Severin Kacianka,Alexander Pretschner

DOI: https://doi.org/10.1145/3442188.3445905

2021-01-20

Abstract:Accountability is an often called for property of technical systems. It is a requirement for algorithmic decision systems, autonomous cyber-physical systems, and for software systems in general. As a concept, accountability goes back to the early history of Liberalism and is suggested as a tool to limit the use of power. This long history has also given us many, often slightly differing, definitions of accountability. The problem that software developers now face is to understand what accountability means for their systems and how to reflect it in a system's design. To enable the rigorous study of accountability in a system, we need models that are suitable for capturing such a varied concept. In this paper, we present a method to express and compare different definitions of accountability using Structural Causal Models. We show how these models can be used to evaluate a system's design and present a small use case based on an autonomous car.

Software Engineering

Denis J. S. de Albuquerque,Vanessa Tavares Nunes,Claudia Cappelli,Celia Ghedini Ralha

DOI: https://doi.org/10.48550/arXiv.2006.10232

2020-06-18

Multiagent Systems

Abstract:Transparency is an important factor in democratic societies composed of characteristics such as accessibility, usability, informativeness, understandability and auditability. In this research we focus on auditability since it plays an important role for citizens that need to understand and audit public information. Although auditability has been a subject of discussion when designing systems, there is a lack of systematization in its specification. We propose an approach to systematically add auditability requirements specification during the goal-oriented agent-based Tropos methodology. We used the Transparency Softgoal Interdependency Graph that captures the different facets of transparency while considering their operationalization. An empirical evaluation was conducted through the design and implementation of LawDisTrA system that distributes lawsuits among judges in an appellate court. Experiments included the distribution of over 300,000 lawsuits at the Brazilian Superior Labor Court. We theorize that the presented approach for auditability provides adequate techniques to address the cross-organizational nature of transparency.

Peng Liu,Jian-bin Hu,Zhong Chen

DOI: https://doi.org/10.1109/WI.2005.2

2005-01-01

Abstract:Although several access control policies have been proposed for securing access to resources, they focused on security of distributed environments that were rather static. Nowadays distributed environment becomes open and dynamic. In this paper, we propose a formal language for access control policies in open and dynamic environment. The language is based on description logic program and generalized courteous logic program supporting classical negation, prioritized conflict handling and mutual exclusion constraints. The language allows the specification of positive and negative authorization, privilege delegation and revocation, prioritized conflict resolution and mutual authorization exclusions.

Robert Künnemann,Ilkan Esiyok,Michael Backes,Robert Kunnemann

DOI: https://doi.org/10.1109/csf.2019.00034

2019-06-01

Abstract:Accountability is a recent paradigm in security protocol design which aims to eliminate traditional trust assumptions on parties and hold them accountable for their misbehavior. It is meant to establish trust in the first place and to recognize and react if this trust is violated. In this work, we discuss a protocol-agnostic definition of accountability: a protocol provides accountability (w.r.t. some security property) if it can identify all misbehaving parties, where misbehavior is defined as a deviation from the protocol that causes a security violation. We provide a mechanized method for the verification of accountability and demonstrate its use for verification and attack finding on various examples from the accountability and causality literature, including Certificate Transparency and Kroll's Accountable Algorithms protocol. We reach a high degree of automation by expressing accountability in terms of a set of trace properties and show their soundness and completeness.

Joshua A. Kroll

DOI: https://doi.org/10.1145/3442188.3445937

2021-01-23

Abstract:Accountability is widely understood as a goal for well governed computer systems, and is a sought-after value in many governance contexts. But how can it be achieved? Recent work on standards for governable artificial intelligence systems offers a related principle: traceability. Traceability requires establishing not only how a system worked but how it was created and for what purpose, in a way that explains why a system has particular dynamics or behaviors. It connects records of how the system was constructed and what the system did mechanically to the broader goals of governance, in a way that highlights human understanding of that mechanical operation and the decision processes underlying it. We examine the various ways in which the principle of traceability has been articulated in AI principles and other policy documents from around the world, distill from these a set of requirements on software systems driven by the principle, and systematize the technologies available to meet those requirements. From our map of requirements to supporting tools, techniques, and procedures, we identify gaps and needs separating what traceability requires from the toolbox available for practitioners. This map reframes existing discussions around accountability and transparency, using the principle of traceability to show how, when, and why transparency can be deployed to serve accountability goals and thereby improve the normative fidelity of systems and their development processes.

Computers and Society,Artificial Intelligence,Human-Computer Interaction

Jeremiah Blocki,Nicolas Christin,Anupam Datta,Ariel D. Procaccia,Arunesh Sinha

DOI: https://doi.org/10.48550/arXiv.1303.0356

2013-03-06

Abstract:Effective enforcement of laws and policies requires expending resources to prevent and detect offenders, as well as appropriate punishment schemes to deter violators. In particular, enforcement of privacy laws and policies in modern organizations that hold large volumes of personal information (e.g., hospitals, banks, and Web services providers) relies heavily on internal audit mechanisms. We study economic considerations in the design of these mechanisms, focusing in particular on effective resource allocation and appropriate punishment schemes. We present an audit game model that is a natural generalization of a standard security game model for resource allocation with an additional punishment parameter. Computing the Stackelberg equilibrium for this game is challenging because it involves solving an optimization problem with non-convex quadratic constraints. We present an additive FPTAS that efficiently computes a solution that is arbitrarily close to the optimal solution.

Computer Science and Game Theory,Cryptography and Security

Ziyi Su,Frederique Biennier

DOI: https://doi.org/10.48550/arXiv.1305.1727

2013-05-08

Cryptography and Security

Abstract:In an open information systems paradigm, real-time context-awareness is vital for the success of cooperation, therefore dynamic security attributes of partners should considered in coalition for avoiding security conflicts. Furthermore, the cross-boundary asset sharing activities and risks associated to loss of governance call for a continuous regulation of partners' behavior, paying attention to the resource sharing and consuming activities. This paper describes an attribute-based usage control policy shceme compline to this needs. A concise syntax with EBNF is used to summarize the base policy model. The semantics of negotiation process is disambiguated with abductive constraint logic programming (ACLP) and Event Calculus (EC). Then we propose a policy ratification method based on a policy aggregation algebra that elaborate the request space and policy rule relation. This method ensures that, when policies are aggregated due to resource sharing and merging activities, the resulting policy correctly interprets the original security goals of the providers' policies.

Colin Shea-Blymyer,Houssam Abbas

2024-08-01

Abstract:When designing agents for operation in uncertain environments, designers need tools to automatically reason about what agents ought to do, how that conflicts with what is actually happening, and how a policy might be modified to remove the conflict. These obligations include ethical and social obligations, permissions and prohibitions, which constrain how the agent achieves its mission and executes its policy. We propose a new deontic logic, Expected Act Utilitarian deontic logic, for enabling this reasoning at design time: for specifying and verifying the agent's strategic obligations, then modifying its policy from a reference policy to meet those obligations. Unlike approaches that work at the reward level, working at the logical level increases the transparency of the trade-offs. We introduce two algorithms: one for model-checking whether an RL agent has the right strategic obligations, and one for modifying a reference decision policy to make it meet obligations expressed in our logic. We illustrate our algorithms on DAC-MDPs which accurately abstract neural decision policies, and on toy gridworld environments.

Artificial Intelligence,Logic in Computer Science

James A. Hoagland,Raju Pandey,Karl N. Levitt

DOI: https://doi.org/10.48550/arXiv.cs/9809124

1998-10-01

Abstract:A security policy states the acceptable actions of an information system, as the actions bear on security. There is a pressing need for organizations to declare their security policies, even informal statements would be better than the current practice. But, formal policy statements are preferable to support (1) reasoning about policies, e.g., for consistency and completeness, (2) automated enforcement of the policy, e.g., using wrappers around legacy systems or after the fact with an intrusion detection system, and (3) other formal manipulation of policies, e.g., the composition of policies. We present LaSCO, the Language for Security Constraints on Objects, in which a policy consists of two parts: the domain (assumptions about the system) and the requirement (what is allowed assuming the domain is satisfied). Thus policies defined in LaSCO have the appearance of conditional access control statements. LaSCO policies are specified as expressions in logic and as directed graphs, giving a visual view of policy. LaSCO has a simple semantics in first order logic (which we provide), thus permitting policies we write, even for complex policies, to be very perspicuous. LaSCO has syntax to express many of the situations we have found to be useful on policies or, more interesting, the composition of policies. LaSCO has an object-oriented structure, permitting it to be useful to describe policies on the objects and methods of an application written in an object-oriented language, in addition to the traditional policies on operating system objects. A LaSCO specification can be automatically translated into executable code that checks an invocation of a program with respect to a policy. The implementation of LaSCO is in Java, and generates wrappers to check Java programs with respect to a policy.

Cryptography and Security

Daniela Inclezan

2023-05-23

Abstract:This paper introduces a framework for assisting policy authors in refining and improving their policies. In particular, we focus on authorization and obligation policies that can be encoded in Gelfond and Lobo's AOPL language for policy specification. We propose a framework that detects the statements that make a policy inconsistent, underspecified, or ambiguous with respect to an action being executed in a given state. We also give attention to issues that arise at the intersection of authorization and obligation policies, for instance when the policy requires an unauthorized action to be executed. The framework is encoded in Answer Set Programming. Under consideration for acceptance in TPLP.

Logic in Computer Science,Artificial Intelligence

Karam Kharraz,Shaun Azzopardi,Gerardo Schneider,Martin Leucker

2023-09-26

Abstract:A question we can ask of multi-agent systems is whether the agents' collective interaction satisfies particular goals or specifications, which can be either individual or collective. When a collaborative goal is not reached, or a specification is violated, a pertinent question is whether any agent is to blame. This paper considers a two-agent synchronous setting and a formal language to specify when agents' collaboration is required. We take a deontic approach and use obligations, permissions, and prohibitions to capture notions of non-interference between agents. We also handle reparations, allowing violations to be corrected or compensated. We give trace semantics to our logic, and use it to define blame assignment for violations. We give an automaton construction for the logic, which we use as the base for model checking and blame analysis. We also further provide quantitative semantics that is able to compare different interactions in terms of the required reparations.

Logic in Computer Science

Severin Kacianka,Amjad Ibrahim,Alexander Pretschner

DOI: https://doi.org/10.48550/arXiv.2005.03294

2020-05-07

Software Engineering

Abstract:While the exact definition and implementation of accountability depend on the specific context, at its core accountability describes a mechanism that will make decisions transparent and often provides means to sanction "bad" decisions. As such, accountability is specifically relevant for Cyber-Physical Systems, such as robots or drones, that embed themselves into a human society, take decisions and might cause lasting harm. Without a notion of accountability, such systems could behave with impunity and would not fit into society. Despite its relevance, there is currently no agreement on its meaning and, more importantly, no way to express accountability properties for these systems. As a solution we propose to express the accountability properties of systems using Structural Causal Models. They can be represented as human-readable graphical models while also offering mathematical tools to analyze and reason over them. Our central contribution is to show how Structural Causal Models can be used to express and analyze the accountability properties of systems and that this approach allows us to identify accountability patterns. These accountability patterns can be catalogued and used to improve systems and their architectures.

Andrea Margheri,Massimiliano Masi,Rosario Pugliese,Francesco Tiezzi

DOI: https://doi.org/10.48550/arXiv.1612.09339

2016-12-30

Abstract:Access control systems are widely used means for the protection of computing systems. They are defined in terms of access control policies regulating the accesses to system resources. In this paper, we introduce a formally-defined, fully-implemented framework for specification, analysis and enforcement of attribute-based access control policies. The framework rests on FACPL, a language with a compact, yet expressive, syntax for specification of real-world access control policies and with a rigorously defined denotational semantics. The framework enables the automatic verification of properties regarding both the authorisations enforced by single policies and the relationships among multiple policies. Effectiveness and performance of the analysis rely on a semantic-preserving representation of FACPL policies in terms of SMT formulae and on the use of efficient SMT solvers. Our analysis approach explicitly addresses some crucial aspects of policy evaluation, as e.g. missing attributes, erroneous values and obligations, which are instead overlooked in other proposals. The framework is supported by Java-based tools, among which an Eclipse- based IDE offering a tailored development and analysis environment for FACPL policies and a Java library for policy enforcement. We illustrate the framework and its formal ingredients by means of an e-Health case study, while its effectiveness is assessed by means of performance stress tests and experiments on a well-established benchmark.

Software Engineering

Jakob Mökander,Jonas Schuett,Hannah Rose Kirk,Luciano Floridi

DOI: https://doi.org/10.1007/s43681-023-00289-2

2023-05-30

AI and Ethics

Abstract:Abstract Large language models (LLMs) represent a major advance in artificial intelligence (AI) research. However, the widespread use of LLMs is also coupled with significant ethical and social challenges. Previous research has pointed towards auditing as a promising governance mechanism to help ensure that AI systems are designed and deployed in ways that are ethical, legal, and technically robust. However, existing auditing procedures fail to address the governance challenges posed by LLMs, which display emergent capabilities and are adaptable to a wide range of downstream tasks. In this article, we address that gap by outlining a novel blueprint for how to audit LLMs. Specifically, we propose a three-layered approach, whereby governance audits (of technology providers that design and disseminate LLMs), model audits (of LLMs after pre-training but prior to their release), and application audits (of applications based on LLMs) complement and inform each other. We show how audits, when conducted in a structured and coordinated manner on all three levels, can be a feasible and effective mechanism for identifying and managing some of the ethical and social risks posed by LLMs. However, it is important to remain realistic about what auditing can reasonably be expected to achieve. Therefore, we discuss the limitations not only of our three-layered approach but also of the prospect of auditing LLMs at all. Ultimately, this article seeks to expand the methodological toolkit available to technology providers and policymakers who wish to analyse and evaluate LLMs from technical, ethical, and legal perspectives.

Blai Bonet,Dominik Drexler,Hector Geffner

2024-03-25

Abstract:Recently, a simple but powerful language for expressing and learning general policies and problem decompositions (sketches) has been introduced in terms of rules defined over a set of Boolean and numerical features. In this work, we consider three extensions of this language aimed at making policies and sketches more flexible and reusable: internal memory states, as in finite state controllers; indexical features, whose values are a function of the state and a number of internal registers that can be loaded with objects; and modules that wrap up policies and sketches and allow them to call each other by passing parameters. In addition, unlike general policies that select state transitions rather than ground actions, the new language allows for the selection of such actions. The expressive power of the resulting language for policies and sketches is illustrated through a number of examples.

Computer Science

Micah Altman,Stephen Chong,Alexandra Wood

DOI: https://doi.org/10.48550/arXiv.1910.10096

2019-10-23

Abstract:In this paper, we summarize work-in-progress on expert system support to automate some data deposit and release decisions within a data repository, and to generate custom license agreements for those data transfers. Our approach formalizes via a logic programming language the privacy-relevant aspects of laws, regulations, and best practices, supported by legal analysis documented in legal memoranda. This formalization enables automated reasoning about the conditions under which a repository can transfer data, through interrogation of users, and the application of formal rules to the facts obtained from users. The proposed system takes the specific conditions for a given data release and produces a custom data use agreement that accurately captures the relevant restrictions on data use. This enables appropriate decisions and accurate licenses, while removing the bottleneck of lawyer effort per data transfer. The operation of the system aims to be transparent, in the sense that administrators, lawyers, institutional review boards, and other interested parties can evaluate the legal reasoning and interpretation embodied in the formalization, and the specific rationale for a decision to accept or release a particular dataset.

Cryptography and Security

Aaron D. Jaggard,Paul Syverson,Catherine Meadows

2024-05-03

Abstract:We introduce a logic for reasoning about contextual trust for web addresses, provide a Kripke semantics for it, and prove its soundness under reasonable assumptions about principals' policies.

Cryptography and Security,Logic in Computer Science

Joseph W. Cutler,Craig Disselkoen,Aaron Eline,Shaobo He,Kyle Headley,Michael Hicks,Kesha Hietala,Eleftherios Ioannidis,John Kastner,Anwar Mamat,Darin McAdams,Matt McCutchen,Neha Rungta,Emina Torlak,Andrew Wells

DOI: https://doi.org/10.48550/arXiv.2403.04651

2024-03-08

Abstract:Cedar is a new authorization policy language designed to be ergonomic, fast, safe, and analyzable. Rather than embed authorization logic in an application's code, developers can write that logic as Cedar policies and delegate access decisions to Cedar's evaluation engine. Cedar's simple and intuitive syntax supports common authorization use-cases with readable policies, naturally leveraging concepts from role-based, attribute-based, and relation-based access control models. Cedar's policy structure enables access requests to be decided quickly. Cedar's policy validator leverages optional typing to help policy writers avoid mistakes, but not get in their way. Cedar's design has been finely balanced to allow for a sound and complete logical encoding, which enables precise policy analysis, e.g., to ensure that when refactoring a set of policies, the authorized permissions do not change. We have modeled Cedar in the Lean programming language, and used Lean's proof assistant to prove important properties of Cedar's design. We have implemented Cedar in Rust, and released it open-source. Comparing Cedar to two open-source languages, OpenFGA and Rego, we find (subjectively) that Cedar has equally or more readable policies, but (objectively) performs far better.

Programming Languages

Hidde Lycklama,Alexander Viand,Nicolas Küchler,Christian Knabenhans,Anwar Hithnawi

2024-09-23

Abstract:Recent advancements in privacy-preserving machine learning are paving the way to extend the benefits of ML to highly sensitive data that, until now, have been hard to utilize due to privacy concerns and regulatory constraints. Simultaneously, there is a growing emphasis on enhancing the transparency and accountability of machine learning, including the ability to audit ML deployments. While ML auditing and PPML have both been the subjects of intensive research, they have predominately been examined in isolation. However, their combination is becoming increasingly important. In this work, we introduce Arc, an MPC framework for auditing privacy-preserving machine learning. At the core of our framework is a new protocol for efficiently verifying MPC inputs against succinct commitments at scale. We evaluate the performance of our framework when instantiated with our consistency protocol and compare it to hashing-based and homomorphic-commitment-based approaches, demonstrating that it is up to 10^4x faster and up to 10^6x more concise.

Cryptography and Security