Can’t We All Just Get Along? Agreement Technologies and the Science of Security

Munindar P. Singh, Department of Computer Science, North Carolina State University

Munindar P. Singh (NCSU)

Can’t We All Just Get Along?

1 / 22

Simple Normative Framework

[Figure: an Org hosts a set of Norms; each Principal implements those Norms through its own Internal Policy.]

Traditional View: Systems as Artifacts


Proposed View: Systems as Societies

Conversations with autonomous parties; control over resources

Sociotechnical Systems

Combine IT with real-life societal considerations

- System characteristics
  - Longevity and identity
  - Autonomy
  - Essentially a society
  - Characterized via norms, not operationally
- Member characteristics
  - Longevity and identity
  - Autonomy
  - Heterogeneity
  - Ability to deal with norms, e.g., via goals realized in policies
- Realization
  - Top down: members fit into an existing system, adopting suitable goals given the system's norms
  - Bottom up: members design a new system, negotiating suitable norms given their individual goals

Regulation versus Regimentation (Amish Rumspringa)

- Regimentation: preventing bad behavior
  - Fits a closed system
  - Reflects a pessimistic stance
  - Presumes a regimenting infrastructure
- Regulation: discouraging and correcting, though allowing, bad behavior
  - Fits an open system
  - Reflects an optimistic stance
  - Presumes a regulating social system

Regulation versus Regimentation (Amish Rumspringa): The Model Allows Bad Behavior

[Figure: the set of all paths the system can take, with the acceptable paths drawn as a subset; under regulation the unacceptable paths remain reachable.]

Conception of Norms, Orgs, and Policies

- Key concepts
  - Orgs host norms and members
  - Norms as standards of correctness
  - Internal policies of agents address norms
  - Decision making and behavior of agents address policies
- Societal structure relates to other important concepts
  - Trust
    - Engendered by norms
    - Assigned based on policies
  - Economic concepts
    - Incentives correspond to policies
    - Mechanisms correspond to norms

Governance Overview


Types of Norms

Unified logical form: Norm(subject, object, context, antecedent, consequent)

- Directed: capture accountability
- Declarative
- Composable
- Manipulable

Norms as Façades

| Norm          | Subject's Façade | Object's Façade |
|---------------|------------------|-----------------|
| Commitment    | Liability        | Privilege       |
| Authorization | Privilege        | Liability       |
| Power         | Privilege        | Liability       |
| Prohibition   | Liability        | Privilege       |
| Sanction      | Liability        | Privilege       |

Norm Life Cycle: 1


Norm Life Cycle: 2

Substate of a terminated norm, by the truth values of its antecedent (ant) and consequent (con) at termination (null: the norm never took effect; sat: satisfied; vio: violated):

| If terminated in: ant | con   | Then: Com | Aut  | Pro  | San  | Pow  |
|-----------------------|-------|-----------|------|------|------|------|
| false                 | false | null      | null | null | null | null |
| false                 | true  | sat       | vio  | null | null | null |
| true                  | false | vio       | null | sat  | null | vio  |
| true                  | true  | sat       | sat  | vio  | sat  | sat  |

Architecture

Differentiating from traditional software architecture

- Autonomy is key
  - Partly recognized in ULSSIS: Ultra-Large-Scale Software-Intensive Systems
- Abstraction: norms describe what, not how
- Opacity: internal policies are hidden
- Dynamism, both in
  - Membership
  - Participation: not regimented
- Fractal structure of Orgs
  - Turtles all the way down

Security Properties and Threats

To use as demonstration cases

- Properties
  - Least privilege
  - Separation of duties
  - Two-person rule (e.g., for nuclear missile launch)
- Threats
  - Denial of service
  - Information inference
  - Insider attacks

Challenge: Specification

- Framework
  - Operational model (aka "system spec")
    - Computable
    - Mathematical and abstract
    - Provides the underpinnings for correctness
  - Correctness (aka "property spec")
    - To be verified
    - Expressed on top of the operational model
- Specification modalities
  - Policies
  - Incentives
  - Sanctioning
  - Normative relationships

Challenge: Architectural Patterns and Properties

Parametric families of systems

- Examples of architectural patterns
  - Make at least one party accountable for each requirement
  - Make exactly one party accountable for each requirement
  - Ensure each Org controls its infrastructure
  - Ensure each Org provides identity for its members
- Examples of properties
  - The information inference vulnerability is avoided
  - Certain actions cannot be performed unless two agents agree
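The following Python is an added example, not code from the talk: it encodes the unified norm form Norm(subject, object, context, antecedent, consequent) from the "Types of Norms" slide, the subject/object façade mapping from "Norms as Façades", and the terminated-norm substate table from "Norm Life Cycle: 2", and then states the two-person rule (listed as a demonstration property and as the "two agents agree" property above) as directed norms. The Org name "silo", the agents, the (actor, action, target) event shape and the three scenarios are all constructed for the illustration. In keeping with regulation rather than regimentation, nothing in the model blocks a launch; evaluation only reports which norm was violated and which party is accountable.

```python
"""Toy normative model (added illustration; not the talk's own code).

Encodes Norm(subject, object, context, antecedent, consequent), the facade
each norm type presents to its subject and object, and the substate of a
terminated norm, then expresses the two-person rule as directed norms.
All agents, events and the Org "silo" are made-up sample data.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Tuple


class NormType(Enum):
    COMMITMENT = "Com"
    AUTHORIZATION = "Aut"
    PROHIBITION = "Pro"
    SANCTION = "San"
    POWER = "Pow"


# Facade each norm type presents to its (subject, object).
FACADE: Dict[NormType, Tuple[str, str]] = {
    NormType.COMMITMENT: ("liability", "privilege"),
    NormType.AUTHORIZATION: ("privilege", "liability"),
    NormType.POWER: ("privilege", "liability"),
    NormType.PROHIBITION: ("liability", "privilege"),
    NormType.SANCTION: ("liability", "privilege"),
}

# Substate of a terminated norm, indexed by (antecedent, consequent) truth.
# "null": never took effect; "sat": satisfied; "vio": violated.
_T, _F = True, False
TERMINAL: Dict[NormType, Dict[Tuple[bool, bool], str]] = {
    NormType.COMMITMENT:    {(_F, _F): "null", (_F, _T): "sat",  (_T, _F): "vio",  (_T, _T): "sat"},
    NormType.AUTHORIZATION: {(_F, _F): "null", (_F, _T): "vio",  (_T, _F): "null", (_T, _T): "sat"},
    NormType.PROHIBITION:   {(_F, _F): "null", (_F, _T): "null", (_T, _F): "sat",  (_T, _T): "vio"},
    NormType.SANCTION:      {(_F, _F): "null", (_F, _T): "null", (_T, _F): "null", (_T, _T): "sat"},
    NormType.POWER:         {(_F, _F): "null", (_F, _T): "null", (_T, _F): "vio",  (_T, _T): "sat"},
}

# Hypothetical event shape: (actor, action, target); a history is a set of events.
Event = Tuple[str, str, str]
History = FrozenSet[Event]
Predicate = Callable[[History], bool]


@dataclass(frozen=True)
class Norm:
    name: str
    kind: NormType
    subject: str        # the accountable party: norms are directed
    obj: str
    context: str        # the Org hosting the norm
    antecedent: Predicate
    consequent: Predicate

    def facade(self) -> Tuple[str, str]:
        return FACADE[self.kind]

    def terminal_state(self, history: History) -> str:
        key = (self.antecedent(history), self.consequent(history))
        return TERMINAL[self.kind][key]


def happened(actor: str, action: str, target: str) -> Predicate:
    return lambda h: (actor, action, target) in h


def two_person_rule(org: str, a: str, b: str, action: str, target: str) -> List[Norm]:
    """'a' is authorized to perform action only once 'b' has approved it, and
    (separation of duties) 'a' is prohibited from both approving and acting."""
    return [
        Norm(f"auth-{a}", NormType.AUTHORIZATION, a, org, org,
             antecedent=happened(b, "approve", target),
             consequent=happened(a, action, target)),
        Norm(f"sod-{a}", NormType.PROHIBITION, a, org, org,
             antecedent=happened(a, "approve", target),
             consequent=happened(a, action, target)),
    ]


def evaluate(norms: List[Norm], history: History) -> Dict[str, str]:
    return {n.name: n.terminal_state(history) for n in norms}


def violators(norms: List[Norm], history: History) -> List[Tuple[str, str]]:
    """(norm name, accountable subject) for every violated norm."""
    return [(n.name, n.subject) for n in norms if n.terminal_state(history) == "vio"]


# Constructed scenario: Org "silo", operators alice and bob, either may launch.
SILO = (two_person_rule("silo", "alice", "bob", "launch", "missile")
        + two_person_rule("silo", "bob", "alice", "launch", "missile"))

PROPER = frozenset({("bob", "approve", "missile"), ("alice", "launch", "missile")})
SOLO = frozenset({("alice", "launch", "missile")})                       # no approval
SELF_APPROVED = frozenset({("alice", "approve", "missile"), ("alice", "launch", "missile")})

if __name__ == "__main__":
    for label, h in [("proper", PROPER), ("solo", SOLO), ("self-approved", SELF_APPROVED)]:
        print(label, evaluate(SILO, h), "violators:", violators(SILO, h))
```

The solo launch is not prevented; it terminates the authorization norm with antecedent false and consequent true, which the table classifies as a violation, and because the norm is directed the violation is attributed to alice rather than to the Org. Self-approval additionally violates the prohibition, showing how separation of duties and the two-person rule compose as independent norms over the same history.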

Challenge: Robustness

Guarantees of system states reached

- Under combinations of threats, e.g.,
  - Faults
  - Attacks
  - Specific agent policies
  - Collusion
- From the perspective of
  - Specific agents or roles
  - Org
  - External party, where relevant (?)
- In the context of
  - Particular infrastructure
  - Orgs

Challenge: Toward a Type Theory

Foundation for design of normative systems

- Explore well-known concepts in the present setting
  - Refinement of norms by norms
  - Realization of norms by role specifications
  - Conformance of roles to roles
  - Alignment of agents
  - Interoperability of roles
- Example fundamental theorem
  - Substituting a role by a conformant role preserves interoperability

Challenge: Requirements Engineering

- Designing an Org
  - Capturing requirements
  - Validating norms against requirements
- Multiparty design
  - Argumentation
  - Capturing design rationale
  - Evolution
  - Incorporating evidence

Highlights

- Understanding security presumes
  - A system as a society
    - Regulation, not regimentation
    - Orgs help delineate the social context
  - A normative architecture
    - Autonomy and accountability
    - Standards of acceptable behavior
    - Dynamism
    - Support for incentives
    - Doesn't regiment interactions: members can violate norms
- Raising the abstraction level opens up additional possibilities
  - Mapping personal norms (psychology)
  - Organizational culture (social psychology)

Thanks!

Amit Chopra and Science of Security Lablet colleagues (Nirav Ajmeri, Simon Parsons, José Meseguer, William Scherlis)

http://www.csc.ncsu.edu/faculty/mpsingh/