Incremental update of constraint-compliant policy rules Electronic Communications of the EASST Volume 39 (2011) Graph Computation Models Selected Revised Papers from the Third International Workshop on Graph Computation Models (GCM 2010) Incremental update of constraint-compliant policy rules Paolo Bottoni, Andrew Fish, Francesco Parisi Presicce 18 pages Guest Editors: Rachid Echahed, Annegret Habel, Mohamed Mosbah Managing Editors: Tiziana Margaria, Julia Padberg, Gabriele Taentzer ECEASST Home Page: http://www.easst.org/eceasst/ ISSN 1863-2122 http://www.easst.org/eceasst/ ECEASST Incremental update of constraint-compliant policy rules Paolo Bottoni1, Andrew Fish2, Francesco Parisi Presicce1 Department of Computer Science, Sapienza University of Rome, Italy1, School of Computing, Engineering and Mathematics, University of Brighton, UK2 Abstract: Organizations typically define policies to describe (positive or negative) requirements about strategic objectives. Examples are policies relative to the secu- rity of information systems in general or to the control of access to an organization’s resources. Often, the form used to specify policies is in terms of general constraints (what and why) to be enforced via the use of rules (how and when). The consistency of the rule system (transforming valid states into valid states) can be compromised and rules can violate some constraints when constraints are updated due to changing requirements. Here, we explore a number of issues related to constraint update, in particular proposing a systematic way to update rules as a consequence of modifica- tions of constraints, by identifying which components of the rule have to be updated. Moreover, we show the construction of sets of rules, directly derived from a positive constraint, to guarantee constraint preservation and constraint enforcement. Keywords: Constraints, incremental construction of rules, rule update. 1 Introduction Graph constraints and graph transformations provide a formal model for defining and manag- ing strategic policies adopted by organisations with respect to security or access control issues. Policies can be specified with constraints, while rules of a graph transformation system are used for consistent management of these policies. In both cases, the specifications are given within the framework of typed attributed graphs, with special attributes defining the relevant properties, while rules exploit application conditions to enforce consistency. By consistency, we mean that rules can only cause transformations from valid states to valid states. As a consequence, the class of graphs generated, starting from a valid graph, by using the rule is a subset of the class of graphs satisfying the constraints. Usually, policies and rules are not fixed, but can evolve independently, following the introduc- tion, revision or deletion of constraints and rules. In any case, at each moment the current set of constraints must be satisfied by the current collection of rules. Two cases can be considered in which the consistency of the system can be compromised: introduction of new rules – which must be adapted to the current constraints – and definition of new constraints, again requiring rule adaptation. The identification of the modifications needed to adapt rules to constraints has been the subject of several studies [KMP05, HP09]. However, these usually require the complete analysis of each rule after each modification, without the possibility to adopt an incremental ap- proach, taking into account the relations between the previous sets of constraints and rules. In this paper, we explore this problem offering two major contributions. First, we define a pro- cedure which constructs a new collection of rules from the specification of a positive constraint, 1 / 18 Volume 39 (2011) Update of policy rules where each rule is guaranteed to preserve the constraint. Second, we show how these rules can be incrementally updated when the constraint from which they were created is modified. The paper is complemented by two further contributions. First, we produce a set of rules to check and repair a model with respect to the introduction of a new constraint. Second, we present a technique for checking if a rule, not generated by the procedure, has to be updated when a constraint is modified, and for computing the relevant updates. Paper organisation. After presenting related work in Section 2, we provide background notions on graph constraints and graph transformations in Section 3. Section 4 introduces the running ex- ample for the paper, while Section 5 recalls the notion of security policy and presents a procedure for the construction of a collection of rules realising a policy. Section 6 discusses modifications to rules derived from the procedure and Section 7 draws conclusions and points to future work. 2 Related work In [KMP05], a security policy framework is defined by giving a type graph, a set of (named) graph transformation rules, and two sets of simple positive and negative constraints, expressed as morphisms from a premise to a conclusion. A framework was considered to be (positive/negative) coherent if all the graphs derivable from the rules and consistent with the type graph satisfied all the (positive/negative) constraints. A number of constructions were given for repairing possible violations, by modifying rules with application conditions, in situations where different policy frameworks were merged. Based on this approach, [KP06] defines a UML language to specify access control policies and exploits graph transformations to give a semantics and a verification method for such specifications. This line of research has also led to defining basic rules for con- trolling access in workflows [WWP08]. Rules allow the addition/removal of tasks and roles, plus the execution of tasks, and application conditions are defined based on existing constraints. In [BFP10], we considered the construction of transformation units ensuring coherence with a simple form of nested constraints, admitting a single alternation of universal and existential quantifiers. The units were defined starting with the simple addition of an element, and producing repair rules to restore violated constraints. The procedures presented in this paper can also be exploited in transformation units, but each rule is guaranteed not to violate any constraint. Habel and Pennemann have extensively treated the problem of making rules compatible with nested constraints by adding positive and negative application conditions. In [HP09] they unify theories about application conditions [EEHP06] and nested graph conditions [Ren04], lifting them to high-level transformations. An existing rule is transformed to make it constraint pre- serving or constraint guaranteeing, but no direct construction of rules from constraints is given. Orejas is investigating a new approach, called Symbolic Attributed Graphs, relating attributed graph constraints with attribute evaluation (for a summary see [OL10]). For our restricted form of attributed evaluation, the presented techniques should be applicable with the same results. Some works have studied the problem of constructing instances of metamodels, specialised by additional constraints. In [JKW08] constraints are given in a logical language, while [EKTW06] uses OCL and tests constraints after rule derivation from the metamodel. Using the terminology of [JKW08], ours is a soundness-preserving, rather than completeness-preserving, construction. While [KMP05] studied the modifications required by introducing new constraints, or merging GCM 2010 2 / 18 ECEASST constraint systems, the consequences of modifying (weakening or strengthening) existing con- straints were not analysed, nor does this problem seem to have been treated by other authors. 3 Background We adopt the framework of attributed typed graphs. A graph G = (V,E,s,t) consists of a set of nodes V = V (G), a set of edges E = E(G), and source and target functions, s,t : E →V . For a set S, its cardinality is denoted by ∣ S ∣ and we use the notations ∣ G ∣V =∣V (G) ∣ and ∣ G ∣E=∣ E(G) ∣. In a type graph T G = (VT ,ET ,sT ,t T ), VT and ET are sets of node and edge types, while the functions sT : ET →VT and t T : ET →VT define source and target node types for each edge type. For G a typed graph on T G, there is a graph morphism type : G → T G, with typeV : V →VT and typeE : E → ET s.t. typeV (s(e)) = sT (typeE(e)) and typeV (t(e)) = t T (typeE(e)). To introduce attributes, we follow [EEHP06], but we consider attributes only on nodes. Intu- itively, we partition V into VG and VD (D for domain), the sets of graph and value nodes, respec- tively, while E is partitioned into EG and EA (A for attribute). Graph edges EG are equivalent to those for non-attributed graphs, while an attribute edge in the set EA defines the assignment of a value to an attribute of a node. Moreover, we have s = sV ∪sA, with sV : EG → VG and sA : EA →VG; and t = tV ∪tA, with tV : EG →VG and tA : EA →VD. In a similar way, T G has dis- tinct sets V GT and V D T of graph and value node types respectively, as well as distinct sets E G T and E AT for graph and attribute edge types. Given t ∈V G T , all nodes of type t are associated with the same subset A(t)⊂ E AT of edge types, corresponding to the set of attribute names for t. Formally: ∀t ∈ V GT [∃!A(t) ⊂ E A T [∀n ∈ VG[typeV (n) = t =⇒ {typeE(e) ∣ e ∈ EA ∧sA(e) = n} = A(t)]]] 1. Values in VD are taken over the disjoint union of the set of sorts in a data signature DSIG. In what follows, we call the structural part of G, its projection to elements typed on V GT and E G T . We use graph transformations according to the Double PushOut (DPO) approach [EEPT06]. A DPO rule has the form p : L l← K r→ R where L, K and R are called left-hand side, interface and right-hand side graphs, respectively, K contains the elements preserved by the rule application, and the morphisms l : K → L and r : K → R model the embedding of K in L and R. The left of Figure 1 shows a DPO direct derivation diagram, modeling the application of a rule2 p : L l← K r→ R to a host graph G to produce a target graph H. First, the pushout complement D is evaluated. This is the unique graph for which morphisms K → D → G exist s.t. square (1) is a pushout (i.e. G is the union of L and D through their common elements in K). In particular, D contains the elements of G which are not in the image of the elements in L∖K. The pushout (2) is then computed, adding to D new elements to form H, viz. the elements in R∖K. We denote the application of the rule p on a match m : L → G by G ⇒mp H and write G ⇒p H to denote that H can be derived from G by applying p with respect to some match m for L in G. DPO rules for typed graphs are lifted to attributed typed graphs by considering algebras on some signature including the sorts for VD. Since morphisms can only identify values in VD present in L and R, the modification of the value of an attribute a for a given node n from v1 to v2 is represented by removing an edge e1 of type a from n to v1 (i.e. e appears in L but not in K), and creating an edge e2 of the same type a from n to v2 (i.e. e2 appears in R but not in K). 1 In the graphs of this paper, some attributes may not be present for some node, indicating “don’t care” situations. 2 Where no ambiguity arises, we will omit explicit mention of morphisms l and r. 3 / 18 Volume 39 (2011) Update of policy rules L m �� (1) K (2) loo r // k �� R m∗ �� Yi j oi j // = Xi ni ,, = yi j oo L m �� (1) xioo K (2) loo r // k �� R m∗ �� G Dl∗oo r∗ // H G Dl∗oo r∗ // H Figure 1: DPO Direct Derivation Diagram for simple rules (left) and with AC (right). In this paper we consider only rules which are only increasing (L = K) or only decreasing (K = R) in their structural parts. However, from Proposition 1, rules of this form can be combined to express any DPO rule. To this end, the construction of an E-concurrent production (see Figure 2), denoted by ∗E , is required, for an appropriate choice of the E-dependency relation [EEPT06]. Proposition 1 Any rule p : L lp← K rp→ R is equivalent to the E-concurrent production of two rules, one increasing and one decreasing. Proof. With reference to Figure 2, and with all unnamed morphisms identities, we have: 1. if p1 : L lp← K iK→ K and p2 : K iK← K rp→ R, then p1 is only decreasing, p2 is only increasing, and p = p1 ∗K p2. (In this case the role of E is performed by K.) 2. if L rq1→ Q lq2← R is the pushout of L lp← K rp→ R and K is also its pullback (as in our case since L lp← K is injective), then q1 : L iL← L rq1→ Q is only increasing, q2 : Q lq2← R iR→ R is only decreasing, and p = q1 ∗Q q2. (In this case the role of E is performed by Q.) Case 1 proves the ⇒ direction and case 2 proves the ⇐ direction. K ||yyy y ""E EEE Q ||yyy y ""E EEE L �� K �� lpoo // K ""E EEE K ||yyy y Koo rp // �� R �� L �� L �� oo rq1 // Q ""E EEE Q ||yyy y R lq2oo // �� R �� L K lpoo // K Koo rp // R L Loo rq1 // Q R lq2oo // R K iiSSSSSSSSS 55lllllllll Klp iiRRRRRRRRR rp 55lllllllll Figure 2: Decomposing (left) and constructing (right) a rule with increasing and decreasing parts. An atomic constraint is a morphism3 of typed attributed graphs c : X →Y . A graph G satisfies c, noted G ⊨ c, if for each match morphism m : X → G there exists a morphism y : Y → G s.t. y∘c = m. If c : X →Y is an atomic constraint, ¬c is an atomic constraint, and G ⊨ ¬c iff G ⊭ c. An atomic constraint of the form ¬iX : X → X , where iX is the identity, is called a negative atomic constraint, and is represented by simply showing X . We call M(c) = {G ∣ G ⊨ c} the set of models for c, and assume that a constraint system C is consistent, i.e. ∩ ci∈C M(ci) ∕= /0. The right of Figure 1 shows that an atomic constraint can be associated with a rule in the form of an application condition AC, of the form {xi : L → Xi,{yi j : Xi → Yi j} j∈Ji}i∈I , for a match 3 Except typing morphisms, all graph morphisms in the paper are inclusions. GCM 2010 4 / 18 ECEASST m : L → G of the LHS of a rule, where I and Ji are index sets for each i ∈ I. An AC is satisfied by m if, for each ni : Xi → G s.t. ni ∘xi = m, there exists some oi j : Yi j → G s.t. oi j ∘yi j = ni. A negative application condition (NAC) derives from a negative application constraint: for the rule to be applicable, Xi must not be present. 4 A scenario for policy update We consider policies on type graphs which are instances of the metamodel MM in Figure 3 (left). Here, Document, Personnel and Resource are meta-types for graph node types, defining the structural elements involved in a policy, while State and Level are metatypes for attribute types. In this case, the structural nodes are those whose type is an instance of Document, Personnel or Resource. Figure 3 (right) presents the specific type graph for the paper, where type Doc is an instance of Document, Mgr, representing managers, is an instance of Personnel, and the Printer type is an instance of Resource. The attribute types denote a document authorisation state and different types of access levels associated with structural elements. A concrete representa- tion is adopted, where rectangular boxes represent instances of structural nodes in VG and ovals represent attribute values. Attribute edges are distinguished from graph edges by the arrow end. Figure 3: Metamodel for security policies (left) and type graph for the scenario (right). A simple scenario illustrates the type of problems considered, introducing the notation ex- ploited in the paper, Consider an organisation in which the policy for document authentication requires that, for a document D to be authenticated, it must have been signed off by two man- agers, one of level Lv1 and one of level Lv2, Lv2 being higher than Lv1 in the organisation hierarchy. Moreover, a general policy requires that documents signed off by Lv2 managers must have also been signed off by an Lv1 manager. Figure 4 illustrates the two resulting constraints. 1:Doc Auth 1:Doc Auth :Mgr :Mgr Lv1 Lv2 1:Doc :Mgr 2:Mgr Lv2 Lv11:Doc 2:Mgr Lv2 1 X 1 c 2c 1 Y 2Y2X Figure 4: The two original constraints for document authentication. The organisation adopts a collection of rules for authentication which is presented in Figure 5. 5 / 18 Volume 39 (2011) Update of policy rules First an Lv1 manager will provide a reference for the document, and then an Lv2 manager will authorise it. The rules are equipped with NACs to avoid that the same manager reviews the same document twice. Note that a rule which requires a simultaneous authorisation by both managers would also be consistent with the constraints in Figure 4. 1:Doc 2:Mgr Lv1 1:Doc 2:Mgr Lv1 1:Doc 3:Mgr Lv2 2:Mgr Lv1 1:Doc 3:Mgr Lv2 2:Mgr Lv1 Auth 1:Doc 3:Mgr Lv2 2:Mgr Lv11:Doc 2:Mgr Lv1 2,1 N 1,1 N 1 L 2L1R 2R 1 r 2 r Figure 5: The two original rules for document authentication. Realising that the current implementation of the policy does not prevent work on the same document from being duplicated, the organisation decides to forbid a document from being au- thorised twice, or referenced by two or more managers of the same level. Such conditions could be added as NACs to the rules, but a decision is made for these to be defined as negative con- straints – shown in Figure 6 as forbidden graphs – ¬i : X3 → X3, ¬i : X4 → X4, and ¬i : X5 → X5, respectively, becoming part of the general policy for document management. X3 :Doc :Mgr :Mgr Lv1 X4 :Doc :Mgr :Mgr Lv2 :Doc Auth X5 Figure 6: Negative atomic constraints for the authentication policy. Rules r1 and r2 of Figure 5 are no longer consistent with the current configuration of con- straints and must be amended by adding NACs to them. In particular, rule r1 must be upgraded with the NAC N1,2 requiring that no other manager of level Lv1 has already pre-approved the document, while rule r2 is upgraded using N2,2 to check that no authorisation already exists, be- sides requiring that no other Lv2 manager has approved the document. Figure 7 shows the new versions of the two rules. In a second moment, a general revision of the authorisation policies is issued, now requiring that two Lv1 managers must approve a document, while maintaining the request for Lv2 authentication, represented by the constraint c6 : X6 →Y6 in Figure 8, which sub- sumes c1 : X1 →Y1. Moreover, the constraint defined by the forbidden graph X4 must be dropped to ensure the overall satisfiability of the system of constraints. This modification has impact on both rules r1 and r2 in Figure 7. Indeed, condition N1,2 for GCM 2010 6 / 18 ECEASST 1:Doc 2:Mgr Lv1 1:Doc 2:Mgr Lv1 :Mgr Lv1 1:Doc 3:Mgr Lv2 2:Mgr Lv1 1:Doc 3:Mgr Lv2 2:Mgr Lv1 Auth 1:Doc 3:Mgr Lv2 2:Mgr Lv1 1:Doc 2:Mgr Lv1 1:Doc 2:Mgr Lv1 1:Doc 3:Mgr Lv2 2:Mgr Lv1 Auth 1,1 N 1,2 N 2,2 N 2,1 N 1 L 2 L 1 R 2 R 1 r 2 r Figure 7: The modified rules with NACs. 1:Doc Auth X6 Y6 1:Doc Auth :Mgr :Mgr Lv2 c6 :Mgr Lv1 Figure 8: Revising authorisation constraints. r1, which was derived from the forbidden graph X4, now dropped, would prevent the satisfaction of constraint c6 : X6 →Y6. Moreover, the right-hand side of rule r2 would not be consistent with c6, as it might lead to approval of documents without the signature of two Lv1 managers. While the solution to the first problem is simple (remove N1,2), the second problem can be addressed in different modes: by requiring concurrent approval by the additional Lv1 manager and the Lv2 one, by sequentialising the approvals of the manager according to the level (i.e. simultaneous approval of both Lv1 managers and subsequent Lv2 approval) or by considering a sequential process, where the second Lv1 and the Lv2 approval can occur in any order. Note that since c2 : X2 → Y2 still holds, it remains impossible to have a collection of rules which leads to Lv2 approval without prior or concurrent Lv1 approval. 5 Constraint-compliant policy rules We define the construction of sets of rules for enforcing consistency with policies, where rules are only increasing or decreasing in the structural part and may use only equality or inequality 7 / 18 Volume 39 (2011) Update of policy rules as operations on attributes. We first propose a procedure for deriving a collection of increasing (in the structural part) rules consistent with a positive constraint, based on the initial pushout construction in the category of Attributed Typed Graphs [EEPT06]. Given the square in Figure 9 (left), this is the initial pushout over c : X → Y , iff for every other pushout formed with X ← Z → T → Y , there exist morphisms X′ → Z and Q → T such that all the squares in Figure 9 (right) commute. In the adopted framework, the boundary object X′ is computed as the discrete graph formed by the structural nodes in X which are attached to edges in E(Y )∖E(c(X)), and the context of c is the attributed typed graph Q which is the pushout complement along X′ for X′ x→ X c→Y . X′ x // q′ �� X c �� X′ // q′ �� x ++Z // �� X c �� Q y // Y Q // y 33T // Y Figure 9: (left) Boundary and context for a constraint. (right) Initiality of pushout. We work on a restricted form of positive constraints c : X →Y , for which we can derive a set of constraint-preserving rules. In particular, we define policy constraints on single secured nodes, describing the conditions under which such a node can be in certain states, as in the examples from Section 4. In particular, structural edges are in E(Y )∖E(X) only if both their source and target are in VG(Y )∖c(VG(X)), or if one of them is the secured node. 5.1 The procedure for incremental satisfaction Given a policy constraint c : X → Y , ConstructRules(c) generates a collection P(c) of increasing rules preserving c. Each rule constructs a subgraph of Y , in such a way that until an occurrence of Y is built no occurrence of X is produced in the host graph. To this end, it first constructs the rules for producing graphs intermediate between the boundary object X′ and the context Q in the construction of the initial pushout over c, and then produces rules allowing the construction of intermediate graphs between Q and Y . After this, NACs are added to prevent the premature formation of Y and to force the application of the most specialised rule in case of conflicts. Finally, the rules are completed to include attribute assignment. function ConstructRules(c:Constraint):SetOfRules = [Q,H ] := FromBoundaryToContext(c); PQ(c) := FromMorphismsToRules(Q,H ); P′(c) := CompleteToConclusion(PQ(c),Y ); P′′(c) := CompleteWithNacs(P′(c)) P(c) := UpdateAttributes(P′′(c)) FromBoundaryToContext(c:Constraint):GraphSet×MorphSet constructs the uniquely determined (up to isomorphism) sets Q = {Q0, ..., Qk} and H = {h j i : Qi → Q j} of all and only the graphs and associated morphisms s.t. the following are jointly satisfied: GCM 2010 8 / 18 ECEASST ∙ Q0 = X′ and Qk = Q; ∙ for each i = 1,...,k, there exist inclusions4; hiX′ : X ′ → Qi and h Q i : Qi → Q; ∙ for each i = 1,...,k, for j > i s.t. h ji : Qi → Q j exists, h j X′ = h j i ∘h i X′ and h Q i = h Q j ∘h j i ; ∙ Q is the colimit of the diagram obtained from graphs in Q and morphisms in H ; ∙ given h ji : Qi → Q j we have that: ea ∈ EA(Q j)∖EA(Qi) =⇒ sA(ea)∈VG(Q j)∖VG(Qi) 5. FromMorphismsToRules(Q:GraphSet,H :MorphSet):SetOfRules produces the in- termediate rule set PQ(c) ={p(h j i ) : Qi l ← Qi r → Q j∣r = h j i : Qi →Q j ∈H }, under the conditions: 1. given Qi,Q j,Ql ∈ Q and h j i ,h l i,h l j ∈ H , we have h l i = h l j ∘h j i =⇒ p(h l i) ∕∈ PQ(c); 2. either Q j = Qk or EG(Q j) ∕= EG(Q), i.e. the structural part of the right hand-side is equal to the structural part of the context Q only in rules which add some structural edge. CompleteToConclusion(int:SetOfRules,conc:Graph):SetOfRules builds the set P′(c) by generating the set IQY of all the graphs Z s.t. inclusions k1 : Q → Z and k2 : Z → Y exist, but no inclusion k3 : X → Z exists. The set HIQY of morphisms hZQ : Q → Z, hYZ : Z →Y , s.t. Y is the colimit of the diagram formed with nodes in IQY ∪{Q} and morphisms in HIQY ∪{y : Q→Y}, is concurrently built as before. In particular, as for each e∈E(Y )∖E(c(X)) we have e ∈ E(Q), graphs in IQY ∖{Y} can only differ from Q by: (i) structural nodes in V (X) not connected with the secured node in Y ; (ii) structural edges attached to such nodes; and (iii) attribute edges already present in X (hence neither in X′ nor in Q). The structural parts of rules in a new set PY (c) is built through the same construction as in FromMorphismsToRules for cases (i) and (ii). For case (iii), for any attribute edge ea ∈ EA(W ) s.t. W ∈ IQY ∧∄e′a ∈ Q, with hWQ (e ′ a) = ea, we produce a primed version Q ′ i for each graph Qi ∈ Q s.t. ∃v ∈ V (Qi), with hWQ (h Q i (v)) = s(ea) ∈ V (W ), i.e. we have e ′ a ∈ E(Q′i) with s(e′a) = v and t(e ′ a) = t(ea). As a consequence, Q ′ is still the colimit of the diagram for the primed versions of the graphs in Q. We then correspondingly update the rules with the attribute parts for all the rules derived from morphisms involving Qi. The function then returns the union of the modified versions of PY (c) and PQ(c), forming the set P′(c). The rules in P′(c) are underspecified. Given morphisms h ji and h i l , both rules derived from them in P′(c) are applicable on any match for h ji . CompleteWithNacs(rls:SetOfRules): SetOfRules constructs a NAC forcing the application of the more specific rule. Given pi : Ql l← Ql r→ Qi ∈ P′(c), we add a NAC Qi ni← Ql for each hil . Moreover, NACs are added to pre- vent the formation of the premise X in rules with p : L l← L r→ R ∕= Y . In particular, we define the graph W s.t. Y ,,X′oo // L //W is a pushout and add the NAC W n← L to p. Finally, UpdateAttributes(rls:SetOfRules):SetOfRules takes care of attribute update for the secured node, producing the final set P(c). This is needed for the case where the 4 In order to emphasize X′ = Q0 and Q = Qk we abuse notation, writing h Q i for h k i : Qi → Q and h i X′ for h i 0 : X ′ → Qi. 5 As value nodes are assumed to always exist, we leave them implicit when not associated with structural elements. 9 / 18 Volume 39 (2011) Update of policy rules constraint concerns the assignment of a value d for an attribute of the secured node v, i.e. ∃ea ∈ EA(X) with s(ea) = v and t(ea) = d. Any rule p : Z =← Z r→Y is such that ea ∈ EA(Y )∖EA(r(Z)), but v ∈ VG(Z). However, for a host graph G and a match m : Z → G, there can be an edge e′a ∈ E(G) with s(e′a) = m(v) and t(ea) = d, for some d ∈ V Da, d ∕= d, where V Da is the set of values of sort a in the domain D. The application of p would then produce two values for the same attribute. To avoid this problem, we transform any such rule into a version with attribute update Zd l← Z r→Y , for each d ∈V Da. In particular, Zd contains an edge ea with s(ea) = v and t(ea) = d, so that the overall effect of the rule is to produce an occurrence of Y while updating the previous attribute assignment for v. We call rules with R = Y final. Following Theorem 1, given a constraint c the resulting set P(c) is consistent with c. Theorem 1 Given a constraint c : X →Y , a graph G with G ∣= c, and a rule p : L = K → R ∈ P(c), for any graph H s.t. G ⇒p H we have H ∣= c. Proof. If G ∣= c, then one of two cases occur. 1. ∃m : X → G,g : Y → G, with m = g∘c. As all rules are increasing and c is positive, each application of p preserves m and g. We are left to prove that no further match m′ : X →G is created for which a match g′ : Y → G with m′ = g′∘c does not exist. We first observe that an additional match would require the addition of an edge (either structural or attribute) e to G, with s(e) = v, v = m′(v). But, due to the construction in CompleteToConclusion and the NACs added in CompleteWithNacs, this only happens in a final rule, which would also generate the required part to complete the match g′. 2. ∄m : X → G. By the same argument as before, we observe that any non final rule would not create such a match, while a final rule would also create the required match g : Y → G. No other case can occur and this concludes the proof. To maintain consistency over the whole policy, a rule p : L =← L r→ R ∈ P(c) should be checked against any constraint c′ : X′ →Y ′, with c′ ∕= c, for situations where applying p would cause the formation of X′ without ensuring the formation of Y ′. Figure 10 shows the possible solutions (for reasons of space we omit the morphisms L =← L). The first (left) generates a NAC where W ′ is a graph s.t. the span R w′← W ′ w→ X′ exists and R rz→ Z′ ← X′ is the cospan s.t. the resulting square is a pushout. Then the NAC n : L → N is generated, with N the pushout complement of L r→ R rz→ Z′. This construction can be applied both for negative and positive constraints. Alternatively, in Figure 10 (center), one extends L and R by adding to both of them the “miss- ing part” of Y ′. The morphisms L r→ R and W ′ w ′ → R are jointly surjective on R, the triangle com- mutes, and all squares are pushouts. L′ is constructed as the pushout complement for L r→R rw→R′. These constructions (adapted from those in [KP06]) can be applied if the required pushout complements exist. Otherwise, Figure 10 (right) presents an alternative construction generating a more restrictive NAC, with n = rz ∘r. A negative constraint can only generate a NAC. A word on complexity is in order. The upper bound for ∣ Q ∣ is ∣ Q ∣E ×2(∣Q∣V−∣X ′∣V ) (reached when all node types are different). However, given the form of the constraints we are consider- GCM 2010 10 / 18 ECEASST L n �� r // R rz �� W ′ w′oo w �� L r // �� R rw �� W ′ w′oo w �� // X′ c′���� �� �� � L r // n ��; ;; ;; ;; R rz �� W ′ w �� oo N // Z′ X′oo c′ // Y ′ L′ r′ // R′ Y ′oo Z′ X′oo c′ // Y ′ Figure 10: Permissive NAC (left), rule extension (centre) and restrictive NAC (right) for c′. ing, that security policies are usually not exceedingly large in their structural size, and that the procedure has to be computed once, the approach remains feasible in many practical situations. Example Figure 11 shows the construction of the boundary and context graphs for c1 : X1 →Y1 from Figure 4, while Figure 12 presents the construction of the sets Q and H for this case. We have indicated only direct morphisms, and omitted those which can be derived by transitivity. 1:Doc Auth 1:Doc Auth :Mgr :Mgr Lv1 Lv2 1:Doc 1:Doc :Mgr :Mgr Lv1 Lv2 'Q 1 'X 1 X 1Y 1 c complement.pdf Figure 11: The construction of the context for c1 : X1 →Y1 in Figure 4. The top of Figure 13 shows how the last rule derived from morphism hQ6 would be modified. As the whole context for c : X →Y is present, we can complete the right-hand side to be the full Y , i.e. presenting also an instance of X . Underneath this rule, we show one of its possible final versions, assuming that preAuth ∈ AuthState. Such a rule would be generated only if such a state is compatible with the presence of the association of the document with a manager of Level 1, i.e. if the preAuth state is not associated with some constraint forbidding the presence of the association with such a manager. In the policy in our original scenario, the constraint c2 : X2 →Y2 from Figure 4 will have to be used to modify the rules p(h42) and p(h Q 5 ). 5.2 Repairing inconsistencies The above procedure ensures that secured elements are treated consistently with respect to con- straints, while the constructions described in the next Section can be used to modify rules in a way consistent with policy updates. However, it is also possible that after the adoption of a new policy, some occurrence of the secured element v is in an inconsistent state for a new constraint c : X →Y , i.e. with G a graph describing the current situation of the organisation, we would have 11 / 18 Volume 39 (2011) Update of policy rules 1:Doc 1:Doc 2:Mgr Lv1 1:Doc 2:Mgr Lv1 1:Doc 3:Mgr Lv2 1:Doc :2Mgr :3Mgr Lv1 Lv2 1:Doc 3:Mgr Lv2 1:Doc 3:Mgr Lv2 2:Mgr Lv1 1:Doc 3:Mgr Lv2 2:Mgr Lv1 1:Doc 3:Mgr 2:Mgr Lv1 Lv2 4 2 h 7 2 h 7 1 h 3 1 h 6 3 h5 4 h 5 7 h 6 7 h 5 Q h 6 Q h Q 1 'X 2 Q 4 Q 5 Q 3 Q 6 Q 1 Q 1 2 'X h 1 1 'X h 7 Q Figure 12: The sets Q and H in ConstructRules(c1). a match x : X → G, but no match y : Y → G s.t. x = y∘c. Considering Figure 4 (left), a document which was authorised after being reviewed only by a manager of level 1 would be inconsistent with the new policy. There are two possible ways to repair this inconsistency. The first is to complete the configuration, so that the missing review is provided. This is achievable by forcing the application of a sequence of rules, constructed in a similar manner to that of the procedure above, to produce an instance of the conclusion for the existing instance of the premise. An alternative method destroys all the occurrences of the premise, so that a securing process can now be applied according to the new policy. Given a positive constraint c : X → Y , and depending on the form of the premise X , two possible types of modification can be identified. 1. If v is associated in X with some attribute, the rule X l← X′ r→ X′ (with X′ boundary object for the initial pushout over c) removes all the associations of this element with its attributes. 2. If the secured element has a set S of structural edges incident with it in X , generate the collection of edge-removing rules RS = {X l← X′ r→ X′ ∣ E(X′) ⊈ E(X)}. Each rule constructed in either way can be associated with a NAC of the form n : X →Y and applied to G. If the NAC fails, then c is satisfied, as the occurrence of X is associated with an occurrence of Y and no modification is required. Otherwise, the rule is applied on a match for X , but its application invalidates this match. With reference to the construction of P(c), we can observe that a match for some Qi ∈ Q has now been generated, so that a consistent model can be restored by applying some rule in P(c) with L = Qi. GCM 2010 12 / 18 ECEASST 1:Doc 3:Mgr Lv2 2:Mgr Lv1 1:Doc :2Mgr :3Mgr Lv1 Lv2Auth lastRule.pdf 1:Doc 3:Mgr Lv2 2:Mgr Lv1 1:Doc :2Mgr :3Mgr Lv1 Lv2AuthPreAuth 1:Doc :2Mgr :3Mgr Lv1 Lv2 lastRuleModified.pdf Figure 13: Ensuring constraint c1 (top) and one version updating the state (bottom). 5.3 Rule-Constraint conflict In this subsection, we complete our study by considering possible conflicts between decreasing rules and arbitrary atomic constraints (i.e. positive or negative). While a deleting rule never violates a negative constraint, since it does not add forbidden graph elements, it may violate a positive constraint if the rule deletes conditionally required graph elements (parts of the conclusion) but preserves the premise of the constraint. One way to resolve conflicts between rules p and constraints c : X →Y is by adding NACs to the rules p. We present next the construction of these NACs in a general case (generalising that in Figure 10) and then show how it is used to resolve conflicts. Definition 1 (Conversion) Given a rule p : L lp← K rp→ R and a constraint c : X → Y , let S be a nonempty overlap between R and the conclusion Y (preserving X ) as in the diagram of Figure 14 (left). Let D = R +S Y be the pushout object of s1 : S → R and c∘s2 : S → Y , and let D p−1,h ⇒ N be the derivation with the inverse rule p−1 : R rp← K lp→ L with match h. Define AC(p,c) = {n : L → N∣ D (p−1,h) ⇒ N, D = R +S Y for some overlap S}. The rule pc consists of the original rule p : L lp← K rp→ R together with the set AC(p,c) of NACs, and is called the conversion of p by c. L n �� K lpoo rp // �� R h �� S s1oo s2 // X c �� L m �� R = K lpoo �� N M r∗p //oo C Yoo G H l∗poo Xkoo c �� Y q′ bbDDDDDDDDDq dd Figure 14: Construction for conflicts. NACs (left) and satisfaction by conversion (right). The construction considers arbitrary rules and constraints, i.e., it is not restricted to deleting 13 / 18 Volume 39 (2011) Update of policy rules or expanding rules, and it reduces to the one in [HW95] if c : X →Y is the identity morphism. This construction may generate redundant application conditions, in the case, for example, where the overlap S → R can be decomposed into S → K → R. The graph N generated from such an overlap can be eliminated by requiring only overlaps S for which s1(S)∩(R∖rp(K)) ∕= /0. Another form of redundancy stems from the fact that if S1 and S2 are overlaps with S1 ⊆ S2 and compatible morphisms si1 and s i 2 with i = 1,2, then D2 = R +S2 Y ⊆ D1 = R +S1 Y and thus N2 ⊆ N1. Hence, if a match L → G satisfies (L,N2), then it also satisfies (L,N1) and the application condition (L,N1) can be removed from AC(p,c). A negative constraint is a morphism !c : X → Y , and G ∣=!c iff no morphism m : X → G can be extended to a morphism m′ : Y → G s.t. m = m′∘!c. In the special case where !c is the identity we obtain what we called forbidden graphs. There can be no real conflict between a deleting rule p : L lp← K = R and a negative constraint !c : X →Y , since the deleting rule may remove parts of Y , in which case !c is trivially satisfied, or parts of X , in which case !c is vacuously satisfied. For the potential conflict between deleting rules and positive constraints we can add NACs to prevent the rule from destroying the conclusion Y , by preventing the applicability if X is present and part of the conclusion Y is intended to be deleted by the rule. Theorem 2 (Satisfaction by conversion) Let p : L lp← K = R be a deleting rule and let AC(idL, idY )) be the NACs constructed as in Definition 1 for the rule idL : L → L with respect to the constraint idY : Y →Y . Define pc = (p,A(idL,c)). If G ∣= c : X →Y and G pc ⇒ H is a derivation with pc, then H ∣= c. Proof. In Figure 14 (right), let G p ⇒ H via the matching morphism m : L → G and k : X → H a morphism. Since p is deleting, the derivation induces a morphism l∗p : H → G and therefore a morphism k′ = l∗p ∘k : X → H → G. By the assumption that G ∣= c, there exists a morphism q : Y → G s.t. q∘c = k′. To complete the proof we need to show that there is a q′ : Y → H s.t. k = q′∘c. Since l∗p is injective, it is sufficient to show that q(y)∈ l∗p(H) for every y ∈Y . Suppose this is not the case. Then, ∃y ∈ Y,l ∈ L∖ lp(R) s.t. q(y) = m(l) and therefore this y defines an overlap of L and Y , contradicting the assumption that m satisfies the NAC AC(idL,c) of pc. 6 Incremental update We analyse the problem of incrementally updating the rules in P(c) when the original positive constraint c : X → Y is replaced by a new one, cu : X u → Y u, according to one of the following modifications, with inequalities indicating inclusion from the smallest to the biggest graph. We study modifications preserving the image of the original premise in the original conclusion for the common parts of X and X u and of Y and Y u, and in particular preserving the secured node. 1. (conclusion expansion) X = X u, Y < Y u 2. (conclusion reduction) X = X u, Y > Y u 3. (premise expansion) X < X u, Y = Y u GCM 2010 14 / 18 ECEASST 4. (premise reduction) X > X u, Y = Y u 5. (semantic reduction) X > X u, Y < Y u 6. (semantic expansion) X < X u, Y > Y u 7. (common expansion) X < X u, Y < Y u 8. (common reduction) X > X u, Y > Y u We do not consider modifications which simultaneously add some elements and delete others from the premise or the conclusion of a constraint. Hence, if a premise is expanded, the conclu- sion is reduced only by removing parts neither in the original nor in the expanded premise. We consider the creation of new rules or updates of the existing L, R or NAC parts of the rules, while new NACs can be generated according to the constructions in the Section 5. From Figure 15 (left), modeling premise expansion, we observe that if a graph G satisfies c non trivially, i.e. G has a subgraph which is a match for Y , it will also satisfy cu under the same match. On the other hand, the only rules in P(c) which can produce an occurrence of X u are final rules (producing the corresponding original occurrence of X by placing an edge attached to the secured node), so no modification is required to them. For the case of conclusion reduction, centre of Figure 15, we observe that we can only remove elements which are not in X . Hence, we can simply modify a rule p : L l→ R ∈ P(c) by removing all elements in V (Y )∖V (Y u)∪E(Y )∖E(Y u) from both L and R. The combination of premise expansion and conclusion reduction defines what is called se- mantic expansion, as M(c) ⊂ M(cu). Indeed, considering the diagram on the right of Figure 15, we observe that for each graph G, G ∣= c =⇒ G ∣= cu. On the other hand, we can have a graph G with G ∕∣= c (i.e. a match m : X → G exists which cannot be extended to a match y : Y → G) and G ∣= cu, if no match mu : xu → G exists (i.e. G trivially satisfies cu). X u ��< << << << cu && Xoo c // �� Y ��� � � � X cu &&c // ��: :: :: :: Y �� � � � Y uoo ��� � � � X u m′ &&MM MM MM MM MM MM cu ** Xoo c // m ��: :: :: :: Y ��� � � � Y uoo xxr r r r r r G G G Figure 15: Premise expansion (left), conclusion reduction (centre), semantic expansion (right). Figure 16 (left) presents premise reduction, where one notices that the evaluation of the initial pushout for cu would give a smaller X u′ and a bigger Qu. Hence, one has to perform a con- struction similar to that of FromBoundaryToContext and FromMorphismsToRules to generate the rules creating the intermediate graphs between X u′ and X′. Furthermore, for a rule p : L l← L r→ R ∈ P(c) with X u included in L or R, a new rule p′ is created with each such occurrence of X u replaced by an occurrence of X u′. For conclusion expansion, Figure 16 (center), one notes that the construction of the initial pushout would now give a Qu greater than Q. Hence, we have to construct the rules for the morphisms for graphs intermediate between Q and Qu and between Qu and Y u, while removing 15 / 18 Volume 39 (2011) Update of policy rules those derived from graphs intermediate between Q and Y . These can be easily identified, as they present any of the elements in Y u and not in Y , but they do not present at least one element in X . Semantic reduction in Figure 16 (right) combines premise reduction and conclusion expan- sion. The relative modifications can be derived from the composition of the two processes. X u ��< << << << cu &&// X c // �� Y ��� � � � X cu &&c // ��: :: :: :: Y �� � � � // Y u ��� � � � X u &&MM MM MM MM MM MM cu **// X c // ��: :: :: :: Y ��� � � � // Y u xxr r r r r r G G G Figure 16: Premise reduction (left), conclusion expansion (centre), semantic reduction (right). In a similar way, common expansion and common reduction can be obtained by combining the above processes, in the following order: ∙ For common expansion, expand Y to Y u first, and then expand X to X u, in both cases expanding the morphism so as to preserve the image of X in Y . ∙ For common reduction, reduce X to X u first, and then reduce Y to Y u, in both cases reduc- ing the morphism so as to preserve the image of X in Y . One wonders whether a similar construction can be defined when simultaneously removing and including elements in both premise and conclusion (while preserving the secured node). Figure 17 illustrates the problem with this. In order to maintain incrementality, one needs to first identify the intersections X′ and Y ′ between the original and the updated versions, update under common reduction for X′→Y ′, and then use common expansion to generate P(cu) for cu : X u → Y u (left). Alternatively, one can first use common expansions and then common reduction, where the intersections are X′′ and Y ′′ (right). But in this case there is no guarantee that the nodes which receive the additional edges in Y and Y ′ are the same. Hence, depending on the order in which the transformations are applied, one can obtain different rule sets. X′ ���� �� �� � �� // Y ′ �� ��< << << << X′ Xoo c // Y // Y ′ X u cu 55X c // Y Y u X u OO cu 55X′′oo OO // Y ′′ OO // Y u OO Figure 17: Incorrect constructions for simultaneous removal and increment. Example Considering the scenario in Section 4, Figure 8 presents a case of conclusion expan- sion, making stricter requests on the authorisation process. Following the algorithm above, the construction of the new rules for this policy starts with the identification of the rules in L ∈ LY1 ; in this case rule r2 : L2 → R2 in Figure 7 (omitting the study of the modification of NACs). We then need to replace r2 with the set of rules constructing the intermediate graphs between L2 and GCM 2010 16 / 18 ECEASST the modified conclusion Y6, with the proviso that X can appear only in the right-hand side of the rule building the whole Y6. Figure 18 shows the process replacing rule r2 with rules r′2 and r 2 2 . 1:Doc 3:Mgr Lv2 2:Mgr Lv1 1:Doc 3:Mgr Lv2 2:Mgr Lv1 Auth 𝐿2 𝑅2 𝑟2 1:Doc 3:Mgr Lv2 2:Mgr Lv1 :Mgr 1:Doc 3:Mgr Lv2 2:Mgr Lv1 4:Mgr 1:Doc 3:Mgr Lv2 2:Mgr Lv1 4:Mgr Auth 𝑟2 2 𝑅2 2 𝐿2 2 𝑅2 ′ 𝑟2 ′ Figure 18: Revising rule r2 from the scenario. 7 Conclusions and future work We have presented an approach to the construction of incremental procedures ensuring the ap- plication of rules consistently with atomic constraints and to the modification of such procedures in an incremental way after the modification of the original constraints. The approach works under a number of assumptions, which are reasonably met in practical cases. First, conclusions in constraints are defined by graphs with a specific relation with the premise, viz. only one node can receive additional edges. Second, constraint updates preserve the images for the preserved elements in the premise (i.e. we do not deal with revocation [HJPW01]). Third, constraints and rules are typed according to a metamodel maintaining distinct finite domains for each attribute and allowing only equality comparison operations among values. The procedures are defined as sets of rules, which can be exploited in different contexts, or organised into transformation units, typically consistent with the partial order induced by injections on structural parts of graphs. The study of more general cases is a complex one. We prevent rules from creating matches for X if they are not final rules. However, if we relax the form of the constraints to consider secured configurations instead of secured nodes, situations may arise in which matches can be created other than just the one for which the extension to Y is provided. In this case more complex repair actions must be defined. Also, one needs to consider what happens when arbitrary graph morphisms are considered instead of only injective ones. This problem can be investigated in versions where arbitrary morphisms can be used for matches of constraints, of rules, or both. A final line of investigation concerns the possibility of lifting the constructions in the paper to high level structures. While we basically rely on pushouts (in particular the initial pushout) and colimits for the construction of the incremental procedure, we require a form for constraints which is related to their setting in the category of graphs. The study of a more general type of constraints could then give indications on how to generalise the approach. 17 / 18 Volume 39 (2011) Update of policy rules Acknowledgments. Partially funded by Progetto Sapienza 2007: ”Sistemi interattivi per la fruizione e la produzione di eventi culturali”. Bibliography [BFP10] P. Bottoni, A. Fish, F. Parisi-Presicce. Preserving constraints in horizontal model transformations. ECEASST 29, 2010. [EEHP06] H. Ehrig, K. Ehrig, A. Habel, K.-H. Pennemann. Theory of Constraints and Ap- plication Conditions: From Graphs to High-Level Structures. Fundam. Inform. 74(1):135–166, 2006. [EEPT06] H. Ehrig, K. Ehrig, U. Prange, G. Taentzer. Fundamentals of Algebraic Graph Transformation. Springer, 2006. [EKTW06] K. Ehrig, J. M. Küster, G. Taentzer, J. Winkelmann. Generating Instance Models from Meta Models. In Proc. FMOODS 2006. LNCS 4037, pp. 156–170. Springer, 2006. [HJPW01] Å. Hagström, S. Jajodia, F. Parisi-Presicce, D. Wijesekera. Revocations-A Classifi- cation. In CSFW. Pp. 44–58. 2001. [HP09] A. Habel, K.-H. Pennemann. Correctness of high-level transformation systems rela- tive to nested conditions. Mathematical Structures in Computer Science 19(2):245– 296, 2009. [HW95] R. Heckel, A. Wagner. Ensuring consistency of conditional graph rewriting - a con- structive approach. ENTCS 2:118–126, 1995. [JKW08] M. Janota, V. Kuzina, A. Wasowski. Model Construction with External Constraints: An Interactive Journey from Semantics to Syntax. In Proc. MoDELS 2008. Pp. 431– 445. 2008. [KMP05] M. Koch, L. V. Mancini, F. Parisi-Presicce. Graph-based specification of access control policies. J. Comput. Syst. Sci. 71(1):1–33, 2005. [KP06] M. Koch, F. Parisi-Presicce. UML specification of access control policies and their formal verification. Software and System Modeling 5(4):429–447, 2006. [OL10] F. Orejas, L. Lambers. Symbolic Attributed Graphs for Attributed Graph Transfor- mation. ECEASST 30, 2010. [Ren04] A. Rensink. Representing First-Order Logic Using Graphs. In Proc. ICGT. LNCS 3256, pp. 319–335. Springer, 2004. [WWP08] Y. Wei, C. Wang, W. Peng. Graph Transformations for the Specification of Access Control in Workflow. In Proc. WiCOM ’08. Pp. 1–5. 2008. GCM 2010 18 / 18 Introduction Related work Background A scenario for policy update Constraint-compliant policy rules The procedure for incremental satisfaction Repairing inconsistencies Rule-Constraint conflict Incremental update Conclusions and future work