Deontic STIT logic, from logical paradox to security policy

A deontic STIT logic is studied in this paper with a possible application to specifying security policies for intrusion detection in pervasive computing environments. Compared to the existing deontic STIT logics, an advantage of our logic is that it solves the miners paradox, a logical paradox that has recently attracted the attention of logicians, philosophers, linguists and computer scientists. A sound and complete axiomatization of our logic is developed.


Introduction
Our ultimate goal in this article is to develop a logic for formalizing security policies, especially for intrusion detection in pervasive computing environments. Security is a high-priority requirement for many information systems, and in practice it is regarded as an increasingly significant issue.

Communicated by A. Di Nola.
This paper is a revision of Sun and Baniasadi (2014).

In most systems, security requirements may already exist but usually remain informal, and starting from these requirements it is of growing interest to be able to define a rigorous security policy. In pervasive computing environments, resources like information and services are accessible anywhere and anytime via any device (Barolli and Takizawa 2010; Marcelloni et al. 2014; Ogiela et al. 2014; Ramos et al. 2014; Choi et al. 2014). There are different sorts of users and services, and some of them may be unknown or not predefined (Kagal et al. 2001). The distribution of resources in these environments forces us to rely on decentralized security management. In this setting, the environment is divided into a number of domains based on different factors. For each domain, there is a security agent with an administrator (which we call an authority) who is responsible for preserving the security of the resources under their protection.
Several authors have used deontic logic to specify security policies (Glasgow et al. 1992; Jones and Sergot 1992; Demolombe and Jones 1996; Cuppens-Boulahia and Cuppens 2008; Cuppens et al. 2013). These authors outlined the main features of this formalism for analyzing various aspects of security, formalizing previously informal security requirements and providing a flexible and expressive language for specifying security properties. Deontic logic is the formal study of norms and deontic modalities (such as permission, prohibition and obligation). The publication of von Wright (1951) in 1951 marks the birth of deontic logic, and with the work of Meyer (1988) deontic logic became a part of computer science. Deontic logic has been a valuable tool for specifying and reasoning about security policies because key notions in security such as permission, authorization, prohibition and obligation are exactly the subject matter of deontic logic. To apply deontic logic to the specification of security policies in pervasive computing environments, we need a deontic logic in which different authorities are explicitly modeled. Deontic STIT logic offers one option for this purpose. Deontic STIT logic (Horty 2001; Kooi and Tamminga 2008; Sun 2011; Broersen 2011), grounded in STIT (see to it that) theory (Belnap et al. 2001), is a branch of deontic logic developed by philosophers, logicians and computer scientists in recent years. In Kooi and Tamminga (2008) and Sun (2011), the authors develop deontic logics capable of modeling commands from different authorities.
Another reason for choosing deontic STIT logic comes from the motivation of the specification of policies of intrusion detection. Cuppens-Boulahia and Cuppens (2008) investigate the specification of intrusion detection policies. They argue that it is appropriate to use the bring it about modality for specification. Since the difference between bring it about and see to it that is negligible, deontic STIT logic can be an appropriate tool to specify policies of intrusion detection.
From a logical perspective, one limitation of the existing deontic STIT logics is that they suffer from certain logical paradoxes. This paper develops a new multi-authority deontic STIT logic (MADL) that overcomes this problem, so that our logic is more suitable than the existing deontic STIT logics for application to security.
In the rest of this paper, we recap the miners paradox in Sect. 2 as a trigger of our further study. We then present our deontic STIT logic in Sect. 3. In Sect. 4 we discuss some related work. Section 5 summarizes this article with future work.

The miners paradox
In recent years, many deontic logicians have become interested in the miners paradox (Gabbay et al. 2014). The miners paradox, as presented in Kolodny and MacFarlane (2010), is described as follows: There are 10 miners trapped in either shaft A or shaft B, but we don't know which one. Water threatens to flood the shafts. We have sandbags to block only one shaft. If one shaft is blocked, all the water will flood into the other shaft, killing all the miners inside. If we block neither shaft, both will be flooded partially, killing 1 miner.
Since we don't know the miners' location, it seems plausible that: (1) We should block neither shaft A nor shaft B.
However, the following also seems acceptable. (4) The miners are either in shaft A or in shaft B.
And (2), (3) together with (4) imply that (5) Either we should block shaft A or we should block shaft B.

Deontic STIT logic
In deontic STIT logic, the semantics of the deontic operator is interpreted by best choices, which are defined via a preference relation over sets of possible worlds. Such a relation is obtained from a preference relation over possible worlds through lifting. In the literature, there are many methods of lifting preferences, which are summarized by Lang and van der Torre (2008) as follows. Let $U_1$ and $U_2$ be two sets of worlds.
- strong lifting: $U_1$ is strongly at least as good as $U_2$ iff $\forall w \in U_1, \forall v \in U_2$, w is at least as good as v.
- optimistic lifting: $U_1$ is optimistically at least as good as $U_2$ iff $\exists w \in U_1, \forall v \in U_2$, w is at least as good as v.
- pessimistic lifting: $U_1$ is pessimistically at least as good as $U_2$ iff $\forall w \in U_1, \exists v \in U_2$, w is at least as good as v.
In the utilitarian deontic logic (UDL) of Horty (2001), Kooi and Tamminga (2008) and Sun (2011), strong lifting is used. According to strong lifting, the best choices in the miners paradox are block_A, block_B and block_neither. Therefore, "we ought to block neither" is false. To understand such reasoning more precisely, we now formally review the UDL introduced in Sun (2011).
The language of utilitarian deontic logic, $\mathcal{L}_{udl}$, is defined by the following BNF: Let Ψ = {p, q, r, . . .} be a set of propositional atoms and Agent = {1, . . . , n} be a set of agents, where p ∈ Ψ and G ⊆ Agent. Intuitively, [G]ψ says that "group G sees to it that ψ." G ψ says that "G ought to see to it that ψ." G (ψ/φ) says that "G ought to see to it that ψ under the condition φ." The semantics of UDL is defined via the notion of utilitarian models.
Definition 1 A utilitarian model $(W, V, Choice, \preceq)$ is a tuple where W is a set of possible worlds, V is a valuation function that maps every atom to a set of worlds, $\preceq$ is a transitive and reflexive relation over W, and Choice is a choice function. The function $Choice: 2^{Agent} \to 2^{2^W}$ is based on the individual choice function $IndChoice: Agent \to 2^{2^W}$. IndChoice is required to satisfy the following conditions: (1) IndChoice(i) forms a partition of W, for every i ∈ Agent; (2) given arbitrary $x_1 \in IndChoice(1), \ldots, x_n \in IndChoice(n)$ and Agent = {1, . . . , n}, it holds that We use $w \preceq v$ to represent that w is no better than v, and $w \approx v$ as an abbreviation of $w \preceq v$ and $v \preceq w$.
Definition 3 (Horty 2001) Let H be a set of agents and Y a set of worlds.

Definition 7 (Semantics of UDL). Given a utilitarian model
The miners paradox is characterized by the model Miners (Fig. 1). Group H can choose block_A, block_B or block_neither, while the other agents can only choose W. All three choices of group H are optimal under strong lifting. Therefore, the obligation for H to see to it that block_neither is false at $v_1$ in Miners, and UDL cannot solve the miners paradox.

Utilitarian deontic logic via pessimistic lifting
With the motivation of solving the miners paradox, we introduce a new logic called pessimistic utilitarian deontic logic (PUDL), in which pessimistic lifting is used instead of strong lifting. We will show that PUDL not only solves the miners paradox but also solves Ross's paradox and the contrary to duty paradox. We then present an axiomatization for PUDL and generalize PUDL to MADL in the next subsection.
Informally, block_neither in the miners scenario is the only optimal choice according to the pessimistic lifting. Hence, "we ought to block neither" holds. Moreover, in PUDL both (2) and (3) are true, whereas the inference from (2)-(4) to (5) is invalid. Therefore, PUDL is capable of solving the miners paradox. Now, we present these arguments formally.
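As an added illustration (my code, not code from the paper), the following Python script builds a constructed miners model, implements the three liftings summarized above, and computes which choices of the blocking agent are optimal under each. Worlds pair a choice with the miners' location, the welfare of a world is the number of surviving miners (an assumption chosen to match the scenario), and the names MINERS, CHOICES, strong, optimistic, pessimistic and optimal_choices are mine. It also runs the optimistic lifting, which neither UDL nor PUDL uses, to show how much the verdict depends on the lifting chosen.

```python
from typing import Callable, Dict, FrozenSet, Tuple

World = Tuple[str, str]   # (choice of the blocking agent, location of the miners)
Lifting = Callable[[Dict[World, int], FrozenSet[World], FrozenSet[World]], bool]

# Constructed miners model (assumed, not taken from the paper): the welfare of
# a world is the number of miners who survive in it.
MINERS: Dict[World, int] = {
    ("block_A", "in_A"): 10, ("block_A", "in_B"): 0,
    ("block_B", "in_A"): 0,  ("block_B", "in_B"): 10,
    ("block_neither", "in_A"): 9, ("block_neither", "in_B"): 9,
}

# IndChoice of the blocking agent: a partition of the worlds, one cell per action.
CHOICES: Dict[str, FrozenSet[World]] = {
    action: frozenset(w for w in MINERS if w[0] == action)
    for action in ("block_A", "block_B", "block_neither")
}


def at_least_as_good(u: Dict[World, int], w: World, v: World) -> bool:
    """Preference over worlds: w is at least as good as v (reflexive, transitive, connected)."""
    return u[w] >= u[v]


# The three liftings of Lang and van der Torre (2008): U1 is at least as good as U2 iff ...
def strong(u, u1, u2) -> bool:
    # ... every world of U1 is at least as good as every world of U2
    return all(at_least_as_good(u, w, v) for w in u1 for v in u2)


def optimistic(u, u1, u2) -> bool:
    # ... some world of U1 is at least as good as every world of U2
    return any(all(at_least_as_good(u, w, v) for v in u2) for w in u1)


def pessimistic(u, u1, u2) -> bool:
    # ... every world of U1 is at least as good as some world of U2
    return all(any(at_least_as_good(u, w, v) for v in u2) for w in u1)


def strictly_better(lift: Lifting, u, u1, u2) -> bool:
    """U1 is strictly better than U2: the lifted 'at least as good' holds one way only."""
    return lift(u, u1, u2) and not lift(u, u2, u1)


def optimal_choices(lift: Lifting, u: Dict[World, int], choices: Dict[str, FrozenSet[World]]):
    """Choices that no other choice strictly dominates under the given lifting."""
    return sorted(
        c for c in choices
        if not any(strictly_better(lift, u, choices[d], choices[c]) for d in choices if d != c)
    )


if __name__ == "__main__":
    for lift in (strong, optimistic, pessimistic):
        print(f"{lift.__name__:12s} optimal: {optimal_choices(lift, MINERS, CHOICES)}")
```

Under strong lifting no choice dominates another, so all three are optimal and "block neither" is not singled out; under pessimistic lifting only block_neither survives, because it is the only choice whose worst world (9 survivors) beats the worst world of the others (0 survivors); optimistic lifting picks the two gambles block_A and block_B.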
We use $\psi \prec_p \varphi$ to denote $\neg(\varphi \preceq_p \psi) \land (\psi \preceq_p \varphi)$. Obligation in $\mathcal{L}_{pudl}$ is characterized as follows: That is to say, agent i ought to STIT ψ if and only if, in the pessimistic sense, STIT ψ is strictly better than ¬ψ and it is possible for i to STIT ψ.

Semantics
We now introduce the semantics of PUDL.
Definition 8 A tuple $M = (W, \preceq, \prec, IndChoice, V)$ is a pessimistic utilitarian model if W and IndChoice are the same as in the utilitarian model, $\preceq$ is a relation over W that represents the social welfare of all agents and is reflexive, transitive and connected, and $\prec$ is a relation over W such that for every Let $R_i$ be a relation such that $(v, v') \in R_i$ if and only if there exists a $T \in IndChoice(i)$ with $\{v, v'\} \subseteq T$. The semantics of $\mathcal{L}_{pudl}$ is defined as follows:

Solving the miners paradox
We formally describe the miners scenario by a pessimistic utilitarian model. Let We know that ¬block_neither is strictly worse than [i]block_neither according to the pessimistic semantics. Therefore, at $v_1$ in Miners$_p$, i ought to see to it that block_neither. Moreover, "if the miners are in A, then i ought to block A" holds, because ¬block_A is worse than [i]block_A given the condition that the miners are in A. Therefore, at $v_1$ in Miners$_p$, i ought to see to it that block_A under the condition in_A; similarly, i ought to see to it that block_B under the condition in_B. It remains to prove that even if "if the miners are in A, then we ought to block A" and "if the miners are in B, then we ought to block B" are both true, we cannot infer that "we ought to block either A or B." The following proposition justifies such reasoning.

Bonus 1: solving the contrary to duty paradox
The contrary to duty paradox is one of the most serious paradoxes in deontic logic. The best known example of this paradox is given by Chisholm (1963): (1a) It ought to be that you go to the party; (2a) It ought to be that if you go, then you tell them you are going; (3a) If you don't go, you ought not to tell them you are going; (4a) You do not go.
Intuitively, these four statements are consistent and independent of each other. But either the consistency or the independence is lost after they are translated to standard Let p represent "go to the party" and q represent "tell them you are going." Then we can formalize the four statements in our logic as follows: It is not hard to see that the above four formulas are independent of each other. For consistency, consult the model in Fig. 2: all four formulas (a)-(d) are true at $v_1$.

Bonus 2: solving Ross' paradox
Another well-known paradox in deontic logic is Ross' paradox (Alfred 1941): Suppose John should send a letter. Since sending the letter implies sending it or burning it, John should send the letter or burn it.
In UDL, the formula stating that if H ought to see to it that φ then H ought to see to it that φ ∨ ψ is valid, which means that UDL cannot solve Ross' paradox. PUDL, on the other hand, solves Ross' paradox, as the following proposition shows.
The completeness direction (right-to-left) can be proved by a canonical model construction together with bulldozing (Segerberg 1971), both standard techniques in modal logic. The proof of soundness (left-to-right) is trivial.

Multi-authority deontic STIT logic
Now we generalize PUDL to MADL. The main difference between them is that in MADL, deontic modality is interpreted via multiple authorities.

Language
The language of MADL is constructed from Agent, Ψ, a set of authorities Auth, a set of objects Obj and a set of atomic actions Act. For i ∈ Agent, o ∈ Obj and a ∈ Act, do(i, a, o) is an atomic formula, meaning that agent i executes action a on object o. For atomic formulas p, q, i ∈ Agent and j ∈ Auth, the language $\mathcal{L}_{madl}$ is generated by the following BNF: Intuitively, $[\preceq_j]\psi$ means that "ψ is weakly preferable according to the normative standard of authority j," while $[\prec_j]\psi$ means "ψ is strictly preferable according to the normative standard of authority j." [ j ]ψ means "ψ is unpreferable according to the normative standard of authority j." We use $\psi \prec_j \varphi$ as an abbreviation of $(\psi \preceq_j \varphi) \land \neg(\varphi \preceq_j \psi)$. Obligation is expressed in $\mathcal{L}_{madl}$ as follows: Intuitively, this formula means that agent i ought to see to it that ψ according to the normative value of authority j iff ¬ψ is strictly worse than seeing to it that ψ according to the normative value of authority j and it is possible for i to see to it that ψ.
To specify security policies, we further introduce (conditional) prohibition and (conditional) permission in L madl : -F j i ψ::= j i ¬ψ. This means according to the normative value of authority j, agent i is forbidden to STIT ψ iff i is obliged to STIT ¬ψ.

Semantics
The semantics of MADL is based on the multi-authority STIT model, which is a generalization of the PUDL model.

Definition 10 (Multi-authority STIT model)
A multi-authority STIT model is a tuple where W and IndChoice are the same as in the PUDL model, and $\preceq_j$ is a relation on W indicating the normative standard of authority j. $\preceq_j$ is required to be reflexive, transitive and connected. $\prec_j$ is a sub-relation of $\preceq_j$ such that for all The semantics of $\mathcal{L}_{madl}$ is defined similarly to that of PUDL; here, we only give the crucial cases:
Theorem 2 (Soundness and completeness) $\Gamma \vdash_{madl} \psi$ iff $\Gamma \models_{madl} \psi$.
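To make the multi-authority semantics concrete, here is an added Python example (my construction, not code from the paper) of a small MADL-style model for a security policy: a gateway agent i must serve, deny or escalate a request without knowing whether the request is authenticated, and two authorities, a security administrator sec and an operations team ops, rank the outcomes differently. It evaluates the obligation operator as characterized above (¬ψ pessimistically strictly worse than [i]ψ, and [i]ψ possible), prohibition as obligation of the negation, and the conditional obligation used in Sect. "Solving the miners paradox"; it also checks the Ross pattern from Sect. "Bonus 2" in this model. The welfare numbers, the action and authority names, the atomic propositions do(i, a, request) and the treatment of a condition as a restriction of both sets to the worlds where it holds are all my assumptions.

```python
from itertools import product
from typing import Dict, FrozenSet, Optional, Tuple

World = Tuple[str, str]   # (action chosen by agent i, whether the request is authenticated)

# Constructed scenario (assumed, not from the paper): agent i reacts to a request
# whose authentication status it cannot observe when it chooses.
ACTIONS = ("serve", "deny", "escalate")
STATUS = ("authn", "unauth")
W: FrozenSet[World] = frozenset(product(ACTIONS, STATUS))

# IndChoice(i): one cell per action; each cell contains both environment outcomes.
IND_CHOICE_I: Dict[str, FrozenSet[World]] = {
    a: frozenset(w for w in W if w[0] == a) for a in ACTIONS
}

# Normative standards of two authorities, given as welfare per world (higher is
# better); each induces a reflexive, transitive, connected relation on W.
PREF: Dict[str, Dict[World, int]] = {
    "sec": {("serve", "authn"): 8, ("serve", "unauth"): 0,
            ("deny", "authn"): 6, ("deny", "unauth"): 10,
            ("escalate", "authn"): 5, ("escalate", "unauth"): 7},
    "ops": {("serve", "authn"): 10, ("serve", "unauth"): 7,
            ("deny", "authn"): 2, ("deny", "unauth"): 5,
            ("escalate", "authn"): 4, ("escalate", "unauth"): 6},
}


def do(action: str) -> FrozenSet[World]:
    """Truth set of the atomic formula do(i, action, request)."""
    return frozenset(w for w in W if w[0] == action)


def authenticated() -> FrozenSet[World]:
    """Truth set of the environment proposition 'the request is authenticated'."""
    return frozenset(w for w in W if w[1] == "authn")


def stit(psi: FrozenSet[World]) -> FrozenSet[World]:
    """[i]psi: worlds whose choice cell of i lies entirely inside the truth set of psi."""
    return frozenset(w for cell in IND_CHOICE_I.values() if cell <= psi for w in cell)


def no_better_pess(u: Dict[World, int], x: FrozenSet[World], y: FrozenSet[World]) -> bool:
    """X is pessimistically no better than Y: every world of Y is at least as good as some world of X."""
    return all(any(u[w] >= u[v] for v in x) for w in y)


def strictly_worse_pess(u, x, y) -> bool:
    """X is pessimistically strictly worse than Y: no-better holds one way only."""
    return no_better_pess(u, x, y) and not no_better_pess(u, y, x)


def ought(authority: str, psi: FrozenSet[World], cond: Optional[FrozenSet[World]] = None) -> bool:
    """Agent i ought to see to it that psi (given cond) by the standard of `authority`:
    not-psi is pessimistically strictly worse than [i]psi, and [i]psi is possible.
    Conditioning is modelled here by restricting both sets to the worlds of cond (assumption)."""
    u = PREF[authority]
    scope = W if cond is None else cond
    doing = stit(psi) & scope
    not_psi = (W - psi) & scope
    return bool(doing) and strictly_worse_pess(u, not_psi, doing)


def forbidden(authority: str, psi: FrozenSet[World], cond=None) -> bool:
    """Prohibition: i is forbidden to see to it that psi iff i ought to see to it that not-psi."""
    return ought(authority, W - psi, cond)


def policy_report() -> Dict[str, bool]:
    """Verdicts of both authorities on the gateway's options."""
    return {
        "sec forbids serving":           forbidden("sec", do("serve")),
        "sec obliges serving if authn":  ought("sec", do("serve"), cond=authenticated()),
        "sec obliges serving uncond.":   ought("sec", do("serve")),
        "ops obliges serving":           ought("ops", do("serve")),
        # Ross pattern: the disjunction is not obligatory although one disjunct is
        "ops obliges serve-or-deny":     ought("ops", do("serve") | do("deny")),
    }


if __name__ == "__main__":
    for claim, verdict in policy_report().items():
        print(f"{claim:30s} {verdict}")
```

The two authorities disagree unconditionally (sec forbids serving because the worst serve-world is an unauthenticated request being served, ops obliges serving), while the conditional obligation "serve, given that the request is authenticated" holds even for sec, which is exactly the shape of a policy rule. The last entry shows the Ross pattern failing under pessimistic lifting: ops obliges serving, but not serving-or-denying, since the deny cell drags the worst case of the disjunction below that of escalating.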

Related work
The use of logics to handle the problems of specifying and reasoning about the security of information systems began in 1988 with Glasgow and MacEwen (1988). Since then, various types of logic have been used to model inference abilities and the specification of security policies. Van Hertum et al. (2016) have recently proposed a multi-agent variant of autoepistemic logic, called Distributed Autoepistemic Logic with Inductive Definitions (dAEL(ID)), to be used as a says-based access control logic. By applying the semantic principles of autoepistemic logic to characterize the says-modality, dAEL(ID) allows one to derive a statement of the form ¬(k says ψ) from the observation that k has not issued statements implying ψ. Support for reasoning about such negated says-statements allows dAEL(ID) to model access denials straightforwardly, which can hardly be modeled by previous says-based access control logics.

Summary and future work
In this article, we have developed a deontic STIT logic with a possible application to the specification of security policies for intrusion detection in pervasive computing environments. Compared to the existing deontic STIT logics, an advantage of our logic is that it solves the miners paradox, a logical paradox that has recently attracted the attention of logicians, philosophers, linguists and computer scientists. A sound and complete axiomatization of our logic was developed. As future work, we will study the computational complexity of our logic and carry out case studies on the application of our logic to security policies.

Compliance with ethical standards
Conflict of interest Both authors declare that they have no conflict of interest.
Human and animals participants This article does not contain any studies with human participants or animals performed by any of the authors.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.