie, Vincent, Juliette, Nicolas, Arnaud, Marie, David et Marie. Je pense aussi à ceux qui me supportent depuis bien plus longtemps : Thierry, Rémi, Viviane, Rémy, Nico, Gilles, Sonia, Candice, Ben, . . . À Anne-Laure, qui m’a subi pendant la période d’autisme/rédaction, et qui a su m’apporter toute sa douceur. Je lui dédie cette thèse. Acknowledgments I would like to use this page as an opportunity to thank the people who have played a role, in a way or another, in my work during these three years and a half. First of all, I would like to thank my supervisors Jean-Paul Bodeveix and Mamoun Filali Amine for their support and advice. I remember in particular this training period in 2002, during which they introduce me to research, and impart their passion for formal methods to me. Their enthusiasm and their complementarity were a great asset for my thesis, and I have really enjoyed working with them. My acknowledgment also goes to Stéphane Demri and Wiebe van der Hoek, for having reviewed this thesis. Their corrections, remarks, and questions, allowed me to improve this dissertation, and gave me some interesting leads for future work. vii I also thank Jan Broersen, who accepted to welcome me in February 2006 in Utrecht, before even knowing me! The welcome was warm, and the stay very pleasant. I learnt a lot about deontic logics and action logics. The collaboration that followed was really stimulating until the end of my PhD, and the logic proposed in this dissertation is its fruit. My acknowledgment then goes to Philippe Balbiani, for all the discussions we had, about scientific aspects as much as about the progress of my PhD. I have really appreciated his availability. His knowledge of modal logics was very helpful. I also owe thanks to Frédéric Cuppens and Nora Cuppens-Boulahia. Thanks to their enthusiasm, the collaboration we started in the DISPO project went on with some stays in Rennes, during which we were able to talk a lot about obligations and violations in a security policy. I would also like to thank Sergei Soloviev, for the interesting look he gave to my work, and for having accepted to be president of the jury. I thank Philippe Balbiani, Jan Broersen, Frédéric Cuppens, Stéphane Demri, and Wiebe van der Hoek for being part of the jury, and for their stimulating questions and comments during the defense. I thank all the IRIT staff members who played a part in making the environment pleasant, in particular those who shared my office: Abbassia, Jean-François, Lei, and Marjorie. My thoughts go to my family, that I was so happy to see the week after the defense. To my father, who crossed Indian ocean to attend it! To my mother, who handled the organisation of the drinks party with a lot of selfcontrol! I owe them much. To my grand-mother, who brought a little of our “île de beauté” with her. To Vanina and Yann, without who I would have given section 4.2.3 up (what a pity it would have been!). To Benjamin, my little brother, who is unfortunately already taller than me. To people from Toulouse, who made my after work enjoyable thanks to parties, meals, discussions, etc.: Mehdi, Camille, Jérôme, Matthieu, Simon, Thierry, Chloé, Raphaël, Serge, Élodie, Vincent, Juliette, Nicolas, Arnaud, Marie, David and Marie. I also think about those I have known for much more time: Thierry, Rémi, Viviane, Rémy, Nico, Gilles, Sonia, Candice, Ben, . . . To Anne-Laure, who endured me during the autism/writing period, and who gave me all her sweetness. This thesis is dedicated to her. viii ix À Anne-Laure x Contents 1 Introduction 1.1 Security . . . . . . . . . . 1.2 Formal methods and logics 1.3 Outline . . . . . . . . . . 1.4 Bibliographic notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Basic logical concepts 2.1 Modal logic . . . . . . . . . . . . . . . 2.1.1 Axiomatics . . . . . . . . . . . 2.1.2 Semantics . . . . . . . . . . . . 2.2 Deontic logic . . . . . . . . . . . . . . 2.2.1 Standard Deontic Logic SDL . 2.2.2 Some theorems and paradoxes . 2.2.3 Dyadic deontic logic based on a 2.3 Temporal logic . . . . . . . . . . . . . 2.3.1 Linear temporal logic . . . . . . 2.3.2 LT L semantics . . . . . . . . . 2.3.3 Characterization of properties . 2.3.4 LT L axiomatization . . . . . . 2.3.5 Branching-time temporal logic 2.3.6 Timed logic . . . . . . . . . . . 2.4 Model checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Combining temporal and deontic logics 3.1 Fusion of modal logics . . . . . . . . . . 3.1.1 Fusion of LT L and SDL . . . . . 3.1.2 Fusion of CT L and SDL . . . . 3.2 Interaction properties . . . . . . . . . . xi . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 7 8 10 11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . relation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 13 14 15 19 19 19 21 22 23 24 25 27 29 33 37 . . . . 39 40 41 43 44 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xii . . . . . . . . . . . . . . 44 46 46 47 48 48 50 4 Propagation property 4.1 Deadline obligation . . . . . . . . . . . . . . . . . . . . . . . 4.1.1 Studied properties . . . . . . . . . . . . . . . . . . . 4.1.2 A first attempt for defining deadline obligation . . . 4.1.3 Validation of the propagation property . . . . . . . . 4.1.4 New operator Ok . . . . . . . . . . . . . . . . . . . . 4.2 General propagation property . . . . . . . . . . . . . . . . . 4.2.1 Propagation property and product . . . . . . . . . . 4.2.2 Semantics based on the restriction of the ideal states 4.2.3 Model correspondence for the propagation . . . . . . 4.2.4 Semantics with levels of deontic ideality . . . . . . . 4.2.5 Branching time structures . . . . . . . . . . . . . . . . . . . . . . . . . . 53 53 54 56 57 58 63 63 65 69 74 79 5 Decision procedure and axiomatization 5.1 Tableaux decision procedure for satisfiability . . . . 5.1.1 Tableau data structure and update operations 5.1.2 Tableaux rules . . . . . . . . . . . . . . . . . 5.1.3 Soundness and completeness . . . . . . . . . . 5.1.4 Termination . . . . . . . . . . . . . . . . . . . 5.2 Axiomatization . . . . . . . . . . . . . . . . . . . . . 5.2.1 Admissible forms . . . . . . . . . . . . . . . . 5.2.2 Axiomatization . . . . . . . . . . . . . . . . . 5.2.3 Soundness and completeness . . . . . . . . . . 5.2.4 Theories . . . . . . . . . . . . . . . . . . . . . 5.2.5 Canonical model construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 82 83 84 86 88 90 91 91 92 93 96 6 Computer security application 6.1 Specification of the system . . . . . . 6.1.1 Events or actions? . . . . . . 6.1.2 Labeled Kripke Structures . . 6.2 Deontic extension and compatibility 6.2.1 Deontic extension . . . . . . . 6.2.2 Compatibility . . . . . . . . . 6.2.3 Illustration . . . . . . . . . . 6.3 Decidable fragment . . . . . . . . . . 6.3.1 Preliminaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99 100 100 101 102 103 103 105 106 106 3.3 3.2.1 ’Perfect recall’ property . . . . 3.2.2 ’No learning’ property . . . . . 3.2.3 ’Confluence’ property . . . . . 3.2.4 Obligation and branching time Product . . . . . . . . . . . . . . . . . 3.3.1 Product of modal logics . . . . 3.3.2 Product LT L SDL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii 6.4 6.3.2 Checking internal consistency and compatibility Beyond compatibility . . . . . . . . . . . . . . . . . . . 6.4.1 Policy language . . . . . . . . . . . . . . . . . . 6.4.2 Compliance of a system with its security policy 6.4.3 Diagnostic algorithm . . . . . . . . . . . . . . . 6.4.4 Concluding example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108 111 111 113 124 129 7 Conclusion 133 7.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 7.2 Future investigations . . . . . . . . . . . . . . . . . . . . . . . 134 A Proofs of section 4.1.4 A.1 Proofs of property 11 A.2 Proofs of property 12 141 . . . . . . . . . . . . . . . . . . . . . . 141 . . . . . . . . . . . . . . . . . . . . . . 142 xiv Introduction Cette thèse propose un cadre logique qui permet de traiter des notions de temps et d’obligation, dans le but de spécifier des politiques de sécurité. Le point de départ de ce travail est la nécessité de méthodes formelles pour spécifier et vérifier des propriétés de sécurités spécifiques. Cette introduction présente la sécurité informatique, et introduit le point de vue logique que nous allons adopter. Sécurité Les systèmes informatiques sont présents dans de plus en plus de domaines faisant intervenir des aspects de coopération, de distribution, et de réseau. L’augmentation de la complexité des systèmes a permis de nombreuses innovations, mais a aussi soulevé de nouvelles questions. En particulier, garantir des exigences de sécurité est devenu de plus en plus complexe. Ces exigences sont habituellement classifiées comme suit : – confidentialité : assurance que l’information est partagée seulement par des personnes ou organisations autorisées ; – intégrité : assurance que l’information est authentique et complète ; – disponibilité : assurance que les systèmes chargés de délivrer, stocker, ou traiter des informations sont accessibles en cas de besoin. De manière à garantir ces exigences, une politique de sécurité est traditionnellement spécifiée. Il s’agit d’un ensemble de normes et de procédures à mettre en oeuvre pour assurer au mieux les exigences. Cela consiste par exemple à décrire comment les utilisateurs peuvent accéder au système ou aux informations. 1 2 La modélisation de politiques de contrôle d’accès a été beaucoup étudiée dans la littérature [64, 115, 21, 73, 2]. Une politique de contrôle d’accès consiste en un ensemble de règles qui spécifient quelles actions les sujets sont autorisés à effectuer. Une permission peut ne s’appliquer que lorsque certaines conditions sont satisfaites [94, 42, 121]. Par exemple, dans une banque, la politique de contrôle d’accès peut spécifier qu’un employé a l’autorisation d’accorder un prêt à un client seulement si le montant du prêt est inférieur à 50 000 euros. La politique de contrôle d’accès peut aussi inclure des interdictions qui sont en particulier utiles pour spécifier des exceptions à des permissions. Plus récemment, il a aussi été suggéré de considérer d’autres exigences dans une politique de sécurité qui correspondent à des obligations [22, 41]. Par exemple, la politique peut spécifier que n’importe quel utilisateur dans le système informatique de la banque a l’obligation de changer son mot de passe s’il n’a pas été changé depuis trente jours. Les modèles qui considèrent les obligations vont au-delà du contrôle d’accès et sont utilisés pour spécifier des exigence de contrôle d’usage [99]. Comme exemple d’exigence de contrôle d’usage, la banque peut spécifier dans sa politique qu’il est obligatoire d’interrompre la transaction d’un client sur Internet si celui-ci est resté inactif pendant plus d’une minute. Comme dans de nombreux autres domaines scientifiques, les méthodes formelles sont utiles pour lever certaines ambiguïtés et améliorer la qualité de compréhension et d’analyse. Dans le contexte de la sécurité, l’application de méthodes formelles permet de vérifier que la politique est cohérente, ou qu’un système est conforme à une politique. Méthodes formelles et logiques Les méthodes formelles [98] font références à des techniques et des outils mathématiques pour raisonner de manière rigoureuse. Elles permettent de spécifier, concevoir, et valider des systèmes logiciels et matériels. Les spécifications utilisées dans les méthodes formelles sont des énoncées bien formés dans un langage mathématique, et les validations (ou vérifications) sont des preuves de ces énoncés. La définition d’un tel langage de spécification, assortie d’un moyen de déterminer si un énoncé est vrai, est appelée une logique. Un énoncé dans le langage est une formule. Le moyen de déterminer la «valeur de vérité» d’une formule peut être soit syntaxique soit sémantique. Une déduction syntaxique est une séquence finie de formules, qui commence par un axiome (formule arbitrairement vraie) et telle que chaque formule dans la séquence est obtenue à partir des formules précédentes par l’application d’une règle d’inférence. Le moyen sémantique consiste à donner un cadre intuitif à la définition de la vérité d’une formule. Plusieurs familles de logiques ont été étudiées, selon le domaine d’application. Les logiques constructives 3 sont utilisées en informatique, en particulier avec le but de généré du code à partir de la spécification d’un programme [67, 100]. Chaque formule est associée à une preuve qui démontre cette formule, plutôt qu’à une valeur de vérité (vrai ou faux). Une preuve peut aussi être vue comme un algorithme. Une autre famille de logiques a été développée à l’origine par les philosophes : les logiques modales. Elles étudient au départ les raisonnements qui utilisent les notions de nécessité («il est nécessaire que . . . ») et de possibilité («il est possible que . . . »). Les logiques modales sont maintenant plus largement utilisées pour des concepts comme les croyances [53], les intentions [26], les exécutions de programmes [63], les obligations [136], et les aspects temporels [106]. Les formules modales sont construites à partir d’énoncés atomiques, appelés propositions, et d’opérateurs modaux, qui expriment les notions mentionnées ci-dessus. Dans cette thèse, nous nous focaliserons sur les obligations et les aspects temporels, habituellement étudiés à l’aide des logiques temporelles et déontiques. La logique temporelle a été introduite par Prior [106, 107], pour exprimer des phrases comme «il sera toujours le cas que . . . », «il sera un jour le cas que . . . », qui correspondent respectivement aux opérateurs modaux G et F . Kamp [74] a proposé une extension avec l’opérateur binaire U (until) : A U B signifie que A est vrai, et reste vrai jusqu’à ce que B le devienne. Pnueli a proposé en 1977 d’utiliser la logique temporelle pour la spécification et la vérification des systèmes réactifs [101]. Cette idée a donné lieu, peu après, à une technique de vérification appelée vérification de modèle (model checking en anglais) [38, 108]. La première étape consiste à fournir un modèle du système à vérifier - en général, un automate fini - dans un formalisme accepté par l’outil de vérification de modèle. La seconde étape consiste à spécifier le propriété exigée par une formule logique. L’outil applique ensuite une procédure de parcours pour déterminer si la formule est vraie dans l’abstraction du système. Dans les années 80, lors des débuts de la vérification de modèle, il n’était possible que de gérer des systèmes avec quelques milliers d’états. Aujourd’hui, de grands progrès dans les techniques permettent une bien meilleure efficacité, mais l’explosion de l’espace d’états reste un défi important. Le premier système de logique déontique a été introduit par Mally en 1926 [90] ! Malheureusement, ce système a de nombreuses propriétés indésirables, et la logique déontique est seulement devenue un domaine de recherche actif après le premier système de von Wright [136], dont la version avec modèle de Kripke est connue sous le nom de Logique Déontique Standard (Standard Deontic Logic, ou SDL, en anglais). Depuis lors, les logiciens ont soulevé des paradoxes dans SDL, et proposé différentes variantes de SDL pour les éliminer. Cet aspect sera discuté dans le chapitre suivant. Nous pensons que la logique déontique peut être utile à la sécurité informatique dans un contexte où les normes peuvent être violées, et où on voudrait raisonner explicitement sur ces violations. Ça concerne typiquement une politique de 4 sécurité qui spécifie des contraintes faibles. Considérons, par exemple, les règles suivantes dans un contexte d’allocation de ressource : (1) useri a l’obligation de libérer la ressource r après 5 unités de temps d’utilisation ; (2) Si useri utilise la ressource sans la permission, alors il doit ne plus la demander pendant 10 unités de temps. La règle (1) spécifie que useri a l’obligation de libérer la ressource r lorsqu’une certaine condition est vraie. Cette obligation peut être violée, et la règle (2) raisonne explicitement sur cette violation. La logique déontique semble appropriée pour spécifier et raisonner sur ces notions. Par ailleurs, ces deux règles contiennent clairement un aspect temporel. Notre travail consiste à combiner les logiques temporelles et déontiques de manière à pouvoir – exprimer de telles politiques de sécurité ; – vérifier qu’une politique est cohérente ; – vérifier qu’un système est conforme à une politique. Plan du document Cette thèse est organisée de la manière suivante. Le chapitre 2 présente des concepts logiques basiques. Nous y développons les aspects syntaxiques et sémantiques des logiques modales. Nous étudions d’abord les logiques déontiques, qui traitent des obligations, permissions, et interdictions, puis nous nous intéressons aux logiques temporelles. Nous détaillons particulièrement le cas du temps discret et linéaire, dans lequel nous nous situerons dans la suite de la thèse, puis présentons plus brièvement les principales logiques du temps arborescent, et du temps continu. Le chapitre 3 introduit la combinaison des logiques temporelle et déontique. Tout d’abord, nous présentons rapidement les autres propositions pour combiner ces notions, et les mettons en relation avec notre approche. Ensuite, nous appliquons la plus simple des combinaisons logiques, appelée fusion, aux logiques temporelle et déontique, et discutons les variantes déontiques des propriétés d’interaction temporelles-épistémiques connues. Enfin, nous présentons le produit de logiques modales, une manière générique de combiner des logiques en garantissant certaines propriétés d’interaction. Dans le chapitre 4, nous considérons le produit des logiques temporelle et déontiques comme un point de départ. Nous nous intéressons à une nouvelle propriété d’interaction, que nous appelons propriété de propagation, particulièrement intuitive dans le contexte temporel et déontique. Nous étudions dans un premier temps la propagation des obligations avec délai. Nous proposons alors deux sémantiques possibles pour un opérateur dédié à l’obligation 5 avec délai, et discutons certaines propriétés caractéristiques pour chacune. Dans un deuxième temps, nous présentons une formulation plus générale de la propriété de propagation, qui concerne une disjonction de formules temporelles particulières. Nous proposons ensuite une sémantique intuitive qui valide la propagation, mais perd l’axiome D (garant de la cohérence des obligations entre elles). De plus, si nous considérons seulement la classe des modèles qui satisfait l’axiome D, alors aucune violation n’est satisfiable. Nous prenons alors le problème sous un angle différent, et recherchons une condition nécessaire et suffisante, sur un modèle temporel et déontique arbitraire, pour valider la propriété de propagation. La conclusion est que lorsque une obligation est violée à un certain instant, alors des propriétés indésirables surviennent à partir de cet instant. Nous raffinons alors notre sémantique à l’aide d’une relation de préférence, de manière à ce que l’axiome D soit valide, et que la propriété de propagation ne soit satisfaite que dans les états qui ne violent pas d’obligations immédiates. Le chapitre 5 présente une procédure de décision basée sur une méthode des tableaux, ainsi qu’une axiomatisation, pour le fragment de notre logique sans l’opérateur «until». La sémantique de l’obligation semble trop complexe pour développer des directement de tels outils pour notre logique. En effet, deux quantificateurs différents sont cachés dans la définition sémantique de l’opérateur d’obligation. Nous proposons de décomposer cet opérateur à l’aide de nouveaux opérateurs plus simples. Nous développons alors un système de tableaux, et une axiomatisation pour cette logique. L’axiomatisation comporte deux règles d’inférence non classiques qui correspondent à deux particularités de la logique : d’une part, une des relations d’accessibilité dépend des valuations, et d’autre part, un des opérateurs est interprété par l’intersection de deux relations d’accessibilité. Le chapitre 6 propose une application à la sécurité de l’étude logique présentée dans les chapitres précédents. Nous considérons un modèle d’un système, et une formule temporelle déontique qui spécifie la politique. Le but est de déterminer d’une part si la politique est cohérente, et d’autre part si le système est conforme à la politique. La cohérence d’une politique est réduite à la satisfiabilité de la formule correspondante. La première définition de conformité à laquelle nous parvenons est une version faible appelée compatibilité. Dans le cas général, nous n’avons pas de résultat de décidabilité, ni pour la vérification de cohérence, ni pour la vérification de conformité. Nous exhibons alors un fragment de notre logique temporelle déontique tel que les deux problèmes sont décidables pour une politique exprimée dans ce fragment. Nous réduisons de nouveau le langage pour pouvoir définir une version plus forte de la conformité. En fait, une analyse approfondie montre la nécessité de raffiner la notion de conformité en cinq différents cas de diagnostic qui donnent des «niveaux de conformité». Nous fournissons enfin un algorithme qui permet d’établir ce diagnostic (la correction et la terminaison sont établies). 6 Dans le chapitre 7, nous concluons la thèse et discutons quelques perspectives. Indications bibliographiques Le contenu de cette thèse a été partiellement publié dans différentes communications. La partie 3.2 du chapitre 3 est extraite de [31]. L’étude de l’obligation avec délai dans un produit de logiques (chapitre 4, partie 4.1) vient de [32]. La sémantique qui garantit la propriété de propagation (chapitre 4, partie 4.2) a été publiée dans un travail commun avec Jan Broersen [28, 29]. La procédure de décision et l’axiomatisation pour cette sémantique (chapitre 5) sont extraites d’un travail commun avec Philippe Balbiani et Jan Broersen [17]. Le chapitre 6 est une version enrichie d’un article écrit avec Frédéric Cuppens, Nora Boulahia-Cuppens, et Thierry Sans [33]. Bien entendu, mes directeurs de thèse, Jean-Paul Bodeveix et Mamoun Filali-Amine, ont contribué à toutes les parties ce travail, qu’ils apparaissent ou non en tant que co-auteurs. 1 Introduction This thesis deals with providing a logical framework which handles the notions of time and obligation, with the aim of being useful to computer security. The starting point of this work is a need for formal tools to specify and verify some specific security properties. This introduction presents the security context in which the thesis takes place, and introduces the logical point of view we will adopt. 1.1 Security Electronic systems are present in more and more areas which involve cooperation, distribution, and networking aspects. This growth of systems’ complexity has brought many innovations, but has also raised several new concerns. In particular, ensuring security requirements have become more and more complex. These requirements are usually classified as follows: • confidentiality: assurance that information is shared only among authorised persons or organisations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the confidentiality of information; • integrity: assurance that information is authentic and complete, i.e., that information can be relied upon to be sufficiently accurate for its purpose; • availability: assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those who need them. In order to ensure these requirements, a security policy is traditionally specified. A security policy is a set of regulations and laws that describes 7 8 CHAPTER 1. INTRODUCTION how users may access the system or information. It regulates how entities access objects in a system. Modelling such access control policies has been extensively investigated in the literature [64, 115, 21, 73, 2]. An access control policy corresponds to a set of permission rules which specifies which actions subjects are authorized to perform in the information system controlled by this policy. A permission may only apply when some contextual conditions are satisfied [94, 42, 121]. For instance, in a bank, the access control policy may specify that a clerk is permitted to grant a loan to a customer, only if the amount of the loan is less than 50,000 euros. The access control policy can also include prohibitions that are especially useful to specify exceptions to permissions. More recently, it has also been suggested to consider other requirements in the security policy that correspond to obligations [22, 41]. For instance, the policy may specify that any user in the bank information system is obliged to change his or her password if this password has not been changed for more than 30 days. Models that consider obligations go beyond access control and are used to specify usage control requirements [99]. As an example of usage control requirement, the bank can specify in its policy that it is obligatory to stop the internet transaction of a bank customer if this user has been idle for more than one minute. As in many other scientific areas, formal methods are useful in order to avoid ambiguities and improve quality of understanding and model analysis. In the context of security, applying formal methods allows to verify that a policy is coherent, or that a system complies with a policy. 1.2 Formal methods and logics ’Formal Methods’ [98] refers to mathematically rigorous techniques and tools for the specification, design, and verification of software and hardware systems. The phrase ’mathematically rigorous’ means that the specifications used in formal methods are well-formed statements in a mathematical language and that the formal verifications are rigorous proofs of these statements. The definition of such a language with a way to determine whether a statement is true, is called a logic. A statement in the language is called a formula. The way to determine the truth of a formula can be can be either syntactic or semantic. A syntactic deduction is a finite sequence of formulas, which starts from an axiom (arbitrary true formula), such that each formula in the sequence is obtained from earlier formulas by applying some inference rule. The semantic way aims at giving an intuitive framework to the definition of truth for a formula. Several families of logics have been investigated, depending on the application area. Constructive logics are used in computer science, in particular with the aim of generating code from the specification of a program [67, 100]. Each formula is associated with a proof which 1.2. FORMAL METHODS AND LOGICS 9 demonstrates this formula, instead of a value (true or false). A proof of a formula can also be seen as an algorithm. Another family of logics, originating from philosophy, is called modal logic. It originally studies reasoning that involves the use of the expressions “necessarily” and “possibly”. Modal logics are now used more broadly for concepts such as belief [53], intention [26], program execution [63], obligation [136], and temporal ordering [106]. Modal formulas are built from atomic statements, called propositions, and modal operators, which handle the above-mentioned notions. Here, we focus on obligation and temporal ordering, usually addressed through deontic and temporal logics. Temporal logic was introduced by Prior [106, 107], in order to express sentences as ’henceforth, it will be the case that . . . ’, and ‘it will eventually be the case that . . . ’ corresponding to modal operators G and F respectively. Kamp proposed an extension with binary modal operator U (read until): A U B means that A is true, and remains true until B becomes true. Pnueli proposed in 1977 to use temporal logic for the specification and the verification of reactive systems [101]. This idea gave rise, shortly after, to the verification technique called temporal logic model checking [38, 108]. The first step is to provide a model of the system to verify - usually, a finite state transition graph - in a formalism accepted by a model checking tool. The second step consists in specifying the required property as a logic formula. The model checker then applies a search procedure to determine whether the formula is true in the abstraction of the system. In the 1980s, when temporal model checking was first developed, it was only possible to handle systems with a few thousands states. Even if today, sophisticated procedures have a better efficiency, state space explosion problem remains an important challenge. The first logical system of deontic logic was introduced by Mally in 1926 [90]! Unfortunately, this system had a lot of undesirable theorems, and deontic logic has only become an ongoing active academic area after the first system of von Wright [136], of which the first Kripke-style version is known as Standard Deontic Logic (SDL). Since then, logicians have raised some paradoxes in SDL, and proposed different variants of SDL to avoid them. This we will be discussed in the first chapter. According to us, deontic logic can be useful in computer security in a context where norms can be violated, and where we want to reason explicitly about these violations. This typically concerns a security policy which specifies some soft (violable) constraints. Consider for instance, the following rules in a resource monitoring context: (1) useri has to release resource r after 5 time units of utilization; (2) if useri uses the resource without the permission, then he must not ask for it for 10 time units. CHAPTER 1. INTRODUCTION 10 Rule (1) specifies that useri is obliged to release resource r when some condition is true. This obligation can be violated, and rule (2) explicitly reasons about this violation. Deontic logic seems appropriate to express and reason about these notions. Besides, both rules clearly capture temporal aspects. Our work consists in combining temporal and deontic logics so that we can easily • express such security policies; • check that a policy is coherent; • check that a system is compliant with a policy. 1.3 Outline This dissertation is organized as follows. Chapter 2 deals with basic logical concepts. We review syntactic and semantic aspects of modal logic. Firstly, we present the family of modal logics which model deontic concepts. Secondly, we focus on temporal logics. We especially develop the linear and discrete time case, in which we are particularly interested. We also present the main temporal logics of branching-time and of continuous time. Chapter 3 introduces the combination of temporal and deontic logics. Firstly, we give a brief presentation of other attempts to combine these notions, and express how we are in relation with them. Secondly, we apply the simplest logical combination, called fusion, to temporal and deontic logics, and discuss deontic variants of temporal-epistemic interaction properties. Then, we present the product of modal logics, a natural and generic logic combination, which ensures these interaction properties. In chapter 4, we take the product of temporal and deontic logics as a starting point. We investigate another interaction property, called propagation property, which is particularly intuitive in a temporal and deontic context. We first discuss the propagation of deadline obligations. We propose two possible semantics for an operator dedicated to obligation with deadline, and discuss some characteristic properties for each one. Secondly, we provide a more general formulation of the propagation property, which concerns a special temporal disjunction. We propose an intuitive semantics which validates the propagation, but loses axiom D (which guarantees the coherence of obligations). Moreover, if we only consider the class of models which satisfy axiom D, then no violation is satisfiable. We then consider the problem from a different point of view, and look for a necessary and sufficient condition on an arbitrary temporal deontic model to validate the propagation property. The conclusion is that when an obligation is violated at some moment, undesirable properties necessarily occur from that instant 1.4. BIBLIOGRAPHIC NOTES 11 on. We then refine our semantics with a preference-based deontic relation, so that the propagation property is only satisfied in the states that do no violate any immediate obligations. Chapter 5 deals with a tableaux-like decision procedure and an axiomatization for the until-free fragment of this logic. The semantics of obligation seems too complicated to develop logical tools. Two different quantifiers are hidden in the semantic definition of the obligation operator. We propose to decompose this operator into more simple ones. We then develop a tableau system with explicit accessibility relations, and an axiomatization with nonclassical rules which handle the two following semantic particularities of our logic: one of the accessibility relations depends on valuations, one operator corresponds to the intersection of two accessibility relations. Chapter 6 provides a security application of the logical study. We consider a model of a system, and a temporal deontic formula which specifies the policy. The goal is to determine whether the policy is coherent on the one hand, and whether the system complies with the policy on the other hand. The coherence of a policy is reduced to the satisfiability of the corresponding formula. The first definition of compliance we come up with is a weak version called compatibility. In the general framework, we have no decidability result, neither for coherence checking, nor for compliance checking. We then exhibit a fragment of our temporal deontic logic such that for a policy expressed in this fragment, both problems are decidable. We then constrain again the policy language in order to define a stronger version of compliance. Actually, a careful analysis shows the necessity to refine the notion of compliance into five different diagnostic cases which give ’levels of compliance’. A terminating and correct algorithm is provided to establish the diagnostic. In chapter 7 we conclude the thesis and discuss some perspectives. 1.4 Bibliographic notes The content of this thesis has been partially published in several communications. Section 3.2 of chapter 3 is extracted from [31]. The study of deadline obligations in a product settings (chapter 4, section 4.1) comes from [32]. The semantics which ensures the propagation property (chapter 4, section 4.2) has been published in a joint work with Jan Broersen [28, 29]. Decision procedure and axiomatization for this semantics (chapter 5) are extracted from a joint work with Philippe Balbiani and Jan Broersen [17]. Chapter 6 is the sequel of a paper with Frédéric Cuppens, Nora Boulahia-Cuppens, and Thierry Sans [33]. Of course, my supervisors Jean-Paul Bodeveix and Mamoun Filali-Amine have played an important role in all parts of this work, whether they appear or not as co-authors. 12 CHAPTER 1. INTRODUCTION 2 Basic logical concepts In this chapter, we introduce the basic concepts of logics which are needed in the remainder of the Ph.D. thesis. Section 2.1 deals with some general points of modal logic: we present Hilbert-style axiomatization, possible worlds semantics, and some basics about correspondence between axioms and semantic conditions. Section 2.2 focuses on deontic logic. Section 2.3 introduces temporal logic, and section 2.4 presents model-checking results for temporal logics. 2.1 Modal logic In this section, we present some basics of modal logic. We stay in the framework of unimodal logic because it is simpler to write and sufficient for the remainder of the thesis, although every definition can easily be extended to multimodal logic. Definition 1 (Modal language). Given a set P of atomic propositions, the propositional modal language ML is defined as ϕ ::= p | ⊥ | ϕ ⇒ ϕ | ϕ where ⊥ is a constant (’false’) and p ∈ P is an atomic proposition. The usual boolean operators are defined in terms of the constant ⊥ and the operator ⇒: def def ¬ϕ = ϕ ⇒ ⊥ = ¬⊥ def def ϕ1 ∨ ϕ2 = (¬ϕ1 ) ⇒ ϕ2 ϕ1 ∧ ϕ2 = ¬(¬ϕ1 ∨ ¬ϕ2 ) def is called the necessity modal operator and ♦ = ¬¬, defined as its dual, is called the possibility operator. We can define similarly the propositional n-modal language MLn with n necessity and n possibility operators 1 , . . . , n and ♦1 , . . . , ♦n . 13 CHAPTER 2. BASIC LOGICAL CONCEPTS 14 A logical system in general, and a modal system in particular, consists in singling out and describing a subset of formulas considered as true, no matter what values are assigned to their variables. There are two ways of defining logics: semantic and syntactic. Both complement each other. Usually, the semantic way introduces a semantic domain and explains the meaning of the logical constants and connectives as operators of the semantic domain, while the syntactic way reasons about the structure of a formula. 2.1.1 Axiomatics As a syntactic way, we consider in this thesis Hilbert-style inference systems. They consist in indicating which formulas are chosen as axioms, and defining inference rules. A derivation of a formula ϕ in such a system is a finite sequence ending with ϕ and such that each formula in the sequence is either an axiom or obtained from earlier formulas in the sequence by applying some inference rule. The logic of the inference system is then defined as the set of all derivable formulas. A set of ML-formulas which contains • all axioms of propositional logic • the modal axiom scheme (K) (ϕ1 ⇒ ϕ2 ) ⇒ (ϕ1 ⇒ ϕ2 ) (K) and which is closed under the following inference rules • ϕ1 ϕ1 ⇒ϕ2 Modus Ponens (MP) ϕ2 ϕ(x ,...,x ) • ϕ(ψ /x1,...,ψn /x ) Uniform Substitution (US) 1 1 n n where ϕ(ψ1 /x1 , . . . , ψn /xn ) is obtained from ϕ(x1 , . . . , xn ) by substituting formulas ψ1 , . . . , ψn for the atomic propositions x1 , . . . , xn in ϕ. ϕ • ϕ Necessitation is called a normal modal logic. The minimal normal modal logic is denoted by K (its only axioms and inference rules are the ones listed above). It is too weak to provide an adequate account of necessity. For instance, axiom ϕ ⇒ ϕ, called T , is not provable in K , but it is clearly desirable. It claims that whatever is necessary is the case. On the other hand, axiom T is not correct if we read as it is obligatory that, or some agent believes that. Thus, depending on the concept to be modeled, several modal systems have been introduced. 2.1. MODAL LOGIC 15 Actually, every modal logic L can be obtained be extending system K with a set Γ of extra axioms. In this case, we note L=K⊕Γ Here are some modal systems obtained by enriching K with extra axioms. def ⊕ ϕ ⇒ ♦ϕ def ⊕ ϕ ⇒ ϕ • KD = K • KT = K def • S4 = KT def • S5 = S4 2.1.2 ⊕ ⊕ ϕ ⇒ ϕ ϕ ⇒ ♦ϕ Semantics The semantic way aims at giving an intuitive framework to the definition of truth for a modal formula. It has been developed by Hintikka [69] and Kripke [78, 77]. Necessity is then understood as truth in all possible worlds. Thus, structures in which formulas are interpreted contain different worlds which can have some alternatives. Every world ’lives’ under the laws of classical logic: an atomic proposition is either true or false in it, and the truth-values of a boolean combination of atoms (propositional formulas) is determined by boolean truth-tables. Definition 2 (Possible worlds semantics). The semantics of ML-formulas is given through relational structures F = (W, R) called Kripke frames, or simply frames. • W is non empty a set of worlds • R ⊆ W × W is an accessibility relation on W which associates each world with a set of alternative worlds A valuation V : W → 2P for a structure F = (W, R) is a function which associates each world with a set of atomic propositions. The pair (F, V ) is called a Kripke model, or simply a model. Figure 2.1 shows an illustration of a model, where the states are the circles, the accessibility relation is represented by the arrows, and the valuation by the sets of atomic propositions associated with each state. We can now define the conditions under which a world of a model satisfies a formula. CHAPTER 2. BASIC LOGICAL CONCEPTS 16 {q} {p, q} {p} Figure 2.1: Kripke model Definition 3 (Satisfaction). Given a frame F = (W, R), a valuation V for F , and a formula ϕ, we can define the satisfaction relation |= by induction on ϕ, where F, V, w |= ϕ is read as ’ϕ is satisfied by the world w of the model (F, V )’ or ’ϕ is true in the world w of the model (F, V )’: F, V, w F, V, w F, V, w F, V, w |= p ⊥ |= ϕ1 ⇒ ϕ2 |= ϕ iff p ∈ V (w) iff iff if F, V, w |= ϕ1 then F, V, w |= ϕ2 ∀w ∈ W if wRw then F, V, w |= ϕ where p∈P When there is no ambiguity, we write w |= ϕ instead of F, V, w |= ϕ for the sake of brevity. The semantics of MLn -formulas is then given through structures F = (W, R1 , . . . , Rn ) with n accessibility relations, called n-frames. A model (F, V ) satisfies ϕ if every world in W satisfies it. F, V |= ϕ iff ∀w ∈ W F, V, w |= ϕ A frame F validates ϕ if every model based on F satisfies it. F |= ϕ iff for every valuation V F, V |= ϕ A formula ϕ is valid if every frame validates it. |= ϕ iff for every frame F F |= ϕ A formula ϕ is satisfiable if there exists a model and a world which satisfies it, or equivalently, if its negation is not valid. 2.1. MODAL LOGIC 17 Definition 4 (Logic: a semantic definition). • Given a class C of frames, we can define the set Log(C) of the formulas that every frame of C validates: def Log(C) = {ϕ / ∀F ∈ C F |= ϕ} It is easy to check that Log(C) is a normal modal logic, and we call it the logic of C. • A normal logic L is said to be sound with respect to C if ∀ϕ ∈ L ∀F ∈ C F |= ϕ, i.e., L ⊆ Log(C). L is complete with respect to C if every formula which is valid in every frame of C is in L, i.e., Log(C) ⊆ L. L is determined, or characterized by C if L = Log(C). • A logic L is Kripke-complete if there exists a class C of frames such that L = Log(C). • Then F r(L) denotes the class of all the frames which validate every formula of L. For L Kripke complete, it can be proved that L = Log(F r(L)) [23, 57]. An attractive feature of the possible worlds semantics is that many logics are characterized by classes of frames satisfying simple conditions. For instance, we have the following completeness results concerning the modal logics introduced in section 2.1.1. Theorem 1 (Completeness [78]). The logics K, KD, KT, S4, and S5, are Kripke-complete. Besides, we have: • F r(KD) is the class of all frames (W, R) such that R is serial1 . • F r(KT) is the class of all frames (W, R) such that R is reflexive. • F r(S4) is the class of all frames (W, R) such that R is reflexive and transitive. • F r(S5) is the class of all all frames (W, R) such that R is an equivalence relation, i.e., R is reflexive, transitive, and symmetric. Another related issue is the direct translation of a modal axiom schema into a condition on Kripke frames: Correspondence theory [125, 126] studies the class of frames which is ’defined’ by a given formula. We say that a formula ϕ defines the class C of frames if F ∈ C iff F validates ϕ, for every frame F . Actually, every axiom schema we have considered to enrich the logic K defines a simple class of frame, independently of a deduction in modal logic. 1 ∀w ∈ W ∃w ∈ W such that wRw 18 CHAPTER 2. BASIC LOGICAL CONCEPTS Theorem 2 (Correspondence). Here are the class of frames which are defined by each of the previously considered axiom schemas. (axiom T) (axiom D) (axiom 4) (axiom B) Axiom schema ϕ ⇒ ϕ defines the frames (W, R) such that R is reflexive. Axiom schema ϕ ⇒ ♦ϕ defines the frames (W, R) such that R is serial. Axiom schema ϕ ⇒ ϕ defines the frames (W, R) such that R is transitive. Axiom schema ϕ ⇒ ♦ϕ defines the frames (W, R) such that R is symmetric. Automatic translations of modal formulas into such conditions on frames have been widely studied. In particular, Sahlqvist [114] exhibited a class of formulas, called Sahlqvist formulas, which have nice correspondence properties. Indeed, although in general, every modal formula is equivalent to a second-order condition on frames, a Sahlqvist formula ϕ have a first-order equivalent F O(ϕ) (this first-order equivalent can be obtained in an effective way). Moreover the logic K ⊕ ϕ is characterized by the frames which satisfy F O(ϕ). Definition 5 (Sahlqvist formulas). Let a positive (resp. negative) formula of modal logic be one where all atomic propositions occur in the scope of an even (resp. odd) number of negation signs only. Let a Sahlqvist antecedent be a formula that is built up from atomic proposition prefixed by any finite number of necessity operators and negative formulas, using only ∧ and ∨, and the possibility operator ♦. For example, ♦p is a Sahlqvist antecedent, whereas ♦p and (p ∨ q) are not. Then, a Sahlqvist formula is any formula that may be obtained by applying conjunctions and necessity operators to implications of the form ϕ1 ⇒ ϕ2 , where ϕ1 is a Sahlqvist antecedent, and ϕ2 is a positive formula. Theorem 3 (Sahlqvist theorem [114]). Let ϕ be a Sahlqvist formula. There is a computable first order condition on frames F O(ϕ) such that (1) ϕ defines the frames (W, R) which satisfy F O(ϕ), (2) the logic K ⊕ ϕ is characterized by the frames which satisfy F O(ϕ). Actually, item (2) is more general: it applies not only to K but also to any canonical logic. The notion of canonicity of a logic will not be defined here. Remark 1. Axioms T, D, 4, and B are Sahlqvist formulas. We now provide the results of decidability and complexity for the previously introduced logics. A logic L is said to be decidable if the satisfiability problem for L is decidable. For proofs consult [81, 34]. 2.2. DEONTIC LOGIC 19 Theorem 4 (Decidability). All the logics K, KD, KT, S4, and S5, are decidable. The satisfiability problem for K, KD, KT, and S4 is PSPACEcomplete. The satisfiability problem for S5 is NP-complete. 2.2 Deontic logic Instead of presenting an exhaustive state of the art in deontic logic, we discuss Standard Deontic Logic (SDL) introduced by Von Wright [136], and some direct extension. We will not deal with non-monotonic/defeasible logics [56, 105, 72], which are useful to model argumentation or legal reasoning. 2.2.1 Standard Deontic Logic SDL One of the first logical systems which attempted to capture obligation was published in 1951 by Von Wright [136], of which the modal Kripke-style version is known as Standard Deontic Logic (SDL). Definition 6 (SDL). Standard Deontic Logic SDL is the modal logic KD, where the necessity operator, which expresses obligation, is denoted O instead of , and the possibility operator, which expresses permission, is denoted by P instead of ♦. Axiom D expresses that every obligatory formula is permitted, i.e., not forbidden. Another formulation of axiom D is that a formula cannot be both obligatory and forbidden. Definition 7 (SDL semantics). As stated in theorem 1, SDL can be defined as the logic which is characterized by the class of all the serial frames: SDL = Log({F / F is serial}). A SDL-frame is then a Kripke frame F = (W, R) such that R is serial, a SDL-model is a triple M = (W, R, V ) such that (W, R) is an SDL-frame and V is a valuation on W . Since the modal operators express obligation and permission instead of necessity and possibility, we now consider that the accessibility relation R gives ideal alternative worlds, i.e., worlds in which what is obligatory effectively occurs. The fact that R is serial means that in every world, there exists at least one ideal alternative. If there were a world from which no ideal world is accessible, then everything would be obligatory in this world. 2.2.2 Some theorems and paradoxes Here are some theorems in SDL (see e.g. [95] for a more detailed discussion): • O(ϕ1 ∧ ϕ2 ) ⇔ O(ϕ1 ) ∧ O(ϕ2 ) (distributivity of O over ∧) CHAPTER 2. BASIC LOGICAL CONCEPTS 20 • P (ϕ1 ∨ ϕ2 ) ⇔ P (ϕ1 ) ∨ P (ϕ2 ) (distributivity of P over ∨) • P (ϕ1 ∧ ϕ2 ) ⇒ P (ϕ1 ) ∧ P (ϕ2 ) • O (ϕ1 ∨ ϕ2 ) ∧ O(¬ϕ1 ) ⇒ O (ϕ2 ) • O (ϕ1 ) ⇒ O(ϕ1 ∨ ϕ2 ) (Ross’s paradox) Ross claims [111] that this theorem is not intuitive under a commonsense reading: being obliged to post a letter does not imply being obliged to post it or to burn it. According to many deontic logicians, the paradox is due to an incorrect reading [68]. First, SDL reasons about state propositions, and obligation to satisfy state formulas, whereas the letter example reasons about obligation to perform some action. In order to distinguish these two kinds of obligations, the denominations ’obligation to be’ and ’obligation to do’ are often used. An obvious difference is that the latter implicitly refers to an agent, whereas the former does not. If we read O(ϕ1 ) as ’it is obligatory to satisfy the condition ϕ1 ’, then it makes perfect sense to say that it entails that ’it is obligatory to satisfy the condition ϕ1 ∨ ϕ2 ’, because this latter condition is a logical consequence of the former condition. (Penitent’s paradox) • O (¬ϕ1 ) ⇒ O¬(ϕ1 ∧ ϕ2 ) This theorem is obtained by substituting ¬ϕ1 and ¬ϕ2 for ϕ1 and ϕ2 respectively in the latter theorem. It is considered as Penitent’s paradox. If it is forbidden to do a crime, then it is forbidden to do a crime and do a penitence. Again, if O(ϕ) is correctly interpreted as ’it is forbidden to satisfy the condition ϕ’, then this theorem poses no problem. One of the most serious paradoxes in SDL involves the notion of contraryto-duty (CTD) obligations. These have to do with the specification of norms which apply in case some other norms have already been violated. The best known example is given by Chisholm [37]. Although the four following statements are consistent, their formulation in SDL is not. 1. it is obligatory that John goes to the assistance of his neighbors 2. if John does go then it is obligatory that he tells them he is coming 3. if John doesn’t go, then it is obligatory that he does not tell them he is coming 4. John doesn’t go Let ϕ1 express ’John goes to the assistance of his neighbors and ϕ2 express ’John tells them his coming’. The formalisation of (1) and (4) as O (ϕ1 ) and ¬ϕ1 respectively is straightforward. On the other hand, the formalisation of 2.2. DEONTIC LOGIC 21 conditional obligations (2) and (3) is unclear. Indeed, do we have to model (2) as ϕ1 ⇒ O(ϕ2 ) or as O(ϕ1 ⇒ ϕ2 )? Both formulations seem reasonable, but ϕ1 ⇒ O(ϕ2 ) is derivable from (4) (¬ϕ1 ), whereas all of (1)-(4) are intuitively independent from each other. Similarly, among both formulations of (3) ¬ϕ1 ⇒ O(¬ϕ2 ) and O(¬ϕ1 ⇒ ¬ϕ2 ), the latter is derivable from (1) (O(ϕ1 )). So, the four sentences are traditionally expressed as follows: 1. O(ϕ1 ) 2. O(ϕ1 ⇒ ϕ2 ) 3. ¬ϕ1 ⇒ O(¬ϕ2 ) 4. ¬ϕ1 In SDL, this set (1)-(4) is inconsistent, contrary to the intuition behind the four initial sentences. In conclusion, SDL cannot handle this situation: either the considered statements are logically dependent, or they are inconsistent. Several analyses and solutions have been proposed to solve CTD paradoxes. Some solutions are based on a temporal reading of paradoxes [49, 129, 15, 27]. Temporal deontic logics will be dealt with in the next chapter. Another direction is to handle defeasible reasoning with nonmonotonic logics [112, 93]. Statement 1 is then considered as a defeasible rule, and rule 3 applies in exceptional circumstances (John does not go to the assistance of his neighbours). If these exceptional circumstances hold, then rule 3 ’defeats’ rule 1. There is no conflict because rule 1 and rule 3 does not apply in the circumstances. Many arguments have been developed against the defeasible view of CTD obligations (see, e.g., [104, 127]). Indeed, it fails to model that when the secondary obligation applies (’it is obligatory that John does not tell he is coming’), the primary obligation (’it is obligatory that John goes to the assistance of his neighbours’) is violated. Some works [103, 104, 130, 127] have followed another direction, based a on a dyadic obligation operator, with a preference semantics. 2.2.3 Dyadic deontic logic based on a preference relation In this section, we present Hansson’s Dyadic Standard Deontic Logic 3 (DSDL3) [62], the first logic to propose a semantics based on a preference relation (denoted by ) for a dyadic obligation operator. This idea gave rise to extensions of DSDL3 [104, 127] and other deontic systems [12, 71]. An obligation to satisfy ϕ1 given ϕ2 is true, denoted by O(ϕ1 /ϕ2 ), holds either if there is no world which satisfies ϕ2 , or if ϕ1 is satisfied by the best worlds (maximal for ) among those which satisfy ϕ2 . CHAPTER 2. BASIC LOGICAL CONCEPTS 22 Definition 8 (Preference semantics). A model is a tuple M = (W, , V ) where • W is a set of worlds • ⊆ W × W is a transitive and complete (or total) binary relation, viewed as a preference relation. w w is read as w is at least as good as w. – (transitivity) w ∀w, w , w ∈ W if w w and w w then w – (completeness, or totality) w ∀w, w ∈ W w w or w • V : W → 2P is a valuation function on W The formal semantics of a conditional obligation O(ϕ1 /ϕ2 ) is given as follows: w |= O(ϕ1 /ϕ2 ) iff or ∀w ∈ W w |= ¬ϕ2 ∃w ∈ W such that w |= ϕ2 and ∀w ∈ W if w w then w |= ϕ2 ⇒ ϕ1 Notice that O(ϕ1 /ϕ2 ) is true in a world w iff it is true in every world. The Chisholm scenario, now formulated as follows, is consistent. 1. O(ϕ1 ) 2. O (ϕ2 /ϕ1 ) 3. O (¬ϕ2 /¬ϕ1 ) 4. ¬ϕ1 Notice, however, that from O(¬ϕ2 /¬ϕ1 ) and ¬ϕ1 , we cannot deduce O(¬ϕ2 ), i.e., the derivation usually called ’deontic detachment’ does not hold. This problem has been taken care of in some above-mentioned extensions, which are out of the scope of this thesis. 2.3 Temporal logic Temporal logic corresponds to one of the most usual modal logics, and has become essential in computer science for the specification of reactive systems. Its modal operators may concern the future (it is always true that . . . , it will eventually be true that . . . ) or the past (it has always been true that . . . , ϕ1 is true since ϕ2 was true). Because of two dyadic operators (until and since), the language and the semantics does not fit exactly with the generic 2.3. TEMPORAL LOGIC 23 framework described in section 2.1. Another difference between temporal logic and other modal logics is the presence of initial worlds. Temporal logics are often classified according to whether time is assumed to have a linear or a branching structure. Another classification is made between discrete and continuous models of time. We will introduce temporal logic trough linear temporal logic with discrete time, known as Linear Temporal Logic (LT L). In section 2.3.2, we will present LT L semantics more in details, and in section 2.3.4 we will introduce an axiomatization of LT L. In section 2.3.5, we will present more shortly branching-time temporal logic, and in section 2.3.6 we will be interested in timed logic. 2.3.1 Linear temporal logic Linear Temporal Logic (LT L) studies temporal properties in the framework of a linear and discrete time. Here are the main temporal operators of LT L. Future operators Xϕ next ϕ ϕ1 U ϕ2 ϕ1 until ϕ2 Past operators X −1 ϕ previous ϕ ϕ1 S ϕ2 ϕ1 since ϕ2 Xϕ means that ϕ will hold in the next state, and X −1 ϕ means that there is a previous state, and it satisfies ϕ. The same symmetry stands between U and S: ϕ1 U ϕ2 means that ϕ2 will be true, eventually, at some moment i, and ϕ1 is true from now until the moment before i, whereas ϕ1 Sϕ2 means that ϕ2 was true, in the past, at some moment i, and ϕ1 has been true from the moment after i until now. The usual temporal operators G (always), G−1 (always in the past), F (eventually), and F −1 (eventually in the past ) are defined as the following abbreviations: Future operators Fϕ Gϕ def = U ϕ def = ¬F ¬ϕ Past operators F −1 ϕ def G−1 ϕ def = Sϕ = ¬F −1 ¬ϕ def We also define the weak previous operator as X −1 = ¬X −1 ¬. X −1 ϕ means that there is no previous state (the current instant is 0), or ϕ was true in the previous state. To reason about deadlines, we will often index future operator F with k, to express that a formula will be satisfied before k time steps: ϕ if k = 0 def Fk ϕ = ϕ ∨ XFk−1 ϕ if k > 0 CHAPTER 2. BASIC LOGICAL CONCEPTS 24 Definition 9 (LT L-language). The language L(X, U, X −1 , S) of LT L with all future and past operators is defined by the following syntax: ϕ ::= P | ⊥ | ϕ ⇒ ϕ | X ϕ | ϕ U ϕ | X −1 ϕ | ϕ S ϕ The language LLT L (E), where E ⊆ {X, U, X −1 , S}, corresponds to the fragment of L(X, U, X −1 , S) which only contains the modal operators in E. For instance, L(X, U ) corresponds to the pure future fragment of the language. The logic LT L(E), where E ⊆ {X, U, X −1 , S}, is defined as the set of valid formulas (in the semantic point of view) or theorems (in the syntactic point of view) of L(E). The definitions of valid formulas and theorems of L(X, U, X −1 , S) are given in sections 2.3.2 and 2.3.4 respectively. Many variants and extensions of LT L, which are out of the scope of this thesis, have been investigated (consult, e.g., [83, 44, 45]). 2.3.2 LT L semantics Let us see more in detail the semantics of LT L, i.e., the structures needed to define the truth of temporal formulas. Definition 10 (LT L-model). An LT L-model is a tuple M = (N, <, V ) where • the set N of the natural numbers represents the set of the moments • <⊆ N × N is the usual strict order on N; the immediate <-successor of i ∈ N is denoted i + 1 as usual • V : N → 2P is a valuation function which associates each instant with a set of atomic propositions In the remainder, we use all the usual orders , >, on N which can all be defined from <. Definition 11 (LT L satisfaction relation). Given an LT L-model M = (N, <, V ), an instant i ∈ N, and a formula ϕ, we define |= by induction on ϕ (we write V, i |= ϕ or i |= ϕ for short): i |= p i⊥ i |= ϕ1 ⇒ ϕ2 i |= Xϕ i |= ϕ1 U ϕ2 iff p ∈ V (i) where p ∈ P iff iff iff i |= X −1 ϕ i |= ϕ1 S ϕ2 iff iff if i |= ϕ1 then i |= ϕ2 i + 1 |= ϕ ∃i i such that i |= ϕ2 ∀ i ∈ N if i i < i then i > 0 and i − 1 |= ϕ ∃i i such that i |= ϕ2 ∀ i ∈ N if i < i i then and i |= ϕ1 and i |= ϕ1 2.3. TEMPORAL LOGIC 25 A formula ϕ is said to be satisfied by a model M (denoted by M |= ϕ) if it is satisfied by its first state. A formula is said to be satisfiable if there is a model which satisfies it. A formula is said to be valid if every model satisfies it: Notice that validity and satisfiability are evaluated at the initial instant. This corresponds to the anchored version of LT L [91]. This approach is commonly adopted in the model checking community [85, 39]. Another approach [59, 110] consists in considering that a formula is valid if it is true at all instants of all models. Similarly, a formula is then considered to be satisfiable if it holds at some instant of some model. We will refer to this second approach as the floating version of LT L. This second approach is closer to other modal logics, and allows for instance more standard axiomatizations. Notice that if we consider the pure-future fragment, both notions define the same set of valid formulas. Notice that the semantics of the non-primitive temporal operators X −1 , G, G−1 , F , F −1 , are as follows: i |= X −1 ϕ i |= G ϕ i |= G−1 ϕ i |= F ϕ i |= F −1 ϕ iff iff iff iff iff i=0 ∀i ∈ N ∀i ∈ N ∃i ∈ N ∃i ∈ N or if if such such (i > 0 and i − 1 |= ϕ) i i then i |= ϕ i i then i |= ϕ that i i and i |= ϕ that i i and i |= ϕ Figure 2.2 illustrates an LT L-model which satisfies G p, F q, and p U q, for instance. {p} {p} {p} {p, q} Figure 2.2: model satisfying Gp 2.3.3 Characterization of properties A distinction between safety and liveness properties is often adopted in the specification of behavioural properties. These notions are introduced by Lamport in [82]. Roughly speaking, a safety property expresses that ’something bad will not happen’, and a liveness property expresses that ’eventually, something good will happen’. Here, we consider the semantical view of a property: a property is defined as a set of sequences instead of a formula. In the semantics of LT L, a model (N, <, V ) is a sequence over alphabet 2P of proposition sets. Thus, a LT L-formula can be viewed as the set of sequences (or models) which satisfy it. On the other hand, a set of sequences over CHAPTER 2. BASIC LOGICAL CONCEPTS 26 alphabet 2P cannot necessarily be viewed as a formula, since LT L has only the expressiveness of first order logic over (N, <) (cf theorem 6). Safety properties have been widely studied since the eighties. Indeed, Alpern and Schneider established a strong correspondence between finite automata and safety properties. Abadi and Lamport generalized this correspondence to a particular class of infinite automata [1]. This correspondence seems to be one of the main justifications for the interest of safety properties. A first formal definition was given by Lamport in [82] and has been improved in [3]. Here, we use the standard notations for sequences. If S is an alphabet, the set of infinite (resp. finite) sequences over S is denoted by S ω (resp. S ∗ ). If σ is a sequence over an alphabet S, and I ⊆ N is an interval, σI represents the sequence (σ(i))i∈I . Notice that σI is infinite if and only if σ and I are infinite. For instance, σi , represents the prefix of σ ending at index i, and σ>i denotes the suffix of σ starting from index i + 1. If σ is a finite sequence, and τ is a sequence, σ · τ is the concatenation of σ and τ . Definition 12 (Safety property). A property Γ ⊆ S ω is a safety property iff the following condition holds for every sequence σ if σ∈ /Γ then (∃i ∈ N ∀τ ∈ S ω σi · τ ∈ / Γ) Every sequence which does not belong to property Γ can be characterized by a ’bad’ prefix, i.e., a prefix such that all its continuations do not belong to Γ. An LT L-formula ϕ is a safety formula iff the set of the sequences (or models) which satisfy it is a safety property. A liveness property expresses that ’eventually, something good will happen’. So, checking the violation of a liveness property implies to consider some infinite sequence. Liveness properties were formally defined for the first time in [3]. Definition 13 (Liveness property). A property Γ is a liveness property iff {σi / σ ∈ Γ and i ∈ N} = S ∗ Every prefix can be extended so that it is in Γ. An LT L-formula ϕ is a liveness formula iff the set of the sequences (or models) which satisfy it is a liveness property. An interesting result, called decomposition theorem, states that every property is the conjunction of a safety property and a liveness property. Abadi and Lamport proved this theorem in [1] using a topological characterization of safety and liveness properties. Given an alphabet S, the distance between two sequences in S ω depends on the first index at which they differ from each other: the greater this index is, the lower the distance. 0 if σ = σ dist(σ, σ ) = 1 min{k∈N / σ(k)=σ (k)} otherwise 2.3. TEMPORAL LOGIC 27 If we consider the topological space induced by this distance, safety properties and liveness properties correspond to closed sets and dense sets respectively. Since every set can be written as the intersection of a closed set and a dense set, the decomposition theorem follows straightforwardly. This topology will be used to express conditions on models in section 4.2.3. Some works [119, 86] have studied the syntactical characterizations of safety and liveness properties. Sistla exhibited in [119] the subset of the positive2 LT L(X, U )-formulas built from operators ’next’ (X) and ’weak until’ (W 3 ). Actually, this subset is contained in the set of safety formulas, but there are safety formulas which are not in this subset: consider, e.g., F p ∧ ¬F p, which is a safety formula (equivalent to ⊥) and not in the given subset. 2.3.4 LT L axiomatization Several equivalent axiomatizations of LT L have been studied. We present here the version published in [85], which is sound and complete with respect to the above semantics: a formula ϕ is valid if and only if it is derivable in this deductive system. The axiom schemes are divided into three parts: the future axiom schemes which involve only future operators, the past axiom schemes which involve only past operators, and the mixed axiom scheme, which involves both future and past operators. Definition 14 (The future axiom schemes). F1 F2 F3 F4 F5 F6 F7 F8 Gϕ ⇒ ϕ G (X¬ϕ ⇔ ¬Xϕ) G X(ϕ1 ⇒ ϕ2 ) ⇒ (Xϕ1 ⇒ Xϕ2 ) G G(ϕ1 ⇒ ϕ2 ) ⇒ (Gϕ1 ⇒ Gϕ2 ) Gϕ ⇒ XGϕ (G(ϕ ⇒ Xϕ)) ⇒ G (ϕ ⇒ Gϕ) G ϕ1 U ϕ2 ⇔ ϕ2 ∨ (ϕ ∧ X(ϕ U ϕ )) 1 1 2 G ϕ1 U ϕ2 ⇒ F ϕ2 Here is an intuitive view of the future axiom schemes. • Axiom F1 states that if ϕ holds at all positions of a model, then in particular it holds at the first position. • Axiom F2 states that the next operator X is self-dual. • Axiom F3 states that if in the next instant ϕ1 implies ϕ2 then if in the next instant ϕ1 holds then so does ϕ2 . 2 3 negation can only be applied to atomic propositions def ϕ1 W ϕ2 = Gϕ1 ∨ ϕ1 U ϕ2 CHAPTER 2. BASIC LOGICAL CONCEPTS 28 • Axiom F4 is the analogue of F2 for the G operator. • Axiom F5 states that if ϕ is true at all future instants it must be true at every next instant. • Axiom F6 is a "computational induction" axiom; it states that if a property is inherited over one step transition, it is invariant over any suffix sequence whose first state satisfies it. • Axiom F7 characterizes the until operator by distributing its effect into what is implied for the present and what is implied for the next instant. • Axiom F8 states that ϕ1 U ϕ2 implies that ϕ2 will eventually happen. Definition 15 (The past axiom schemes). P1 P2 P3 P4 P5 G X −1 ϕ ⇒ X −1 ϕ G X −1 (ϕ1 ⇒ ϕ2 ) ⇒ (X −1 ϕ1 ⇒ X −1 ϕ2 ) Gϕ ⇒ GX −1 ϕ G ϕ1 S ϕ2 ⇔ ϕ2 ∨ (ϕ1 ∧ X −1 (ϕ1 Sϕ2 )) X −1 ⊥ Here is an intuitive view of the past axiom schemes. • Axiom P1 establishes the connection between the weak-previous operator and the previous operator. • The axioms P2, P3, P4 have similar descriptions as the axioms F3, F5, F7. • Axiom P5 does not resemble a corresponding future axiom. It states that the first position of every sequence satisfies X −1 ⊥. Definition 16 (The mixed axiom scheme). M1 G ϕ ⇒ XX −1 ϕ The mixed axiom scheme states that if ϕ is true at some instant, then going forwards and backwards leads to an instant (obviously the same instant) which also satisfies ϕ. Definition 17 (Inference rules). The three inference rules are Uniform Substitution, Modus Ponens, and G-necessitation. • Uniform substitution • Modus Ponens • G-Necessitation for propositional tautologies: if ϕ is a substitution instance of a propositional tautology, then G ϕ is a theorem. 2.3. TEMPORAL LOGIC 29 Remark 2. The axiomatization of the floating version of LT L (e.g., in [58, 110]) slightly differs. For instance, the first G operator in the schemes F2,F3,F4,F7,F8, P1,P2,P4,M1 is removed, and the P5 scheme, which states that the first instant of every model satisfies X −1 ⊥, is replaced by F −1 X −1 ⊥, which states that every instant of every model is preceded by an initial instant. Rule G-necessitation is no longer limited to instances of propositional tautologies. Theorem 5 (Soundness and completeness). This axiomatization is sound and complete with respect to the LT L semantics defined in section 2.3.2. Theorem 6 (Expressiveness [74, 58]). L(X, U ) and L(X, U, X −1 , S) have the same expressiveness: for every L(X, U, X −1 , S)-formula ϕ, there is a L(X, U )-formula ϕ such that for every LT L-valuation V , V, 0 |= ϕ iff V, 0 |= ϕ . (The converse is straightforward.) Actually, L(X, U ) has the same expressive power as first order language over (N, =, <) with unary predicates, i.e., for every first order formula ϕ(x) with one free variable x, there is a L(X, U )-formula ϕ such that for every valuation V , V, 0 |=F O[<] ϕ(x)4 iff V, 0 |=LT L ϕ . Although L(X, U ) and L(X, U, X −1 , S) have the same expressiveness, i.e., every L(X, U, X −1 , S)-formula can be translated into a L(X, U, )-formula which is initially equivalent, the translation is not efficient. In other words, adding past operators makes formula shorter, which is interesting in the specification process. Actually, it is shown in [83] that L(X, U, X −1 , S) is exponentially more succinct than L(X, U ). Theorem 7 (Decidability). LT L(X, U, X −1 , S) is decidable. The satisfiability problem for LT L(X, U, X −1 , S) and LT L(X, U ) is PSPACE-complete [118]. 2.3.5 Branching-time temporal logic Linear Temporal Logic can only specify properties along a run. Indeed, we can express in LT L that a proposition will be true in the future, or that it will never be true, but we cannot express that it can be true in the future. We need to represent different alternative future states in the underlying model in order to overcome this lack. Some temporal logics deal with a branchingtime model. One of the most famous is Computation Tree Logic (CT L) [38], which has in particular the very attractive feature of having a polynomial model checking problem (cf section 2.4). It has only future operators. For a discussion about the expression of the past in a branching-time framework, see e.g. [79, 110, 120, 84]. From the linear temporal operators X and U , we get four branching-time temporal operators: EX, AX, E(·U ·), and A(·U ·): 4 as 0 unary predicates in ϕ are interpreted with V , and the free variable x is interpreted CHAPTER 2. BASIC LOGICAL CONCEPTS 30 • EX ϕ means that there is a next state which satisfies ϕ. • E(ϕ1 U ϕ2 ) means that there is a possible future path which satisfies ϕ2 at some instant i, and ϕ1 from now until the moment before i. • A(ϕ1 U ϕ2 ) means that every possible future path satisfies ϕ2 at some instant i and ϕ1 from now until the moment before i. Definition 18 (CT L-syntax). Given a set P of atomic propositions, the language of CT L is defined by the following syntax: ϕ ::= P | ⊥ | ϕ ⇒ ϕ | EX ϕ | E(ϕ U ϕ) | A(ϕ U ϕ) We define the different usual abbreviations as follows: def AXϕ = ¬EX¬ϕ every next state satisfies ϕ def EF ϕ = E( U ϕ) def AGϕ = ¬EF (¬ϕ) def AF ϕ = A( U ϕ) def EGϕ = ¬AF (¬ϕ) there is a path which satisfies ϕ at some instant. every path satisfies ϕ at every instant. in every path satisfies ϕ at some instant. there is a path which satisfies ϕ at every instant. Let us see the semantics of CT L (for an axiomatization of CT L, see for instance [51]). The set N of the natural numbers is no longer appropriate for representing the set of the moments. We thus consider temporal frames (W, R) where W is a set of moments, or states, and the accessibility relation R ⊆ W × W models the passing of time: (w, w ) ∈ R means that w is a possible temporal successor of w. Definition 19 (CT L-frame). A CT L-frame is a Kripke structure with initial states F = (W, I, R), where (W, R) is a Kripke structure and I its set of initial states (or worlds): • W is a set of states, or worlds • I ⊆ W is a set of initial states • R ⊆ W × W is a serial accessibility relation on the states A valuation for a frame F = (W, I, R) is a function V ∈ W → 2P which associates each state with a set of atomic propositions. The pair (F, V ) is a CT L-model. A path σ in M is an infinite sequence σ = w0 w1 . . . such that • every wi is a state of W • ∀i (wi , wi+1 ) ∈ R 2.3. TEMPORAL LOGIC 31 The ith state of σ is denoted σi . The suffix of σ which starts from the ith state is denoted by σ i . The set of the paths σ starting from a given state w, i.e., such that σ0 = w, is denoted by P aths(w). Definition 20 (CT L satisfaction relation). Given a CT L-model M = (W, I, R, V ), a state w, and a formula ϕ, we define |= by induction on ϕ: w |= p w⊥ w |= ϕ1 ⇒ ϕ2 iff p ∈ V (w) iff if w |= EX(ϕ) iff ∃w ∈ W such that (w, w ) ∈ R w |= A(ϕ1 U ϕ2 ) iff w |= E(ϕ1 U ϕ2 ) iff and ∀σ ∈ P aths(w) ∃i ∈ N such that σi |= ϕ2 and ∀j ∈ N if 0 j < i then σj |= ϕ1 ∃σ ∈ P aths(w) ∃i ∈ N such that σi |= ϕ2 ∀j ∈ N if 0j<i then σj |= ϕ1 where w |= ϕ1 p∈P w |= ϕ2 then and w |= ϕ A formula is said to be satisfied by a model if it is satisfied by its initial states: M |= ϕ iff ∀w ∈ I w |= ϕ A formula is said to be valid if every model satisfies it: |= ϕ iff for every model M |= ϕ M w0 w1 w2 w3 {p} {p} {p} {p, q} Figure 2.3: CT L-model Figure 2.3 represents a CT L-model with one initial state (w0 ). Here are some CT L-formulas satisfied by this model. • w0 |= E(p U q) CHAPTER 2. BASIC LOGICAL CONCEPTS 32 • w0 |= EX (EX q ∧ EX p) • w0 |= AF p ∧ EF q • w0 |= EG p One of the main differences between CT L and LT L concerns their respective expressiveness. More precisely, there are properties that one can express in CT L, but that cannot be expressed in LT L, and vice versa. Formally speaking, the expressiveness of CT L and LT L is incomparable. However, if we consider that LT L-formulas are implicitly in the scope of a universal path quantifier, then the expressiveness of CT L and LT L are distinct (both languages contains formulas which cannot be expressed in the other language). An extension of CT L, called CT L∗ [50], unifies both logics. The expressiveness of CT L∗ comprises that of both CT L and LT L. Indeed, a formula can be composed of arbitrary combinations of temporal operators and path quantifiers. In the definition of CT L∗ syntax, we distinguish between path formulas, which can be any LT L formulas, and are true in a specific path, and state formulas, which are propositional, or start with a path quantifier, and are true in a specific state. Definition 21 (CT L∗ -syntax). We define the state formulas by the following syntax: ϕstate ::= p | ⊥ | ϕstate ⇒ ϕstate | E ϕpath where p ∈ P is an atomic proposition. We define the path formulas by the following syntax: ϕpath ::= ϕstate | Xϕpath | ϕpath U ϕpath def The path quantifier A can be defined as the dual of E: Aϕ = ¬E¬ϕ. Definition 22 (CT L∗ satisfaction relation). A CT L∗ -model does not differ from a CT L-model. A state formula ϕstate is interpreted in a state w (we note w |= ϕstate ), whereas a path formula ϕpath is interpreted over a path σ (we note σ |= ϕpath ). State formulas w |= p w⊥ w |= ϕ1 ⇒ ϕ2 iff p ∈ V (w) iff if w |= E(ϕpath ) iff ∃σ ∈ P aths(w) where w |= ϕ1 p∈P then w |= ϕ2 σ |= ϕpath 2.3. TEMPORAL LOGIC 33 Path formulas σ |= ϕstate σ |= Xϕpath σ |= ϕpath 1 U ϕpath 2 iff σ0 |= ϕstate iff σ 1 |= ϕpath iff ∃i ∈ N such that and ∀j ∈ N if 0 j < i then σ i |= ϕpath 2 σ j |= ϕpath 1 CT L∗ has been hard to provide with usable reasoning systems: although CT L∗ syntax and semantics was published in the 80’s [50], important results concerning reasoning systems appeared at the beginning of the 2000s: a combined rewrite and proof system in [102] and a complete Hilbert-style axiomatization in [109] using a rather complex inference rule. Theorem 8 (Decidability). CT L∗ is decidable [52] and the satisfiability problem is 2EXPTIME-complete [51]. 2.3.6 Timed logic Timed logic extends temporal logic in order to express properties where durations are explicitly involved, such as deadline constraints (ϕ will hold before five minutes). Such constraints are called timed or real-time constraints. Several real-time logics have been developed both in branching time and in linear time frameworks. Another distinction is between discrete and continuous time models. Verification techniques which use discrete time models apply to a wider range of real-time properties, while continuous time models are well adapted for composing systems. For a more detailed comparison, see e.g. [66]. In this section, we focus on continuous semantics. We present the realtime extension Timed Linear Temporal Logic (T LT L) [9] of LT L and the the real-time extension Timed Computation Tree Logic (T CT L) [5, 4] of the branching time logic CT L. The semantics of T LT L is based on timed sequences whereas the semantics of T CT L is based on timed automata. It is clear that temporal models based on Kripke frames are useless in a context of continuous time. Indeed, transitions from one state to another are always made by one or more ‘jumps’, which gives to Kripke frames an inherently discrete nature. Instead of considering such ’jumps’, we measure the elapse of time through a set C of variables called clocks. Clock valuations are functions from C to the set R+ of non-negative real numbers. For every valuation v : C → R+ and d ∈ R+ , we use v+d to denote the time assignment which maps each clock x ∈ C to v(x) + d. For every set r ⊆ C of clocks, we write v[r := 0] for the valuation which maps each clock in r to 0, and each clock x in C\r to v(x). Definition 23 (Clock constraint). Given a set C ⊆ C of clocks, we define the set B(C) of the clock constraints g on C inductively: g ::= ⊥ | g ⇒ g | x ≺ c | x − y ≺ c CHAPTER 2. BASIC LOGICAL CONCEPTS 34 where x, y ∈ C are clocks, c ∈ N is a natural number, and ≺∈ {, <}. Given a valuation v and a clock constraint g, we define the satisfaction relation |= as follows: v v v v ⊥ |= g1 ⇒ g2 |= x ≺ c |= x − y ≺ c iff iff iff if v |= g1 then v(x) ≺ c v(x) − v(y) ≺ c v |= g2 In T LT L and T CT L, we introduce a reset operator x.ϕ which allows to measure the time elapsed starting from the present state. Every occurrence of x in ϕ is then bound. When a formula x.ϕ is interpreted in a state of a timed system (timed sequence in the case of T LT L, and timed automata in the case of T CT L) we require that x is never reset by the timed system. Indeed, the formula x.F (ϕ ∧ x < 5) means that ϕ will be true before 5 time units. If we interpret this formula in a timed sequence which reset x, the meaning of ϕ is warped. Timed Linear Temporal Logic (T LT L) We present here the syntax and the semantics of T LT L [9]. Definition 24 (T LT L-syntax). Given a set P of atomic propositions, a set C ⊆ C of clocks, the T LT L language is defined by the following syntax: ϕ ::= p | g | ⊥ | ϕ ⇒ ϕ | ϕ U ϕ | x.ϕ where p ∈ P is an atomic proposition, g ∈ B(C) is a clock constraint, and x ∈ C is a clock. Definition 25 (Timed sequence). Given a set Q of control states and a set C ⊆ C of clocks, we define a timed sequence ρ on C as a (finite or infinite) t0 t1 sequence ρ = (q0 , v0 ) (q1 , v1 ) . . . such that • every qi is a control state in Q, the pair (qi , vi ) is called a configuration state • every vi+1 : C → R+ is the clock valuation when entering the control state qi+1 after having stayed in qi for ti time units. Only the clocks in C can be reset: for each i and each clock x: – if x ∈ C, then we require that either vi+1 (x) = 0 or vi+1 (x) = vi (x) + ti – if x ∈ / C, then vi+1 (x) = vi (x) + ti • at each step, if the control state is unchanged, then at least one clock is reset: for each i, if qi+1 = qi then there exists x ∈ C such that vi+1 (x) = 0 2.3. TEMPORAL LOGIC 35 • every time t ∈ R+ “belongs” to the timed sequence: ∀t ∈ R+ ∃k ∈ N such that Σ ti > t i∈0..k A sequence ρ actually defines an infinite and dense set of configuration states. Indeed, between two ’steps’ qi and qi+1 , the system goes through all the configuration states (qi , vi + t) such that t ti . If si denotes the configuration state (qi , vi ) and t ∈ R+ is a time duration, then si + t denotes t0 t1 the configuration state (qi , vi + t). So, for every timed sequence ρ = s s1 s2 . . ., we define • the domain dom(ρ) of ρ as def dom(ρ) = domi (ρ) i∈N def where domi (ρ) = {(si + t, i) / t ti } • and as the following complete ordering on dom(ρ): ∀i, j ∈ N ∀t, t ∈ R+ (si +t, i) (sj +t , j) iff i<j or (i = j and t t ) t0 Definition 26 (T LT L-semantics). Given a timed sequence ρ = (q0 , v0 ) (q1 , v1 ) . . . on a clock set C, a pair (s, i) ∈ dom(ρ), a valuation V : Q → 2P , and a T LT L-formula ϕ, we define |= by induction on ϕ: s, i, V s, i, V s, i, V s, i, V |= p iff |= g iff ⊥ |= ϕ1 ⇒ ϕ1 iff s, i, V |= ϕ1 U ϕ2 s, i, V |= x.ϕ p ∈ V (q) where s = (q, v) v |= g where s = (q, v) s, i, V |= ϕ1 if then s, i, V |= ϕ2 ∃(s , i ) ∈ dom(ρ) such that (s, i) (s , i ) and s , i , V |= ϕ2 and ∀(s , i ) ∈ dom(ρ) if (s, i) (s , i ) ≺ (s , i ) then s , i , V |= ϕ1 ∨ ϕ2 iff (q, v[x := 0]), i, V |= ϕ where s = (q, v) iff Note that we require x not to be reset in ρ, i.e., x ∈ C \ C t0 t0 A timed sequence ρ = s0 s1 . . . satisfies ϕ given a valuation V if its first configuration state satisfies ϕ: ρ |= ϕ s0 , 0, V |= ϕ Notice that another timed extension of LT L, called Metric Temporal Logic (M T L) [8, 75] introduces timed operators by adding subscripts to the until operator. pUI q, where I is an interval with integer end points (possibly 36 CHAPTER 2. BASIC LOGICAL CONCEPTS unbound), means that q will hold at some instant in the interval I, and p holds from now until this instant. It is clear that such a formula can be translated into the following T LT L-formula which is satisfied by the same timed sequences: x. p U (q ∧ x ∈ I) , where x ∈ I can be expressed as a clock constraint. For instance, the formula pU>3 q expresses that q will hold at some instant greater than 3, and p holds from now until this instant. It can be expressed in T LT L as x.(p U (q ∧ x > 3)). It has been shown in [24] that T LT L is strictly more expressive than M T L. While both T LT L ans M T L are undecidable, the restriction of M T L where the until subscripts are not singular, called Metric Interval Temporal Logic (M IT L [7]) is decidable. Theorem 9. T LT L and M T L are undecidable [9]. M IT L is decidable, its satisfiability problem is EXPSPACE-complete [7]. Timed Computation Tree Logic (T CT L) We now present a real-time extension of the branching time logic CT L, called T CT L [8]. We first define its syntax, and then its semantics which is based on timed automata [6, 25]. Definition 27 (T CT L-syntax). Given a set P of atomic propositions, a set C ⊆ C of clocks, the language of T CT L is defined by the following syntax: ϕ ::= p | g | ⊥ | ϕ ⇒ ϕ | E(ϕ U ϕ) | A(ϕ U ϕ) | x.ϕ where p ∈ P is an atomic proposition, g ∈ B(C) is a clock constraint, and x ∈ C is a clock. Definition 28 (Timed automata). A timed automaton on a set C ⊆ C of clocks (which can be reset) is a tuple (Q, Q0 , −→, Inv, V, F ), where • Q is a finite set of control states • Q0 ⊆ Q is a set of initial state • −→⊆ Q×B(C)×2C ×Q is a finite set of transitions: for (q, g, r, q ) ∈−→ g,r (we will prefer the notation q −→ q , q is the starting state, g is the guard, or enabling condition, r is the set of clocks to be reset by the transition, and q is the destination state. • Inv : Q → B(C) associates each state with a clock constraint, named invariant • V : Q → 2P associates each state with a set of atomic propositions • F ⊆ Q is a set of accepting states 2.4. MODEL CHECKING 37 t0 t0 A timed sequence ρ = (q0 , v0 ) (q1 , v1 ) . . . on a clock set C is said to be an accepting path (or simply a path) over the automaton A = (Q, Q0 , −→ , Inv, V ) (on the same set C of clocks) if • for each i and each t ∈ R+ if t ti then vi + t |= Inv(qi ) g,r • for each i there exists a transition qi −→ qi+1 such that vi + ti |= g and vi + ti [r := 0] = vi+1 • if ρ is finite, then its last state qn is accepting, i.e., qn ∈ F A configuration state s = (q, v) is said to be accessible in a timed automaton A if there exists a path ρ over A and an integer i such that (s, i) ∈ dom(ρ). Definition 29 (T CT L-semantics). Given a timed automaton A, a configuration state s accessible in A, and a T CT L-formula ϕ, we define |= by induction on ϕ: s |= E(ϕ1 U ϕ2 ) iff there exists a path ρ over A starting from s such that ∃(s, i) ∈ dom(ρ) such that s |= ϕ2 and ∀(s , i ) ∈ dom(ρ) if (s, 0) (s , i ) ≺ (s, i) then s |= ϕ1 ∨ ϕ2 s |= A(ϕ1 U ϕ2 ) iff for every path ρ over A starting from s ∃(s, i) ∈ dom(ρ) such that s |= ϕ2 and ∀(s , i ) ∈ dom(ρ) if (s, 0) (s , i ) ≺ (s, i) then s |= ϕ1 ∨ ϕ2 s |= x.ϕ iff s[x := 0] |= ϕ We require, as for T LT L, that x is not reset by A, i.e., that x ∈ C \ C. Theorem 10. T CT L is undecidable [8]. 2.4 Model checking Temporal logics have proved to be useful for specifying properties of reactive systems. One of the main verification methods, called model checking is an automatic technique for verifying finite state concurrent systems. The first task is to convert a program into a Kripke model which formally describes its behaviour. Then, the properties which must be satisfied by the system are expressed in temporal logic. Definition 30 (Model checking in the linear time case). For linear temporal logics, we define the model checking as follows: Given a model M (Kripke-model in a discrete time framework, timed automata in a continuous time framework) and a formula ϕ, does every M -path σ (starting from an initial state) satisfy ϕ? CHAPTER 2. BASIC LOGICAL CONCEPTS 38 ``` ``` logic ``` ` ` decision problem ``` satisfiability model checking ``` ``` logic ``` ``` decision problem `` satisfiability model checking LT L CT L CT L∗ PSPACE-c PSPACE-c EXPTIME-c PTIME-c 2EXPTIME-c PSPACE-c T LT L M IT L T CT L undecidable undecidable EXPSPACE-c EXPSPACE-c undecidable PSPACE-c Figure 2.4: Complexity results for usual temporal logics The standard technique for LT L model checking consists in translating ¬ϕ into a Büchi automaton A¬ϕ , and then checking that the product M × A¬ϕ has an empty language [61, 60]. Definition 31 (Model checking in the branching time case). For branching time temporal logics such as CT L, CT L∗ and T CT L, the model checking is specified as follows: Given a model M (Kripke-model in a discrete time framework, timed automata in a continuous time framework) and a formula ϕ, is it the case that every initial state satisfies ϕ ? The standard technique for CT L model checking consists in labeling each state with the set of satisfied subformulas, and checking that every initial state is labeled by ϕ. Theorem 11 (Model checking complexity). We have the following complexity results for temporal logics introduced in the previous sections. • Model checking for LT L(X, U, X −1 , S) and LT L(X, U ) is PSPACEcomplete [118]. • Model checking for CT L is PTIME-complete [40]. • Model checking for CT L∗ is PSPACE-complete [40]. • Model checking for T CT L is PSPACE-complete [5, 4]. Figure 2.4 sums up complexity results for the different temporal logics we have considered. 3 Combining temporal and deontic logics: introduction In natural language as well as in computer security, norms do not concern a single moment. It seems more natural to speak of obligations which arise and last for a certain period of time. For instance, consider an obligation to submit a paper before a deadline, or a prohibition for some user to use some resource between 1 pm and 3 pm. In order to set up a formal framework to deal with these concepts, logicians have investigated relations between deontic and temporal modalities from a philosophical point of view, since the 1980s [48, 49, 16, 71, 13]. However, the proposed formalisms have a rich but complex semantics, and the temporal language is very different from actual standard temporal logics. They also have the following drawback: every propositional formula which is true in a given state is also obligatory in the same state. Moreover, decidability issues are not tackled, which makes it difficult to take these logics as a basis for a formal method. More recently, some works have investigated relations between time and obligation from the point of view of computer science [46, 88, 41, 27]. In [88], the framework of Deontic Interpreted Systems is presented, in which no temporal-deontic interaction is considered. Notice that an interesting securityoriented case study is investigated with this logic [89]. In [46, 30, 27], the authors study the representation of deadline obligations. They use a reductionist approach: they encode obligation inside a temporal framework. This is less expressive than a combination, in which we can talk about both dimensions independently. In [41], the logic N OM AD is presented, which actually corresponds to a generic combination called product between LT L(X, X −1 ) (enriched with an action language), and a deontic logic. Deadline obligations are expressed with a dedicated operator. It can be viewed as a starting point of the investigations of the next chapter (chapter 4). In a temporal and deontic framework, it can also be interesting to rea39 40 CHAPTER 3. COMBINING TEMPORAL AND DEONTIC LOGICS son about norm updates, in particular using non-monotonic/defeasible logics [105, 72, 56]. For instance, there may be an unexpected extension of the deadline for the paper, or it may become permitted to use the resource at 2 pm in case the security policy has changed. In the remainder of the Ph.D. thesis, we do not consider defeasible reasoning and stay in a framework where norms do not change over time. In this chapter, we review classical ways of combining modal logics in the temporal-deontic case. Section 3.1 presents the simplest way to combine modal logics, called fusion, in which there is no interaction between both dimensions. Section 3.2 introduces the deontic variant of some classical temporal-epistemic interactions [53, 47, 131], considering both axiomatic and semantic points of view. Section 3.3 presents the product of temporal and deontic logics, which is a natural way to combine logics in order to ensure these interactions, and will be taken as a starting point for the sequel of the logical study. 3.1 Fusion of modal logics The first (and simplest) way of combining two modal logics is called fusion [80]. Given two modal logics L1 and L2 , the language of their fusion is the multi-modal language which contains every modal operator of both logics1 . The fusion logic L1 ⊗ L2 is defined as the smallest modal logic which contains all the theorems of L1 and L2 . In particular, if L1 is axiomatized by a set Ax1 of axioms, and L2 by Ax2 , then the fusion L1 ⊗ L2 is axiomatized by the union Ax1 ∪ Ax2 . An attractive feature of fusions is that several properties of the component logics L1 and L2 are transferred to their fusion L1 ⊗ L2 . First there exists an interesting semantic characterization of fusions. Theorem 12. If L1 is characterized by a class C1 of frames, and L2 by a class C2 , with C1 and C2 closed under the formation of isomorphic copies and disjoint unions, then L1 ⊗ L2 is characterized by the class of the frames (W, R1 , R2 ) such that (W, R1 ) ∈ C1 and (W, R2 ) ∈ C2 [76, 57, 80]. Another important transfer result concerns the decidability. Theorem 13. If L1 and L2 are decidable modal logics, then L1 ⊗ L2 is also decidable [134, 57]. Remark 3. There is no general transfer result concerning complexity. In the remainder, we study the fusion of some temporal and deontic logics. We consider a slightly different definition of the temporal logics LT L 1 Notice that we consider for each logic a multi-modal language with unary operators k and/or operators U (until) and S (since) 3.1. FUSION OF MODAL LOGICS 41 and CT L. Indeed, in chapter 2, we defined temporal frames as Kripke frames with initial states. In this context, a valid formula is defined as a formula which is true in every initial state of every frame, and a satisfiable formula is true in some initial state of some frame. This point of view is commonly adopted in the model checking community [85, 39], and defines the anchored version [91] of temporal logics. On the other hand, modal logicians consider Kripke frames without initial states for other kind of modal logics (alethic, epistemic, deontic, etc.). Then, a formula is said to be valid if it is true in every state (or world) of every frame. This second point of view is also adopted in some works on temporal logics [59, 110], and defines the floating version of temporal logics. In order to have a homogeneous framework, we will adopt floating definition of temporal logics in the proposed combinations. 3.1.1 Fusion of LT L and SDL For instance, let us consider the fusion of the future fragment of LT L and SDL, defined on the modal language with temporal operators X and U , and deontic operator O. Definition 32 (L(X, U, O ) language). Given a set P of atomic propositions, the language L(X, U, O) of LT L(X, U ) ⊗ SDL is defined by the following syntax: ϕ ::= ⊥ | p | ϕ ⇒ ϕ | Xϕ | ϕ U ϕ | O ϕ where p ∈ P is an atomic proposition. The axiomatization of LT L ⊗ SDL consists of the axiom schemes F1-F8 for the temporal operators X and U (cf section 2.3.4), the axiom schemes K and D for the deontic operator O (cf section 2.1.1), and the inference rules Uniform Substitution, Modus Ponens, G-Necessitation (where G is defined in terms of U ), and O-Necessitation. As we saw in section 2.3.2, LT L(X, U ) is characterized by the class of the unique frame (N, <). Clearly, this singleton class is not closed under the formation of isomorphic copies and disjoint unions. Therefore, we cannot use the above-mentioned semantic characterization (theorem 12) for the fusion LT L ⊗ SDL. Indeed, let us consider a frame (N, <, R) where R is a serial relation on N. Figure 3.1 illustrates such a frame, where the temporal accessibility relation (of which < is the transitive closure) is represented by solid arrows, and the deontic relation by dotted arrows. It is clear that such frames validate for instance G(¬p) ⇒ O(F ¬p), which cannot be inferred from the axiomatization of LT L ⊗ SDL which does not contain any interaction axiom schemes, i.e. axiom schemes in which both temporal and deontic modalities are involved. In order to avoid interactions between temporal and deontic relations (due to the fact that < is a complete order on N), we have to relax constraints 42 CHAPTER 3. COMBINING TEMPORAL AND DEONTIC LOGICS temporal relation deontic relation Figure 3.1: Incorrect fusion frame on <. A less natural class of frames which also characterizes LT L(X, U ) is the class of the frames (N × W, ≺) such that: 1. W is a set 2. ≺⊆ (N × W ) × (N × W ) is defined by (i, w) ≺ (i , w ) iff w = w and i < i . Property 1. LT L(X, U ) is characterized by the class of the frames (N × W, ≺) such that (1) and (2) are satisfied. Proof. We show that this class of frames defines the same logic as (N, <). Suppose that ϕ is satisfiable by a model based on (N, <). Then, ϕ is clearly satisfiable by a model based on (N × {w0 }, ≺), where {w0 } is a singleton. Suppose that ϕ is satisfiable by a model based on (N × W, ≺) for some set W . Then, there is a valuation V and a state (i, w) ∈ N × W such that i, w |= ϕ. According to the definition of ≺, we also have i |= ϕ in (N, <, V ), where V is defined as ∀j ∈ N V (j) = V (j, w). The latter class is closed under the formation of isomorphic copies and disjoint unions. The semantic characterization (theorem 12) then applies, and provides the following property. Property 2. LT L ⊗ SDL is characterized by the class of the frames (N × W, ≺, R) such that (N × W, ≺) satisfies (1) and (2), and R is a serial2 relation on N × W . Figure 3.2 illustrates such a frame. For the sake of readability, the deontic relation is partially pictured. Theorem 14. LT L ⊗ SDL is decidable (consequence of theorem 13). 2 ∀w ∈ N × W ∃w ∈ N × W such that wRw 3.1. FUSION OF MODAL LOGICS 43 temporal relation deontic relation Figure 3.2: LT L ⊗ SDL-frame 3.1.2 Fusion of CT L and SDL Let us now consider the fusion CT L ⊗ SDL of branching time temporal logic CT L and SDL. Unlike LT L ⊗ SDL, the semantic characterization of fusions applies for CT L ⊗ SDL because both logics are characterized by frames which are closed under the formation of disjoint unions. Definition 33 (CT L ⊗ SDL language). Given a set P of atomic propositions, the language L(EX, AU, EU, O) of LT L ⊗ SDL is defined by the following syntax: ϕ ::= ⊥ | p | ϕ ⇒ ϕ | EXϕ | E(ϕ U ϕ) | A(ϕ U ϕ) | O ϕ where p ∈ P is an atomic proposition. The following property states that the semantic characterization of fusions applies. Property 3 (CT L ⊗ SDL-frame). CT L ⊗ SDL is characterized by the frames (W, RX , RO ) such that • W is a set of worlds • RX ⊆ W × W is a serial (temporal) accessibility relation • RO ⊆ W × W is a serial (deontic) accessibility relation A CT L ⊗ SDL-model is a tuple (W, RX , RO , V ) where (W, RX , RO ) is a frame and V ∈ W → 2P is a valuation function which associates each world with a set of atomic propositions. A path σ in M is an infinite sequence σ = w0 w1 . . . such that • every wi is a state of W • ∀i (wi , wi+1 ) ∈ RX 44 CHAPTER 3. COMBINING TEMPORAL AND DEONTIC LOGICS The ith state of σ is denoted σi . The set of paths σ starting from a given state w, i.e., such that σ0 = w, is denoted by P aths(w). The semantics of temporal operators is defined as in CT L, and the semantics of O is defined as in SDL by the relation RO . Theorem 15. CT L ⊗ SDL is decidable (consequence of theorem 13). 3.2 Interaction properties Fusion of temporal and deontic logics is an easy way to combine time and obligation in a unique formalism. It allows to reason about obligations and permissions in a temporal context under the assumption that no interaction between both dimensions is needed. For instance, we can express that p is obligatory today, and ¬p will be obligatory tomorrow. Actually, if we only need to reason about evolution of immediate obligations, i.e., if temporal operators are not in the scope of some deontic operator, then fusion of temporal and deontic logics is a very interesting framework. On the other hand, if we need to reason about temporal obligations (it is obligatory to satisfy p before 3 time units, it is obligatory to satisfy p today or q tomorrow) then the absence of interaction between temporal and deontic dimensions becomes questionable, in particular in our framework where norms are not explicitly updated. It is indeed natural to consider that a temporal obligation which holds today implies another obligation tomorrow. For instance, if “always p” is obligatory in a world w, we cannot in a fusion deduce that “p”, or “always p” will be obligatory in the future states. In other words, in a branching time framework, w O(AGp) ⇒ AG O(p) In this section, we consider several interesting interaction axioms and study the corresponding conditions on frames. 3.2.1 ’Perfect recall’ property A first interesting property says that if today, there is the obligation to satisfy ϕ tomorrow, then tomorrow, there will be the obligation to satisfy ϕ immediately. In a branching time setting, we will consider more precisely the following property: if today, it is obligatory that every possible successor satisfies ϕ, then in every possible successor, ϕ will be obligatory: O(AXϕ) ⇒ AXO(ϕ) (recall_branching) We borrow the terminology ’perfect recall’ from epistemic logic [53] to name this property. Indeed, this property ensures that obligations cannot be withdrawn (we would say ’forgotten’ for knowledge) when time passes. This 3.2. INTERACTION PROPERTIES 45 property corresponds to the following condition on frames: if (w1 , w2 ) ∈ RX and (w2 , w4 ) ∈ RO ∀w1 , w2 , w4 ∈ W (1) then ∃w3 ∈ W such that (w1 , w3 ) ∈ RO and (w3 , w4 ) ∈ RX Property 4. The ’perfect recall’ property (recall_branching) is valid in a CT L ⊗ SDL-frame F = (W, I, RX , RO ) iff F satisfies condition (1). w3 w4 RX RO RO RX w1 w2 Figure 3.3: ’perfect recall’ condition on a CT L ⊗ SDL-frame Proof. Let F = (W, I, RX , RO ) be a CT L ⊗ SDL-frame. ’⇒’: We assume that F satisfies the ’perfect recall’ condition and prove that for every formula ϕ, F validates O (AXϕ) ⇒ AXO(ϕ). Let V be a valuation and w1 ∈ W a world such that w1 |= O (AXϕ). Let w2 , w4 ∈ W such that (w1 , w2 ) ∈ RX and (w2 , w4 ) ∈ RO . Then , according to the ’perfect recall’ condition on F , there is a world w3 such that (w1 , w3 ) ∈ RO and (w3 , w4 ) ∈ RX . Since w1 |= O(AXϕ), then w4 |= ϕ. So, w1 |= AXO(ϕ). ’⇐’: We prove that if F does not satisfy the ’perfect recall’ condition, then F does not validate O (AXϕ) ⇒ AXO (ϕ). If F does not satisfy the ’perfect recall’ condition, then there are w1 , w2 , w3 ∈ / W such that (w1 , w2 ) ∈ RX and (w2 , w4 ) ∈ RO and ∀w3 ∈ W (w1 , w3 ) ∈ / RX . Let p ∈ P be an atomic proposition. Consider the valRO or (w3 , w4 ) ∈ uation function V : W → 2P defined by V (w4 ) = {p} and ∀w = w4 V (w) = ∅. Then, w1 |= O(AX¬p). Indeed, for any world w such that (w1 , w) ∈ RO and (w, w4 ) ∈ RX , w is distinct from w4 and thus w |= ¬p. Besides, w1 |= AXO (ϕ) since w4 |= p. In a linear time context, the ’perfect recall’ property is expressed as follows: O(Xϕ) ⇒ XO (ϕ) (recall_linear) The corresponding condition on frame is if (w1 < w2 ) and (w2 , w4 ) ∈ R0 ∀w1 , w2 , w4 ∈ W (2) then ∃w3 ∈ W such that (w1 , w3 ) ∈ RO and w3 < w4 46 CHAPTER 3. COMBINING TEMPORAL AND DEONTIC LOGICS 3.2.2 ’No learning’ property We now consider the dual property which states that no new obligation “appears” when time passes: AX(Oϕ) ⇒ O (AXϕ) (nolearn_branching) In a branching time setting, this property expresses that if in every possible successor state it will be obligatory to satisfy ϕ, then today it is already obligatory to satisfy ϕ in every possible successor. We name this property ’no learning’ by analogy with epistemic logic. Property 5. The ’no learning’ property (nolearn_branching) is valid in a CT L ⊗ SDL-frame F = (W, I, RX , RO ) iff F satisfies condition (3). if (w1 , w3 ) ∈ RO and (w3 , w4 ) ∈ RX ∀w1 , w3 , w4 ∈ W (3) then ∃w2 ∈ W such that (w1 , w2 ) ∈ RX and (w2 , w4 ) ∈ RO The linear-time version of the ’no learning’ property is expressed as follows: XO (ϕ) ⇒ O(Xϕ) (nolearn_linear) The corresponding condition on frames is if (w1 < w3 ) ∈ RO and w3 < w4 ∀w1 , w3 , w4 ∈ W (4) then ∃w2 ∈ W such that w1 < w2 and (w2 , w4 ) ∈ RO 3.2.3 ’Confluence’ property A more questionable property, considered as the existential version of the ’no learning’ property in a branching time setting (AX is replaced by EX), states that if there is a successor state in which it is obligatory to satisfy ϕ, then it is obligatory in the current state that there exists a successor satisfying ϕ. EXO (ϕ) ⇒ O(EXϕ) (conf ) We name this property ’confluence’ property because of the corresponding condition on frames. Property 6. The ’confluence’ property (conf ) is valid in a CT L ⊗ SDLframe F = (W, I, RX , RO ) iff F satisfies condition (5). if (w1 , w2 ) ∈ RX and (w1 , w3 ) ∈ R0 ∀w1 , w2 , w3 ∈ W (5) then ∃w4 ∈ W such that (w3 , w4 ) ∈ RX and (w2 , w4 ) ∈ RO 3.2. INTERACTION PROPERTIES 47 Notice that in a linear-time framework, the ’confluence’ property is equivalent to the ’no learning’ property. Another point of view consists in associating ’perfect recall’ and ’confluence’ properties with particular refinement relations between the restriction to the ideal states of a CT L ⊗ SDL and the whole Kripke frame. Let us formally define a refinement relation between an abstract system and a concrete one. Definition 34 (Refinement relation). Given two Kripke frames Sa = (Wa , Ra ) (abstract system) and Sc = (Wc , Rc ) (concrete system), and a relation R ⊆ Wc × Wa . The abstract system Sa is refined by R into the concrete system Sc if ∀wa ∈ Wa if (wc , wa ) ∈ R ∧ (wc , wc ) ∈ Rc ∀wc , wc ∈ Wc then ∃wa ∈ Wa such that (wc , wa ) ∈ R and (wa , wa ) ∈ Ra In a CT L ⊗ SDL-frame F = (W, I, RX , RO ), let Wc and Wa be respectively the domain and the co-domain of RO . Wa is the set of the ideal worlds, and we will see it as the set of the abstract worlds. Wc = W , since RO is serial, it will be considered as the set of the concrete worlds. We note Ra the restriction of RX to Wa and Rc = RX . Given such a frame F , the following properties hold: (i) F satisfies the ’confluence’ property iff (Wa , Ra ) is refined into (Wc , Rc ) by RO (ii) F satisfies the ’no learning’ property iff (Wa , Ra−1 ) is refined into (Wc , Rc−1 ) by RO 3.2.4 Obligation and branching time Depending on the model of time we consider (linear or branching-tree), obligatory formulas have a different kind. A linear-time formula describes a behaviour (or a set of behaviours) whereas a branching-time formula describes a state (or a set of states) in a tree-like model. For instance, O(pU q) can read as it is obligatory to have a behaviour which satisfies pU q, whereas O(E(pU q)) can be read as it is obligatory to be in a state such that there exists an outgoing path satisfying pU q. These are clearly distinct kinds of obligations. In the literature, we only find the former kind of temporal obligations. However, the latter can have practical applications. For instance, it can be interesting to specify that it is always obligatory to be in a state such that it is possible to re-initialize the system. This property can be expressed by the formula AG (O(EXreinit)). In the remainder of this Ph.D. thesis, we only deal with the former kind of obligations, where the temporal formulas which are in the field of a deontic operator are linear-time formulas. 48 CHAPTER 3. COMBINING TEMPORAL AND DEONTIC LOGICS 3.3 Product This section deals with the product of temporal and deontic logics. It provides a strong interaction between temporal and deontic dimensions. Product seems well suited to our framework without norm updates. For instance, ’no learning’, ’perfect recall’, and ’confluence’ properties all stand in a product logic. This strong interaction makes product more complex than fusion. For instance, decidability is much more difficult to establish, and the complexity of the satisfiability problem is not elementary for the product LT L K [57]. Section 3.3.1 introduces product of general modal logics. Section 3.3.2 studies product of linear temporal logic and standard deontic logic. 3.3.1 Product of modal logics We define here the two-dimensional product of unimodal logics [117, 57]. That is, we are dealing with product logics formulated in the bimodal language ML2 . (We can easily generalize this definition to two-dimensional product of multimodal logics.) Product logics are defined in a semantic way. Thus, we have to begin with the definition of the product of two 1-frames, that is two frames of 1 dimension. Definition 35 (Product frame). Let F1 = (W1 , R1 ) and F2 = (W2 , R2 ) be F2 as the 2-frame (W1 × two 1-frames. We define the product frame F1 W2 , Rh , Rv ), where ∀u1 , v1 ∈ W1 , u2 , v2 ∈ W2 (u1 , u2 )Rh (v1 , v2 ) (u1 , u2 )Rv (v1 , v2 ) iff iff u1 R1 v1 and u2 = v2 u2 R2 v2 and u1 = v1 W2 v2 R1, R2 u2 Rh, Rv u1 v1 W1 Figure 3.4: Illustration of the product (W1 , R1 ) (W2 , R2 ) 3.3. PRODUCT 49 The names Rh and Rv , for “horizontal” and “vertical”, are used to give a geometrical point of view. Figure 3.4 shows an illustration of a product (W2 , R2 ). frame (W1 , R1 ) Given a set P of atomic propositions, a product model based on the prod (W2 , R2 ) is then a pair ((W1 , R1 ) (W2 , R2 ), V ) uct frame (W1 , R1 ) where V : W1 × W2 → 2P associates each product state with a set of atomic propositions. A product logic is then defined as the logic determined by a class of product frames. More precisely, given two Kripke complete modal logics L1 and L2 , the product logic L1 L2 is defined as def L1 L2 = Log({F1 F2 / F1 ∈ F r(L1 ) and F2 ∈ F r(L2 )}) L2 is a two-modal Note that if L1 and L2 are unimodal logics, then L1 logic. If the name of the modal necessity operators of L1 and L2 are both , then we call h and v the modal operators associated with the horizontal relation and the vertical relation respectively. Similarly, we call ♦h and ♦v the possibility operators. To define the product of multimodal logics, we have to define the product L2 of n-frames. If L1 and L2 are respectively in MLn and MLm , then L1 is in MLn+m . The following properties which correspond to ’perfect recall’, ’no learning’, and ’confluence’ properties studied in section 3.2, are valid in every product frame. In this generic framework, the ’perfect recall’ and ’no learning’ properties are considered as commutativity properties, and we name them com1 and com2 respectively. v h ϕ ⇒ h v ϕ (com1) h v ϕ ⇒ v h ϕ (com2) ♦ h v ϕ ⇒ v ♦ h ϕ (conf ) We have seen that these three interaction axioms are valid in every product frame. However, there is no general result concerning a complete axiomatization of products [80]. Indeed, these axioms are not enough to characterize product frames in general although they are sufficient for the product of several standard modal logics. In [57], such logics are called ’product matching’: L1 and L2 are called ’product matching’ if L2 = (L1 ⊗ L2 ) ⊕ com1 ⊕ com2 ⊕ conf L1 In particular, if L1 and L2 are logics from the list (K, KD, KT, S4, S5), then L2 = (L1 ⊗ L2 ) ⊕ com1 ⊕ com2 ⊕ conf [80]. L1 Notice that we always have the following inclusion: L2 (L1 ⊗ L2 ) ⊕ com1 ⊕ com2 ⊕ conf ⊆ L1 50 CHAPTER 3. COMBINING TEMPORAL AND DEONTIC LOGICS Another important issue is decidabilty: the product of two decidable logics is not necessarily decidable. For instance LT L(X, U ) LT L(X, U ) is not decidable [57]. 3.3.2 Product LT L SDL Here, we focus on the product of Linear Temporal Logic (LT L) and Standard Deontic Logic (SDL). If T = (N, <) is a linear temporal frame, and D = (W, R), where R is serial, a deontic frame, then we denote (S, <t , Rd ) the product frame T D (see section 3.3.1, definition 35). Figure 3.5 provides an illustration. Each element of W represent a whole flow of time, and is then called a history. Elements of S = N × W , i.e., moment/history pairs, are called states. W, R w2 w1 R Rd w0 0 1 2 N, < Figure 3.5: Illustration of the product (N, <) (W, R) Given a set P of atomic propositions, a valuation V for T D is a function V : S → 2P that associates each state with a set of atomic propositions. The pair (T D, V ) is then called a product model based on T D. The language of the product logic LT L SDL is L(X, U, O ). Notice L2 , we need subscripts to that in the general definition of a product L1 distinguish the operators which come from L1 from those which come from L2 (see section 3.3.1). Since temporal and deontic operators have different names in the original language, we do not need subscripts here and keep original names for product operators. The semantics of obligation is defined as the vertical necessity operator v , and the semantics of the temporal operators needs to be taken care of because they differ from usual necessity operators. We can now define the satisfaction relation for the deontic and temporal product logic. A formula ϕ of LT L SDL is interpreted on a state of a product model. Because of the temporal operators, the generic possible worlds semantics 3.3. PRODUCT 51 given in chapter 2 does not match exactly. Definition 36 (Satisfaction). Given a product model ((S, <t , Rd ), V ), a state s = (i, w) ∈ S, and a formula ϕ, we can define the satisfaction relation |= by induction on the structure of ϕ: s |= Xϕ s |= ϕ1 U ϕ2 where “ t ” is defined by (i + 1, w) |= ϕ where s = (i, w) ∃s t s such that s |= ϕ2 and ∀s” ∈ S if s t s <t s then s |= ϕ1 s t s iff s <t s or s = s s |= Oϕ ∀s ∈ S iff iff iff if sRd s then s |= ϕ Let us discuss the interaction between the two dimensions (deontic and temporal). For instance, there is no difference between “it is permitted that ϕ holds tomorrow”, and “tomorrow, it will be permitted that ϕ holds”. This corresponds to the validity of P (Xϕ) ⇔ XP ϕ. Indeed, let s = (i, w) ∈ W be a state. Suppose that s |= P (Xϕ). Then there is a state s = (i, w ) such that sRd s and s |= Xϕ. So (i+1, w ) |= ϕ. And thus (i+1, w) |= P ϕ. So we can deduce s |= XP ϕ. In the same way, we can show that |= XP ϕ ⇒ PXϕ. Then, |= P Xϕ ⇔ XP ϕ In fact, this formula is equivalent to the conjunction of the ’perfect recall’ and ’no learning’ properties: |= OXϕ ⇔ XO ϕ Notice that the confluence property is equivalent to the ’no learning’ property in the linear-time framework. The above commutativity properties are typical for product logics. In our context of temporal and deontic product, they reflect the fact the deontic realm is not updated, as we said in the introduction. So, if it is obligatory to go to Paris tomorrow, then tomorrow it will be obligatory to go to Paris immediately, and vice versa. An important question is the following “are these two properties (’perfect recall’ and ’no learning’) enough to characterize LT L SDL? ”. To the best of our knowledge, there is no result for LT L(X, U ). However, we have that LT L(X, X −1 ) and KD are productmatching. SDL = (LT L(X, X −1 ) ⊗ SDL) ⊕ com1 ⊕ Property 7. LT L(X, X −1 ) com2 ⊕ conf Proof. The result can be deduced from the axiomatization of N OM AD [41], which has a richer language, but similar axiomatization and semantics. 52 CHAPTER 3. COMBINING TEMPORAL AND DEONTIC LOGICS Let us consider decidability results for LT L SDL. A standard way to demonstrate decidability is to show that the considered logic has the finite model property. In our case, the logic LT L(X, U ) SDL lacks the finite model property but remains decidable. Property 8. LT L(X, U ) SDL has not the finite model property. Proof. Let us exhibit a formula in L(X, U ) which may be satisfiable only for infinite product frames. Consider the following statement “p is always permitted, and p ought to happen at most once”. It corresponds to the formula def ϕ = GP p ∧ O(AtMostOne(p)), where p ∈ P is an atomic proposition, and AtMostOne(p) is the abbreviation of G(p ⇒ XG¬p), which means p happens at most once. Then there is no finite frame (N × W, <t , Rd ) on which ϕ is satisfiable. Indeed a model of ϕ necessarily contains a infinite number of ’alternatives’, i.e., W is necessarily infinite. Indeed, let (i, w) a state which satisfies ϕ. Then every (i + k, w) satisfies P p. So, for each of these future states, there is an ideal alternative state (i + k, w ) satisfying p. The subformula AtM ostOne(p) ensures that each such ideal state is different from the others. It follows that there are as many alternatives w as points in the future. Property 9. LT L(X, U ) SDL is decidable. Proof. The proof directly follows from the decidability of LT L(X, U ) K [57] and the existence of a translation T such that ϕ is valid for LT L(X, U ) def SDL if and only if T (ϕ) is valid for LT L(X, U ) K (with T (ψ) = (T (ψ)) ∧ ♦) 4 Propagation property This chapter deals with a family of interaction properties which corresponds to a strong intuition: if a future-directed obligation is not fulfilled, then it is propagated to the next moment. Section 4.1 studies obligations with deadline, which are especially concerned with propagation. We propose different semantic definition for an operator dedicated to deadline obligations, in the framework of the product LT L SDL. In section 4.2, we study a more general form of propagation property and propose a framework for validating it. Starting from LT L SDL, we change the semantics of obligation in order to validate the propagation property. We come to a problem in section 4.2.2, which has to do with the violation of propositional formulas. We then consider the problem from a different point of view in section 4.2.3, and look for a necessary and sufficient condition for an arbitrary temporal deontic model to validate the propagation property. It turns out that when an ’immediate obligation’ is violated at some moment, undesirable properties necessarily occur from that instant on. We then refine our semantics in section 4.2.4 with a preference-based deontic relation, so that the propagation property is only satisfied in the states that do not violate any immediate violations. 4.1 Deadline obligation Obligations with deadline constitute one of the most natural ways to reason about temporal and deontic notions. They involve a strong interaction between both dimensions: if I have to go to Paris before Sunday, and I do not go to Paris today, then it seems natural to deduce that tomorrow I will have to go to Paris. These interactions have been studied in different frameworks. In [30, 27], Broersen et al. use a reductionist approach: the goal is to model obligations with deadline in CT L, or AT L, using a violation constant, and 53 CHAPTER 4. PROPAGATION PROPERTY 54 an ideality constant. [43] studies deadline obligations, where the deadline is a formula instead of a concrete duration. This can be considered as a more abstract point of view. Cuppens et al. also study deadline obligations in N OM AD [41]. Their logic is close to a product and can be considered as a starting point of our work. Nevertheless, the deontic dimension is not tackled similarly. There is a distinction between two kinds of obligations: contextual obligations, which are defined in terms of a necessity modality and do not interact with ’what happens’, and effective obligations, which can interact with the temporal dimension. In this section, we propose different definitions for obligation with deadline, and for each of them, we study the properties presented in the following subsection. We work in the framework of product LT L SDL, i.e., we consider the satisfaction relation, the validity, and the satisfiability of LT L SDL. 4.1.1 Studied properties In this section, the obligation to satisfy ϕ before k time units, where k ∈ N, is denoted by Ok (ϕ). We propose different definitions for Ok , and study the following properties for each definition: • monotonicity properties – with respect to the deadline if it is obligatory to satisfy ϕ before a deadline k, is it obligatory to satisfy ϕ before a greater deadline k ? ? with k k |= Ok (ϕ) ⇒ Ok (ϕ) – with respect to the obligatory formula If ϕ1 implies ϕ2 , is it the case that Ok (ϕ1 ) implies Ok (ϕ2 )? if |= ϕ1 ⇒ ϕ2 then ? |= Ok (ϕ1 ) ⇒ Ok (ϕ2 ) Notice that the two following properties, sometimes also named monotonicity properties, are equivalent to the latter property: ? |= Ok (ϕ1 ∧ ϕ2 ) ⇒ Ok (ϕ1 ) and ? |= Ok (ϕ1 ) ⇒ Ok (ϕ1 ∨ ϕ2 ) • ’perfect recall’ for Ok If it is obligatory to satisfy Xϕ before k then in the next state, will it be obligatory to satisfy ϕ before k? ? |= Ok (Xϕ) ⇒ XOk (ϕ) 4.1. DEADLINE OBLIGATION 55 Notice that the original ’perfect recall’ property (O (Xϕ) ⇒ XO(ϕ)) only concerns the operator O. In this section which deals with deadline obligation, we use the denomination ’perfect recall’ property for this Ok property. A similar clarification stands for the ’no learning’ property. • ’no learning property’ for Ok If in the next state it will be obligatory to satisfy ϕ before k then in the current state, is it obligatory to satisfy Xϕ before k? ? |= XOk (ϕ) ⇒ Ok (Xϕ) • propagation property If it is obligatory to satisfy ϕ before k, and ϕ is not satisfied now, or ϕ is prohibited now, then in the next state, will it be obligatory to satisfy ϕ before k − 1? ? |= Ok (ϕ) ∧ (¬ϕ ∨ O(¬ϕ)) ⇒ XOk−1 (ϕ) This property is essential for an obligation with deadline, and more generally, it is a key property of the interaction between the deontic and the temporal dimensions. A more general form of propagation property will be dealt with in the next section. In the present form, the property expresses that an obligation with deadline is propagated while it is not fulfilled. Let us justify the formalization of ’not fulfilled’ by ¬ϕ ∨ O(¬ϕ), i.e., the formalization of ’fulfilled’ by ϕ ∧ ¬O(¬ϕ). Consider it is obligatory to satisfy ϕ before k, and it is forbidden to satisfy it at some moments between i and i + k, where i is the current moment. For instance, O10 (ϕ) ∧ O(¬Xϕ) ∧ O(¬XXϕ) means that it is obligatory to satisfy ϕ before i + 10, but it is forbidden to satisfy it at i + 1, and at i + 2. Then, fulfilling the obligation naturally corresponds to satisfying ϕ at any moment between i and i + 10, except i + 1 and i + 2, i.e., any moment where ϕ is permitted. In other words, we consider that fulfilling def ϕ means satisfying ϕ ∧ P(ϕ) (let us remind that P (ϕ) = ¬O(¬ϕ)). • D-like axiom Is it unsatisfiable that ϕ and ¬ϕ are both obligatory (in the sense of O0 )? ? |= ¬ (O0 (ϕ) ∧ O0 (¬ϕ)) • interaction between Ok1 and Fk2 1 Is there a distinction between the obligation to satisfy Fk2 ϕ before k1 1 Fk ϕ means ’ϕ will be satisfied before k time units’, cf. section 2.3.1 CHAPTER 4. PROPAGATION PROPERTY 56 and the obligation to satisfy ϕ before k1 + k2 ? ? |= Ok1 (Fk2 (ϕ)) ⇔ Ok1 +k2 (ϕ) At first sight, all these properties are desirable. Actually, we will see that different readings of Ok are possible, and some of these properties may be desirable according to one reading and undesirable according to another. Besides, we argue against the ’no learning’ property independently of Ok ’s reading. Indeed, let us consider more closely the relation between the ’no learning’ property and the propagation property. The propagation property specifies that obligations in the current state together with propositions in the current state, imply some obligations in the next state. On the other hand, the ’no learning’ property expresses that every obligation in the next state already holds in the current state. So the obligations in the next state which are deduced from the propagation property are already true in the current state according to the ’no learning’ property. This is not intuitive. Indeed, let us consider the following situation: • it is obligatory to satisfy p before tomorrow, but it is not obligatory to satisfy p tomorrow. This is expressed by the formula O1 (p) ∧ ¬O(Xp). Intuitively, this should be satisfiable (what is obligatory is to satisfy p today or tomorrow, not to satisfy p tomorrow). • p is not satisfied now: ¬p. The deadline obligation is not fulfilled today and it propagates. Thus, tomorrow, it will be obligatory to satisfy p. Thus, the conjunction O1 (p) ∧ ¬O (Xp) ∧ ¬p seems perfectly satisfiable, and yet it is not the case with our definition of Ok . Indeed, from the propagation property we deduce XO0 (p), and from the ’no learning’ property, we deduce O0 (Xp), which is in contradiction with ¬O(Xp). 4.1.2 A first attempt for defining deadline obligation The natural way to specify an obligation Ok (ϕ) to satisfy ϕ before k time def units is: Ok (ϕ) = O(Fk ϕ) Property 10 (Properties of Ok ). • The properties of monotonicity (with respect to the deadline and with respect to the obligatory formula) hold. • ’Perfect recall’ and ’no learning’ properties for Ok hold. |= Ok (Xϕ) ⇔ XOk (ϕ) 4.1. DEADLINE OBLIGATION 57 These are consequences of the original ’perfect recall’ and ’no learning’ properties for the operator O. • The pure-deontic part of the propagation property holds: |= Ok (ϕ) ∧ O(¬ϕ) ⇒ XOk−1 (ϕ) But the other part, which involves an interaction between what happens and what is obligatory, does not hold: Ok (ϕ) ∧ ¬ϕ ⇒ XOk−1 (ϕ) Indeed, a state (i, w) satisfies Ok ϕ if all the ideal states of (i, w) satisfy ϕ before k time units. But one of these ideal states may satisfy ϕ now, and ¬ϕ thereafter. In this case, the obligation does not hold in one time unit, even if ϕ has not been satisfied. • Axiom D for O0 is valid since O0 (ϕ) = O(ϕ). |= ¬(O0 (ϕ) ∧ O0 (¬ϕ)) • The interaction between Ok1 and Fk2 validates the following property |= Ok1 (Fk2 (ϕ)) ⇔ Ok1 +k2 (ϕ) This property follows from |= Fk1 Fk2 (ϕ) ⇔ Fk1 +k2 (ϕ). 4.1.3 Validation of the propagation property Now we consider another definition so that the ’complete’ propagation property holds. Based on the idea developed in [43], we consider that the obligation with deadline Ok (ϕ) is true if O(Fk ϕ) remains true (with k decremented at each time step) while ϕ is not satisfied or ϕ is prohibited, until the deadline is reached. Definition 37 (Obligation with deadline). O(ϕ) if k = 0 def Ok (ϕ) = O(Fk ϕ) ∧ ((¬ϕ ∨ O(¬ϕ)) ⇒ X Ok−1 (ϕ)) otherwise Property 11 (Properties of Ok ). • Monotonicity properties (with respect to the deadline and with respect to the obligatory formula) are valid. • ’Perfect recall’ and ’no learning’ properties are valid: |= Ok (Xϕ) ⇔ XOk (ϕ) CHAPTER 4. PROPAGATION PROPERTY 58 • The propagation property is valid: |= Ok (ϕ) ∧ (¬ϕ ∨ O(¬ϕ)) ⇒ XOk−1 (ϕ) • Axiom D for O0 is valid because O0 (ϕ) = O(ϕ). |= ¬(O0 (ϕ) ∧ O0 (¬ϕ)) • There is no interaction between Ok1 and Fk2 : Ok1 (Fk2 ϕ) ⇒ Ok1 +k2 (ϕ) Ok1 +k2 (ϕ) ⇒ Ok1 (Fk2 ϕ) Proofs of these properties are given in the appendix. This definition validates most of the properties that we have specified as desirable, at a first sight. However, as argued in section 4.1.1, the ’no learning’ property is not desirable. Moreover, properties which relate Ok and Fk do not hold. The next proposition for Ok overcomes these problems. 4.1.4 New operator Ok Another point of view consists in considering that O(Fk ϕ) still makes sense, and corresponds to the starting point of an obligation to satisfy ϕ before k. Let us remember that the latter definition of Ok imposes that O(Fk ϕ) remains true while the deadline obligation propagates. On the other hand, we now consider the following definition. Ok (ϕ) holds from the moment at which the obligation is posted, i.e., when O(Fk ϕ) is true, and Ok (ϕ) remains true (with k decremented at each time step) while ϕ is not satisfied and the deadline is not reached. So, the moment where an obligation with deadline is posted plays an important role. We then define an operator Ok (ϕ, k ) which means that “k time units ago, an obligation to satisfy ϕ before k + k was posted, and the obligation has not been fulfilled yet”. The corresponding semantic characterization is then as follows. (i, w) |= Ok (ϕ, k ) iff (i − k , w) |= OFk+k ϕ and (i − k , w) O Fk+k −1 ϕ and ∀j ∈ N if i − k j < i then (j,w) |= ¬ϕ ∨ O(¬ϕ) The first line of the semantic characterization expresses that k’ time units ago, an obligation O(Fk+k ϕ) was true. The second line means that k time units ago, there was no obligation to satisfy ϕ before a shorter deadline. Thus k is the shortest deadline before which there is an obligation to satisfy ϕ. We need this ’minimality’ criterion because of the past moment k . Indeed, it is clear in the following example. Consider an instant i > 0, and suppose that 4.1. DEADLINE OBLIGATION 59 (1) at i − 1, O(ϕ) ∧ ¬ϕ holds. (2) at i, O(¬ϕ ∧ ¬Xϕ) holds. Intuitively, there is no conflict between (1) and (2). Yet, from (1) we deduce that O(F2 ϕ) ∧ ¬ϕ holds at i − 1. Thus, without the second line of the definition, we can deduce that O2 (ϕ, 0) and O1 (ϕ, 1) holds respectively at instants i − 1 and i. So, at i, there is an obligation to satisfy ϕ before 1 time unit. This intuitively conflicts with the prohibition (2) to satisfy ϕ at i and at i + 1. So, in the definition, we only consider at the past moment k the minimal deadline k + k for which there is O(Fk+k ϕ). In fact, the meaning of Ok (ϕ, k ) is “k time units ago, there was an obligation to satisfy ϕ before k+k , but not before k+k −1, and the obligation has not been fulfilled yet”. The third line of the semantic characterization means that the obligation has not been fulfilled yet. This semantic definition is equivalent to the following definition in the logic LT L SDL: Definition 38. def Ok (ϕ, k ) = X −k O(Fk+k ϕ) ∧ ¬O(Fk+k −1 ϕ) ∧ G<k (¬ϕ ∨ O(¬ϕ) if k = 0 def . where G<k ϕ = ϕ ∧ XG<k−1 ϕ otherwise Notice that contrary to the previous definitions, we need a past operator to define Ok . The definition of the obligation with deadline is then straightforward. Definition 39 (Obligation with deadline). Given a product model ((S, <t , Rd ), V ), a state (i, w) ∈ S, a natural number k ∈ N, and a formula ϕ of LT L SDL, we define the truth relation for Ok (ϕ) as follows i, w |= Ok (ϕ) iff ∃k ∈ N such that i, w |= Ok (ϕ, k ) Notice that Ok is not defined in our logical language because of the existential quantifier, and we do not have a decidability result concerning our logic enriched with Ok . Figure 4.1 illustrates this definition. In the fist state, an obligation to satisfy p before 2 time units is posted, since O (F2 p) is true and O(F1 p) is false. So O2 (p) holds in the first state. Since p is not satisfied in this first state, the deadline obligation is propagated: O1 (p) is true in the next state. Since it is prohibited to satisfy p in the second state (O (¬p) holds), the deadline obligation is propagated again: O0 (p) holds in the third state. CHAPTER 4. PROPAGATION PROPERTY 60 p p p O(F2(p) O2(p) p O(¬p) O1(p) O0(p) Figure 4.1: Deadline obligation Notice that in this example, the obligation with deadline is violated because p does not hold in the third state, and the prohibition in the second state is also violated, because p is true in this state. Actually, we can express, from the behaviour of the ideal histories, the following rules: it is obligatory to satisfy p either in the first or in the third state, and it is prohibited to satisfy p in the second state. In this example, the current history does not comply with any rule. Now we study the properties which are satisfied by this new operator. Property 12 (Properties of Ok ). • Because of the ’minimality’ criterion, the monotonicity property with respect to the deadline is not valid. Indeed, Ok (ϕ) means that it is obligatory to satisfy ϕ before k, and not obligatory to satisfy ϕ before a shorter deadline. • The monotonicity property with respect to the obligatory formula does not hold either. This is problematic, and will be discussed at the end of this section. • The ’no learning’ property does not hold, which is a positive result. XOk (ϕ) ⇒ Ok (Xϕ) • The ’perfect recall’ property is valid. |= Ok (Xϕ) ⇒ XOk (ϕ) 4.1. DEADLINE OBLIGATION 61 • The propagation property is valid. |= Ok (ϕ) ∧ (¬ϕ ∨ O(¬ϕ)) ⇒ XOk−1 (ϕ) • Axiom D for O0 is valid: |= ¬(O0 (ϕ) ∧ O0 (¬ϕ)) • Ok1 and Fk2 interact as follows: If it is obligatory to satisfy ϕ before k1 + k2 , then it is obligatory to satisfy Fk2 ϕ before k1 . |= Ok1 +k2 (ϕ) ⇒ Ok1 (Fk2 ϕ) On the other hand, the converse property is not valid. Ok1 (Fk2 ϕ) ⇒ Ok1 +k2 (ϕ) Given a state (i, w) the first two lines of the semantic definition of Ok1 (Fk2 ϕ) and Ok1 (Fk2 ϕ) are equal, because Fk1 Fk2 . Indeed, according to our definition, Ok1 (Fk2 ϕ) implies that Fk2 ϕ has not been fulfilled since the obligation were posted, whereas Ok1 +k2 (ϕ) only implies that ϕ has not been fulfilled since the obligation were posted, which is a weaker condition. Proofs are given in the appendix. Let us further investigate the properties of Ok . The following question arises from the ’minimality’ criterion: although the deadline k is ’minimal’ in Ok , i.e., Ok (ϕ) does not imply necessarily Ok (ϕ), for k k, is it possible anyway to have Ok1 (ϕ) and Ok2 (ϕ), for k1 = k2 in the same state? The answer is positive. Indeed, it may be the case that • k1 time units ago, an obligation to satisfy ϕ before k1 + k1 was posted, i.e., Ok1 (ϕ, k1 ) is satisfied • and k2 time units ago, an obligation to satisfy ϕ before k2 + k2 was posted, i.e., Ok2 (ϕ, k2 ) is satisfied Figure 4.2 illustrates such a situation. If we consider the instant 2, we have: • an obligation to satisfy p before 2 time units was posted two time units ago • an obligation to satisfy p before 3 time units was posted one time unit ago • p has not been satisfied yet CHAPTER 4. PROPAGATION PROPERTY 62 p p p p 0 O(F2(p) 1 2 O0(p) 3 4 O(F3(p) O2(p) Figure 4.2: Obligation to satisfy p before two distinct deadlines Thus, instant 2 satisfies O0 (ϕ) and O2 (ϕ). Another question concerns the monotonicity property with respect to the obligatory formula. In order to validate it, a solution could be to change again the semantic definition of our operator as follows: Definition 40 (Monotonous obligation with deadline). |= ψ ⇒ ϕ (i, w) |= Okm (ϕ) iff ∃ψ ∈ LLT L SDL and (i, w) |= Ok (ψ) So, this operator has the monotonicity property. |= Okm (ϕ1 ∧ ϕ2 ) ⇒ Okm (ϕ1 ) ∧ Okm (ϕ1 ) It also has the following properties we have studied for Ok : • propagation property m (ϕ) |= Okm (ϕ) ∧ (O(¬ϕ) ∨ ¬ϕ) ⇒ XOk−1 • interaction between Ok1 and Fk2 |= Ok1 +k2 (ϕ) ⇒ Ok1 (Fk2 (ϕ) But this monotonous operator lacks the ’perfect recall’ property and axiom D: • Okm (Xϕ) ⇒ XOkm (ϕ) 4.2. GENERAL PROPAGATION PROPERTY 63 • ¬(O0m (ϕ) ∧ O0m (¬ϕ)) Thus, although the two definitions we have proposed for a deadline obligation operator in a product setting are interesting in many points, we have not obtained a fully satisfactory solution. Rather than defining an operator dedicated to deadline obligations, the next section proposes another semantics for the (general) obligation in a temporal framework which takes into account interactions and validate a generalized propagation property. 4.2 General propagation property We want to consider a propagation property as general as possible. For instance we want to capture the obligation with deadline, or the obligation to meet something eventually (without deadline). The obligation to satisfy ϕ now, or ψ next seems to be the most general kind of obligation for which we want to study the propagation. Indeed, the obligation with deadline O(Fk (ϕ)) (with k > 0) can be re-written O(ϕ ∨ XFk−1 (ϕ)), and the obligation to satisfy ϕ eventually O(F ϕ) can be re-written O(ϕ ∨ XF (ϕ)). Starting from the product LT L SDL of temporal and deontic logics, we propose a logical framework which guarantees this propagation property. 4.2.1 Propagation property and product As a first attempt for formalizing a propagation property to be added to the product logic, we consider: O(ϕ ∨ Xψ) ∧ ¬ϕ ⇒ XO(ψ) (4.1) If it is obligatory to meet ϕ now, or ψ next, and ϕ is not satisfied now, then it will be obligatory next to meet ψ. Let us first discuss the nature of the formula ϕ. Intuitively, ϕ only concerns the present. Indeed, the propagation property expresses that what will be obligatory at the next step may depend on what happens now (ϕ not being true). So it is natural to consider that ϕ is a propositional formula. Otherwise, if ϕ contained future operators, what will be obligatory at the next step would depend on something which has not happened yet. Let us now refine the formalization of the propagation property. We do not want that from the propagation property and the properties of the temporal deontic logic it follows that Oϕ∧¬ϕ ⇒ XO (ψ). Yet this property does follow from 4.1 in combination with (a temporal variant of) weakening of obligations: Oϕ ⇒ O(ϕ∨Xψ). To solve this problem, we re-formalize the propagation property, in order to prevent that in combination with temporal weakening it can be used to derive this unwanted property. To achieve this, we restrict the propagation property (4.1) to the case where O (ϕ) is false2 , 2 Another strategy might be to attack the temporal weakening property directly. 64 CHAPTER 4. PROPAGATION PROPERTY and we thus arrive at the following property instead of (4.1): O(ϕ ∨ Xψ) ∧ ¬Oϕ ∧ ¬ϕ ⇒ XO (ψ) (4.2) for any propositional formula ϕ, and any temporal formula ψ Similarly, we may explicitly exclude that O (Xψ) holds in the premise of the property. So we may formulate the propagation formula as follows: O(ϕ ∨ Xψ) ∧ ¬Oϕ ∧ ¬OXψ ∧ ¬ϕ ⇒ XO (ψ) (4.3) for any propositional formula ϕ, and any temporal formula ψ However, the conjunction of the ’perfect recall’ property for temporal formulas (O(Xϕ) ⇒ XO (ϕ) for any temporal formula ϕ) and property (4.3) is equivalent to property (4.2). Indeed, property (4.2) obviously implies property (4.3) and the ’perfect recall’ property (with ⊥ for ϕ in property (4.2)). On the other hand, suppose that property (4.3) and the ’perfect recall’ property hold. Also suppose that O(ϕ∨Xψ)∧¬O ϕ∧¬ϕ holds, for a propositional formula ϕ, and a formula ψ. If ¬O(Xψ), then, from property (4.3) we can deduce XO (ψ). Otherwise, from the ’perfect recall’ property, we also deduce XO(ψ). So, property (4.2) holds. So, in the product setting, since, the ’perfect recall’ property is valid, properties (4.2) and (4.3) are equivalent. But, now we have to conclude that the propagation property is not compatible with a genuine product: we can consistently add property (4.2) to the product logic, but we will never have a case where XO (ψ) is really a consequence of O(ϕ ∨ Xψ) ∧ ¬Oϕ ∧ ¬ϕ being true. In fact, a product model satisfies property (4.3) only if it does not satisfy the hypothesis O(ϕ∨ Xψ)∧ ¬O (ϕ)∧ ¬O(Xψ)∧ ¬ϕ. (Indeed, if a product model satisfied the hypothesis O (ϕ∨ Xψ)∧ ¬O (ϕ)∧ ¬O (Xψ)∧ ¬ϕ, in some state s, for some ϕ and ψ, then, from the ’no learning’ property, we could deduce ¬XO(ψ) in s.) This corresponds to a product model where all the ideal states of a given state have the same valuation, which is clearly not interesting to work with. We then propose to drop the ‘no learning’ property XO ϕ ⇒ OXϕ. So, we will no longer have a genuine product. But this is in accordance with intuitions. Indeed, looking at the propagation property, it may be the case that obligation O(ψ) holds in the next state while it does not hold in the current state (even if O(ϕ ∨ Xψ) holds in the current state). The above discussion shows that this is incompatible with a product; we have to allow some dynamics in the deontic dimensions because obligations may be inherited from earlier states. We do however preserve the ‘perfect recall’ property O Xϕ ⇒ XO ϕ that expresses that no obligations are ‘forgotten’ over time. So, in the remainder, we will study property (4.2), which is shorter. 4.2. GENERAL PROPAGATION PROPERTY 4.2.2 65 Semantics based on the restriction of the ideal states In this section, our goal is to define a semantics that satisfies the propagation property and the perfect recall property. To account for propagation, in the semantics we have to introduce a stronger interaction between what happens and what is obligatory, i.e., between what is true in the current state and what is true in the (next) ideal states. If we want to satisfy the perfect recall property, the set of ideal histories in the next state is a subset of the set of the ideal histories in the current state. The principle of propagation then should point us to what subset to take. Our idea is that for ideal histories at a next moment we should only take into account the histories that share the same past as the current history until the present moment. The reason for this is that we assume obligations do not apply to the past, but only to the present and the future. Then, clearly, we do not want to consider a past which is different from the ‘current’ past, as ideal. We thus only assess ideality for the histories that share their past with the current history. The collective past of the set of histories thus obtained then represents what actually has happened. And what actually has happened, is going to influence what is obliged currently, according to the preservation property we aim at. Let us define the predicate SamePast(s, s ) which says that the states s and s of a temporal deontic product model share the same past : SamePast((i, w), (i , w )) def = i = i ∧ ∀j < i V (j, w) = V (j, w ) This can also be formulated as follows SamePast((i, w), (i , w )) def = i = i ∧ V (w)<i = V (w )<i When interpreting an obligation in a state s, we only consider the states s which satisfy sRd s and SamePast(s, s ). Definition 41 (Semantics of the obligation (2)). Given a product model (S, <t , Rd ), a state s, and a formula ϕ, we now consider the following semantics for obligation: s |= Oϕ iff ∀s ∈ S if SamePast(s, s ) and sRd s then s |= ϕ Remark 4 (Ideal state, ideal history). For any instant i ∈ N, histories w, w , if SamePast((i, w), (i, w )) and (i, w)Rd (i, w ), then, we say that • (i, w ) is an ideal state for (i, w) • w is an ideal history for (i, w) With this new semantics, the deontic realm is described by fewer and fewer histories (which means that more and more formulas are obligatory) CHAPTER 4. PROPAGATION PROPERTY 66 when time passes. This is conform to the fact that we keep O(Xϕ) ⇒ XO (ϕ), and avoid XO(ϕ) ⇒ O(Xϕ); no obligations are forgotten, but some obligations may appear (in particular when they are propagated from a more general obligation in the previous state). w3 w2 w1 w0 {q} {} {p, q} {} {} {q} {} {p} {p} {p} {p} {p} {q} {q} {} {q} {} {p} 0 1 2 {p} {} 3 4 Figure 4.3: Semantics of obligation Propagation of obligations Let us illustrate, by the way of an example, how an obligation may propagate. Consider the product model illustrated in Figure 4.3, where, in state (0, w0 ), histories w1 , w2 , and w3 , are ideal. Then, we have for instance 0, w0 |= O(p ∨ XXp) ∧ ¬p. Since w0 does not satisfy p at instant 0, the history w1 which satisfies p at instant 0 is not ideal anymore at the next instant. So, only w2 and w3 (which satisfy XXp at instant 0) remain ideal at instant 1. Thus, the propagation applies, and we have 0, w0 |= XO (Xp). Let us now state the propagation property and propose a proof in the general case where ϕ is a propositional formula and ψ can be any formula. Property 13 (Propagation property). Let M be a temporal deontic product model. Then it satisfies the propagation property (4.2) for the obligation operator of definition 41: M |= O(ϕ ∨ Xψ) ∧ ¬O(ϕ) ∧ ¬ϕ ⇒ XO(ψ) for ϕ propositional formula, and ψ any temporal formula. Proof. Let M = ((S, <t , Rd ), V ) be a temporal deontic model, and s = (i, w) ∈ S a state such that s |= O(ϕ ∨ Xψ) ∧ ¬O(ϕ) ∧ ¬ϕ. Every s which is ideal in s, i.e., such that SamePast(s, s ) and sRd s , satisfies ϕ ∨ Xψ, and it is not the case that every such s satisfies ϕ. If some of these states s = (i, w ) have the same valuation as s, then they satisfy ¬ϕ (since ϕ is propositional, and s |= ¬ϕ), and ϕ ∨ Xψ. So, 4.2. GENERAL PROPAGATION PROPERTY 67 they satisfy Xψ. Thus, every state (i + 1, w ) which is ideal in (i + 1, w) satisfies ψ, i.e., (i + 1, w) |= Oψ. Otherwise (if none of the states s have the same valuation as s), there is no ideal state having the same past as (i + 1, w). So, every formula is obligatory in (i + 1, w). In particular, (i + 1, w) |= Oψ. Notice that we have proved the propagation property for any formula ψ although we are only interested in temporal formulas ψ. So we have that some of the obligations that may appear at a next state are due to the propagation property. In fact, the following property claims that the propagation property completely characterizes the new obligations that appear. New obligations We consider that an obligation O(ψ) is new if it holds in a state (i + 1, w) whereas it was not obligatory to satisfy Xψ in the previous state (i, w), i.e. if i, w |= XO(ψ) ∧ ¬O(Xψ). Property 14 (Characterization of new obligations). We suppose that the set P of atomic propositions is finite. For any formula ψ, if in a state s both the formulas XO(ψ) and ¬O(Xψ) hold, then there exists a propositional formula ϕ such that s |= O(ϕ ∨ Xψ) ∧ ¬ϕ So, if, in the next state, there will be an obligation to satisfy ψ and if this obligation is new (i.e., now, there is no obligation to meet ψ next), then it is due to a current obligation to satisfy ϕ ∨ Xψ where ϕ is propositional and not fulfilled. Proof. Let ψ a formula and s a state such that s |= XO(ψ) ∧ ¬O(Xψ). Let E the set of the ideal states of s which do not satisfy Xψ: def E = {s ∈ S / sRd s and SamePast(s, s ) and s |= ¬Xψ} We now define the set V (E) of all the valuations of states in E. This set is def finite (even if E is infinite) because it belongs to 22 . V (E) = {V (s) / s ∈ E}. Then we define the propositional formula P def ϕ = ( v∈V (E) p∈v p ∧ ¬p) p∈v / Then every ideal state of s either satisfies Xψ or is in E and satisfies ϕ. So s |= O(ϕ ∨ Xψ). Moreover, since s |= XO (ψ), the states in E - which do not satisfy Xψ - become not ideal at the next step. So they do not share the same atomic propositions with s. Thus s |= ¬ϕ. CHAPTER 4. PROPAGATION PROPERTY 68 Axiom D Unfortunately, not everything is fine. In particular, the deontically ideal histories may shrink to the empty set when time passes, as we saw in the proof of property 13. This conflicts with our desire to stay in accordance with SDL where obligations are always consistent: ¬O⊥. Another formulation is axiom D: Oϕ ⇒ Pϕ. Then, if from a state s, there is no ideal state with the same past, these properties cannot be satisfied, and every formula is obligatory in s, including ⊥. In particular this occurs if there is a violation of a proposition p in a state s = (i, w), i.e., if s |= O (p) ∧ ¬p. In this case no ideal state is associated with (i + 1, w). Property 15. With this semantics of obligation, axiom D is not valid: ¬O(⊥) and Oϕ ⇒ Pϕ for any formula ϕ As a solution to this problem, we might consider to add a constraint on the models expressing that from every state there exists an ideal state with the same past. Definition 42 (Ideal existence constraint on models). Let M = ((Sd , <d , Rd ), V ) be a temporal deontic product model. We say that M satisfies the ideal existence constraint if ∀s ∈ S ∃s ∈ S such that sRd s and SamePast(s, s ) This constraint now guarantees validity of axiom D. Property 16 (Axiom D). Let M be a temporal deontic product model that satisfies the ideal existence constraint. Then M |= ¬O⊥ or equivalently M |= Oϕ ⇒ Pϕ for any formula ϕ. However, again we have to face a problem: the ideal existence constraint interacts with the identical past criterion in an undesirable way. In particular, the above-mentioned situation where an obligation Op is violated in the current state (i, w) (i.e., i, w |= O(p) ∧ ¬p) is no longer possible. Indeed, in this situation, let us recall that no ideal state is associated with (i + 1, w), which directly conflicts with the ideal existence constraint. So, if in our logic, we impose both properties (axiom D and the propagation property), we actually get that obligations can never be violated. Property 17 (No violation). Let M be a model satisfying the ideal existence constraint and ϕ a formula. Then M |= ¬(O(ϕ) ∧ ¬ϕ). The conclusion has to be that we still have to refine the semantics: the violation of obligations should be possible, without losing the interaction between what happens and the deontic realm. We will propose a solution based on a preference deontic relation in section 4.2.4. 4.2. GENERAL PROPAGATION PROPERTY 4.2.3 69 Correspondence between the propagation property and a condition on models We have proposed a semantics which ensures the propagation property (4.2), and guarantees that every new obligation that appears in some state is ’due’ to the propagation of an obligation in the previous state. We have also expressed a sufficient condition on models for validating axiom D. Another possibility would be to follow the approach of the correspondence theory [125, 126] : the question would be to determine the class of the LT L⊗SDL-models which satisfy property (4.2). Notice that, because of the restriction on ϕ and ψ in property (4.2), to propositional formulas and temporal formulas respectively, we cannot determine the class of frames which characterize our property, as usually done in the correspondence theory. In fact, we need valuations and thus, we reason about models instead of frames. General temporal and deontic framework We first exhibit a class of frames which characterizes the fusion LT L ⊗ SDL. We consider a sub-class C1 of the class given in chapter 3, section 3.1.1, in order to stay closer to the notation of product frames. Indeed, it is then easier to establish the link with the semantics proposed in the previous section. This sub-class C1 still defines the same set of valid formulas, so it also characterizes LT L ⊗ SDL. Definition 43 (Class C1 of frames). We consider frames (N × W, <t , Rd ) where • N × W is the set of states. W represents a set of histories, and time is represented by N. • <t ⊆ (N × W ) × (N × W ) is defined from the usual strict order on N, as for the product LT L SDL, and from which we define the semantics of temporal operators, as usual. It is straightforward to show that <t satisfies the three conditions given in section 3.1.1, page 42. • Rd ⊆ (N × W ) × (N × W ) is a serial relation on (N × W ), and allows to define the semantics of obligation as usual. Without loss of generality, we assume that Rd only associates states which belong to the same instant: if (i, w)Rd (i , w ) then i = i 3 . Given a frame F in C1 , a valuation F is a function V : N × W → 2P which associates each state with a set of atomic propositions. A model based on F is a pair (F, V ), where V is a valuation for F . 3 Indeed, if a model based on (W, <t , Rd ) satisfies a formula ϕ, then we can build a model based on (Z × W, <t , Rd ) which also satisfies ϕ, such that Rd only associates states which belong to the same instant. CHAPTER 4. PROPAGATION PROPERTY 70 The definition of the satisfaction relation between a state (i, w) and a formula, denoted by |= 4.2.3 in remark 5 below, is defined straightforwardly: the satisfaction of temporal operators is defined with <t , and the satisfaction of obligation is defined with Rd . Remark 5. Notice that the semantics we have defined in section 4.2.2 (we denote the satisfaction relation by |= 4.2.2 ) can be defined in the framework of the present section (with satisfaction relation denoted by |=4.2.3 ): iff i, w |=4.2.2 ϕ i, w |=4.2.3 ϕ in the product model (N × W, <t , Rd , V ) in the model (N × W, <t , Rd ∩ SamePast, V ) (W, R), and where (N × W, <t , Rd , V ) is based on a product frame (N, <) satisfies the ideal existence constraint (cf definition 42) which ensures that (Rd ∩ SamePast) is serial. We are going to state a necessary condition on the one hand, and a sufficient condition on the other hand, on a C1 -model for satisfying the propagation property. Then, we will state a necessary and sufficient condition for satisfying the propagation property for safety formulas. Before stating these conditions, let us define some notations on sequences. • Given a temporal deontic model (N × W, <t , Rd , V ), and a history w ∈ W , we denote (w) the infinite sequence (V (0, w), V (1, w), . . .) of all the valuations along history w. If I is an infinite (resp. finite) interval, (w)I represents the infinite (resp. finite) sequence (V (i, w))i∈I . For instance, (w)]i,j] , with i < j, represents the finite sequence (V (i + 1, w), V (i + 2, w), . . . , V (j, w)); the infinite sequence (w)i denotes the suffix of (w) starting from index i. • Idi,w is the set of the sequences of valuations of the histories which are ideal from (i, w): def Idi,w = {(w )i / (i, w)Rd (i, w )} • Ai,w (resp. Bi,w ) is the set of the sequences of valuations of the histories which are ideal and have (resp. have not) the same valuation as w at i: def Ai,w = {(w )i ∈ Idi,w / V (i, w) = V (i, w )} def Bi,w = Idi,w − Ai,w • In the space of infinite sequences, we use the topology induced by the distance defined in chapter 2, section 2.3.3. Let us remind some basic properties. If two sequences x, y have the same elements until index k, def then their distance is d(x, y) = 1/k. A sequence x is in the closure of 4.2. GENERAL PROPAGATION PROPERTY 71 a set E of sequences if ∀k ∈ N ∃y ∈ E such that x and y have the same elements until index k. (Since we consider a metric space, the closure of E also equals the set of the limits of sequences in E.) Given a set E of sequences, the closure of E is denoted by E. Necessary condition Property 18 (Necessary condition). If a model (F, V ), where F = (N × W, <t , Rd ) is in C1 , satisfies the propagation property (4.2) then Rd satisfies one of the three following conditions: for every i ∈ N, w, w ∈ W such that w ∈ Idi+1,w (a) either (w )i is in the closure of Ai,w (w )i ∈ Ai,w (b) or Ai,w is empty and a strong constraint on (w )i applies Ai,w = ∅ and ∀cl ∈ Idi,w /≡i (w )i ∈ cl where the equivalence relation ≡i on Idi,w is defined as follows (Idi,w is then the quotient set): w ≡i w” iff V (i, w ) = V (i, w”). /≡i (c) or all the states which are ideal in (i, w) have the same valuation at i, and (w )i is in the closure of Idi,w Idi,w /≡i is a singleton and (w )i ∈ Idi,w Proof. Suppose that a model M = (N × W, <t , Rd , V ) in C1 satisfies the propagation property (4.2), and that w ∈ Idi+1,w , for some i ∈ N and w ∈ W . We consider three cases. First case: suppose that Ai,w = ∅ and that Idi,w /≡i is not a singleton (i.e., there are two ideal states which have a different valuation at i). We show that condition (a) holds. Indeed, suppose that it is not the case. Then / Ai,w,k where Ai,w,k is the there is an instant i + k such that (w )[i+1..i+k] ∈ def set of the valuations of any history in Ai,w between i + 1 and i + k: Ai,w,k = {(w )[i+1..i+k] / (w )i ∈ Ai,w }. For each seq ∈ Ai,w,k , we define the formula def p ∧ ¬p) ∧ . . . ∧ X k−1 ( p ∧ ¬p), where ψseq = ( seq(i) is p∈seq(1) p∈seq(1) / th the i element of seq. def can define the formula ψ = p∈seq(k) / p∈seq(k) P Since Ai,w,k is finite (contained in 2k∗2 ), we ψseq . Since Idi,w /≡i is not a singleton, seq∈Ai,w,k def Bi,w is not empty. So, we can define ϕ = v∈V (Bi,w ) p∈v p ∧ p∈v / ¬p, where V (Bi,w ) is the set of all the valuations of the states in Bi,w . Since all histories CHAPTER 4. PROPAGATION PROPERTY 72 in Ai,w satisfy Xψ at i, and all histories in Bi,w satisfy ϕ at i, we can deduce that i, w |= O(ϕ ∨ Xψ) ∧ ¬O(ϕ) ∧ ¬ϕ. So, i + 1, w |= O (ψ), and then / i + 1, w |= ψ, which is in contradiction with the fact that (w )[i+1..i+k] ∈ Ai,w,k . Thus, if Ai,w = ∅ and Idi,w /≡i is not a singleton, then condition (a) holds. Second case: suppose that Ai,w = ∅ and Idi,w /≡i is a not singleton. Let cl ∈ Idi,w /≡i be an equivalence class. We show that (w )i ∈ cl. Suppose that it is not the case. There is an instant i + k such that the valuation of w differs from any w” in cl at least in one instant between i + 1 and i + k. We build ψ as in the case (a), with cl instead of Ai,w . We define def ( p ∧ ¬p). Therefore, i, w |= O(ϕ ∨ Xψ) ∧ ¬O(ϕ). ϕ = v∈V (Idi,w \cl) p∈v p∈v / Moreover, i, w |= ¬ϕ since none of the ideal states have the same valuation as (i, w) (Ai,w = ∅). So, i + 1, w |= ψ, and this is in contradiction with / cl. So, if Ai,w = ∅ and Idi,w /≡i is not a singleton, the fact that (w )i ∈ then condition (b) holds. Therefore, we can deduce that if Idi,w /≡i is a not singleton, then either (a) holds or (b) holds. Third case: now, we have to prove that if Idi,w /≡i is a singleton, then (w )i ∈ Idi,w . Actually, we can prove (w )i ∈ Idi,w without any hypothesis. We only need the ’perfect recall’ property for temporal formulas (O (Xψ) ⇒ XO(ψ) for any temporal formula ψ) which is a consequence of the propagation property. The construction of ψ during the proof follows the same idea as in the previous proof. Thus, we have a precise characterization of the histories that are candidate to be ideal in a given state (i + 1, w): they have to satisfy one of the three conditions (a), (b), and (c), which concern valuations at future instants. Condition (a) expresses that a candidate is arbitrary close (if we only look at the future) to a history which is ideal in (i, w), and which has the same valuation as w at i. We can consider that conditions (b) and (c) apply in ’degenerate cases’. Condition (b) applies if there is no state which is ideal in (i, w) and has the same valuation as w at i. It states that a candidate is arbitrary close to some history in every equivalence class of Idi,w , according to equivalence relation ≡i . A candidate to be ideal in (i + 1, w) can be viewed as a candidate to be a permitted behaviour in (i + 1, w). Therefore, (b) is a very strong constraint on the number of different behaviours which can be permitted in (i + 1, w). Condition (c) applies if all the ideal states in (i, w) have the same valuation. In this context, two contradictory propositional formulas cannot be permitted in (i, w). Another undesirable property is that in (i, w), every permitted propositional formula is also obligatory. Besides, if i, w |= O(ϕ ∨ Xψ) ∧ ¬O(ϕ) for some propositional formula ϕ and some temporal formula ψ, then ϕ is necessarily equivalent to ⊥. So, in a such a state (i, w), the propagation property is necessarily reduced to the ’perfect recall’ property. 4.2. GENERAL PROPAGATION PROPERTY 73 So condition (c) applies in a context which imposes very strong constraints, and it states that a candidate is arbitrary close to some history which is ideal in (i, w). From this characterization, we can deduce that the problem we had with ’propositional violations’ in the semantics of section 4.2.2 was inevitable. Let us remind that we have exhibited in section 4.2.2 a class of models which validate the propagation property and axiom D, but ’propositional violations’ are not satisfiable in this class of models. On the other hand, let M be an arbitrary temporal deontic model which validates the propagation property (and axiom D), and (i, w) a state in M which satisfies some ’propositional violation’, such as, for instance, O(p)∧¬p, for p ∈ P atomic proposition. We can easily deduce that Ai,w = ∅. Therefore, it follows from property 18 that one of the ’degenerate conditions’ (b) and (c) holds. Remark 6. Form these considerations we can deduce that if we consider the class of models exhibited in section 4.2.2 in the framework of the present section, as suggested by remark 5, then for every state (i, w), and every history w ∈ Idi+1,w , condition (a) holds. Sufficient condition In this section, we present a sufficient condition to satisfy the propagation property. Actually, a ’suppression’ of the closure operators in conditions (a), (b), and (c) provides a sufficient condition. Property 19 (Sufficient condition). Given a model (F, V ), where F = (N × W, <t , Rd ) is in C1 , • if for every i ∈ N, w, w ∈ W such that w ∈ Idi+1,w , either (a ), or (b ), or (c ) holds • then (F, V ) satisfies the propagation property (4.2). (a ) w has the ’same future’ as some history w” in Ai,w (w )i ∈ Ai,w (b ) or Ai,w is empty, and a strong constraint on the valuation of w applies (for the future instants) Ai,w = ∅ and ∀cl ∈ Idi,w /≡i (w )i ∈ cl (c ) or all the states which are ideal in (i, w) have the same valuation as each other, and w has the ’same future’ as some history w” which is ideal at i Idi,w /≡i is a singleton and (w )i ∈ Idi,w 74 CHAPTER 4. PROPAGATION PROPERTY Proof. Let (N × W, <t , Rd , V ) be a model in C1 , i ∈ N a nonnegative integer, and w, w ∈ W two histories. Suppose that (i, w) satisfies O(ϕ ∨ Xψ) ∧ ¬O(ϕ) ∧ ¬ϕ, for a given propositional formula ϕ and a temporal formula ψ. Let w ∈ Idi,w be an ideal history. We have to prove that i + 1, w |= ψ in each one of the cases (a ), (b ), and (c ). Suppose that (a ) holds. Since every history in Ai,w satisfies ψ at i + 1, then w also satisfies ψ at i + 1. The proof in the cases (b ) and (c ) is left to the reader. (Notice that in the case (c ), the propositional formula ϕ of the propagation property is necessarily ⊥.) Necessary and sufficient condition Now, we propose a restriction of propagation property (4.2) so that the necessary condition provided in property 18 becomes also sufficient. Definition 44 (Propagation property for safety formulas). O(ϕ ∨ Xψ) ∧ ¬Oϕ ∧ ¬ϕ ⇒ XO(ψ) (4.4) for any propositional formula ϕ, and any safety formula ψ Property 20. A model (F, V ), where F = (N × W, <t , Rd ) is in C1 , satisfies the propagation property (4.4) if and only if for every i ∈ N, w, w ∈ W such that w ∈ Idi,w , one among the three conditions (a), (b), and (c), defined in property 18, is satisfied. Proof. Let (N × W, <t , Rd , V ) be a model in C1 , i ∈ N a nonnegative integer, and w, w ∈ W two histories. Suppose that (i, w) satisfies O(ϕ ∨ Xψ) ∧ ¬O(ϕ) ∧ ¬ϕ, for a given propositional formula ϕ and a temporal safety formula ψ. Let w ∈ Idi,w be an ideal history. We have to prove that i + 1, w |= ψ in each one of the cases (a), (b), and (c). Suppose that (a) holds. Since every history in Ai,w satisfies ψ at i + 1, and ψ is a safety formula, then every history in Ai,w also satisfies ψ at i + 1. So, (i + 1, w ) satisfies ψ. The proof is similar for cases (b) and (c). 4.2.4 Semantics with levels of deontic ideality In this section, we refine the semantics given in section 4.2.2 in order to validate axiom D without losing the ability to deal with ‘contrary to duty’ (CTD) situations. In states where there is a violation, something happens that is contrary to what is obligatory for that state. It should not be the case that such situations cause the deontic realm to collapse. So when there is a violation, it should still be possible to point out what is obligatory and what is not, despite of the violation in the present state. We look for a solution to the problem by switching to levels of ideality. Rather than an accessibility relation which gives the ideal states, we consider 4.2. GENERAL PROPAGATION PROPERTY 75 a preference relation d , where s d s means that the state s is “at least as good as” the state s. This allows us to have several “levels of ideality”. The ideal states will be the best states among those which share the same past as the current state. The idea is now that if a state (i, w) violates an obligation of a propositional formula then the ideal states of (i + 1, w) are states which were not ideal for (i, w): the deontic realm thus switches to a lower level of ideality. This contrasts with the setting of the previous section, where in this case there would be no ideal states left. Definition 45 (Temporal deontic frame and model). A temporal deontic frame (S, <t , d ) is defined as the product (N, <) × (W, ) of a temporal frame (N, <) and a deontic frame (W, ), where , considered as a preference relation, is a total quasi-order (total and transitive relation) on W . A temporal deontic model is defined as a product model based on a temporal deontic frame. For the temporal and boolean operators the satisfaction relation is defined as above. For the obligation operator it is defined as follows. Definition 46 (Semantics of the obligation (3)). Given a temporal deontic model ((S, <t , d ), V ), and a state s ∈ S, ϕ is obligatory if there is a state with the same past as s such that every “better” state with the same past satisfies ϕ. s |= Oϕ iff ∃s ∈ S such that SamePast(s, s ) and ∀s ∈ S if (SamePast(s, s ) ∧ s d s ) then s |= ϕ Remark 7. If every set of histories has at least one maximum element for the quasi-order (i.e., the relation , defined by w w iff w w, is a well-quasi-order), then we can define the set of the best states among those having the same past: def BestSamePast(s) = {s ∈ S / SamePast(s, s ) and ∀s ∈ S if SamePast(s, s ) then s d s } In this case, the semantic definition of O(ϕ) becomes more simple: s |= Oϕ iff ∀s ∈ BestSamePast(s) s |= ϕ In a state s, the states in BestSamePast(s) are called the ideal states. In the remainder, during informal discussions, we will implicitly suppose that is a well-quasi-order so that reasoning about ideal states makes sense. For the newly defined models (definition 45) with levels of ideality, there is no need for a constraint to guarantee the validity of axiom D. CHAPTER 4. PROPAGATION PROPERTY 76 Property 21 (Axiom D). Axiom D is valid for this semantics of obligation: |= ¬O(⊥) and |= O(ϕ) ⇒ P(ϕ) for any formula ϕ The proof is obvious. So axiom D is valid and violations can be satisfied. However, there is still a phenomenon that has to be considered more closely. When an obligation of a proposition p is violated in a state (i, w), then the ideal histories at the step i + 1 are completely disjoint from the ideal histories at the step i. This is easy to see: if (i, w) |= ¬p ∧ Op, then all the ideal states of (i, w) satisfy p. On the other hand, the ideal states of (i + 1, w) have the same past as (i + 1, w), and thus they are states (i + 1, w ) such that (i, w ) does not satisfy p. So none of the ideal histories of (i, w) are ideal for (i + 1, w) and vice versa. The problem is now that in such states, the propagation property is not guaranteed anymore because of the change to a completely different set of lower level ideal histories. Actually, the condition that makes the set of ideal histories change between (i, w) and (i + 1, w) is a little more general than suggested by the example with the violation of an atomic proposition. More generally, the condition concerns the violation of an obligation for any propositional formula which can be seen as an immediate obligation, that is, any propositional formula concerning the present moment. So, if such an obligation is violated, the current ideal histories will not be considered as ideal in the future. The current norms become obsolete, and we switch to the norms of a lower level. If not, we have a strong link between what is obligatory now and next, and the propagation property holds. To characterize these two kinds of states, we define the condition IdealPropagate(s) on a state s which expresses that for every state with the same past as s, there is better state which still has the same past at the next step. This condition ensures that some of the current ideal histories are still ideal at the next step. Given a temporal deontic model ((S, <t , d ), V ) and a state s ∈ S, def IdealPropagate(s) = ∀s ∈ S if SamePast(s, s ) then ∃s ∈ S such that SamePast(s, s ) and V (s) = V (s ) and s d s Remark 8. If (W, ) is a well-quasi-order, then IdealPropagate(s) is defined in a more simple way: IdealPropagate(s) def = ∃s ∈ BestSamePast(s) such that V (s) = V (s ) Property 22. We suppose that the set P of atomic propositions is finite. Given a temporal deontic model ((S, <t , d ), V ) and a state s ∈ S, the condition IdealPropagate(s) holds iff there is no violation of a propositional formula in s, that is, iff for any propositional formula ϕ, s |= ¬(O(ϕ) ∧ ¬ϕ). 4.2. GENERAL PROPAGATION PROPERTY 77 Proof. We first prove that if IdealPropagate(s) does not hold, then there is some propositional formula ϕ such that s |= O(ϕ) ∧ ¬ϕ. We then prove the other direction. ’⇐’ : Suppose that IdealPropagate(s) does not hold, i.e., ∃s ∈ S such that SamePast(s, s ) and ∀s d s if SamePast(s, s ) then V (s) = V (s ) Then, we consider such a state s and define the set V AL(s ) of all the valuations of the states which are at least as good as s and share the same past. def V AL(s ) = {V (s”) / s d s” and SamePast(s , s”)} V AL(s ) is finite since it is included in the set 22 . Let us consider the propositional formula ϕ defined as follows: P def ϕ = v∈V AL(s ) ( p∈v p ∧ ¬p) p∈v / Since every such state s has a valuation which is distinct from the valuation of s, then s |= ¬ϕ. Besides, from the definition of obligation we have that s |= O (ϕ). Thus, s |= O(ϕ) ∧ ¬ϕ. ’⇒’ : Let us suppose now that there exists some propositional formula ϕ such that s |= O (ϕ) ∧ ¬ϕ. Then, ∃s ∈ S such that SamePast(s, s ) and ∀s d s if SamePast(s, s ) then s |= ϕ Every such s has a valuation which differs from the valuation of s, i.e., V (s ) = V (s), since s |= ¬ϕ and s |= ϕ. Therefore, IdealPropagate(s) does not hold. In a state s that satisfies IdealPropagate(s), the deontic realm that will be considered next is a subset of the current deontic realm. So we still have, as in section 4.2.2, that no obligations are forgotten, but some may appear. If IdealPropagate(s), then s |= O(Xϕ) ⇒ XO(ϕ), but XO(ϕ) ⇒ O(Xϕ) does not hold necessarily. Let us illustrate this preference semantics with the example on Figure 4.4. For the sake of simplicity, the preference relation between histories is modeled by the fact each history is associated with an integer which represents the level of ideality of this history. w5 , w4 , and w3 , are the best histories (level 10). The level of w1 and w2 is 5, and w0 has the worst level: 2. The quasi-order on histories which is implicitly defined by these levels is a wellquasi-order, so every set of histories has a set of maximum elements, and CHAPTER 4. PROPAGATION PROPERTY 78 w5, 10 w4, 10 w3, 10 w2, 5 w1, 5 w0, 2 {p} {p, q} {p, q} {} {p} {} {p} {p, q} {} {} {p} {} {q} {} {p, q} {} {p} {} {p} {p, q} {p} {} {p} {p} {p} {p, q} {p} {} {p, q} {q} {p} {p, q} {p} {} {p} 0 1 2 3 4 {p} 5 Figure 4.4: Preference semantics the set of the ideal histories can be defined in each state. For the successive states of w0 , the ideal states are surrounded in Figure 4.4. From state (0, w0 ), the ideal states are w3 , w4 , and w5 . While one of these histories has the same valuation as w0 everything works as in the semantics of section 4.2.2. At instant 2, every ideal history has a valuation which differs from the valuation of w0 . Therefore, IdealPropagate(2, w0 ) does not hold (the obligatory formula p ⇔ q is violated). So, at the next instant, the set of the ideal histories switch to the lower level of ideality. In this example, in every state of w0 except (2, w0 ), IdealPropagate is satisfied. Property 23 (Propagation). A state which does not satisfy any violation of a propositional formula satisfies the propagation property. If IdealPropagate(s) then s |= O(ϕ ∨ Xψ) ∧ ¬Oϕ ∧ ¬ϕ ⇒ XOψ for ϕ propositional formula, and ψ any formula. Proof. The proof is similar to the proof of property 13 in section 4.2.2, except that we have not the case where every formula is obligatory in the temporal successor of s. We still have, as in section 4.2.2, property 14, a more precise characterization. Property 24 (Characterization of new obligations). We suppose that the set P of atomic propositions is finite. For any formula ψ, if in a state s, 4.2. GENERAL PROPAGATION PROPERTY 79 which satisfies IdealPropagate(s), both the formulas XO(ψ) and ¬O(Xψ) hold, then there exists a propositional formula ϕ such that s |= O(ϕ ∨ Xψ) ∧ ¬O(ϕ) ∧ ¬ϕ When an obligation appears, it is necessarily due to the propagation of some more general obligation in the previous state. So the propagation property completely characterizes the new obligations that appear. Proof. The proof follows the same idea as the proof of property 14 in section 4.2.2. As said in the introduction of section 4.2, as a consequence of the general propagation property, if a state s satisfies IdealPropagate(s), then it satisfies the following property of propagation for an obligation with deadline, since Fk ϕ ⇔ ϕ ∨ XFk−1 ϕ, for k > 0: s |= O (Fk ϕ) ∧ ¬O(ϕ) ∧ ¬ϕ ⇒ XO(Fk−1 ϕ) for any deadline k > 0, and ϕ propositional formula. This property expresses that if it is obligatory to satisfy ϕ before a deadline k (and it is not obligatory to satisfy it now) then, if ϕ is not true now, the obligation is propagated. In a state which does not satisfy IdealPropagate, that is, a state which violates an obligation of some propositional formula, the deontic realm of the next state switches to a lower level. We consider that when a state violates the present rules, then they become obsolete. In such a state, O (Xϕ) ⇒ XO(ϕ) is not guaranteed, and neither is any link between what is satisfied in the current state, and what is obligatory next. 4.2.5 Branching time structures Many proposals to combine temporal and deontic concepts use a branching time structure, where the ideal alternatives are subsets of the possible future worlds [71, 16, 13, 43]. It is also possible to consider a preference relation instead of an ideality relation. For the sake of simplicity, in this section, we will only consider ideality relations. In this section, we investigate the relation between this branching time point of view and our product-based point of view. Our identical past criterion (given through the predicate SamePast) may be viewed as an encoding of such a branching time structure in our product framework. Figure 4.5 illustrates a natural translation of a product model (without deontic relation) into a branching time model. Notice that we need to add a starting state which belongs to every history in order to ensure that the obtained model is a tree. Nevertheless, the translation of the ideality relation is not straightforward. Indeed, in our product view, ideal histories CHAPTER 4. PROPAGATION PROPERTY 80 w3 w2 w1 w0 {p} {p} {q} {q} {} {q} {} {p, q} {} {} {q} {} {p} {p} {} {q} {} {p} {p} {p} 0 1 2 3 4 {p} {p} {q} {q} {} {q} {} {p, q} {} {} {p} {p} {} Figure 4.5: Tree-like representation of a product structure are taken among histories that have the same past as the current history until the current instant. So, in the branching time view, we have the following statement: (a) in a given state s, ideal histories are part of the histories which go through the predecessor of s In order to illustrate (a), let us come back to the product view of the example, and consider history w0 . Suppose that initially, i.e., in (0, w0 ), histories w1 , w2 , and w3 are ideal. Then, the identical past criterion imposes that • at instant 1 and 2, only w1 and w2 remain ideal • at instant 3 and 4, only w1 remain ideal In the branching time view, it is easy to see that the corresponding ideality relation, which associates a instant/history pair with a set of ideal instant/history pairs, verify statement (a) in the successive states of w0 . This differs from the standard way to model ideal histories in a branching time setting. Indeed, in a given state s, usual approaches, as, e.g., in [13, 16], consider that ideal histories are part of the histories that go through s, i.e., the histories which can still happen in s. (A path formula is then obligatory if every ideal history satisfies it.) In such a framework, an atomic proposition p cannot be true in the current state s, and, at the same time, false in some ideal history. Indeed, the present state of every ideal history is s. These approaches thus have problems modelling immediate obligations. For example, O(p) ∧ ¬p, where p is an atomic proposition, is not satisfiable in such logics. {p} w3 w2 w1 w0 5 Decision procedure and axiomatization This chapter deals with a decision procedure and an axiomatization of our logic. Different quantifiers are hidden in the semantic definition of obligation. This makes it difficult to establish logical results. So, we propose to decompose the modality O into more primitive normal operators. Two accessibility relations are involved: the relation ’at least as good as’, which models preference between histories, and the relation ’has the same past as’ which will be denoted by SamePast. Indeed, let us remember that the semantics of obligation is defined as follows: O(ϕ) is satisfied in state s if : there is a state s with the same past as s such that every state with the same past, which is at least as good as s , satisfies ϕ. s |= Oϕ iff ∃s ∈ S such that SamePast(s, s ) and ∀s ∈ S if (SamePast(s, s ) ∧ s d s ) then s |= ϕ In order to define O in terms of more primitive modal operators, it is natural to introduce a modal operator [SP ] which corresponds to the relation ’has the same past’, and another operator [SP ∩ ] which corresponds to the intersection of both semantic relations. The obligation operator O will be defined in terms of the primitive operators [SP ] and [SP ∩ ]. Let us define the obtained language. Definition 47 (Language with primitive operators). Given a set P of atomic propositions, the language obtained after the decomposition of obligation into more primitive operators is defined by the following syntax: ϕ ::= | p | ¬ϕ | ϕ ∨ ϕ | Xϕ | ϕU ϕ | [SP ]ϕ | [SP ∩ ]ϕ where is a logical constant (’true’), and p ∈ P is an atomic proposition. We define the following usual abbreviations: def def < SP > ϕ = ¬[SP ]¬ϕ < SP ∩ > ϕ = ¬[SP ∩ ]¬ϕ 81 CHAPTER 5. DECISION PROCEDURE AND AXIOMATIZATION 82 • [SP ]ϕ means in every state that has the same past as the current state, ϕ holds. • [SP ∩ ] means in every state that has the same past and is at least as good as (or preferred to) the current state, ϕ holds. Let us formally define the semantics of these new operators. Definition 48 (Semantics of the primitive operators). Given a product model (S, <t , d , V ), a state s ∈ S, and a formula ϕ, we define the semantics of the primitive operators as follows: s |= [SP ]ϕ iff ∀s ∈ S s |= [SP ∩ ]ϕ iff ∀s ∈ S if SamePast(s, s ) then s |= ϕ if s s and SamePast(s, s ) then s |= ϕ A formula is satisfiable if there is a state which satisfies it. A formula is valid if every state satisfies it. Definition 49 (Obligation). We define the obligation operator as follows: def O(ϕ) = < SP > [SP ∩ ]ϕ Notice that the semantic characterization of O coincides with the abovementioned semantic definition of obligation. In section 5.1, we give a tableaux-like decision procedure for a fragment of our language. In section 5.2, we give an axiomatization of this fragment. 5.1 Tableaux decision procedure for satisfiability As a first remark, our logic lacks the finite model property. Indeed, it can easily be shown that the following formula has only infinite models, i.e., models ((N, <) (W, ), V ) where W is an infinite set of histories: [SP ]AtM ostOnce(p) ∧ G < SP > p where AtM ostOnce(p) stands for G(p ⇒ XG¬p). To establish the decidability of this logic would require complex techniques, such as quasi-model method [135, 57]. In this section, we show the decidability of the until-free fragment of the logic, using a tableaux-like decision procedure. We describe a tableaux method with explicit accessibility relations. We use the notation of prefixed formulas i, w : ϕ, where the prefix i, w intuitively represents a state that satisfies the formula ϕ. i is a non-negative integer, and w is a history. Contrary to usual prefixed tableaux [55, 92], we do not encode accessibility relation into the node names. We represent explicitly the 5.1. TABLEAUX DECISION PROCEDURE FOR SATISFIABILITY 83 three distinct accessibility relations (’temporal successor’, ’at least as good as’, and ’same past’). We suppose that the set P of atomic propositions is finite. A tableau T is a structure we keep as close to a model as possible. It consists of a set of histories W , a set of moments M ⊆ N, a labelling function L which associates each moment/history pair with a set of formulas, a quasiordering R on W , and a set of equivalence relations (RSP i )i∈M on W . Intuitively, (w, w ) ∈ R means that history w is at least as good as w; (w, w ) ∈ RSP i means that histories w and w have the same past until i (they satisfy the same propositions until the moment before i). Tableaux rules specify how, and under which conditions, T is updated. Let us describe, in the next section, the tableau data structure and update operations. 5.1.1 Tableau data structure and update operations A tableau for a formula φ is a tuple T = (W, M, v0 , L, R, (RSP i )i∈M ) where • W is a set of histories • M ⊆ N is a set of moments; a node of the tableau is then a moment/history pair (i, w) ∈ M × W • v0 ∈ M × W is the root • L : M × W → 2sub(φ) is a label function which associates each node with a set of sub-formulas of φ. In the remainder, we write i, w : ϕ for ϕ ∈ L(i, w). The label of the root contains φ: φ ∈ L(v0 ). • R ⊆ W × W is a reflexive and transitive relation on W • RSP i ⊆ W × W for each i ∈ M , is an equivalence relation on W . The following property between the different RSP i is satisfied: (∗) ∀w, w ∈ W ∀i ∈ M (w, w ) ∈ RSP i ⇒ ∀j ∈ M j < i ⇒ (w, w ) ∈ RSP j We now give the procedural semantics of our tableau operations add_f orm, new_world, new_instant, and add_pair, which update a data structure T . • add_f orm(i, w, ϕ) adds the formula ϕ to the label L(i, w). • add_pair(R ; (w, w )), for R = R or R = RSP i , adds pair (w, w ) to relation R, and updates R with its reflexive and transitive closure in case R = R, with its reflexive, transitive, and symmetric closure in case R = RSP i . Moreover, if R = RSP i , then for every j ∈ M such that j < i, RSP j is updated so that constraint (∗) is satisfied. 84 CHAPTER 5. DECISION PROCEDURE AND AXIOMATIZATION • new_history adds a new history to W and returns the corresponding name. • add_inst(i) adds instant i to the set M if i ∈ / M. We can combine these atomic actions with the two following combinators: the sequential operator ’;’ and the nondeterministic choice operator ’[]’. 5.1.2 Tableaux rules In this section, we present our tableaux rules. • double negation rule i,w:¬¬ϕ add_f orm(i,w,ϕ) ¬¬ • rule α (resp. β) is the usual rule for conjunction (resp. disjunction). i, w : ¬(ϕ1 ∨ ϕ2 ) α add_f orm(i, w, ¬ϕ1 ); add_f orm(i, w, ¬ϕ2 ) i, w : ϕ1 ∨ ϕ2 β add_f orm(i, w, ϕ1 ) [] add_f orm(i, w, ϕ2 ) This presentation of rule β corresponds to a depth-first computation, as in [54], whereas other presentations (equivalent to ours) compute both possibilities in parallel (width-first computation). • rules X and ¬X extend the label of the successor node as follows: i, w : Xϕ X add_inst(i + 1) ; add_f orm(i + 1, w, ϕ) i, w : ¬Xϕ ¬X add_inst(i + 1) ; add_f orm(i + 1, w, ¬ϕ) • rules Π add a new history if a node is labelled by a ’diamond’ formula of the form ¬[SP ]ϕ or of the form ¬[SP ∩ ]ϕ. w i, w : ¬[SP ]ϕ ΠSP := new_history ; add_f orm(i, w , ¬ϕ) : add_pair(RSP i , (w, w )) i, w : ¬[SP ∩ ]ϕ ΠSP ∩ w := new_history ; add_f orm(i, w , ¬ϕ) ; add_pair(R , (w, w )) ; add_pair(RSP i , (w, w )) 5.1. TABLEAUX DECISION PROCEDURE FOR SATISFIABILITY 85 • rules K adds formula ϕ to a node i, w if node (i, w) is labeled by a ’box’ formula of the form [SP ]ϕ, or of the form [SP ∩ ]ϕ, and w is an accessible history from w. i, w : [SP ]ϕ and (w, w ) ∈ RSP i add_f orm(i, w , ϕ) KSP i, w : [SP ∩ ]ϕ and (w, w ) ∈ RSP i and (w, w ) ∈ R add_f orm(i, w , ϕ) KSP ∩ • rule update_SP applies if two states which share the same past until moment i still satisfy the same propositions at i. Besides, for each atomic proposition, either this proposition or its negation has to be satisfied in both states (i.e., the states have to be saturated). Then RSP i+1 is updated so that w and w are considered as having the same past until i + 1. (w, w ) ∈ RSP i and ∀p ∈ P (i, w : p and i, w : p) or (i, w : ¬p and i, w : ¬p) update_SP add_pair(RSP i+1 ; (w, w )) • rule Saturation aims at saturating the states in atomic propositions so that rule update_SP can be applied. p∈P and i ∈ M and w ∈ W saturation add_f orm(i, w, p ∨ ¬p) • rule −totality aims at guaranteeing the totality of R. / R and (w , w) ∈ / R (w, w ) ∈ −totality add_pair(R, (w, w )) [] add_pair(R, (w , w)) Definition 50 (Closed tableau). A tableau is said to be closed if • ϕ and ¬ϕ label some node i, w, • or ∃w, w ∈ W i, w : p ∃i ∈ M and ∃p ∈ P such that i, w : ¬p and (w, w ) ∈ RSP i+1 Definition 51 (Completed and open tableau). A tableau T is completed if for every rule r • either r is not enabled, i.e., the premise of r is not satisfied • or r is enabled, and the application of the consequent of r has no effect We consider that add_inst(i) has no effect if i ∈ M , add_f orm(i, w, ϕ) has no effect if ϕ ∈ L(i, w), and add_pair(R, (w, w )) has no effect if (w, w ) ∈ R, with R = R or R = RSP i . A tableau is open if it is completed and not closed. 86 CHAPTER 5. DECISION PROCEDURE AND AXIOMATIZATION 5.1.3 Soundness and completeness Theorem 16 (Soundness). If a formula ϕ is satisfiable then there is an open tableau whose root is labeled by ϕ. Definition 52 (Tableaux interpretation). ˆ V) (Ŵ , ), Let T = (W, M, v0 , L, R, (RSP i )i∈M ) be a tableau and ((N, <) ˆ be a model. An interpretation of T in ((N, <) (Ŵ , ), V ) is a mapping ι from W to Ŵ such that for every w1 , w2 in W , and every nonnegative integer i: ˆ • (w1 , w2 ) ∈ R implies ι(w1 )ι(w 2 ), and • (w1 , w2 ) ∈ RSP i implies ∀j < i V (j, ι(w1 )) = V (j, ι(w2 )) Definition 53 (Satisfiable tableau). A tableau T for a formula φ is satisfiable if there is a model ((N, <) (W, ), V ) and a tableau interpretation ι of ˆ T in ((N, <) (Ŵ , ), V ) such that for every node (i, w) and every formula ϕ ∈ L(i, w), we have i, ι(w) |= ϕ. Lemma 1. Let T be a satisfiable tableau. The tableau T (or one of the two tableaux T , T ”, in case the nondeterministic choice operator is used) obtained by the application of some rule is also satisfiable. ˆ V̂ ) and a Proof. Let T be a satisfiable tableau. There is a model (Ŵ , , tableau interpretation ι such that for every node (i, w) and every formula ϕ ∈ L(i, w), we have i, ι(w) |= ϕ. We have to consider each rule and prove that the application of this rule preserves the tableau satisfiability. • ¬¬, α, β, X, ¬X, saturation, −totality: the proof is left to the reader. • rule KSP (the proof for KSP ∩ is similar). Suppose that i, w : [SP ]ϕ. Then rule KSP adds ϕ to any node (i, w ) such that (w, w ) ∈ RSP i . By hypothesis, i, ι(w) |= [SP ]ϕ, and, since (w, w ) ∈ RSP i , we have SameP ast(i, ι(w), ι(w )). Thus, i, ι(w ) |= ϕ, and so T is still satisfiable. • rule ΠSP (the proof for ΠSP ∩ is similar): Suppose that i, w : ¬[SP ]ϕ. Then the application of ΠSP creates a new history w , labels it with ¬ϕ, and adds (w, w ) to RSP i . We have to extend the mapping ι so that it associates a history with the new prefix w . By hypothesis, i, ι(w) |= ¬[SP ]ϕ. Then there is some ŵ ∈ Ŵ such that SameP ast(i, ι(w), ŵ ) and i, ŵ |= ¬ϕ. Then we define ι by: ι(s) = ŵ ι(s) if s = w else ι is a tableau interpretation, and T is satisfiable. 5.1. TABLEAUX DECISION PROCEDURE FOR SATISFIABILITY 87 • rule update_SP : Let i, w and i, w be two nodes of T such that (w, w ) ∈ RSP i and ∀p ∈ P (i, w : p and i, w : p) or (i, w : ¬p and i, w : ¬p). Then the pair (w, w ) is added to RSP i+1 . We must show that ∀j < i + 1 V̂ (j, ι(w)) = V̂ (j, ι(w )). Since ι is a T -interpretation, then ∀j < i V̂ (j, ι(w)) = V̂ (j, ι(w )). Besides, ∀p ∈ P (i, w : p and i, w : p) or (i, w : ¬p and i, w : ¬p). So ∀p ∈ P i, ι(w) |= p iff i, ι(w ) |= p. So V̂ (i, ι(w)) = V̂ (i, ι(w )). Proof of the soundness theorem (16). Suppose ϕ is a satisfiable formula. then there is a model (W, , V ), a nonnegative integer i ∈ N and a history w ∈ W such that i, w |= ϕ. Then the tableau whose only node (i, w) is labelled by ϕ, and whose relations (RSP i ) and R are reduced to singleton {(w, w)}, is satisfiable (with the identity function as a tableau interpretation). Then, by lemma 1, the application of any rule provides a satisfiable tableau. Since a closed tableau is obviously unsatisfiable, we can generate a (possibly infinite) open tableau whose root is labelled by ϕ. Theorem 17 (Completeness). If there is an open tableau whose root (i, w) is labeled by ϕ, then ϕ is satisfiable. Proof. Let T = (W, M, v0 , L, R, (RSP i )i∈M ) be an open tableau whose root ˆ V ) from T such that (Ŵ , ), v0 is labeled by φ. We build a model ((N, <) for every w ∈ W and i ∈ M , i, w : ϕ iff i, ŵ |= ϕ. We define def Ŵ = W and ˆ def = R We can now define the valuation V as follows, for any i ∈ N, w ∈ Ŵ : def • if i ∈ M then V (i, w) = {p ∈ P / (i, w : p)} def • if i ∈ / M then V (i, w) = ∅ We now prove by induction on the structure of ϕ that for every i ∈ M , ˆ V )). Cases ϕ1 ∨ ϕ2 , w ∈ W , if i, w : ϕ then i, w |= ϕ (in the model (Ŵ , , ¬(ϕ1 ∨ ϕ2 ), Xϕ, ¬Xϕ, are obvious. • Suppose i, w :< SP > ϕ. Rule ΠSP ensures the existence of a node i, w labeled by ϕ such that (w, w ) in RSP i . Then, since T is open, ∀p ∈ P, ∀j < i, j, w : p iff j, w : p. So, ∀j < i V (j, w) = V (j, w ), and i, w |= ϕ (by induction hypothesis). So i, w |=< SP > ϕ. The proof for < SP ∩ > ϕ is similar. 88 CHAPTER 5. DECISION PROCEDURE AND AXIOMATIZATION • Suppose i, w : [SP ]ϕ. i, V (j, w) = V (j, w ). By rule KSP , we have i, w |= ϕ, and thus i, w Let w ∈ Ŵ be a history such that ∀j < Thanks to rule update_SP , (w, w ) ∈ RSP i . that i, w : ϕ. By the induction hypothesis, |= [SP ]ϕ. The proof for [SP ∩ ]ϕ is similar. 5.1.4 Termination We now define a terminating strategy which is still sound and complete. Termination is based on loop detection. Although it is clear that the number of created instants is bounded by the modal depth of ϕ with respect to X, the tableau construction may create an infinite number of histories. We have to block the creation of new histories when a loop is detected. Since we have two modal operators that can create new histories, we define looping histories with respect to each one. • a history w is looping with respect to < SP > if – rule ΠSP is applicable in (i, w), for some i ∈ M – w has been created by rule ΠSP at instant i and there exists an older history w such that (w , w) ∈ RSP i and L(i, w) ⊆ L(i, w ) (such a history w is denoted by loopSP (w)) • a history w is looping with respect to < SP ∩ > if – rule ΠSP ∩ is applicable in (i, w), for some i ∈ M – w has been created by rule ΠSP ∩ at instant i and there exists an older history w such that (w , w) ∈ RSP i , (w , w) ∈ R and L(i, w) ⊆ L(i, w ) (such a history w is denoted by loopSP ∩(w)) Definition 54 (Strategy). Let us consider the algorithm which consists in applying successively the following steps while the tableau is not closed, starting from the tableau such that W = {w}, M = {0}, v0 = (0, w), L(v0 ) = {φ}, R = {(w, w)}, and RSP 0 = {(w, w)}. • Application of classical rules ¬¬, α, β as much as possible. • Loop detection step for < SP >: mark every looping history with respect to < SP >. • Loop detection step for < SP ∩ >: mark every looping history with respect to < SP ∩ >. • Application of rules ΠSP and ΠSP ∩ on every state on which they have not already been applied, and which is not marked with respect to < SP > and < SP ∩ >, respectively. 5.1. TABLEAUX DECISION PROCEDURE FOR SATISFIABILITY 89 • Application of rule saturation and then rule update_SP as much as possible. • Application of rule −totality on every pair (w, w ) on which it has not been applied. • Application of rules X, ¬X, KSP , and KSP ∩ as much as possible. Property 25 (Termination). The strategy given above terminates. Proof. First, remark that (1) M is finite (bounded by the modal depth of the initial formula φ with respect to X) (2) there are finitely many sets of sub-formulas of the initial formula φ We show that there cannot be an infinite sequence of histories (w0 , w1 , w2 , . . .) such that each wk+1 is created by the application of rule ΠSP or ΠSP ∩ to some point of the history wk . Indeed, suppose it is the case. Suppose that there are infinitely many applications of rule ΠSP . Since there are finitely many sub-formulas of φ, there is a formula ¬[SP ]ϕ which triggers rule ΠSP infinitely often. Suppose that ΠSP is triggered infinitely often by ¬[SP ]ϕ at instant 0. Then, ¬[SP ]ϕ appears necessarily in the scope of [SP ] or [SP ∩ ] in L(0, wk ) for some wk in the sequence, and we can prove that there exists k from which ¬[SP ]ϕ labels every history of the sequence (∀k” > k ¬[SP ]ϕ ∈ L(0, wk” )). So, there is an application of ΠSP which creates a history wk0 (at instant 0) such that • ¬[SP ]ϕ ∈ L(0, wk0 ) • ∃k < k0 such that L(0, wk0 ) ⊆ L(0, wk ) (because of remark (2)) and (wk , wk0 ) ∈ SP0 Therefore, wk0 is looping with respect to ΠSP , and our strategy cannot generate such an infinite sequence. We then prove that ΠSP cannot be triggered infinitely often at instant 1, 2, . . . , and max(M ). (Existence of max(M ) follows from remark (1).) The same reasoning shows that there cannot be infinitely many applications of ΠSP ∩. Property 26. The strategy given above is sound and complete. Proof. The soundness of the strategy obviously follows from the soundness of the tableaux system (theorem 16). On the other hand, in order to prove the completeness of the strategy, the completeness proof of theorem 17 has to be adapted. Suppose that 90 CHAPTER 5. DECISION PROCEDURE AND AXIOMATIZATION T = (W, M, v0 , L, R, (RSP i )i∈M ) is an open tableau resulting from our ˆ V ) where Ŵ contains every history which strategy. We build a model (Ŵ , , is not marked as a looping history (at the last iteration of the strategy). Every pair (w, wloop ) in R, where wloop is a looping history with respect to < SP > (resp. < SP ∩ >), is replaced by the pair (w, loopSP (wloop )) ˆ We then have to prove that i, w : ϕ implies (resp. loopSP ∩(wloop )) in . i, w |= ϕ by induction on the structure of ϕ, for every non-looping history w. The proof for cases ϕ1 ∨ ϕ2 , ¬(ϕ1 ∨ ϕ2 ), Xϕ, ¬Xϕ, [SP ]ϕ, and [SP ∩ ]ϕ is similar to the proof of theorem 17. Suppose that i, w :< SP > ϕ. Rule ΠSP ensures the existence of a node i, w labeled by ϕ such that (w, w ) ∈ RSP i . If w is not looping, then we can conclude i, w |= ϕ as in the proof of theorem 17. If w is looping with respect to < SP >, then we can prove that i, loopSP (w ) |= ϕ. Notice that w cannot be looping with respect to < SP ∩ > since we suppose it has been created by application of rule ΠSP in node i, w. The proof for case < SP ∩ > is similar. 5.2 Axiomatization In this section, we present an axiomatization of our logic. For technical reasons, we enrich our language with three modal operators: X −1 , [], and []. X −1 is needed for the axiomatization of [SP ], and [] and [] are needed for the axiomatization of [SP ∩ ]. Our axiomatic system is complete with respect to a semantics which slightly differs from the one given in the introduction of this chapter. Firstly, time is modeled by the set Z of integers instead of the set N of non-negative integers. Second, we drop the constraint of totality of the quasi-ordering . We call Lmin the logic defined by this semantics, and whose language contains the modal operators X, X −1 , [SP ], [SP ∩ ], [], []. The predicate SamePast is defined as follows in the context where time is modeled by Z: def SameP ast((i, w), (i , w )) = i = i and ∀j ∈ Z if j < i then V (j, w) = V (j, w ) Let us give the semantics of these new operators. i, w |= X −1 ϕ i, w |= []ϕ i, w |= []ϕ iff iff iff i − 1, w |= ϕ ∀w ∈ W if w w ∀w ∈ W if w w then i, w |= ϕ then i, w |= ϕ A formula is satisfiable if there is a state (i, w) ∈ Z × W which satisfies it. A formula is valid if every state satisfies it. In this section we will propose an axiomatic system for Lmin . For all fordef def mulas ϕ, we define X 0 ϕ = ϕ, for each positive integer i, X i ϕ = X i−1 Xϕ, def and for each negative integer i, X i ϕ = X i+1 X −1 ϕ. 5.2. AXIOMATIZATION 5.2.1 91 Admissible forms For the definition of the special rules of inference, we will need expressions of a special form, called admissible forms, denoted by capital Latin letters A, B, etc. They are necessary to prove lemma 2 (items 1 and 2) in section 5.2.4. More precisely, if a formula φ matches the premise of a rule, we will need to apply this rule to Lφ and ϕ ⇒ φ, for L ∈ {X, X −1 , [SP ], [SP ∩ ], [], []}, and ϕ an arbitrary formula. This will allow to prove that if a set x of formulas is closed under inference rules, then {Lφ / φ ∈ x} and {ϕ ⇒ φ / φ ∈ x} are also closed under inference rules. Let the language of Lmin be extended with a new atomic proposition . Admissible forms are defined by the following syntax (ϕ denotes an arbitrary Lmin -formula): A ::= | (ϕ ⇒ A) | XA | X −1 A | [SP ]A | []A | []A | [SP ∩ ]A Note that in each admissible form, has a unique occurrence. Let A be an admissible form and ϕ be a formula. The result of the replacement of the unique occurrence of in its place in A with φ will be denoted by A(φ). 5.2.2 Axiomatization Our axiomatic system for Lmin is based on the following set of axioms and rules of inference: Axioms (A0) Classical tautologies (K) For all L ∈ {X, X −1 , [SP ], [], [], [SP ∩ ]}, L(ϕ1 ⇒ ϕ2 ) ⇒ (Lϕ1 ⇒ Lϕ2 ). (A1) ¬Xϕ ⇔ X¬ϕ, ϕ ⇒ XX −1 ϕ. (A2) ¬X −1 ϕ ⇔ X −1 ¬ϕ, ϕ ⇒ X −1 Xϕ. (A3) [SP ]ϕ ⇒ ϕ, [SP ]ϕ ⇒ [SP ][SP ]ϕ, ϕ ⇒ [SP ]SP ϕ. (A4) []ϕ ⇒ ϕ, []ϕ ⇒ [][]ϕ, ϕ ⇒ []ϕ. (A5) []ϕ ⇒ ϕ, []ϕ ⇒ [][]ϕ, ϕ ⇒ []ϕ. (A6) if i < j then for all p ∈ P , the following formulas are axioms: X i p ⇒ X j [SP ]X i−j p, X i ¬p ⇒ X j [SP ]X i−j ¬p. (A7) X[]ϕ ⇔ []Xϕ, X −1 []ϕ ⇔ []X −1 ϕ. (A8) X[]ϕ ⇔ []Xϕ, X −1 []ϕ ⇔ []X −1 ϕ. 92 CHAPTER 5. DECISION PROCEDURE AND AXIOMATIZATION (A9) [SP ]ϕ ∨ []ϕ ⇒ [SP ∩ ]ϕ. Rules of inference Modus ponens: From ϕ1 and ϕ1 ⇒ ϕ2 infer ϕ2 . necessitation: For all L ∈ {X, X −1 , [SP ], [], [], [SP ∩ ]}, from ϕ infer Lϕ. [SP ] special rule: If ∈ {[], []} and i < 0, then from {A(¬(ϕ ∨ X i p) ∨ X i p) : p ∈ P } infer A(¬[SP ]ϕ). [SP ∩ ] special rule: From {A(SP (ϕ ∧ p) ∨ (ϕ ∧ ¬p)) : p ∈ P } infer A(SP ∩ ϕ). Special rules are needed because of two non-standard aspects of our logic: • the semantic relation associated with [SP ] refers to the valuation of a given model • operator [SP ∩ ] corresponds to the intersection of two semantic relations Their origin is more technical that intuitive: they have been exhibited so that the truth lemma (lemma 4) can be proved for formulas of the form [SP ]ϕ and [SP ∩ ]ϕ. Special rule [SP ∩ ] follows the idea already developed in [124, 18] to give a complete axiomatization for the intersection of some semantic relations. Although intersection is not modally definable in ordinary quantifier-free modal languages, it becomes definable in languages with propositional quantifiers. Indeed, the following quantified axiom modally defines semantic intersection. < R1 ∩ R2 > ϕ ⇔ ∀p (< R1 > (ϕ ∧ p)∨ < R2 > (ϕ ∧ ¬p))) Rule [SP ∩ ] ’simulates’ right to left direction while axiom (A9) corresponds to the left to right direction. A formula ϕ is a theorem of Lmin if it belongs to the least set of formulas containing all axioms and closed under the rules of inference. 5.2.3 Soundness and completeness Theorem 18. (Soundness of Lmin ) Let ϕ be a formula. If ϕ is a theorem of Lmin then ϕ is valid in every model. 5.2. AXIOMATIZATION 93 Proof. By induction on the length of a deduction of ϕ in Lmin , we show that ϕ is valid in every model. We only develop the special rule cases . We treat the case where admissible form is . [SP ] special rule: Let ∈ {[], []}∗ and i<0. Let ϕ be a formula such that ∀p ∈ P (ϕ ∨ X i p) ⇒ X i p is a valid. We show that ¬[SP ]ϕ is valid. Suppose that it is not the case: there is a model ((Z, <) (W, ), V ), and a state j, w ∈ Z × W such that j, w |= [SP ]ϕ. Let p be an atomic proposition which does not appear in ϕ. Let V a valuation such that V −1 (p) = {(j + i, w ) / ¬SamePast((j, w), (j, w ))}. Considering the model ((Z, <) (W, ), V ), we have j, w |= (ϕ ∨ X i p). Indeed, let w a history accessible from w by the composition of relations corresponding to . Either (j, w ) has the same past as (j, w) and j, w |= ϕ, or (j, w ) has not the same past as (j, w), and j, w |= X i p. Thus, we deduce that j, w |= X i p. This is in contradiction with the definition of V since (j, w) has the same past has itself. [SP ∩ ] special rule: Suppose that there is a model M = ((Z, <) (W, ), V ), and a state (i, w) in M such that i, w |= [SP ∩ ]ϕ. We have to show that ∃p ∈ P and ∃M , (i , w ) such that i , w |= [SP ](ϕ∨p)∧[](ϕ∨¬p). Consider an atom p which does not appear in ϕ. Let us define a valuation V such that V −1 (p) = {(i, w ) / SamePast((i, w), (i, w )) and ¬(w w )}, (W, ), V ), and V −1 (q) = V −1 (q)∀q = p. Then, in the model ((Z, <) i, w |= [SP ](ϕ ∨ p) ∧ [](ϕ ∨ ¬p). Theorem 19. (Completeness of Lmin ) Let ϕ be a formula. If ϕ is valid in every model then ϕ is a theorem of Lmin . The completeness of Lmin is more difficult to establish than its soundness and we defer proving that Lmin is complete with respect to the class of all models till section 5.2.5. 5.2.4 Theories In this section we introduce the notions of theories and maximal theories, the latter having a key role in the proof of the completeness theorem. A set x of formulas is called a theory if it satisfies the following conditions: (th 1) x contains the set of all theorems of Lmin . (th 2) x is closed under modus ponens. (th 3) x is closed under the [SP ] special rule. (th 4) x is closed under the [SP ∩ ] special rule. 94 CHAPTER 5. DECISION PROCEDURE AND AXIOMATIZATION Obviously the smallest theory is the set T Hmin of all theorems and the greatest theory is the set of all formulas. The later theory is called trivial theory. A theory x is called consistent if ⊥ ∈ / x, otherwise it is called inconsistent. It is a well-known fact that a theory x is consistent iff it is not trivial and that x is inconsistent if it contains a formula ϕ together with its negation ¬ϕ. A theory x is called a maximal theory if it is consistent and for any formula ϕ: ϕ ∈ x or ¬ϕ ∈ x. A set Σ of formulas is called consistent if it is contained in a consistent theory. It can be shown that a single formula ϕ is consistent (considered as a singleton {ϕ}), iff it is not equivalent to ⊥. In the literature (see, e.g., [23]) instead of maximal theory, the notion of a maximal consistent set is used, where consistency is defined without using the notion of theory. It can be proved that each maximal theory is a maximal consistent set in the classical sense, and each maximal consistent set which is closed under the special rules for [SP ] and [SP ∩ ] is a maximal theory. We will use the following properties of maximal theories without explicit reference (x is a maximal theory): • ∈x • ¬ϕ ∈ x iff ϕ ∈ / x, • ϕ1 ∨ ϕ2 ∈ x iff ϕ1 ∈ x or ϕ2 ∈ x, • ϕ1 ∧ ϕ2 ∈ x iff ϕ1 ∈ x and ϕ2 ∈ x. Let x be a set of formulas. If L ∈ {X, X −1 , [SP ], [], [], [SP ∩ ]} then define Lx = {ϕ : Lϕ ∈ x}. If ϕ is a formula then define x + ϕ = {ϕ : ϕ ⇒ ϕ ∈ x}. For all sets x of formulas, we define X 0 x = x,for each def def positive integer i, X i ϕ = X i−1 Xϕ, and for each negative integer i, X i ϕ = X i+1 X −1 ϕ. In the next lemma we summarize some properties of theories. Lemma 2. Let x be a theory. The following statements hold. 1. Lx is a theory too. 2. x + ϕ is the smallest theory containing x and ϕ. 3. x + ϕ is inconsistent iff ¬ϕ ∈ x. 4. If x is consistent and ¬A(¬[SP ]ϕ) ∈ x then for all ∈ {[], []} , and for all i < 0, there exists p ∈ P such that x + ¬A(¬(ϕ ∨ X i p) ∨ X i p) is consistent. 5. If x is consistent and ¬A(SP ∩ ϕ) ∈ x then there exists p ∈ P such that x + ¬A(SP (ϕ ∧ p) ∨ (ϕ ∧ ¬p)) is consistent. 5.2. AXIOMATIZATION 95 Proof. We show statements 1 and 4. Statement 1. Let ϕ be a theorem. Then by the necessitation rules, Lϕ is a theorem too. Hence, Lϕ ∈ x, so ϕ ∈ Lx. Thus, Lx contains the set of all theorems. Let ϕ1 ∈ Lx and ϕ1 ⇒ ϕ2 ∈ Lx. Then Lϕ1 ∈ x and L(ϕ1 ⇒ ϕ2 ) ∈ x. By the axiom (K), L(ϕ1 ⇒ ϕ2 ) ⇒ (Lϕ1 ⇒ Lϕ2 ) ∈ x. Applying modus ponens twice, we obtain that Lϕ2 ∈ x, so ϕ2 ∈ Lx. Thus Lx is closed under modus ponens. To show that Lx is closed under the [SP ] special rule, let ∈ {[], []} and i < 0. Suppose that we have A(¬(ϕ∨X i p)∨X i p) ∈ Lx. Then, for all p ∈ P , we obtain LA(¬(ϕ ∨ X i p) ∨ X i p) ∈ x. Notice that LA(¬(ϕ ∨ X i p) ∨ X i p) is an admissible form. Since x is closed under the [SP ] special rule, we obtain LA(¬[SP ]ϕ) ∈ x. Hence, A(¬[SP ]ϕ) ∈ Lx. Thus, Lx is closed under the [SP ] special rule. Similarly, one can prove that Lx is closed under the [SP ∩ ] special rule. Statement 4. Suppose that ¬A(¬[SP ]ϕ) ∈ x. Since x is consistent, then A(¬[SP ]ϕ) ∈ / x. Thus, since x is closed under the [SP ] special rule, then for all ∈ {[], []}∗ and for all i < 0, there exists p ∈ P such that / x. (Otherwise, A(¬[SP ]ϕ) would necessarily be A(¬(ϕ ∨ X i p) ∨ X i p) ∈ in x.) Since x is a theory, ¬A(¬(ϕ ∨ X i p) ∧ ¬X i p) ∈ x. From statement 3, we deduce that x + ¬A(¬(ϕ ∨ X i p) ∨ X i p) is consistent. The proof of statement 5 is similar. Now we are ready for the main lemma in this section: Lemma 3 (Lindenbaum’s lemma). Each consistent theory can be extended to a maximal theory. Proof. Suppose x is a consistent theory and let ϕ0 , ϕ1 , . . . be an enumeration of all formulas. We define an increasing sequence of consistent theories x0 , x1 , . . . by induction as follows. Let x0 = x and suppose that for some integer n, the consistent theory xn has already been defined. For the definition of xn+1 we consider two cases. Case 1: xn + ϕn is consistent. Then define xn+1 = xn + ϕn . Case 2: xn + ϕn is not consistent. Then ¬ϕn ∈ x. In this case we consider two sub-cases: Sub-case 2.1: ϕn is neither in the form of a conclusion of the [SP ] special rule nor in the form of a conclusion of the [SP ∩ ] special rule. Then let xn+1 = xn . Sub-case 2.2: ϕn is in the form of a conclusion of the [SP ] special rule or in the form of a conclusion of the [SP ∩ ] special rule. We only consider the case where ϕn is in the form of a conclusion of the [SP ∩ ] special rule, i.e. ϕn is in the following form A(SP ∩ ϕ) where A is an admissible form. Therefore, there are finitely many such representations for ϕn : Ai (SP ∩ 96 CHAPTER 5. DECISION PROCEDURE AND AXIOMATIZATION ϕi ) for i = 1, . . . , k. We define inductively an increasing sequence of consistent theories xin for i = 0, . . . , k, as follows. Let x0n = xn . Suppose xin is defined and consistent. Then it contains ¬ϕn = ¬Ai (SP ∩ ϕi ) and, by the properties of theories mentioned above, there exists a propositional variable pi ∈ P such that xin + ¬Ai (SP (ϕi ∧ p)∨ (ϕi ∧ ¬p)) is consistent. We define xi+1 as follows: xi+1 = xin + ¬Ai (SP (ϕi ∧ p) ∨ (ϕi ∧ ¬p)). n n . Now, we put xn+1 = xkn Finally, we define y = ∞ i=0 xi . It is straightforward to demonstrate that y is a maximal theory which extends x. 5.2.5 Canonical model construction The canonical model of Lmin is the structure Mc = ((N, <) (Wc , c ), Vc ) defined as follows: • Wc is the set of all maximal theories, • c is the binary relation on Wc defined by x c y iff []x ⊆ y, • Vc is the function which associates each pair (i, x) ∈ Z × Wc with the set Vc (i, x) = {p : X i p ∈ x} of atomic propositions. To prove the completeness of our axiomatic system, it suffices to demonstrate the following lemma. Lemma 4 (Truth lemma). Let ϕ be a formula. For all integers i ∈ Z and for all maximal theories x ∈ Wc , Mc , (i, x) |= ϕ iff X i ϕ ∈ x. Proof. The proof is done by induction on the complexity of ϕ. We only consider the cases ϕ = Lφ for L ∈ {X, X −1 , [SP ], [], [], [SP ∩ ]}. Case ϕ = Xφ. Assume Mc , (i, x) |= Xφ. Consequently, Mc , (i + 1, x) |= φ. By induction hypothesis, X i+1 φ ∈ x. Hence, X i Xφ ∈ x. Reciprocally, assume X i Xφ ∈ x. Therefore, X i+1 φ ∈ x and, by induction hypothesis, Mc , (i + 1, x) |= φ. Thus, Mc , (i, x) |= Xφ. Case ϕ = X −1 φ. Similar to the previous case. Case ϕ = [SP ]φ. Assume Mc , (i, x) |= [SP ]φ. For the sake of the contradiction, assume X i [SP ]φ ∈ x. Consequently, [SP ]φ ∈ X i x and φ ∈ [SP ]X i x. Hence, the theory [SP ]X i x + ¬φ is consistent. By Lindenbaum’s lemma, there exists a maximal theory y such that [SP ]X i x + ¬φ ⊆ y. Remark that [SP ]X i x ⊆ y and ¬φ ∈ y. Let z = X −i y. Remark that X i z = y. Since ¬φ ∈ y, then X −i X i ¬φ ∈ y and X i ¬φ ∈ z. Therefore, X i φ ∈ z and, by induction hypothesis, Mc , (i, z) |= φ. Since Mc , (i, x) |= [SP ]φ, then x and z do not have the same past with respect to i. Thus, there exists an integer j ∈ Z such that i > j and for some atomic proposition p, either X j p ∈ x and X j p ∈ z or X j p ∈ x and X j p ∈ z. Without loss of generality, let us suppose that X j p ∈ x and X j p ∈ z. Remark that [SP ]X i x ⊆ X i z. Since 5.2. AXIOMATIZATION 97 X j p ∈ z, then X j−i p ∈ X i z. Since [SP ]X i x ⊆ X i z, then [SP ]X j−i p ∈ X i x. Consequently, we have X j p ∈ x and X i [SP ]X j−i p ∈ x: a contradiction with i > j and axiom (A6). Reciprocally, assume that X i [SP ]φ ∈ x and let us show that Mc , (i, x) |= [SP ]φ. For the sake of the contradiction, assume that Mc , (i, x) |= [SP ]φ. Consequently, there exists y ∈ Wc such that x and y have the same past with respect to i and Mc , (i, y) |= φ. By induction hypothesis, X i φ ∈ y and φ ∈ X i y. Since X i [SP ]φ ∈ x, then ¬[SP ]φ ∈ X i x. Let ∈ {[], []} be such that x ⊆ y and j ∈ Z be such that i > j. Remark that j −i < 0. Since X i x is a theory, then X i x is closed under the [SP ] special rule. Since ¬[SP ]φ ∈ X i x, then there exists an atomic proposition p such that ¬(φ ∨ X j−i p) ∨ X j−i p ∈ X i x. Therefore, X i (φ ∨ X j−i p) ∈ x and X j ¬p ∈ x. Thus, (X i φ ∨ X j p) ∈ x. Since x ⊆ y, then X i φ ∈ y or X j p ∈ y. If X i φ ∈ y then φ ∈ X i y: a contradiction. If X j p ∈ y then X j p ∈ x, seeing that x and y have the same past with respect to i and i > j. This contradicts the fact that X j ¬p ∈ x. Case ϕ = [SP ∩ ]φ. Similar to the previous case (use the special rule for [SP ∩ ] and the axiom (A9) instead of the special rule for [SP ] and the axiom (A6). Case ϕ = []φ. Assume Mc , (i, x) |= []φ. For the sake of the contradiction, assume X i []φ ∈ x. Consequently, []φ ∈ X i x and φ ∈ []X i x. Hence, the theory []X i x + ¬φ is consistent. By Lindenbaum’s lemma, there exists a maximal theory y such that []X i x + ¬φ ⊆ y. Remark that []X i x ⊆ y and ¬φ ∈ y. Let z = X −i y. Remark that X i z = y. Since ¬φ ∈ y, then X −i X i ¬φ ∈ y and X i ¬φ ∈ z. Therefore, X i φ ∈ z and, by induction hypothesis, Mc , (i, z) |= φ. Since Mc , (i, x) |= []φ, then x c z. Thus, there exists a formula ψ such that []ψ ∈ x and ψ ∈ z. Hence, X −i ψ ∈ y, X −i ψ ∈ []X i x + ¬φ, X −i ψ ∈ []X i x and X i []X −i ψ ∈ x. Thus, []X i X −i ψ ∈ x and []ψ ∈ x: a contradiction. Reciprocally, assume that X i []φ ∈ x and let us show that Mc , (i, x) |= []φ. For the sake of the contradiction, assume that Mc , (i, x) |= []φ. Consequently, there exists y ∈ Wc such that x c y and Mc , (i, y) |= φ. By induction hypothesis, X i φ ∈ y. Since x c y, then []x ⊆ y. Consequently, X i φ ∈ []x and []X i φ ∈ x. Hence, X i []φ ∈ x: a contradiction. Case ϕ = []φ. Similar to the previous case. Now, we are ready for proving the main theorem of this section. Proof of theorem 19. Let ϕ be a formula. Assume ϕ is not a theorem of Lmin . Consequently, T Hmin + ¬ϕ is a consistent theory. By Lindenbaum’s lemma, there exists a maximal theory x such that T Hmin + ¬ϕ ⊆ x. Hence, ¬ϕ ∈ x, ϕ ∈ x and X 0 ϕ ∈ x. By the lemma 4, Mc , (0, x) |= ϕ. Thus, ϕ is not valid. 98 CHAPTER 5. DECISION PROCEDURE AND AXIOMATIZATION 6 Computer security application: coherence, compatibility, and compliance In this chapter, we investigate an application of the proposed logic to the specification and the verification of security properties. We want to consider independently a (formal model of a) system, a (formal specification of a) policy, and then to determine whether the system is compliant with the policy. The first way to deal with this problematics is to consider the system as a set of possible behaviours, the policy as a set of authorized/correct behaviours, and then to check whether the system is included in the policy. Two main approaches deal with this: on-the-fly methods and static methods. The former consists in representing the policy by a security automaton [116] and to run the system in tandem with a simulation of the security automaton. Each step of the system generates an input symbol sent to the security automaton. If the security automaton is able to perform a transition on this input symbol, then the system is allowed to perform the step, else, the system is terminated. Ligatti et al. proposed in [87] an extension of security automata called edit automata, which are not only able to terminate the system, but also to suppress or add actions so that the policy is satisfied. Static methods consist in using model-checking techniques [39]. If the policy is modeled by a temporal formula and the system by an automaton, then we can check that the system enforces the policy. If it is not the case, some works study the synthesis of a controller so that the synchronized product [14] of the initial system and the controller meets the policy, considered here as the system specification. Thus the role of the controller is to guide the system so that the specification is satisfied. Notice that in the first approach, the policy is viewed as an automaton, whereas in the second approach it is viewed as a formula. Using a combination of deontic and temporal logic allows a richer analysis. Indeed, we are then able to express and reason about obligations, permissions, violations, and sanctions in the policy. 99 100 CHAPTER 6. COMPUTER SECURITY APPLICATION The first section of this chapter deals with the temporal formalism used to specify a system. Section 2 formally defines the compatibility (which is a weak version of compliance) of a system with a policy. Section 3 focuses on some interesting restrictions for which checking compatibility is decidable. Section 4 refines the definition of compatibility with five different diagnostic cases, which allow to define the notion of compliance. An algorithm is then provided to establish the diagnostic. 6.1 Specification of the system In this section, we define the model used to describe a system. We firstly discuss the representation of actions, and secondly we present Labeled Kripke Structures and State/Event LT L. 6.1.1 Events or actions? The notion of event is close to an action in dynamic logic [63]. But an event is atomic, and has no duration. Actions can be composed with several combinators: sequence, choice, iteration. Some propositions to combine dynamic and temporal logics [65] strengthen the temporal operator U (until). ϕ1 U α ϕ2 means that ϕ1 U ϕ2 is satisfied along some path which corresponds to the execution of action α. The expressive power of the obtained logic called DLT L is then increased to ω-regular language, i.e., the same expressiveness as the Monadic Second Order Theory of ω-sequences S1S. On the other hand, the specification of properties can be less intuitive, if we explicitly reason about action occurrences. For instance, consider the sentence “If useri uses the resource, he will release it”. usei is a proposition, and releasei an event (or an atomic action in dynamic logic). In a state/event logic, we express it naturally: usei ⇒ F releasei But in a dynamic temporal logic, we cannot put actions and propositions at the same level. We have to use specific operators to introduce actions: usei ⇒ U Σ∗;releasei where Σ represents any atomic action. Moreover, in many cases the composition of events, can be expressed without using the combinators of dynamic logic. For instance, the formula e1 ∧ Xe2 expresses that the event e1 happens, followed by e2 , which corresponds to the action e1 ; e2 in a dynamic logic. The formula e1 U e2 means that there is an arbitrary number of executions of e1 , followed by an execution of e2 , and corresponds to the execution of the composed action e1 ∗ ; e2 . Besides, the semantics of events is much simpler, and there exists efficient tools for state/event logics [36, 35]. In the remainder of the thesis, we will use a state/event based formalism called Labeled Kripke Structures [36] (LKS) to model a system. 6.1. SPECIFICATION OF THE SYSTEM 6.1.2 101 Labeled Kripke Structures Original LKSs correspond to usual finite automata with labels on both states and transitions. They are used as models of the state/event extension of LT L. It allows us to reason on both propositions and events. Such an automaton over the sets (P, E) of propositions and events is defined as a tuple (S, S0 , Δ, V ) where • S is the set of states, • S0 ⊆ S is the set of initial states, • Δ ⊆ S × (2E \ {∅}) × S is a transition relation, where (s, E, s ) ∈ Δ if there is a transition from s to s labelled by E, which means that all the events in E occur simultaneously during this transition, • V : S → 2P is the valuation function which associates each state with a set of atomic propositions. Notice that this definition of transitions slightly differs from [36], where two given states cannot be related by several distinct transitions. A state s may have several successors by E because several distinct outgoing transitions may be labeled by E. {e1, e2} s1 s2 {p} {q} {e2} {e3} Figure 6.1: Labeled Kripke Structure Figure 6.1 shows an illustration of an LKS where the atomic propositions are p and q, the events are e1 , e2 , and e3 , and the initial state is s1 . Definition 55 (Syntax of State/Event Linear Temporal Logic (SE-LT L)). Given a set P of atomic propositions, and a set E of events, the language LSEL−T L of SE-LT L is defined as follows ϕ ::= p | e | ⊥ | ϕ ⇒ ϕ | Xϕ | ϕU ϕ where p ∈ P is an atomic proposition, and e ∈ E is an event. Given an LKS A = (S, S0 , Δ, V ), an SE-LT L formula is interpreted on a state/event trace σ = (s0 , E0 , s1 , E1 , . . .), which is an alternating sequence 102 CHAPTER 6. COMPUTER SECURITY APPLICATION of states and event sets such that s0 ∈ S0 , and ∀i ∈ N (si , Ei , si+1 ) ∈ Δ. We note σi (resp. σ i ) the ith state (resp. event set) of σ. A trace is either infinite, or ends with a state which has no successor by Δ. We say that such a state/event sequence σ is a trace of A, or is a accepted by A. Definition 56 (State/Event semantics). Given an LKS A = (S, S0 , Δ, V ) over the sets (P, E) of propositions and events, and a state/event trace σ, we define the satisfaction relation |= for propositions and events as follows: σ, i |=SE−LT L p σ, i |=SE−LT L e iff iff p ∈ V (σi ) e ∈ σi where p ∈ P where e ∈ E The satisfaction relation for constant ⊥, operators ⇒, X, and U , are defined as in LT L. A trace σ satisfies ϕ iff its first state satisfies it : σ |=SE−LT L ϕ iff σ, 0 |=SE−LT L ϕ An LKS satisfies ϕ iff all its traces satisfy it. For instance, considering the LKS illustrated by Figure 6.1, the following holds: (s1 , {e1 , e2 }, s2 , {e3 }, s2 , {e2 }, . . .) |=SE−LT L p ∧ e1 ∧ e2 ∧ Xe3 Actually, SE-LT L does not increase the expressive power of LT L. Indeed, an SE-LT L formula can be considered as an LT L formula with P ∪ E as the set of atomic propositions, i.e., events are considered as propositions. Given a state/event trace σ, with a state valuation V : S → 2P , we can easily define an LT L valuation σ ∗ : N → 2P ∪E such that σ, i |=SE−LT L ϕ iff σ ∗ , i |=LT L ϕ: def ∀i ∈ N σ ∗ (i) = V (σi ) ∪ σ i Moreover, there is a translation T which associates each LKS A with a usual Kripke structure T (A) that satisfies the same formulas: A |=SE−LT L ϕ iff T (A) |=LT L ϕ However, in [36], an experimental study shows that the state/event formalism makes the specification of a system more concise, and thus easier. It is also shown that state/event formulation yields significant gains in time (and memory) during verification. 6.2 Deontic extension and compatibility In this section, we present how to adapt the semantics of the temporal and deontic combinations studied in chapter 4 to the state/event case so that we can formally define the compatibility of a system with respect to a security policy. The internal consistency of a policy is defined as the satisfiability of the corresponding formula. 6.2. DEONTIC EXTENSION AND COMPATIBILITY 6.2.1 103 Deontic extension We do not resume the discussion about the different possible semantics. We leave the deontic relation R as generic as possible, so that it can represent either an ideality relation or a preference relation, depending on the choice we make for the semantics of obligation. The resulting logic is a conservative extension of both SDL and SE-LT L, called State/Event Deontic Linear Temporal Logic (SED-LT L). Definition 57 (Syntax of LSED−LT L ). Given a set P of atomic propositions and a set E of events, the state/event temporal deontic language is defined by the following syntax: ϕ ::= p | e | ⊥ | ϕ ⇒ ϕ | Xϕ | ϕU ϕ | O ϕ where p ∈ P is an atomic proposition, and e ∈ E is an event. Definition 58 (Temporal and deontic model). Given a set P of atomic propositions and a set E of events, a state/event temporal and deontic model is a tuple M = (W, R, V ), where • W is a set of state/event sequences. • R ⊆ (N × W ) × (N × W ) is an accessibility relation from which the semantics of obligation is defined. It can represent either an ideality relation or a preference relation. • V is a valuation function which associates each state in a state/event sequence with a set of atomic propositions. Given a model (W, R, V ), a state/event trace σ ∈ W , and a nonnegative integer i ∈ N, the satisfaction relation M, σ, i |=SED−LT L ϕ is defined by structural induction on ϕ. For atomic propositions, events, constant ⊥, operators ⇒, X, and U , the satisfaction relation is defined as for SE-LT L. For operator O, different definitions (based on relation R) are possible. From such a state/event temporal deontic model, we can easily construct a temporal deontic model ((N, <) (W , R ), V ) as defined in chapter 4, where P ∪ E is considered as the set of atomic propositions. 6.2.2 Compatibility In this section we define the notion of compatibility of a system with respect to a policy. Roughly speaking, a system is said to be compatible with a policy if there is no contradiction when the system ’takes into account’ the norms specified by the policy. For instance, suppose that a policy specifies that when condition c1 is met, then it is obligatory to satisfy p, and when condition c2 is true, p is prohibited. Such a policy can be expressed by the 104 CHAPTER 6. COMPUTER SECURITY APPLICATION following formula G(c1 ⇒ O(p) ∧ c2 ⇒ O(¬p)). Consider a system which satisfies c1 ∧ c2 in some state. According to the policy, p is both obligatory and forbidden, which is not coherent. Let us consider another example where a contradiction arises from the ’combination’ of a system and its policy. Let us suppose that the policy specifies that when condition c is true, it is obligatory to satisfy p, and if an obligation to satisfy p is violated, then q will happen next: G c ⇒ O(p) ∧ (O(p) ∧ ¬p) ⇒ Xq q can be considered as a strong sanction: any system which is compatible with this policy satisfies q after having violated an obligation to satisfy p. A system which satisfies c ∧ ¬p in a state, and ¬q in one of its successors, is not compatible with this policy. Definition 59 (Compatibility). Let σ be a state/event sequence and ϕpol a formula in LSED−LT L which specifies the security policy. σ is compatible with ϕpol if there is a ’deontic extension’ of σ which satisfies ϕpol : σ |=compat ϕpol iff there exists M = (W, R, V ) such that M, σ, 0 |=SED−LT L ϕpol and σ∈W An LKS A is compatible with ϕpol iff all its state/event traces are compatible with ϕpol : A |=compat ϕpol iff for every trace σ of A σ |=compat ϕpol It can be interesting to reason about the ’combination’ of the system and the policy in order to express, for instance, that in the current state of the system’s execution, it is obligatory to satisfy p, according to a given policy. Definition 60 (Combination of a system and its policy). Let σ be a state/event trace, ϕpol a formula in LSED−LT L which specifies the security policy, and ϕ a formula in LSED−LT L. ϕ is explicitly obligatory (resp. permitted) in σ, i considering policy ϕpol , if every ’deontic extension’ of σ which satisfies ϕpol , also satisfies O(ϕ) (resp. P(ϕ)) at i. We use the notation σ, i |=pol Oexp (ϕ) (resp. σ, i |=pol Pexp (ϕ)). σ, i |=pol Oexp (ϕ) iff σ, i |=pol Pexp (ϕ) iff for every M = (W, R, V ) if σ ∈ W and M, σ, 0 |=SED−LT L ϕpol then M, σ, i |=SED−LT L O(ϕ) for every M = (W, R, V ) if σ ∈ W and M, σ, 0 |=SED−LT L ϕpol then M, σ, i |=SED−LT L P(ϕ) Notice that P exp (ϕ) is not equivalent to ¬O exp (¬ϕ). Indeed, ¬P exp (ϕ) ∧ ¬O exp (¬ϕ) is satisfiable: it can be the case that a formula ϕ is neither (explicitly) permitted nor (explicitly) forbidden. 6.2. DEONTIC EXTENSION AND COMPATIBILITY 6.2.3 105 Illustration Let us illustrate these notions with the following example. We consider a bank policy concerning customer behaviours. The sets P and E of atomic propositions and events are P = {positive} and E = {credit, debit, pay_charges, go_to_jail} positive is true when the balance is positive. credit (resp. debit) labels any transition that credits (resp. debits) the account. pay_charges models the payment of charges by the customer, and go_to_jail is an event by which the customer has no longer an access to his/her account. We consider the conjunction of the following rules as the policy ϕpol : • If the balance is negative, then it is obligatory to credit the account. G ¬positive ⇒ O(credit) (1) • If an obligation to credit the account is violated, then tomorrow it will be obligatory to pay charges before two days. (2) G O(credit) ∧ ¬credit ⇒ XO(F2 pay_charges) • If an obligation to pay the charges is violated, the customer is going to jail tomorrow. G O(pay_charges) ∧ ¬pay_charges ⇒ X go_to_jail (3) Notice that rules (2) and (3) specify a sanction in case an obligation is violated. Rule (2) specifies a new obligation, and rule (3) expresses that event go_to_jail is going to occur. The former sanction can be considered as a weak sanction because it may be violated, while the latter is a strong sanction: we cannot reason about the violation of this sanction, and a behaviour can be compatible with the policy only if it performs this sanction. These notions of weak and strong sanctions will be further discussed in the restricted context of section 6.4. The LKS illustrated by Figure 6.2 represents the behaviour of a bank customer. Consider the following trace σ of this bank customer behaviour. σ = (s1 , {debit}, s2 , {credit}, s2 , {debit}, s3 , {credit, pay_charges}, . . .). In the second state of σ, the balance is negative (σ, 1 |= ¬positive). So, every ’deontic extension’ of σ that satisfies ϕpol also satisfies O(credit) in the second state. Therefore, there is an explicit obligation to credit the account: σ, 1 |=pol O exp (credit). In the third state, the balance is still negative, so it is still explicitly obligatory to credit the account (σ, 2 |=pol O exp (credit)). Yet, no credit operation occurs (σ, 2 |= ¬credit). Thus, in the fourth state, there is an explicit obligation to pay some charges before two time units (σ, 4 |=pol O exp (F2 pay_charges)). CHAPTER 6. COMPUTER SECURITY APPLICATION 106 debit debit credit s1 credit { } credit, pay charges s2 credit debit {} credit, pay charges s3 {} Figure 6.2: Bank customer 6.3 Decidable fragment In this section, we consider the fragment SED-LT L− of our logic such that checking whether an LKS A is compatible with its policy ϕpol (formulated in this fragment) is decidable, and checking the internal consistency of a policy is decidable. Decision procedures are decomposed as follows. Firstly, we consider deontic subformulas of ϕpol as special atoms in order to apply usual translation of an LT L formula into an ’equivalent’ Büchi automaton Apol [60]. Secondly, in every transition of the obtained Büchi automaton, we suppress the transitions which contain deontic inconsistencies. We are then able • to check internal consistency of ϕpol , i.e., satisfiability in SED-LT L− , by an emptiness test on Apol • to check whether A is compatible with ϕpol by a language inclusion test between A and Apol . 6.3.1 Preliminaries In this section we define the fragment language, and recall the definition of Büchi automata. Fragment language In SED-LT L− , the scope of deontic operators is restricted to propositional formulas. The language LSED−LT L− is defined by the following syntax: ϕ ::= p | e | ⊥ | ϕ ⇒ ϕ | Xϕ | ϕU ϕ | O ϕprop 6.3. DECIDABLE FRAGMENT 107 where p ∈ P is an atomic proposition, e ∈ E is an event, and ϕprop is a propositional formula over P ∪ E: ϕprop ::= p | e | ⊥ | ϕprop ⇒ ϕprop Given a formula ϕpol in LSED−LT L− , let DSF (ϕpol ) be the set of the deontic subformulas of ϕpol , i.e., the subformulas of the form O(ϕprop ): def def DSF (ϕ1 ⇒ ϕ2 ) = DSF (ϕ1 ) ∪ DSF (ϕ2 ) DSF (Xϕ) = DSF (ϕ) def def DSF (ϕ1 U ϕ2 ) = DSF (ϕ1 ) ∪ DSF (ϕ2 ) DSF (O ϕprop ) = {O ϕprop } DSF (p) = ∅ DSF (e) = ∅ DSF (⊥) = ∅ When there is no ambiguity, we use the notation DSF instead of DSF (ϕpol ) for ease of reading. Büchi automata Büchi automata [19, 122] are finite state automata which accept infinite sequences. They have been proved to be equivalent to Monadic Second Order theory (M SO) over infinite sequences, also known as Second Order Theory with one Successor (S1S). The decidability of emptiness checking (i.e., whether there exists an infinite sequence accepted by a given automaton) thus provides the decidability of S1S, which contains LT L. Efficient translations of LT L formulas into Büchi automata have been investigated (see, e.g., [133, 61, 70, 60]) in order to provide a decision procedure for satisfiability and model checking problems. Let us recall the definition of Büchi automata. Definition 61 (Büchi automata). A Büchi automaton is a tuple A = (S, S0 , L, Δ, F ), where • S is a set of states • S0 ⊆ S is a set of initial states • L is a set of labels • Δ ⊆ S × L × S is a transition function • F is a set of final states A run ρ of A on a given input σ ∈ Lω is an infinite sequence in S ω such that ρ0 ∈ S0 and ∀i ∈ N (ρi , σi , ρi+1 ) ∈ Δ. An infinite sequence σ ∈ Lω is accepted by A if there is a run ρ of A on σ such that some final state s ∈ F occurs infinitely often in ρ. The set of the infinite sequences accepted by A is called the language of A, denoted by L(A). CHAPTER 6. COMPUTER SECURITY APPLICATION 108 In the case of the translation of a temporal formula ϕ into a Büchi automaton Aϕ , the set of labels is 2P (where P is the set of atomic propositions in ϕ). However, for the sake of conciseness, the following representation of transitions is often adopted. All the transitions between two given states s1 and s2 are represented by one ’condensed’ transition labeled by a propositional formula ϕprop . It means that for every proposition set li which satisfies ϕprop , there is a transition from s1 to s2 labeled by li . For instance, if the set of atomic propositions is {p, q}, a transition labeled by the propositional formula ¬p actually stands for two transitions in the original representation: one transition labeled by {q}, and another transition labeled by ∅ (empty set). 6.3.2 Checking internal consistency and compatibility In this section, we present the translation of the policy ϕpol (resp. the system A) into a Büchi automaton Apol (resp. and A). Checking internal consistency of the policy corresponds to checking emptiness of Apol . The verification of the compatibility of the system with respect to its policy corresponds to the ? following inclusion test: L(A) ⊆ L(Apol ). Translation of ϕpol into Apol Using a standard translation technique [133, 61, 60], from ϕpol we can com , S P ∪E∪DSF , Δ , F ), which pute the Büchi automaton Apol = (Spol pol 0 , 2 pol accepts exactly the infinite sequences which satisfy - according to LT L semantics - ϕpol , where deontic subformulas are considered as atoms. For every transition δ = (s1 , l, s2 ) ∈ Δpol , we apply SDL satisfiability decision procedure to the following deontic formula: φ ∧ ¬φ φ∈DSF ∩l φ∈DSF \l If the decision procedure returns unsatisfiable then we suppress δ. We then suppress deontic labels of the remaining transitions (the set of labels is now 2P ∪E ) and call Apol the resulting Büchi automaton. Let us illustrate this translation by the following simple example. Consider a policy ϕpol defined as the conjunction of the following rules. • G (c1 ⇒ O(p)) • G (c2 ⇒ O(¬p)) • G (O(p) ∧ ¬p) ⇒ Xq Figure 6.3 represents automaton Apol , where both states are accepting states. It is the translation of the ϕpol into a Büchi automaton obtained 6.3. DECIDABLE FRAGMENT 109 with the tool LTL 2 BA [60]. At this point, we consider c1 , c2 , p, O(p), and O(¬p), as atomic propositions. The condensed representation of transition explained in section 6.3.1 is used. Moreover, on each transition, the label is very long and will not be presented entirely. ¬c1 ∨ (¬p) ∨ ¬c2 ∧ (p) ∨ (p) ∧ (¬p) ººº ¬c1 ∧ ¬c2 ∧ p ∨ ¬c1 ∧ ¬ (p) ∧ ¬c2 ∨ ¬c1 ∧ (¬p) ∧ p ∨ ¬c1 ∧ ¬ (p) ∧ (¬p) ∨ (p) ∧ (¬p) ¬c1 ∧ ¬c2 ∧ q ∨ ¬c1 ∧ (¬p) ∧ q ∨ ¬c2 ∧ (p) ∧ q ººº ¬c1 ∧ ¬ (p) ∧ ¬c2 ∧ q ∨ (¬p) ∧ (¬p) ∧ q ∧ p ∨ (p) ∧ ¬c2 ∧ q ∧ p ººº ººº Figure 6.3: Illustration of Apol Figure 6.4 illustrates automaton Apol obtained from Apol after the suppression of ’deontic inconsistent’ transitions, and the suppression of the remaining deontic labels. ¬c1 ∨ ¬c2 (¬c1 ∧ ¬c2) ∨ (¬c1 ∧ p) ∨ (¬c2 ∧ p) q ∧ (¬c1 ∨ ¬c2) (¬c1 ∧ q) ∨ (¬c2 ∧ p ∧ q) Figure 6.4: Illustration of Apol The following property shows that Apol can be used to check whether a trace is compatible with the policy. Property 27. Let ϕpol be an SED-LT L− formula which specifies a security policy, and Apol the Büchi automaton obtained by the above-mentioned procedure. Let σ be a state/event sequence over the sets P and E of atomic CHAPTER 6. COMPUTER SECURITY APPLICATION 110 propositions and events. σ is compatible with ϕpol if and only if its state-based translation is accepted by Apol . σ |=compat ϕpol iff σ ∗ ∈ L(Apol ) where σ ∗ ∈ (2P ∪E )ω is the sequence obviously obtained from σ by considering events as propositions. Sketch of the proof. Let σ a state/event trace over P and E, and ϕpol a formula of SED-LT L− . ’⇐’: Suppose that its state-based translation σ ∗ is accepted by Apol . Clearly it is possible to enrich state labels (atomic proposition sets) in σ with satisfiable subsets of DSF (in the sense of SDL) such that the enriched sequence σ satisfies ϕpol in the sense of SE-LT L (σ |=SE−LT L ϕpol ) where deontic subformulas are considered as atoms. Since each subset of DSF which labels a state of σ is SDL-satisfiable, and ϕpol contains only propositional formulas in the scope of deontic operators, then we can easily build a temporal deontic model M = (W, R, V ) such that σ ∈ W and M, σ |= ϕpo . ’⇒’: Suppose that σ |=compat ϕpol . There exists a temporal deontic model M = (W, R, V ) such that σ ∈ W and M, σ |=SED−LT L ϕpol . Let σ the state/event sequence obtained by adding to the state labels of each state i the following set of deontic subformulas: {φ ∈ DSF / M, σ, i |=SED−LT L φ}, i.e., the deontic subformulas φ which are true in i. Since SED-LT L is a conservative extension of SE-LT L, then σ |=SE−LT L ϕpol , where deontic subformulas are considered as atomic propositions. Besides, since SED-LT L is a conservative extension of SDL, that every set of deontic subformulas which labels some state σ, i is satisfiable for SDL. Thus, σ ∗ is accepted by Apol . Translation of an LKS A into a Büchi automaton A As explained in section 6.1.2, we can translate an LKS A = (S, S0 , Δ, V ) over the sets P and E of atomic propositions and events, into an equivalent state-based Kripke structure. Actually, it can also be translated into a transition-based Büchi automaton A = (S , S0 , 2P ∪E , Δ , F ), such that an infinite state/event sequence σ is accepted by A if and only if its state-based translation σ ∗ is accepted by A, where • S = S, S0 = S0 • Δ = {(s1 , E ∪ V (s1 ), s2 ) ∈ S × 2P ∪E × S / (s1 , E, s2 ) ∈ Δ} • F = S (every state is an accepting state) The following property states that the compatibility of an LKS A with respect to a policy ϕpol is equivalent to the inclusion of A into Apol . 6.4. BEYOND COMPATIBILITY 111 Property 28. Let A be an LKS which models a system, and ϕpol an SEDLT L− formula which specifies its security policy. Let A and Apol be respectively their corresponding Büchi automata. A is compatible with ϕpol if and only if the language accepted by A is a subset of the language accepted by Apol : A |=compat ϕpol iff L(A) ⊆ L(Apol ) Proof. The proof is immediate from property 27. Checking inclusion L(A) ⊆ L(Apol ) is equivalent to checking emptiness of L(A) ∩ L(Apol ), where L(Apol ) is the complement of L(Apol ). Since the complement of a Büchi automaton is computable [19, 113, 132], it follows that checking the compatibility of an LKS with respect to its security policy expressed in SED-LT L− is decidable. 6.4 Beyond compatibility The notion of compatibility is too weak to be interpreted as compliance. In this section, we discuss some cases where a trace is compatible with a policy whereas it is intuitively not compliant with the policy. In order to formally define compliance, which relies on more complex notions, we adopt a restricted fragment of SED-LT L− , which nevertheless allows to model many practical cases. 6.4.1 Policy language This section deals with the syntax of the restricted policy language. A policy is defined as a set (or a conjunction) of rules. We distinguish between two kinds of rules: • obligation/permission positioning rules of the form C → ϕ, where C is a propositional condition under which the rule is ’triggered’. ϕ is a deontic formula, i.e. either an obligation (“it is obligatory that ...”) or a permission (“it is permitted that ...”). • sanctioning rules of the form V ϕ, which express that if the violation V occurs, then sanction ϕ will be enforced in the next state. The sanction is necessarily an obligation (it cannot be a permission). The condition V is the conjunction of a propositional formula and a violation formula of the form V iol(e), that expresses that there is a violation concerning event e. We distinguish between two kinds of obligations: strong obligations and weak obligations. The violation of a weak obligation may trigger a sanction, which can also be violated if it is a weak obligation. All these violations 112 CHAPTER 6. COMPUTER SECURITY APPLICATION may be performed by a system which is still considered as compliant with the policy, if the sanctions are eventually enforced. On the other hand, we cannot reason about the violation of a strong obligation: a system which violates such a strong obligation is not compliant with the policy. Two kinds of violations may occur: a (weakly) obligatory event that does not happen, or a non-permitted event that happens. So we have in fact two violation formulas V iolO (e), which means “e is (weakly) obligatory, but it does not occur in the next transition”, and V iolP (e), which means “e does occur in the next transition whereas it is not permitted”. We consider that every event which is not permitted by the policy is prohibited, i.e., we work with the closed policy principle. The right hand side ϕ of a rule is either of the form P (ϕev ) (ϕev is permitted), or O(ϕev ) (ϕev is weakly obligatory), or Ô (ϕev ) (ϕev is strongly obligatory) where ϕev is a positive event formula, i.e., a propositional formula (without any negation) whose atoms are events. We only consider in this section immediate obligations, but we plan to take into account obligations with deadline. Here are some examples of rules that could be specified in the security def def policy, with P = {p, q} and E = {e1 , e2 }: • p ∧ q → O(e1 ) If p and q are true in the current state then there is a weak obligation that e1 occurs next. • p → P(e1 ∧ e2 ) If p is true in the current state then it is permitted that e1 and e2 occur simultaneously next. • p ∧ V iolO (e1 ) O (e2 ∨ e3 ) If p is true and the obligation to perform e1 is violated, then in the next state, there is a weak obligation to perform e2 or e3 . • p ∧ V iolO (e2 ∨ e3 ) Ô(e4 ) If p is true and the obligation to perform e2 or e3 is violated, then event e4 must occur next (and this cannot be violated). Let us formally define the rule language. We first define the language LE of (positive) event formulas (in the remainder, ϕev will denote an event formula): ϕev ::= e | ϕev ∧ ϕev | ϕev ∨ ϕev where e ∈ E is an event. The limitation to positive events (without any negation) is due to the choice not to reason on explicit prohibitions. Indeed, with the negation in the language of events, we would be able to express the obligation not to perform an event, which is equivalent to the prohibition to perform 6.4. BEYOND COMPATIBILITY 113 this event. This limitation then avoids prohibition/permission and obligation/prohibition conflicts, and allows to focus on violation management. The condition of a rule (left hand side of a rule) can be a propositional formula, a violation formula, or a conjunction of a propositional and a violation formula. We define the language LP of the propositional formulas by the following syntax (in the remainder of this section, ϕp will denote a propositional formula): ϕp ::= p | ϕp ∧ ϕp | ϕp ∨ ϕp | ¬ϕp where p ∈ P is an atomic proposition. The language Lviol of the violation formulas is defined by the following syntax: ϕviol ::= V iolO (ϕev ) | V iolP (ϕev ) def where ϕev ∈ LE is a positive event formula, and V iol0 (ϕev ) = O (ϕev )∧¬ϕev , def V iolP (ϕev ) = ϕev ∧ ¬P(ϕev ). The left hand side of a rule is a condition, and the right hand side is a positive deontic formula (permission, weak obligation, or strong obligation). In our framework, the obligation of a given event can be both violable if it appears as a weak sanction in some rule, and non violable if it appears as a strong sanction in some other rule. For instance, if p → O(e2 ) and V iolO (e1 ) Ô(e2 ) are two rules of the policy, then in the context p there is an obligation to perform e2 , which can be violated, but if there is a violation of an obligation to perform e1 , then the obligation to perform e2 is not violable. We define the language Lrule of the rules by the following syntax: ϕ ::= → (O(ϕev ) | P (ϕev ) | Ô(ϕev )) ϕp | ϕp ∧ ϕviol (O(ϕev ) | Ô(ϕev )) where ϕp ∈ Lp is a propositional formula, ϕev ∈ LE is a positive event formula, and ϕviol ∈ Lviol is a violation formula. A policy is defined as a set of rules. 6.4.2 Compliance of a system with its security policy Given a model A = (S, S0 , Δ, V ) of a security system, and a policy, we focus on the meaning of the compliance of the system with the policy, in our context of violation management. We actually reason on a single trace of the system (the compliance of the whole system is then defined by the compliance of all its traces). We first give an intuition of the definition, and then formally specify these aspects. CHAPTER 6. COMPUTER SECURITY APPLICATION 114 Informal view Roughly speaking, we say that a system is compliant with a policy if • either there is no violation, • or each time some violation occurs, the associated sanction is enforced. To state more precisely the notion of enforcement, we introduce some vocabulary and a support example. s1 debit s2 debit s3 go_to_ jail s4 p Figure 6.5: State/Event trace Example Let us come back to the bank example introduced in section 6.2.3. Consider the state/event trace illustrated by Figure 6.5 together with the policy consisting of rules (1), (2), and (3). 1. ¬p → P (debit) 2. V iolP (debit) O(pay_charges) 3. V iolO (pay_charges) Ô(go_to_jail) The first event (debit) is performed without permission since P(debit) cannot be deduced from the rules in the context of state s1 (recall we only work with closed policies). Therefore, according to rule (2) there is an obligation in state s2 to perform event pay_charges as a sanction. During the second transition, event pay_charges is not performed, so the sanction is also violated. According to rule (3), there is then a strong obligation to perform go_to_jail as a second sanction, in state s3 . It is effectively performed by the behaviour of the bank customer. Thus, according to our approach, this system is compliant with its security policy, even if the sanctions triggered by security rules (1) and (2) are violated. Vocabulary We say that an obligation O(ϕev ) is fulfilled if ϕev holds in the current state, i.e., if the event formula ϕev is going to be performed during the next transition. In the example of Figure 6.5, the (strong) obligation to perform go_to_jail is fulfilled in state s3 . A violation may induce several obligations. In the example, V iolP (debit) holds in state s1 (because of the first transition). Then rule (2) triggers the 6.4. BEYOND COMPATIBILITY 115 obligation O(pay_charges). (Recall that an obligation which is triggered by a violation is also named sanction). Then, in s3 , because of the violation V iolO (pay_charges), rule (3) triggers the sanction Ô (go_to_jail). We say that the initial transition labeled by debit triggers the sequence of sanctions [O(pay_charges), Ô (go_to_jail)]. A transition is called managed if every sequence of sanctions which is triggered by this transition ends with a fulfilled obligation. In the example, the first transition is then managed. When a transition is not managed, i.e., when it triggers some sequence of sanctions which does not end with a fulfilled obligation, we can distinguish between three situations: • Some triggered sequence of sanctions ends with a strong obligation which is not fulfilled, then the transition is called ultimately strong • Some triggered sequence of sanctions ends with a weak obligation which is not fulfilled, and no sanction is specified by the policy in case this weak obligation is violated, then the transition is called ultimately unexpected • There is an infinite triggered sequence of sanctions, then the transition is called never caught. This last situation is illustrated by the system described in Figure 6.6, together with the following policy: e1 s1 p s2 e2 Figure 6.6: Infinite sequence of weak sanctions (1) p → O(e2 ) (2) V iolO (e2 ) O (e1 ) (3) V iolO (e1 ) O (e2 ) In state s1 , according to rule (1), it is obligatory to perform e2 since p is true. So, performing event e1 violates this obligation, and rule (2) triggers O (e1 ) in the destination state s2 . Then, doing event e2 violates this obligation. The system is then back to state s1 , where rule (3) triggers O(e2 ). 116 CHAPTER 6. COMPUTER SECURITY APPLICATION If we consider the infinite state/event trace generated by this automaton, then in every state of this trace, there is a violation which triggers some rule. Therefore, the initial transition triggers the infinite sequence of sanctions [O (e1 ), O(e2 ), O(e1 ), O(e2 ), . . .]. The specification of this situation is not straightforward. Indeed, a definition which first comes in mind is a transition is never caught if after this transition, all the successive states satisfy some violation. The following example shows that it does not correspond to a transition which is never caught. Let us consider the system described by Figure 6.7 and the following policy (1) (p ∨ q) → O(e1 ) (2) V iolO (e1 ) O(e2 ) In state s1 , p is true, so, according to rule (1), it is obligatory to perform e2 s2 q s1 p e2 Figure 6.7: Violation in every state e1 . The first transition violates this obligation. According to rule (2), it is then obligatory in s2 to perform e2 , and this obligation is fulfilled by the next transition. Similarly, in state s2 , q is true, so it is obligatory to perform e1 . This obligation is violated by the next transition, but the associated sanction will be fulfilled by the transition from s1 to s2 . So, considering the state/event trace of this system, there is a violation in every state, and yet each triggered sequence of sanctions is eventually fulfilled, i.e., each transition is managed. We now see the need to precise the notion of triggered sequence of sanctions before clearly defining our diagnostic cases. Triggered sequence of sanctions Each obligation of a triggered sequence can be related to the previous one in a complex way. Each obligation can actually be divided into two parts: the part which is inherited from the previous obligation of the sequence, and the part which is only due to the current state. For instance, let us consider the following policy: (1) p → O(e1 ) (2) V iolP (e2 ) O(e4 ) (3) V iolO (e1 ) O(e3 ) 6.4. BEYOND COMPATIBILITY 117 (4) q → O(e5 ) (5) V iolO (e4 ∧ e5 ) Ô(e6 ) (5’) V iolO (e5 ) Ô(e7 ) s1 p e2 s2 {e6, e7} s3 q Figure 6.8: State/Event sequence Let us analyse the first transition of the state/event sequence illustrated by Figure 6.8. This transition violates the obligation to perform e1 and the nonpermission to perform e2 . So, according to rules (3) and (2), this transition triggers the sanction O (e3 ) ∧ O(e4 ), i.e., O (e3 ∧ e4 ). This obligation holds in the second state s2 , and is violated by the next transition. Now, do we consider that rules (5) and (5’) are triggered? In order to answer, let us notice that in the current state (s2 ), q holds, so it is obligatory to perform e5 according to rule (4). This obligation, which is also violated, does not play the same role in the sequence of sanctions as obligation O (e3 ∧ e4 ), which is inherited from previous violations. Inherited obligations are important to determine whether the current violation is unexpected (and the triggered sequence of sanctions ends), or there is an ’enabled’ rule (and the triggered sequence is continued). In order to distinguish between these two cases, we consider separately the rules which can be triggered depending on the set of obligations we assume to hold in the current state: (a) current obligations are supposed to be only inherited sanctions (b) current obligations are supposed to be both inherited and ’new’ sanctions (c) current obligations are supposed to be only ’new’ sanctions If there exists an enabled rule in case (a), then the triggered sequence of sanctions is continued. If there exists an enabled rule in case (b) which is not enabled rule in case (c), then the triggered sequence of sanctions is also continued. Otherwise, we consider that the current violation is unexpected, and the sequence of triggered obligations ends In the example, if we consider rule (5’) instead of rule (5), then the violation of obligation O (e3 ∧e4 ) is unexpected, and the sequence of sanctions triggered by the first transition ends (it has only one element). Indeed, if we only suppose that e3 ∧ e4 is obligatory (case (a)), then no rule is enabled. In the case (b) ((e3 ∧ e4 ) ∧ e5 is obligatory), rule (5’) is enabled, and in the case 118 CHAPTER 6. COMPUTER SECURITY APPLICATION (c) it is also enabled, so our criterion is not satisfied. On the other hand, if we consider rule (5), then our criterion is satisfied: rule (5) is enabled in the case (b) but not in the case (c). The sequence of sanctions is then continued. To sum up, given a state/event sequence, and a current transition, there are five different diagnostic cases to consider: 1. no violation occurs 2. the transition is managed 3. the transition is ultimately strong 4. the transition is ultimately unexpected 5. the transition is never caught It is clear that cases 1 and 2 correspond to a transition which is compliant with its security policy and that the cases 3 and 5 correspond to a transition which is not. Case 4 is less clear: one can consider that there is a lack in the policy specification, and the transition is still compliant with the (specified part of the) policy. On the other hand, we cannot consider that the sanction is enforced (because no sanction is specified), so it is also reasonable to conclude that the transition is not compliant with the security policy. We will adopt the latter point of view. Definition 62 (Compliance). A state/event trace is said to be compliant with a policy iff for every transition 1. either there is no violation 2. or the transition is managed A system is compliant iff all its traces are compliant. Formal definitions In this section, we formally define the notion of triggered sequence of obligations, which allows to define the five diagnostic cases, and thus the compliance. The definition of these concepts is out of the scope of the language of deontic and temporal logics. Indeed, we will reason about individual rules, and about sequences of sanctions in which a causal relation between their elements is involved. We then propose ad-hoc definitions based on a syntactical point of view. 6.4. BEYOND COMPATIBILITY 119 Auxiliary definitions Given a state/event sequence σ and a policy pol, we need the following auxiliary definitions. (σ is implicit in the following definitions for ease of reading.) In the remainder, if A is a set of formulas, φ. then A denotes the formula φ∈A W Obl(i) (resp. SObl(i)) is the set of the formulas which are weakly (resp. strongly) obligatory in the ith state of σ, and which are not sanctions (they are not triggered by any sanctioning rule). def W Obl(i) = {φ / ∃(ϕp → O(φ)) ∈ pol such that σ, i |= ϕp } def SObl(i) = {φ / ∃(ϕp → Ô(φ)) ∈ pol such that σ, i |= ϕp } P erm(i) is the set of all the event sets which are permitted in state i. Notice that it may be the case that {e1 } and {e2 } are permitted whereas {e1 , e2 }, i.e., the simultaneous occurrence of e1 and e2 , is not. Therefore, P erm(i) is necessarily a set of event sets and not simply a set of events. We denote P erm(i) the event formula which characterizes permitted events. def P erm(i) = {E ⊆ E / ∃(ϕp P (ϕev )) ∈ pol such that ϕev ⇒ ( E ) and σ, i |= ϕp } def ( E) P erm(i) = E∈P erm(i) W SancP (i) (resp. SSancP (i)) is the set of the formulas which are weakly (resp. strongly) obligatory in state i + 1 because of the occurrence of nonpermitted events in the current transition. W SancP (i) = def {φ / ∃(ϕp ∧ V iolP (ϕev ) O(φ)) ∈ pol such that σ, i |= ϕp ∧ ϕev and P erm(i) ϕev } def {φ / ∃(ϕp ∧ V iolP (ϕev ) Ô(φ)) ∈ pol such that σ, i |= ϕp ∧ ϕev and P erm(i) ϕev } SSancP (i) = The set W SancO (i, ϕ) represents the formulas which are weakly obligatory in state i+1 of a state/event trace σ because of the violation V iolO (ϕev ) (where ϕev is implied by ϕ), i.e., because obligation O(ϕev ) is not fulfilled by the current transition. W SancO (i, ϕ) def = {φ / ∃(ϕp ∧ V iolO (ϕev ) O(φ)) ∈ pol such that ϕ ⇒ ϕev and σ, i |= ϕp ∧ ¬ϕev } Similarly, we define SSanc(i, ϕ) as the set of the formulas which are strongly obligatory in state i because of the violation V iolO (ϕev ), (whereϕev CHAPTER 6. COMPUTER SECURITY APPLICATION 120 is implied by ϕ) : SSancO (i, ϕ) def = {φ / ∃(ϕp ∧ V iolO (ϕev ) Ô(φ)) ∈ pol such that ϕ ⇒ ϕev and σ, i |= ϕp ∧ ¬ϕev } During the informal discussion, we saw that the criterion which allows to determine whether the violation of a given sanction is unexpected is quite complex. We explained the need to distinguish between an inherited part new O(ϕinh ev ) and a ’new’ part O (ϕev ) in the sanction. def new ExistsSanc(i, O (ϕinh ev ), O (ϕev )) = ∃(ϕp ∧ V iolO (ϕev ) _) ∈ pol such that ϕinh ev ⇒ ϕev and σ, i |= ϕp ∧ ¬ϕev or ∃(ϕp ∧ V iolO (ϕev ) _) ∈ pol such that new ⇒ ϕ new ϕinh ev and ϕev ϕev and σ, i |= ϕp ∧ ¬ϕev ev ∧ ϕev Triggered sequence of sanctions We consider finite and infinite sequences, indexed by I. In the former case, I has the form 0..N for some non-negative integer N ∈ N. In the latter case, I = N. A sequence of new inh sanctions is denoted by (O (ϕinh k ), O (ϕk ))k∈I , where O(ϕk ) denotes the new inherited part of the sanction, and O(ϕk ) denotes the ’new’ part of the new sanction. It can also be denoted by (O inh k , O k )k∈I . The last pair of obligations (in case the sequence is finite) can be either a pair of weak obligations or a pair of strong obligations, and all the other obligations of the sequence are weak. new Definition 63 (Triggered sequence of sanctions). A sequence (O(ϕinh k ), O(ϕk ))k∈I th of sanctions is said to be triggered in the i state of a state/event trace σ if • the first sanction is due to the violations which occur in σ i O(ϕinh 0 ) ≡ W SancO (i, φ) ∧ W SancP (i) SSancO (i, φ) ∧ SSancP (i) (and there is only one or O(ϕinh 0 )≡ pair in the sequence) def where φ = W Obl(i) • The inherited part of a sanction in the sequence is due to the violation of the previous sanction new ≡ W SancO (i + k, ϕinh ∀k ∈ I \ {0} ϕinh k k−1 ∧ ϕk−1 ) new ≡ SSancO (i + k, ϕinh or ϕinh k k−1 ∧ ϕk−1 )(and k is the last index) • The new part of each sanction is due to the current state and the nonpermitted events in the previous transition. ≡ W Obl(i + k + 1) ∧ W SancP (i + k) ∀k ∈ I ϕnew k 6.4. BEYOND COMPATIBILITY 121 • each sanction in the sequence (except the last sanction if the sequence is finite) is violated, and this violation is not unexpected (there exists a new sanction according to the policy) ∀k ∈ I such that k is not the last index of the sequence of sanctions σ, i + k + 1 |= ¬ϕinh k and new ExistsSanc(i + 1, O(ϕinh k ), O(ϕk )) • if the sequence is finite (I = 0..N ) and the last pair of sanctions is weak, then, either the last sanction is fulfilled or the policy specifies no sanction new inh new if (Oinh N , ON ) is of the form (O(ϕN ), O(ϕN ) then inh new or ¬ ExistsSanc(i + N + 1, O(ϕinh σ, i + N + 1 |= ϕN N ), O(ϕN )) Let us come back to the example of page 117. We consider all the rules (1)-(5) and (5’). Then, the first transition triggered the sequence of sanctions [(O(e3 ∧ e4 ), O (e5 )), (Ô(e6 ∧ e7 ), )], according to this definition.(Notice that there is no ’new’ part in the last sanction.) Diagnostic cases We can now define the semantics of the different kinds of transitions in which a violation occurs: managed transition, ultimately strong transition, ultimately unexpected transition, and never caught transition, through the predicates managed, strong, unexpected, and never_caught. Definition 64 (Managed transition). Given a state/event sequence σ and a nonnegative integer i, the ith transition of σ is managed if every sequence of triggered sanctions is finite and ends with a fulfilled sanction. managed(σ, i) iff every sequence of sanctions triggered by σ i (there exists some) is finite new inh and for every triggered sequence of sanctions (Oinh k , Ok )k∈0..N , σ, i + N + 1 |= ϕN inh inh inh where Oinh N = O(ϕN ) or ON = Ô(ϕN ). Definition 65 (Ultimately strong transition). A transition is ultimately strong if there is a sequence of triggered sanctions which ends with an unfulfilled strong violation. strong(σ, i) new i iff ∃(Oinh k , Ok )k∈0..N sequence of sanctions triggered by σ inh such that Oinh N = Ô(ϕN ) and σ, i + N + 1 |= ¬ϕN Definition 66 (Ultimately unexpected transition). A transition is ultimately unexpected if the policy specifies no sanction for the violations which occur CHAPTER 6. COMPUTER SECURITY APPLICATION 122 during this transition, or for the violation of the last sanction of some triggered sequence of sanctions. unexpected(σ, i) iff viol(σ, i) and N oInitialSanc(i) new i or ∃(O(ϕinh k ), O(ϕk ))k∈0..N finite sequence of sanctions triggered by σ such that new σ, i + N + 1 |= ¬ϕinh and ¬ExistsSanc(i + N + 1, O(ϕinh N N ), O(ϕN ) where viol(σ, i) def = σ, i W Obl(i) or P erm(i) e e∈σi and def N oInitialSanc(i) = W SancP (i)= SSancP (i) = ∅ and W Sanc0 (i, W Obl(i)) = SSanc0 (i, W Obl(i)) = ∅ Definition 67 (Never caught transition). A transition is never caught if it triggers an infinite sequence of sanctions. never_caught(σ, i) iff there is an infinite sequence of sanctions triggered by σ i Property 29. A transition in which some violation occurs and which is not managed is either ultimately strong, or ultimately unexpected, or never caught. Given a policy pol, a state/event trace σ, a natural i, then the following property holds viol(σ, i) ∧ ¬managed(σ, i)) ⇔ (strong(σ, i) ∨ unexpected(σ, i) ∨ never_caught(σ, i)) Proof. Let σ a state/event sequence and i ∈ N a nonnegative integer. ’⇐’: If strong(σ, i) then there exists a triggered sequence of sanctions which ends with an unfulfilled (strong) obligation. It directly follows that ¬managed(σ, i). Suppose that unexpected(σ, i). Then, either there is a violation and no triggered sequence, or there is a triggered sequence which ends with an unfulfilled (weak) obligation. It follows that ¬managed(σ, i). Now, suppose that never_caught(σ, i). Then, there exists an infinite sequence of sanctions triggered by σ i . We deduce that ¬managed(σ, i). In the three previous cases, the existence of a triggered sequence of sanctions implies viol(σ, i). ’⇒’: We suppose that viol(σ, i) ∧ ¬managed(σ, i). Then, considering the definition of managed, we have that • either there is an infinite sequence of triggered sanctions (then never_caught(σ, i) holds) • or there is no triggered sequence of sanctions (then unexpected(σ, i) holds) 6.4. BEYOND COMPATIBILITY 123 • or there is a triggered sequence of sanctions which ends with an unfulfilled obligation. If this obligation is strong, then strong(σ, i) holds. new Otherwise, if there exists a sanction (ExistsSanc(σ, i+N +1, O inh N , O N )) then the sequence of sanction does not end at N . So, there does not exist any sanction, and unexpected(σ, i) holds. Definition 68 (Compliance). A trace σ is compliant iff for every transition in σ, either there is no violation, or the transition is managed. compliant(σ) iff ∀i ∈ N viol(σ, i) ⇒ managed(σ, i) From property 29, we deduce that a trace σ is not compliant iff ∃i ∈ N (strong(σ, i) ∨ unexpected(σ, i) ∨ never_caught(σ, i)). Compatibility vs compliance In order to compare both notions of compatibility and compliance, we first have to consider the policy as an SEDLT L-formula: • → is interpreted as usual implication: ⇒., • is interpreted as ’implies next’: ⇒ X • Ô(ϕev ) is interpreted as ϕev , • other operators already belong to SED-LT L, • a policy is interpreted as G ϕ, where ϕ is the conjunction of its rules. Property 30 (Compatibility vs compliance). Let σ be a state/event sequence, pol a policy (set of Lrule -formulas) and ϕpol its SED-LT L translation. σ is compatible with the ϕpol iff every transition in σ is not ultimately strong with respect to pol. Sketch of the proof. Let pol a policy (set of Lrule -formulas) and ϕpol its SED-LT L translation. ’⇒’: Let σ be a state/event sequence and i ∈ N a non negative integer such that strong(σ, i). There is a triggered sequence of sanctions new inh inh (O inh k , O k )k∈0..N such that O N = Ô(ϕN ) and σ, i+N +1 |= ¬ϕN . It inh new can be shown that (σ, i+k +1), ϕk ∧ϕk is obligatory in the ’combination’ of the system and the policy (cf definition 60, section 6.2.2) for every k < N . ∧ ϕnew In other words, every ’deontic extension’ of σ satisfies O(ϕinh k k ) in inh new state i + k + 1, i.e., σ, i + k + 1 |=pol O exp (ϕk ∧ ϕk ). Similarly, since Ô(ϕ) is interpreted as ϕ, every ’deontic extension’ of σ which satisfies ϕpol , satisfies ϕinh N in sate i+k+N +1. So, there cannot be any ’deontic extension’ of σ which satisfies ϕpol . So, σ is not compatible with ϕpol . 124 CHAPTER 6. COMPUTER SECURITY APPLICATION ’⇐’: Let σ be a state/event sequence which is not compatible with the policy. There is no ’deontic extension’ of σ which satisfies ϕpol . So, a conflict prevents from satisfying ϕpol with a temporal deontic model ’based’ on σ. Since there is no negative event formulas in the policy, there cannot be any obligation/prohibition conflict which would be in contradiction with axiom D, and there cannot be any contradiction with axiom K either. Since there is no negation of obligation and no negation of permission, there cannot be any permission/prohibition conflict. The only kind of rules which may cause a conflict is the rules where the consequent if a strong obligation of the form Ô(ϕev ), interpreted as ϕev in SED-LT L. This is exactly the conflict which arises if an ultimately strong transition occurs. In the next section, we provide an algorithm which checks the compliance of a transition of a given a system with a policy. It also allows to provide a diagnostic. 6.4.3 Diagnostic algorithm We present an algorithm that analyses the system and the policy, to check whether the five following properties hold, given the current transition t: 1. There is no violation in t 2. For every trace which starts from t, t is managed 3. There is some trace which starts from t, such that t is ultimately strong 4. There is some trace which starts from t, such that t is ultimately unexpected 5. There is some trace which starts from t, such that t is never caught Preliminary definitions We refer to propositional logic, and suppose we have access to a decision procedure for the validity of any propositional formula. Given an LKS A = (S, S0 , Δ, V ) over the sets P and E of propositions and events, we call s the propositional formula that characterizes the atomic propositions that are true in s ∈ S, succ(s, E) the set of the possible successors of s after a transition labelled by E, and Out(s) the set of all the event sets that label an outgoing transition from s: def s = p∈V (s) def p∧ ¬p p∈V / (s) succ(s, E) = {s ∈ S / (s, E, s ) ∈ Δ} 6.4. BEYOND COMPATIBILITY 125 def Out(s) = {E ∈ 2E / ∃s ∈ S such that (s, E, s ) ∈ Δ} Since we analyse a whole system A, we have to adapt auxiliary definitions given in section 6.4.2 to the branching time case. These definitions will make algorithms more readable. W Obl(i), SObl(i), P erm(i) only concern the current state, so they can easily be re-defined as W Obl(s), SObl(s), P erm(s), respectively. W SancP (i) and SSancP (i) concern the current transition, so they have to be re-defined as W SancP (s, E) and SSancP (s, E). W Sanc0 (i, ϕ) and SSancO (i, ϕ) depend on the current transition and a given event formula (supposed to be obligatory), so they can be re-defined as W SancO (s, E, ϕev ) and SSancO (s, E, ϕev ) new respectively. ExistsSanc(i, O(ϕinh ev ), O (ϕev )) depends on the current transition, and on two given formulas (supposed to be the inherited part, and the ’new’ part of the current obligation). These re-definitions are given in figure 6.9. We use so me variables to “diagnose” the situation. no_viol is true until some violation occurs, strong_violation is false until some strong sanction is not fulfilled, unexpected_violation is false until some violation occurs for which no sanction is specified, and never_caught is false until some never caught violation is detected. The detection uses a variable po which records the triples (current state, current transition, parsed obligation). In order to have more precise information, we could provide the trace of the different rules that are triggered, but we do not consider such trace here for the sake of brevity. Algorithms Given a state s and an outgoing transition labeled by E, CheckT ransition(s, E) (algorithm 1) provides the above-mentioned diagnostic. It first initialises the four diagnostic variables. Then, if a violation occurs during the transition, it sets no_viol to false, computes the weak and strong sanctions, and call CheckSanction (algorithm 2) on the next possible transitions in order to recursively check that the sanctions are fulfilled. CheckT ransition then returns the four variables that provide a diagnostic. CheckSanction(s, E, inh, new, so) (algorithm 2) aims at checking that the current transition complies with the sanctions which are triggered by the initial transition (on which CheckT ransition was called). inh is the set of the weakly obligatory formulas which are inherited from previous violations. It corresponds to the inherited part of the sanction in the triggered sequence of sanctions. new is the set of the formulas which are weakly obligatory because of the current state, and because of the non-permitted events which occurred during the previous transition. It corresponds to the ’new’ part of the sanction in the triggered sequence of sanctions. so is the set of the strong obligations which are inherited from previous sanctions. Since a CHAPTER 6. COMPUTER SECURITY APPLICATION 126 def W Obl(s) = {φ / ∃(ϕp O(φ)) ∈ pol such that s ⇒ ϕp } def SObl(s) = {φ / ∃(ϕp Ô(φ)) ∈ pol such that s ⇒ ϕp } def P erm(s) = {E ⊆ E / ∃(ϕp P(ϕ ev )) ∈ pol s.t. |= ϕev ⇒ ( E ) and |= s ⇒ ϕp } def ( E) P erm(s) = E∈P erm(s) W SancP (s, E) such that SSancP (s, E) such that def = def {φ {φ = def W SancO (s, E, ϕev ) = such that def SSancO (s, E, ϕev ) = such that {φ {φ / ∃(ϕp ∧ V iolP (ϕev ) O(φ)) ∈ pol s ⇒ ϕp and ( E) ⇒ ϕev and P erm(s) ϕev } / ∃(ϕp ∧ V iolP (ϕev ) Ô(φ)) ∈ pol s ⇒ ϕp and ( E) ⇒ ϕev and (P erm(s)) ϕev } / ∃(ϕp ∧ V iolO (ϕev ) O (φ)) ∈ pol ϕev ⇒ ϕev and ( E) ϕev and s ⇒ ϕp } / ∃(ϕp ∧ V iolO (ϕev ) Ô (φ)) ∈ pol ϕev ⇒ ϕev and ( E) ⇒ ϕev and s ⇒ ϕp } def new ExistsSanc(s, O(ϕinh ev ), O (ϕev )) = ∃(ϕp ∧ V iolO (ϕev ) _) ∈ pol such that ϕinh ev ⇒ ϕev and s ⇒ ϕp and ( E) ϕev or ∃(ϕp ∧ V iolO (ϕev ) _) ∈ pol such that new ⇒ ϕ new ϕinh ev and ϕev ϕev and s ⇒ ϕp and ( E) ϕev ev ∧ ϕev Figure 6.9: Auxiliary definitions in the branching-time case 6.4. BEYOND COMPATIBILITY 127 Algorithm 1: CheckTransition (s, E, wo, so) /* initialization of diagnostic variables no_viol := true; strong_violation := f alse; po := ∅; unexpected_violation := f alse; never_caught := f alse; if ( E) W Obl(s) or P erm(s) ( E) then no_viol := f alse; wo := W SancO (s, W Obl(s)) ∪ W SancP (s, E); so := SSancO (s, W Obl(s)) ∪ SSancP (s, E); if wo = ∅ and so = emptyset then unexpected := true; else foreach s ∈ succ(s, E) and E ∈ Out(s ) do CheckSanction(s , E , wo, ∅, so); */ return (no_viol, strong, unexpected, never_caught) strong obligation can only appear at the last position in a triggered sequence of sanctions, there is no need to consider ’new’ strong obligations which may hold in the current state. Such a ’new’ strong obligation which may appear during a transition (s , E ) is dealt with by the call CheckT ransition(s , E ). If the current transition does not perform strongly obligatory events, then the variable strong is set to true. If the current transition performs the inherited part of the current obligation, then the algorithm terminates. If the set of inherited weak obligations inh is already parsed in the current state/transition pair, then the variable never_caught is set to true and the algorithm terminates. If inh is not already parsed, then the set po of the parsed obligations is increased with the triple (s, E, wo). If no sanction is specified, according to our criterion which depends on inh and new, then the variable unexpected is set to true, else, the algorithm checks whether the new sanctions are enforced in the next states calling itself recursively on every possible successor. Property 31 (Termination). CheckT ransition terminates. Sketch of the proof. There is no loop, and the only recursive call is in CheckSanction. The termination of CheckSanction is straightforward, because the set of triples (state, transition, obligation) is finite (finiteness of the set of rules implies finiteness of the set of possible obligations), and the set of triples for which the obligation is not parsed (the complementary of the set po) is strictly decreasing at each recursive call, which guarantees the termination. 128 CHAPTER 6. COMPUTER SECURITY APPLICATION Algorithm 2: CheckSanction (s, E, inh, new, so) if ( E) so then strong :=true; if ( E) ( inh) then if (s, E, inh) ∈ po then never_caught := true; else po := po ∪ {(s, E, inh)}; new := wo ∪ W Obl(s); if ¬ExistsSanc(s, inh, new) then unexpected := true; else inh := W SancO (s, inh ∪ new); new := SSancP (s, E); so := SSanc(s, inh ∪ new); foreach s ∈ succ(s) and E ∈ Out(s ) do CheckSanction(s , E , inh, new, so); We now establish the soundness of CheckT ransition with respect to the definition of the diagnostic cases provided in section 6.4.2. Property 32 (Soundness). Given a system A = (S, S0 , Δ, V ), and a state s ∈ S, and an outing transition labeled by E ∈ Out(s) after the call of CheckT ransition(s, E), the following holds • no_viol = true iff for every state/event trace σ = (s, E, . . .) of A starting with s, E, no violation occurs during the first transition. • strong_violation, unexpected_violation, and never_caught all equal false iff for every state/event trace σ = (s, E . . .) of A starting with s, E, the first transition is managed: managed(σ, 0) • strong_violation = true iff there is some state/event trace σ = (s, E . . .) of A starting with s, E, such that strong(σ, 0) • unexpected_violation = true iff there is some state/event trace σ = (s, E, . . .) of A starting with s, E, such that unexpected(σ, 0) • never_caught = true iff there is some state/event trace σ = (s, E . . .) of A starting with s, E, such that never_caught(σ, 0) 6.4. BEYOND COMPATIBILITY 129 The proof is straightforward because the algorithm deals with concepts that are close to the semantics of the formal definitions. In particular, triggered sequences of sanctions are directly obtained from the successive values of inh, new, and so. 6.4.4 Concluding example In this section, we develop the aforementioned bank example and test the algorithm given in section 6.4.3. Figure 6.13 shows the output of this algorithm for some instances of a bank model. The bank system is modeled as an automaton that models the behaviour of a customer together with the state of his/her bank account. Let us remind that the sets P and E of atomic propositions and events are P = {positive} and E = {credit, debit, pay_charges, go_to_jail} debit debit credit s1 credit p s2 credit Figure 6.10: First example of a system debit debit credit s1 credit p s2 credit debit Figure 6.11: Second example of a system We consider the following policy: • credit, pay_charges, and go_to_jail operations are always permitted. → P (credit ∧ pay_charges ∧ go_to_jail) • When the balance is positive, it is permitted to perform a debit operation. positive → P (debit) • If the balance is negative, then it is obligatory to credit the account. ¬positive → O(credit) CHAPTER 6. COMPUTER SECURITY APPLICATION 130 debit debit credit credit s1 s2 p credit credit, pay _charges debit credit, pay _charges s4 debit s3 go_to_jail Figure 6.12: Third example of a system XX XXX variable XXX no_viol XXX system example2 example3 false false strong unexpected never_caught true false false false false false Figure 6.13: Output of CheckT ransition(s2 , {debit}) • If a debit operation is performed without permission, then it is obligatory to pay charges. V iolP (debit) O(pay_charges) • If an obligation to credit the account is violated, then it is obligatory to pay charges. V iolO (credit) O(pay_charges) • If an obligation to pay the charges is violated, the customer has a strong obligation to go to jail. V iolO (pay_charges) Ô(go_to_jail) The first system (Figure 6.10) is compliant with the policy, and never violates any obligation or prohibition (every trace σ satisfies ¬V iol(σ, i) for every i ∈ N). The second one (Figure 6.11) may clearly violate the obligation to credit the account in state s2 , if it performs event debit. Then, there is an obligation to pay charges, which can also be violated by performing again event debit. Then, there is a strong obligation to go to jail, which may be violated by performing debit, or also credit. So the second system is not compliant with the policy (a trace, for instance, which starts 6.4. BEYOND COMPATIBILITY 131 with σ = (s1 , {debit}, s2 , {debit}, s2 , {debit}, s2 , {debit}) satisfies the property strong(σ). The third one (Figure 6.12) is compliant but may violate some obligations: every trace satisfies viol(σ, i) ⇒ managed(σ, i) for every i ∈ N. For instance, a trace which starts with σ = (s1 , {debit}, s2 , {debit}) satisfies V iolO (credit) in its second state (σ, 1), but also satisfies managed(σ, 1). Figure 6.13 shows the value of diagnostic variables after the call of our algorithm on the transition starting from state s2 and labeled by {debit}. 132 CHAPTER 6. COMPUTER SECURITY APPLICATION 7 Conclusion 7.1 Summary The goal of this thesis was to propose a logical framework to deal with security properties. We have focused on the combination of deontic and temporal logics. The key interaction we have studied is the propagation of unfulfilled obligations. We have studied this interaction in the case of deadline obligations and for a more general form of obligations. We have then presented how such a logical framework can be useful for specifying and verifying security properties. Here are the main contributions of this work. • We have proposed semantic definitions for an operator dedicated to obligations with deadline in a combination (product) of temporal and deontic logics. This study showed that the semantic issues are more complex than expected. The last definition we came up with was satisfying, but the corresponding operator was out of the scope of the product language, and had a rather complex semantics. • We have then expressed a generalisation of the propagation of deadline obligations, which concerns a special temporal disjunction. To the best of our knowledge, this is the first time this general property has been studied. We have proposed a (semantically defined) logic which is a conservative extension of LT L and SDL, such that the propagation property is satisfied in every state where no ’immediate obligation’ is true. • We have exhibited a necessary and sufficient condition on an arbitrary temporal deontic model (based on an accessibility relation for each modality) to satisfy the propagation property. This condition showed that any such temporal deontic model which validates both axiom D and the propagation property has undesirable properties. 133 CHAPTER 7. CONCLUSION 134 • We have developed a tableaux-like decision procedure and an axiomatization for a fragment of our logic. They are based on a decomposition of the deontic operator into more primitive operators. • Using our logic as a security policy specification language, and a Labeled Kripke Structure to model a system, we have defined the notion of compatibility of a system with respect to a policy. We have proposed a decision procedure for the compatibility problem where the policy is specified in a fragment of our logic. A careful analysis showed that there are more subtle notions involved in the intuition of compliance, which is a strong version of compatibility. We have then restricted again the policy language and provided a definition of compliance. This definition has been refined into five diagnostic cases. We have then provided an algorithm to establish this diagnostic and thus check the compliance. 7.2 Future investigations Many future investigations are envisaged. In section 4.1, we did not consider decidability issues for the product LT L SDL enriched with deadline operators. Since decidability of the genuine product is complex to show, we have reasons to think that this open question is non trivial, and needs further studies. Several results are valid only for some restrictions of the temporal deontic language. A natural path for further investigations is to extend these results to a more powerful fragment, or even to the whole language. In chapter 5 we developed a decision procedure and an axiomatization for the until-free fragment of our logic. We plan to further investigate a tableaux method and an axiomatization for the whole logic. Concerning the security issues, we have also considered in section 6.3 a fragment of the logic in order to decide the compatibility of a system with respect to a policy. We only allowed propositional formulas in the scope of deontic operators. This restriction made it possible to use traditional techniques of temporal model checking, enriched with a standard deontic decision procedure. We need to investigate how far this approach could be extended if we allow nesting temporal operators inside deontic ones. Another possibility would be to use a temporal deontic decision procedure in order to check the compatibility. Indeed, let us remind that checking the compliance of a system with respect to a policy consists in checking for each trace, the existence of a ’deontic extension’ which satisfies the policy. Thus, checking compliance is somewhere between the satisfiability problem (we need to build a temporal deontic model which satisfies the policy) and the model checking problem (we need to check whether a given model ’satisfies’ a given formula, where ’satisfies’ means ’complies with’ in our case). 7.2. FUTURE INVESTIGATIONS 135 In section 6.4, we have restricted again the language in order to define the notion of compliance, and to check whether a given system complies with a policy. We have actually refined this concept into five diagnostic cases. Their definition involved complex notions and was out of the scope of our temporal deontic semantics. However, the comparison between compliance and compatibility, studied in section 6.4.2 established a connection with the semantic point of view adopted in sections 6.2 and 6.3. A natural extension would be to consider deadline obligations. Actually, we could easily extend our definitions and algorithms so that deadline obligations are propagated while they are not fulfilled. But then, the connection with the semantic point of view would not be possible. Indeed, let us remind that in our semantics, the propagation property is only true in the states which do not violate any immediate obligation. Moreover, section 4.2.3 showed that when immediate violations occur, problems are inevitable in a model which interpret temporal and deontic modalities with an accessibility relation. We then come to the following question: is it possible to consider a temporal deontic logic, with a non-classical deontic operator, such that the propagation property does not conflict with situations of ’immediate violations’ ? In this thesis, we have considered neither entities who give obligations, nor those who are concerned by obligations. In some works [128], deontic operators are indexed with the concerned agent: O a (ϕ) then means that agent a is obliged to satisfy ϕ. Another lead is to follow the idea of temporal logics of agency [123], such as AT L [10, 11] and ST IT logics [20, 71]. These logics can handle some interactions between agents. In particular, it is possible to express that a given group of agents can ensure a property. Horty developed in [71] a deontic logic in a STIT framework. It would be interesting to integrate these aspects in our context of propagation of obligations. 136 CHAPTER 7. CONCLUSION Conclusion Bilan Le but de cette thèse était de proposer un cadre logique pour spécifier des politiques de sécurité. Nous nous sommes intéressés à la combinaison des logiques déontique et temporelle. L’interaction clé que nous avons étudiée est la propagation des obligations non remplies. Nous avons étudié cette interaction dans le cas des obligations avec délai, ainsi que pour une forme plus générale d’obligations. Nous avons ensuite présenté comment un tel cadre logique pouvait être utile à la spécification et la vérification de propriétés de sécurité. Voici les principales contributions de ce travail. – Nous avons proposé plusieurs définitions sémantiques pour un opérateur dédié à l’obligation avec délai dans le contexte d’un produit de logiques temporelle et déontique. Cette étude nous a montré que pour avoir des propriétés satisfaisantes, la sémantique d’un tel opérateur doit être complexe. Notre définition la plus satisfaisante sors même du cadre de la logique produit. – Nous avons ensuite exprimé une généralisation de la propriété de propagation, qui concerne une disjonction temporelle particulière. A notre connaissance, c’est la première fois que cette propriété générale est étudiée. Nous avons proposé une logique, définie de manière sémantique, qui est une extension conservative de LT L et SDL, telle que la propriété de propagation est satisfaite dans tous les états dans lesquels aucune obligation immédiate n’est vraie. – Nous avons exhibé une condition nécessaire et suffisante sur un modèle temporel et déontique quelconque pour satisfaire la propriété de propagation. Cette condition montre que tout modèle temporel et déontique qui satisfait à la fois l’axiome D et la propriété de propagation a des conséquences indésirables. 137 CHAPTER 7. CONCLUSION 138 – Nous avons développé une procédure de décision basée sur une méthode des tableaux et une axiomatisation pour un fragment de notre logique. Elles sont basées sur la décomposition de l’opérateur déontique en opérateurs plus primitifs. – En utilisant notre logique pour spécifier une politique de sécurité, et une structure de Kripke avec labels pour modéliser un système, nous avons défini la notion de compatibilité d’un système vis à vis d’une politique. Nous avons proposé une procédure de décision pour le problème de compatibilité, si la politique est spécifiée dans un fragment de notre logique. Une analyse minutieuse a montré que des notions subtiles sont en jeu dans la notion intuitive de conformité, qui est une version plus forte de la compatibilité. Nous avons ensuite restreint à nouveau le langage de spécification d’une politique et proposé une définition de la conformité. Cette définition a été raffinée en cinq cas de diagnostic. Nous avons ensuite fourni un algorithme pour établir ce diagnostic et donc vérifier la conformité. Perspectives De nombreuses pistes de recherche sont envisagées. Dans la section 4.1, nous n’avons pas étudié la décidabilité du produit LT L SDL enrichi par l’opérateur d’obligation avec délai. Étant donné que la décidabilité du produit est difficile à montrer (la complexité est non élémentaire), nous avons des raisons de penser que cette question ouverte est non triviale, et nécessite une étude approfondie. Plusieurs résultats que nous avons établis ne sont valables que pour des restrictions du langage temporel déontique. Une voix de recherche naturelle est donc d’étendre ces résultats à un fragment plus riche, ou éventuellement à tout le langage. Dans le chapitre 5, nous avons par exemple développé une procédure de décision et une axiomatisation pour le fragment sans until de notre logique. Nous prévoyons d’étudier à la fois les tableaux et une axiomatisation pour la logique entière. En ce qui concerne les questions de décidabilité, nous avons considéré dans la section 6.3 un fragment de la logique de manière à pouvoir décider la compatibilité d’un système vis à vis d’une politique. Nous avons seulement autorisé les formules propositionnelles dans le champ des opérateurs déontiques. Cette restriction a rendu possible l’utilisation de techniques traditionnelles de model checking. Nous devons étudier à quel point cette approche pourrait être étendue si nous autorisons des formules temporelles dans le champ des opérateurs déontiques. Une autre possibilité serait d’utiliser une procédure de décision temporelle déontique pour vérifier la compatibilité. En effet, rappelons-nous que la vérification de la compatibilité d’un système vis à vis d’une politique consiste à vérifier que pour chaque trace, il existe un 7.2. FUTURE INVESTIGATIONS 139 «extension déontique» qui satisfait la politique. Donc, la vérification de la conformité se situe entre le problème de satisfiabilité (il faut construire un modèle temporel déontique qui satisfait la politique) et le problème de model checking (il s’agit de vérifier qu’un modèle donné «satisfait» une certaine formule, où «satisfait» veut dire «est compatible avec» dans notre cas. Dans la section 6.4, nous avons restreint à nouveau le langage de manière à pouvoir définir la notion de conformité, et vérifier qu’un système est conforme à une politique. Nous avons en fait raffiné ce concept en cinq cas de diagnostic. Leur définition a mis en jeu des notions complexes qui sortent du cadre de notre sémantique temporelle déontique. Cependant, la comparaison entre compatibilité et conformité, étudiée dans la section 6.4.2 a établi des liens avec le point de vue sémantique adopté dans les sections 6.2 et 6.3. Une extension naturelle serait de considérer les obligations avec délai. En fait, nous pourrions facilement étendre nos définitions et algorithmes de manière à ce que les obligations avec délai soient propagées tant qu’elles ne sont pas remplies. Mais le lien avec le point de vue sémantique ne serait alors plus possible. En effet, rappelons-nous que dans notre sémantique, la propagation n’est valide que dans les états qui ne violent pas d’obligation immédiate. De plus, la section 4.2.3 a montré que lorsque qu’une violation immédiate a lieu, alors des conséquences indésirables sont inévitables dans un modèle qui interprète les modalités temporelles et déontiques avec des relations d’accessibilité. Nous arrivons alors à la question suivante : est-il possible de considérer une logique temporelle déontique, munie d’un opérateur déontique non classique, telle que la propriété de propagation ne soit pas en conflit avec les situations de «violations immédiates» ? Dans cette thèse, nous n’avons considéré ni les entités qui donnent les obligations, ni celles qui les subissent. Dans certains travaux [128], les opérateurs déontiques sont indexés par les agents concernés : O a (ϕ) signifie alors que l’agent a a l’obligation de satisfaire ϕ. Une autre piste consiste à suivre l’idée des logiques temporelles avec agents [123], comme AT L [10, 11] ou les logiques ST IT [20, 71]. Ces logiques permettent de prendre en compte certaines interactions entre les agents. En particulier, il est possible d’exprimer qu’un certain groupe d’agents peut garantir une propriété. Horty a développé dans [71] une logique déontique dans un cadre STIT. Il serait intéressant d’intégrer ces aspects dans notre contexte de propagation des obligations. 140 CHAPTER 7. CONCLUSION A Proofs of section 4.1.4 A.1 Proofs of property 11 Let us remind the definition of Ok . Definition 69 (Obligation with deadline). O(ϕ) if k = 0 def Ok (ϕ) = O(Fk ϕ) ∧ ((¬ϕ ∨ O(¬ϕ)) ⇒ X Ok−1 (ϕ)) otherwise Property. The monotonicity property with respect to the obligatory formula holds: |= Ok (ϕ1 ∧ ϕ2 ) ⇒ Ok (ϕ1 ) Proof. Let i ∈ N, w ∈ W . i, w |= O0 (ϕ1 ∧ ϕ2 ) ⇒ O0 (ϕ1 ). Recursion hypothesis on k: |= Ok (ϕ1 ∧ ϕ2 ) ⇒ Ok (ϕ1 ). Let i ∈ N, w ∈ W . Suppose that i, w |= Ok+1 (ϕ1 ∧ ϕ2 ). Then, i, w |= O(Fk+1 ϕ1 ∧ ϕ2 ) ∧ (¬ϕ1 ∨ ¬ϕ2 ∨ O (¬ϕ1 ∨ ¬ϕ2 )) ⇒ XOk (ϕ1 ∧ ϕ2 ). Thus, i, w |= O(Fk+1 ϕ1 ). Moreover, suppose that i, w |= (¬ϕ1 ∨ O(¬ϕ1 )). We can deduce i, w |= ¬ϕ1 ∨ ¬ϕ2 ∨ O(¬ϕ1 ∨ ¬ϕ2 ), and thus i, w |= XOk (ϕ1 ∧ ϕ2 ). From the recursion hypothesis we have that i + 1, w |= Ok (ϕ1 ), i.e., i, w |= X Ok (ϕ1 ). So, i, w |= Ok+1 (ϕ1 ). Property. The ’perfect recall’ property holds: |= Ok (Xϕ) ⇒ XOk (ϕ) Proof. Let i ∈ N, w ∈ W . Since the ’perfect recall’ property for O holds, then i, w |= O0 (Xϕ) ⇒ XO0 (ϕ). Recursion hypothesis on k: |= Ok (Xϕ) ⇒ XOk (ϕ) Let i ∈ N, w ∈ W . Suppose that i, w |= Ok+1 (Xϕ). Since X commutes with O, Fk , and distributes on ∧ and ∨, then i, w |= X (O (Fk+1 ϕ) ∧ ((¬ϕ ∨ O (¬ϕ)) ⇒ Ok (Xϕ))). From the recursion 141 APPENDIX A. PROOFS OF SECTION 4.1.4 142 hypothesis, we deduce that i, w |= X (O (Fk+1 ϕ) ∧ ((¬ϕ ∨ O(¬ϕ)) ⇒ XOk (ϕ))), i.e., i, w |= XOk+1 (ϕ). A.2 Proofs of property 12 Let us first remind the definition of Ok . (i, w) |= Ok (ϕ, k ) iff (i − k , w) |= OFk+k ϕ and (i − k , w) O Fk+k −1 ϕ and ∀j ∈ N if i − k j < i then (j,w) |= ¬ϕ ∨ O(¬ϕ) To prove the properties, we will use a recursive definition of the operator Ok . Definition 70 (Recursive definition). (i, w) |= Okr (ϕ) iff (i, w) |= OFk ϕ ∧ ¬OFk−1 ϕ r ϕ ∧ (O¬ϕ ∨ ¬ϕ) or (i − 1, w) |= Ok+1 Property. Both definitions Ok et Okr are equivalents. Proof Let w ∈ W . Let k ∈ N, and ϕ a formula, then (0, w) |= Ok ϕ iff (0, w) |= Okr ϕ since both are equivalents to (0, w) |= O(Fk ϕ) ∧ ¬O(Fk−1 ϕ). Recursion hypothesis on i : For every k ∈ N, ϕ formula, (i, w) |= Ok ϕ iff (i, w) |= Okr ϕ. Suppose that the recursion hypothesis is true for i. Let k ∈ N. Suppose that (i + 1, w) |= Ok ϕ. Then ∃k0 ∈ N such that (1) (i + 1 − k0 , w) |= OFk+k0 ϕ (2) (i + 1 − k0 , w) OFk+k0 −1 ϕ (3) ∀ i + 1 − k0 j < i + 1(j, w) |= O (¬ϕ) ∨ ¬ϕ If k0 = 0 then (i + 1, w) |= OFk ϕ ∧ ¬OFk−1 ϕ. r ϕ ∧ (O (¬ϕ) ∨ ¬ϕ). Indeed, (i, w) |= If k0 = 0, then (i, w) |= Ok+1 O(¬ϕ) ∨ ¬ϕ from (3). And (i, w) |= Ok ϕ, since if k0 > 0, the definition of Ok+1 ϕ holds at point (i, w) with k0 − 1 in the role of k . From the recursion r ϕ. hypothesis, we have (i, w) |= Ok+1 r Thus, (i + 1, w) |= Ok ϕ. Suppose now that (i + 1, w) |= Okr ϕ. Then (1) either (i + 1, w) |= O Fk ϕ ∧ ¬OFk−1 ϕ r ϕ ∧ (O(¬ϕ) ∨ ¬ϕ) (2) either (i, w) |= Ok+1 A.2. PROOFS OF PROPERTY 12 143 If (1) then (i + 1, w) |= Ok ϕ, since the definition of Ok ϕ stands at with 0 in the role of k . r ϕ. From the recursion hypothesis, we If (2) then we have (i, w) |= Ok+1 deduce (i, w) |= Ok+1 ϕ. (2) also implies (i, w) |= (O(¬ϕ) ∨ ¬ϕ. So we have (i, w) |= Ok+1 ϕ ∧ (O (¬ϕ) ∨ ¬ϕ). From the properties of Ok , we deduce (i + 1, w) |= Ok ϕ. Property. |= Ok (Xϕ) ⇒ XOk (ϕ) Proof Let w ∈ W . ∀k ∈ N, (0, w) |= Ok (Xϕ) ⇒ XOk (ϕ). Indeed (0, w) |= Ok (Xϕ) iff (0, w) |= OFk Xϕ ∧ ¬OFk−1 Xϕ. X commutes with O, with Fk , and with ¬, we have (1, w) |= O Fk ϕ ∧ ¬OFk−1 ϕ. It follows (0, w) |= XOk (ϕ). Recursion hypothesis on i : For every k ∈ N, ϕ formula, (i, w) |= Ok (Xϕ) ⇒ XOk (ϕ). Let k ∈ N. Suppose (i + 1, w) |= Ok (Xϕ). Then (1) either (i + 1, w) |= OFk Xϕ ∧ ¬OFk−1 Xϕ (2) or (i, w) |= Ok+1 Xϕ ∧ (O (¬Xϕ) ∨ ¬Xϕ) If (1) then (i + 1, w) |= XOk (ϕ) in the same way as for the case i = 0. If (2), then the recursive hypothesis allows to deduce (i, w) |= XOk+1 (ϕ). Moreover (i, w) |= O (¬Xϕ) ∨ ¬Xϕ, then (i + 1, w) |= O(¬ϕ) ∨ ϕ. So, (i + 1, w) |= Ok+1 (ϕ) ∧ (O(¬ϕ) ∨ ϕ). From the definition of Ok , we have (i + 2, w) |= Ok (ϕ), i.e. (i, w) |= XOk (ϕ). Property. XOk (ϕ) ⇒ Ok (Xϕ) Figure A.1 shows a counter-example that invalidates the property (the first state satisfies XO1 (p) ∧ ¬O1 (Xp)). Property (Propagation property). |= Ok (ϕ) ∧ (O(¬ϕ) ∨ ¬ϕ) ⇒ XOk−1 (ϕ) Proof : Let w ∈ W , and k ∈ N. If (0, w) |= Ok ∧ (O (¬ϕ) ∨ ¬ϕ), then the definition of Ok−1 (ϕ) stands at state (1, w). Therefore, (0, w) |= Ok (ϕ) ∧ (O(¬ϕ) ∨ ¬ϕ) ⇒ XOk−1 (ϕ). Recursion hypothesis on i : For every k ∈ N, ϕ formula, (i, w) |= (Ok (ϕ) ∧ (O(¬ϕ) ∨ ¬ϕ)) ⇒ XOk−1 (ϕ). Let k ∈ N. Suppose that (i + 1) |= Ok (ϕ) ∧ (O (¬ϕ) ∨ ¬ϕ). The definition of Ok−1 (ϕ) stands at point (i + 2, w). So (i + 1) |= XOk−1 (ϕ). APPENDIX A. PROOFS OF SECTION 4.1.4 144 p p ¬p O2(p) ¬O1(Xp) O1(p) Figure A.1: Counter-example for the ’no learning’ property Bibliography [1] M. Abadi and L. Lamport. The existence of refinement mappings. Theoretical Computer Science, 82(2):253–284, 1991. [2] A. Abou El Kalam, R. E. Baida, P. Balbiani, S. Benferhat, F. Cuppens, Y. Deswarte, A. Miège, C. Saurel, and G. Trouessin. Organization based access control. In IEEE 4th International Workshop on Policies for Distributed Systems and Networks (Policy 2003), Lake Come, Italy, June 2003. [3] B. Alpern and F. B. Schneider. Recognizing safety and liveness. Distributed Computing, 2(3):117–126, 1987. [4] R. Alur. Techniques for automatic verification of real-time systems. PhD thesis, Stanford University, 1991. [5] R. Alur, C. Courcoubetis, and D. Dill. Model-checking for real-time systems. In Proceedings of the 5th Symposium on Logic in Computer Science (LICS’90), pages 414–425. IEEE Computer Society Press, 1990. [6] R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126(2):183–235, 1994. [7] R. Alur, T. Feder, and T. Henzinger. The benefits of relaxing punctuality. Journal of the ACM, 43(1):116–146, 1996. [8] R. Alur and T. Henzinger. Real-time logics: complexity and expressiveness. In Proceedings of the 5th Symposium on Logic in Computer Science (LICS’90), pages 390–401. IEEE Computer Society Press, 1990. 145 146 BIBLIOGRAPHY [9] R. Alur and T. A. Henzinger. A really temporal logic. Journal of the ACM, 41:181–204, 1994. [10] R. Alur, T. A. Henzinger, and O. Kupferman. Alternating-time temporal logic. In Proceedings of the 38th Annual Symposium on Foundations of Computer Science, pages 100–109. IEEE Computer Society Press, 1997. [11] R. Alur, T. A. Henzinger, and O. Kupferman. Alternating-time temporal logic. Journal of the ACM, 49:672–713, 2002. [12] L. Aqvist. Some results on dyadic deontic logic and the logic of preference. Synthese, 66:95–110, 1986. [13] L. Aqvist. Combinations of tense and deontic logic. Journal of Applied Logic, 3:421–460, 2005. [14] A. Arnold. Finite transition systems. Prentice-Hall, 1994. [15] P. Bailhache. The deontic branching time: two related conceptions. Logique et Analyse, 141-142:159–175, 1993. [16] P. Bailhache. Canonical models for temporal deontic logic. Logique et Analyse, pages 3–21, 1995. [17] P. Balbiani, J. Broersen, and J. Brunel. Decision procedures for a deontic logic modeling temporal inheritance of obligations. In Proc. of 5th workshop Methods for Modalities (M4M5), Electronic Notes in Theoretical Computer Science. Elsevier, November 2007. [18] P. Balbiani and D. Vakarelov. Iteration-free pdl with intersection: a complete axiomatization. Fundamenta Informaticae, 45(3):173–194, 2001. [19] J. Büchi. On a decision method in restricted second-order arithmetic. In Proc. 1960 of Int. Congr. for Logic, Methodology, and Philosophy of Science, pages 1–11. Standford University Press, 1962. [20] N. Belnap and M. Perloff. Seeing to it that: a canonical form for agentives. Theoria, 54:175–199, 1988. [21] E. Bertino, B. Catania, E. Ferrari, and P. Perlasca. A Logical Framework for Reasoning about Access Control Models. ACM Transactions on Information and System Security, 6(1), February 2003. [22] C. Bettini, S. Jajodia, X. S. Wang, and D. Wijesekera. Obligation Monitoring in Policy Management. In International Workshop, Policies for Distributed Systems and Neworks (Policy 2002), Monterey CA, June 5–7 2002. BIBLIOGRAPHY 147 [23] P. Blackburn, M. de Rijke, and Y. Venema. Modal Logic. Cambridge University Press, 2001. [24] P. Bouyer, F. Chevalier, and N. Markey. On the expressiveness of tptl and mtl. In R. Ramanujam and S. Sen, editors, 25th Conference on Fundations of Software Technology and Theoretical Computer Science (FSTTCS’05), volume 3821 of Lecture Notes in Computer Science, pages 432–443, 2005. [25] P. Bouyer and A. Petit. Decomposition and composition of timed automata. In J. Wiedermann, P. van Emde Boas, and M. Nielsen, editors, Proceedings of the 26th International Colloquium on Automata, Languages and Programming (ICALP’99), volume 1644 of Lecture Notes in Computer Science, pages 210–219, Prague, Czech Republic, July 1999. Springer. [26] M. Bratman. Intention, plans, and practical reason. Harvard University Press, Cambridge Massachussetts, 1987. [27] J. Broersen. Strategic deontic temporal logic as a reduction to ATL, with an application to Chisholm’s scenario. In L. Goble and J.-J. C. Meyer, editors, Proc. of 8th International Workshop on Deontic Logic in Computer Science (DEON’06), volume 4048 of Lecture Notes in Computer Science, pages 53–68. Springer, 2006. [28] J. Broersen and J. Brunel. Preservation of obligations in a temporal and deontic framework. In E. H. Durfee and M. Yokoo, editors, Proc. of 6th International Joint Conference on Autonomous Agents & Multi Agent Systems (AAMAS-07), Honolulu, Hawaii, USA, pages 1108– 1110, http://www.acm.org/, 2007. ACM Press. short paper. [29] J. Broersen and J. Brunel. ‘What I fail to do today, I have to do tomorrow’: a logical study of the propagation of obligations. In F. Sadri and K. Satoh, editors, Proceedings of the 8th Workshop on Computational Logic in Multi-Agent Systems (CLIMA-VIII), Porto, Portugal, September 2007. [30] J. Broersen, F. Dignum, V. Dignum, and J.-J. C. Meyer. Designing a deontic logic of deadlines. In 7th International Workshop on Deontic Logic in Computer Science (DEON’04), Madeira, Portugal, 26-28 May 2004. [31] J. Brunel. Deontic logic for the specification of availability policies. In 6th school on Modeling and Verifying Parallel Processes (MOVEP’04), pages 40–45, 2004. students’ paper. 148 BIBLIOGRAPHY [32] J. Brunel, J.-P. Bodeveix, and M. Filali. A state/event temporal deontic logic. In L. Goble and J.-J. C. Meyer, editors, Proc. of 8th International Workshop on Deontic Logic in Computer Science (DEON’06), volume 4048 of Lecture Notes in Computer Science, pages 85–100. Springer, 2006. [33] J. Brunel, F. Cuppens, N. Cuppens-Boulahia, T. Sans, and J.-P. Bodeveix. Security Policy Compliance with Violation Management. In Proc. of the 5th ACM Workshop on Formal Methods in Security Engineering: From Specifications to Code, Washingthon, USA, pages 31–40. ACM Press, novembre 2007. [34] A. Chagrov and M. Zakharyaschev. Modal Logic, volume 35 of Oxford Logic Guides. Clarendon Press, 1997. [35] S. Chaki, E. Clarke, O. Grumberg, J. Ouaknine, N. Sharygina, T. Touili, and H. Veith. State/event software verification for branchingtime specifications. In Fifth International Conference on Integrated Formal Methods (IFM 05), volume 3771 of Lecture Notes in Computer Science, pages 53–69, 2005. [36] S. Chaki, E. M. Clarke, J. Ouaknine, N. Sharygina, and N. Sinha. State/event-based software model checking. In E. A. Boiten, J. Derrick, and G. Smith, editors, Proceedings of the 4th International Conference on Integrated Formal Methods (IFM ’04), volume 2999 of Lecture Notes in Computer Science, pages 128–147. Springer-Verlag, April 2004. [37] R. M. Chisholm. Contrary-to-duty imperatives and deontic logic. Analysis, 24(2):33–36, December 1963. [38] E. Clarke and E. Emerson. Design and synthesis of synchronization skeletons using branching-time temporal logic. In Proceedings of the 3rd Workshop of Logic of Programs (LOP’81), volume 131 of Lecture Notes in Computer Science, pages 52–71, 1981. [39] E. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press, 1999. [40] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification of finite-state concurrent systems using temporal logic specifications. ACM Transactions on Programming Languages and Systems, 8(2):244– 263, 1986. [41] F. Cuppens, N. Cuppens-Boulahia, and T. Sans. Nomad: a security model with non atomic actions and deadlines. In Proceedings of the 18th IEEE Computer Security Foundations Workshop, pages 186–196, June 2005. BIBLIOGRAPHY 149 [42] F. Cuppens and A. Miège. Modelling Contexts in the Or-BAC Model. In 19th Annual Computer Security Applications Conference (ACSAC ’03), 2003. [43] R. Demolombe, P. Bretier, and V. Louis. Formalisation de l’obligation de faire avec délais. In Proc. Journées Francophones sur la modélisation Formelle de l’Interaction (MFI’05), Caen, 2005. [44] S. Demri. Linear-time temporal logics with Presburger constraints: An overview. Journal of Applied Non-Classical Logics, 16(3-4):311– 347, 2006. [45] S. Demri, R. Lazić, and D. Nowak. On the freeze quantifier in constraint LTL: Decidability and complexity. Information and Computation, 205(1):2–24, 2007. [46] F. Dignum and R. Kuiper. Obligations and dense time for specifying deadlines. In Thirty-First Annual Hawaii International Conference on System Sciences (HICSS)-Volume 5, pages 186–195, 1998. [47] C. Dixon, M.-C. F. Gago, M. Fisher, and W. v. d. Hoek. Temporal logics of knowledge and their applications in security. Electronic Notes in Theoretical Computer Science, 186:27–42, 2007. [48] J. A. V. Eck. A System of Temporally Relative Modal and Deontic Predicate Logic and its Philosophical Applications. PhD thesis, Department of Philosophy, University Groningen, 1981. [49] J. A. V. Eck. A system of temporally relative modal and deontic predicate logic and its philosophical applications. Logique et Analyse, 99 and 100:249–290 and 339–381, 1982. [50] E. Emerson and J. Halpern. "sometimes" and "not never" revisited: On branching versus linear time temporal logic. Journal of the ACM, 33(1):151–178, january 1986. [51] E. A. Emerson and J. Y. Halpern. Decision procedure and expressiveness in the temporal logic of branching time. Journal of Computer and System Sciences, 30(1):1–24, 1985. [52] E. A. Emerson and A. Sistla. Deciding full branching time logic. Informationand Control, 61:175–201, 1984. [53] R. Fagin, J. Halpern, Y. Moses, and M. Vardi. Reasoning about Knowledge. The MIT Press, 1995. [54] L. Fariñas del Cerro and O. Gasquet. Tableaux based decision procedures for modal logics of confluence and density. Fundamenta Informaticae, 4:317–333, 1999. 150 BIBLIOGRAPHY [55] M. Fitting. Proof Methods for Modal and Intuitionistic Logics, volume 169 of Synthese library. D. Reidel Publishing Company, 1983. [56] D. Gabbay. Theoretical foundations for non-monotonic reasoning in expert systems. In K. Apt, editor, Logics and models of concurrent systems, volume 13, pages 439–457. Springer-Verlag, 1989. [57] D. Gabbay, A. Kurucz, F. Wolter, and M. Zakharyachev. ManyDimensional Modal Logics: Theory and Applications, volume 148 of Studies in Logic and the foundations of mathematics. Elsevier, 2003. [58] D. Gabbay, A. Pnueli, S. Shelah, and J. Stavi. On the temporal analysis of fairness. In Conference record of the 7th ACM Symposium on Principles of Programming Languages (POPL’80), pages 163–173. ACM Press, 1980. [59] D. M. Gabbay, I. Hodkinson, and M. Reynolds. Temporal logic (vol. 1): mathematical foundations and computational aspects. Oxford University Press, Inc., New York, NY, USA, 1994. [60] P. Gastin and D. Oddoux. Fast LTL to Büchi automata translation. In G. Berry, H. Comon, and A. Finkel, editors, Proceedings of the 13th Conference on Computer Aided Verification (CAV’01), number 2102 in Lecture Notes in Computer Science, pages 53–65. Springer Verlag, 2001. [61] R. Gerth, D. Peled, M. Y. Vardi, and P. Wolper. Simple on-the-fly automatic verification of linear temporal logic. In Protocol Specification Testing and Verification, pages 3–18, Warsaw, Poland, 1995. Chapman & Hall. [62] B. Hansson. An analysis of some deontic logics. Deontic Logic: Introductory and Systematic Readings, pages 121–147, 1971. [63] D. Harel, D. Kozen, and J. Tiuryn. Dynamic logic. In D. Gabbay and F. Guenther, editors, Handbook of Philosophical Logic Volume II — Extensions of Classical Logic, pages 497–604. D. Reidel Publishing Company: Dordrecht, The Netherlands, 1984. [64] M. A. Harrison, W. L. Ruzzo, and J. D. Ullma. Protection in operating systems. In Communication of the ACM, volume 19, pages 461–471, 1976. [65] J. G. Henriksen and P. S. Thiagarajan. Dynamic linear time temporal logic. Annals of Pure and Applied Logic, 96(1-3):187–207, 1999. [66] T. A. Henzinger, Z. Manna, and A. Pnueli. What good are digital clocks? In 9th International Colloquium on Automata, Languages and BIBLIOGRAPHY 151 Programming (ICALP’92), volume 623 of Lecture Notes in Computer Science, pages 545–558, 1992. [67] G. Het, G. Khan, and C. Paulin-Mohring. The coq proof assistant, a tutorial. Technical report, INRIA Rocquencourt and CNRS-ENS Lyon, 1999. [68] R. Hilpinen, editor. New Studies in Deontic Logic, volume 152 of Synthese Library. D. Reidel publishing company, 1981. [69] J. Hintikka. The modes of modality. Acta Philosophica Fennica, 16:65– 82, 1963. [70] G. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279–295, 1997. [71] J. Horty. Agency and Deontic Logic. Oxford University Press, 2001. [72] J. Horty. Nonmonotonic logic. In L. Goble, editor, The Blackwell Guide to Philosophical Logic. Blackwell Publishing, 2001. [73] S. Jajodia, S. Samarati, and V. S. Subrahmanian. A logical Language for Expressing Authorizations. In IEEE Symposium on Security and Privacy, Oakland, CA, May 1997. [74] H. W. Kamp. Tense Logic and the Theory of Linear Order. PhD thesis, UCLA, Los Angeles, California, USA, 1968. [75] R. Koymans. Specifying real-time properties with metric temporal logic. Real-Time Systmes, 2(4):255–199, 1990. [76] M. Kracht and F. Wolter. Properties of independently axiomatizable bimodal logics. Journal of Symbolic Logic, 56:1469–1485, 1991. [77] S. Kripke. Semantical analysis of modal logic I: Normal modal propositional calculi. Zeitschrift für Mathematische Logik und Grundlagen der Mathematik, 9:67–96, 1963. [78] S. Kripke. Semantical considerations on modal logic. Acta Philosophica Fennica, 16:83–9, 1963. [79] O. Kupferman and A. Pnueli. Once and for all. In Procedures of the 10th Symposium on Logic in Computer Science (LICS’95), pages 25–35, San Diego, June 1995. [80] A. Kurucz. Combining modal logics. In J. van Benthem, P. Blackburn, and F. Wolter, editors, Handbook of Modal Logic, volume 3 of Studies in Logic and Practical Reasoning, pages 869–924. Elsevier, 2006. 152 BIBLIOGRAPHY [81] R. E. Ladner. The computational complexity of provability in systems of modal propositional logic. SIAM Journal on Computing, 6(3):467– 480, 1977. [82] L. Lamport. Proving the correctness of multiprocess programs. IEEE Transactions on Software Engineering, SE-3(2):125–143, 1977. [83] F. Laroussinie, N. Markey, and P. Schnoebelen. Temporal logic with forgettable past. In Proceedings of the 17th Symposium on Logic in Computer Science (LICS’02), pages 383–392. IEEE Comp. Soc. Press, 2002. [84] F. Laroussinie and P. Schnoebelen. Specification in ctl + past for verification in ctl. Information and Computation, 156(1-2):236–263, 2000. [85] O. Lichtenstein and A. Pnueli. Propositional temporal logics: decidability and completeness. Logic Journal of the IGPL, 8(1):55–85, 2000. [86] O. Lichtenstein, A. Pnueli, and L. Zuck. The glory of the past. In G. Goos and J. Hartmanis, editors, Lecture Notes in Computer Science, volume 193, pages 196–218. Springer-Verlag, 1985. conf. Logics of Programs. [87] J. Ligatti, L. Bauer, and D. Walker. Edit automata: enforcement mechanisms for run-time security policies. International Journal of Information Security, 4(1):2–16, 2004. [88] A. Lomuscio and M. Sergot. Deontic interpreted systems. Sudia Logica, 75(1):63–92, 2003. [89] A. Lomuscio and M. Sergot. A formalisation of violation, error recovery, and enforcement in the bit transmission problem. Journal of Applied Logic, 2(93):93–116, 2004. [90] E. Mally. Grundgesetze des sollens: Elemente der logik des willens. Graz: Leuschner und Lubensky, Universitäts-Buchhandlung, 1926. [91] Z. Manna and A. Pnueli. The anchored version of the temporal framework. In J. de Bakker, W. de Roever, and G. Rosenberg, editors, Logics and Models for Concurrency, volume 354 of Lecture Notes in Computer Science, pages 201–284. Springer-Verlag, 1989. [92] F. Massacci. Single step tableaux for modal logics. Journal of Automated Reasoning, 24:319–364, 2000. [93] L. McCarthy. Defeasible deontic reasoning. Fundamenta Infromaticas, 21:125–148, 1994. BIBLIOGRAPHY 153 [94] P. McDaniel. On Context in Authorization Policy. In Proceedings of the 8th ACM Symposium On Access Control Models and Technologies (SACMAT 2003), Como, Italy, June 2003. [95] J.-J. C. Meyer, R. Wieringa, and F. Dignum. The role of deontic logic in the specification of information systems. In Logics for Databases and Information Systems, pages 71–115, 1998. [96] J.-F. Monin. Comprendre les Méthodes formelles, panorama et outils logiques. CTST. Masson, 1996. Préface de G. Huet. [97] J.-F. Monin. Introduction aux méthodes formelles. CTST. Hermès, 2000. Edition revue et augmentée de [96]. [98] J.-F. Monin. Understanding Formal Methods. Springer Verlag, 2002. Translation of [97], updated. Translation editor M. Hinchey. [99] J. Park and R. Sandhu. The UCON-ABC Usage Control Model. ACM Transactions on Information and System Security, 7(1):128–174, 2004. [100] C. Paulin-Mohring. Extraction de programmes dansle calcul des constructions. PhD thesis, Université de Paris VII, 1989. [101] A. Pnueli. The temporal semantics of concurrent programs. Theoretical Computer Science, 13:45–60, 1981. [102] A. Pnueli and Y. Kesten. A deductive proof system for ctl*. In CONCUR 2002, volume 2421 of Lecture Notes in Computer Science, pages 24–40, 2002. [103] H. Prakken and M. Sergot. Contrary-to-Duty Imperatives, Defeasibility and Violability. In A. J. I. Jones and M. Sergot, editors, Second International Workshop on Deontic Logic in Computer Science (DEON’94), Oslo, Norway, 1994. [104] H. Prakken and M. Sergot. Dyadic deontic logic and contrary-to-duty obligations. In D. Nute, editor, Defeasible Deontic Logic, pages 223– 262. Kluwer, 1997. [105] H. Prakken and G. Vreeswijk. Logics for defeasible argumentation. In D. Gabbay and F. Guenthner, editors, Handbook of Philosophical Logic, pages 218–319. Kluwer Academic Publishers, 2002. [106] A. N. Prior. Time and Modality. Clarendon Press, 1957. [107] A. N. Prior. Past, Present, and Future. Clarendon Press, 1967. 154 BIBLIOGRAPHY [108] J.-P. Queille and J. Sifakis. Specification and verification of concurrent systems in cesar. In Proceedings of the 5thInternational Symposium on Programming (SOP’82), volume 137 of Lecture Notes in Computer Science, pages 337–351, 1982. [109] M. Reynolds. An axiomatization of full computation tree logic. Journal of Symbolic Logic, 66(3):1011–1057, 2001. [110] M. Reynolds. An axiomatization of PCTL*. Information and Computation, 201(1):72–119, 2005. [111] A. Ross. Imperatives and logic. Theoria, 7:53–71, 1941. [112] Y. Ryu and R. Lee. Deafisibe deontic reasoning: a logic programming model. In Proc. of the First International Workshop on Deontic Logic in Computer Science, pages 347–363, 1991. [113] S. Safra. On the complexity of ω-automata. In Proc. of 29th IEEE Symposium on Foundations of Computer Science, pages 319–327, 1988. [114] H. Sahlqvist. Completeness and correspondence in the first and second order semantics for modal logic. In S. Kanger, editor, Proc. Third Scand. Logic Symp, pages 110–143. North-Holland publishing company, 1975. [115] R. Sandhu, E. J. Coyne, H. L. Feinstein, and C. Youma. Role-based access control models. In IEEE Computer, volume 29, pages 38–47, 1996. [116] F. B. Schneider. Enforceable security policies. Information and System Security, 3(1):30–50, 2000. [117] K. Segerberg. Two-dimensional modal logics. Journal of Philosophical Logic, 2:77–96, 1973. [118] A. P. Sistla and E. Clarke. The complexity of propositional linear temporal logics. Journal of the Association for Computing Machinery, pages 733–749, 1985. [119] A. P. Sitla. Safety, liveness, and fairness in temporal logic. Formal Aspects in Computing, 6:495–511, 1994. [120] C. Stirling. Comparing linear and branching time temporal logics. In B. Banieqbal, H. Barringer, and A. Pnueli, editors, Temporal Logic in Specification, Altrincham, UK, April 8-10, 1987, Proceedings, volume 398 of Lecture Notes in Computer Science, pages 1–20. Springer, 1989. BIBLIOGRAPHY 155 [121] M. Strembeck and G. Neumann. An Integrated Approach to Engineer and Enforce Context Constraints in RBAC Environements. ACM Transactions on Information and System Security, 7(3):392–427, 2004. [122] W. Thomas. Languages, automata, and logic. In G. Rozenberg and A. Salomaa, editors, Handbook of Formal Languages, volume 3, pages 389–455. Springer, 1997. [123] N. Troquard. Independent agents in branching time. PhD thesis, Université de Toulouse, Università degli studi di Trento„ 2007. [124] D. Vakarelov. Modal rules for intersection. In Abstract of the 10th international congress of Logic, Methodology, and Philosophy of Science, Florence, Italy, 1995. [125] J. van Benthem. Correspondence theory. In D. Gabbay and F. Guenthner, editors, Handbook of Philosophical Logic, vol. II. reidel, 1984. [126] J. van Benthem and P. Blackburn. Modal logic: A semantic perspective. In J. van Benthem, P. Blackburn, and F. Wolter, editors, Handbook of Modal Logic, volume 3 of Studies in Logic and Practical Reasoning. Elsevier, 2007. [127] L. van der Torre. Contextual deontic logic: Normative agents, violations and independence. Annals of Mathematics and Artificial Intelligence, Special issue on Computational Logic in Multi-Agent Systems, 37:33–63, 2003. [128] L. van der Torre, J. Hulstijn, M. Dastani, and J. Broersen. Specifying multiagent organizations. In Seventh International Workshop on Deontic Logic in Computer Science (DEON’04), volume 3065 of Lecture Notes in Computer Science, pages 243–257, 2004. [129] L. van der Torre and Y. Tan. The temporal analysis of chisholm’s paradox. In Proceedings of 15th National Conference on Artificial Intelligence (AAAI’98), pages 650–655, 1998. [130] L. van der Torre and Y. Tan. Contrary-to-duty reasoning with preference-based dyadic obligations. Annals of Mathematics and Artificial Intelligence, 27:49–78, 1999. [131] H. van Ditmarsch, W. van der Hoek, and B. Kooi. Dynamic Epistemic Logic, volume 337 of Synthese Library. Springer, 2007. [132] M. Y. Vardi. The büchi complementation saga. In 24th Annual Symposium on Theoretical Aspects of Computer Science, volume 4393 of Lecture Notes in Computer Science, pages 12–22, 2007. 156 BIBLIOGRAPHY [133] M. Y. Vardi and P. Wolper. Reasoning about infinite computations. Information and Computation, 115(1):1–37, 1994. [134] F. Wolter. Fusions of modal logics revisited. In M. Kracht, M. de Rijke, H. Wansing, and M. Zakharyaschev, editors, Advances in Modal Logic, volume 1, pages 361–379. CSLI Publications, Stanford, CA, 1998. [135] F. Wolter and M. Zakharyaschev. Satisifiability problem in description logics with modal operators. In A. Cohn, L. Schubert, and S. Shapiro, editors, 6th Conference on Principles of Knowledge Representation and Reasoning (KR’98), pages 512–523, 1998. [136] G. H. V. Wright. Deontic logic. Mind, 1951. Combinaison des logiques temporelle et déontique pour la spécification de politiques de sécurité Thèse soutenue le 12 décembre 2007 par Julien Brunel MOTS-CLES : logique temporelle, logique déontique, politique de sécurité RESUME : Pour spécifier formellement une politique de sécurité, il est naturel de raisonner d'une part sur la notion de temps, et d'autre part sur les notions d'obligation, de permission, et d'interdiction. En effet, il s'agit d'exprimer par exemple le droit d'accès à une ressource pendant une certaine durée, l'obligation de la libérer avant un instant donné, ou encore l'obligation qu'une certaine tâche ne soit pas exécutée pendant un temps trop important. Les logiques temporelle et déontique apparaissent comme des outils adéquats pour spécifier de telles notions. Dans cette thèse, nous étudions comment combiner de telles logiques. Nous étudions dans un premier temps le produit de la logique temporelle linéaire avec la logique déontique standard, et définissons une obligation avec délai dans ce contexte. L'obligation avec délai doit notamment satisfaire une propriété que l'on nomme propagation: tant qu'elle n'est pas remplie et que le délai n'est pas atteint, elle se propage à l'instant suivant. Nous proposons ensuite une sémantique qui valide une propriété de propagation plus générale, puis définissons une axiomatique et une procédure de décision pour fragment du langage qui ne contient pas l'opérateur temporel 'until'. Nous nous intéressons enfin à la notion de conformité d'un système vis à vis d'une politique de sécurité spécifiée dans un tel langage. La première définition que nous proposons est une version faible de la conformité que l'on nomme compatibilité. Nous restreignons ensuite le langage afin définir une version plus forte de la conformité, et proposons un algorithme pour vérifier la conformité d'un système vis à vis d'une politique. ABSTRACT : In order to formally specify a security policy, it is natural to reason about time on the one hand, and obligations, permissions, and prohibitions on the other hand. Indeed, we have to express for instance the permission to access a resource for a certain period, the obligation to release a resource before a deadline, or the prohibition to execute a task for a too long period. Temporal and deontic logics seem well suited to specify such concepts. In this thesis, we study how to combine these logics. Firstly, we study the product of linear temporal logic and standard deontic logic, and define obligation with deadline in this context. It has to satisfy a property called propagation property: while it is not fulfilled, it is propagated to the next instant. We then propose a more general propagation property, and propose a semantics to validate it. For the until-free fragment of our logic, we define an axiomatics and a tableaux-like decision procedure. Lastly, we investigate the notion of compliance of a system with respect to a policy specified in such a language. The first definition we come up with is a weak version of compliance called compatibility. For a new fragment of our logic, we adapt the Büchi approach of Vardi and Wolper to decide whether a system is compliant with a policy. We then restrict again the language so that we can define a stronger version of compliance. Actually, a careful analysis shows the necessity to refine the notion of compliance into 5 different diagnostic cases which give 'levels of compliance'. We provide an algorithm to establish this diagnostic.