DTIC ADA449059: On Generalized Authorization Problems PDF

On Generalized Authorization Problems*

S. Schwoon†, S. Jha‡, T. Reps‡, S. Stubblebine§

* This work was supported in part by the National Science Foundation under grant CCR-9619219, by the Office of Naval Research under contracts N00014-01-1-0796 and N00014-01-1-0708, and by the Alexander von Humboldt Foundation. Stuart Stubblebine is supported by NSF under contracts CCR 0208983. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes, notwithstanding any copyright notices affixed thereon. The views and conclusions contained herein are those of the authors, and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the above government agencies or the U.S. Government.
† Institutsverbund Informatik, Universität Stuttgart, Breitwiesenstr. 20–22, 70565 Stuttgart, Germany; E-mail: [email protected] stuttgart.de
‡ Comp. Sci. Dept., Univ. of Wisconsin, 1210 W. Dayton St., Madison, WI 53706. E-mail: {jha,[email protected].
§ Stubblebine Research Labs, LLC, 8 Wayne Blvd., Madison, NJ 07940. E-mail: [email protected]

Report Documentation Page (Standard Form 298, Rev. 8-98; Form Approved OMB No. 0704-0188). Report date: 2006. Dates covered: 00-00-2006 to 00-00-2006. Title and subtitle: On Generalized Authorization Problems. Performing organization: University of Wisconsin, Computer Sciences Department, 716 Langdon Street, Madison, WI, 53706. Distribution/availability statement: Approved for public release; distribution unlimited. Security classification of report, abstract, and this page: unclassified. Number of pages: 15.

Abstract

This paper defines a framework in which one can formalize a variety of authorization and policy issues that arise in access control of shared computing resources. Instantiations of the framework address such issues as privacy, recency, validity, and trust. The paper presents an efficient algorithm for solving all authorization problems in the framework; this approach yields new algorithms for a number of specific authorization problems.

1 Introduction

The main issues in access control of shared computing resources are authentication, authorization and enforcement. Identification of principals is handled by authentication. Authorization addresses the following question: should a request $r$ by a specific principal $K$ be allowed? Enforcement addresses the problem of implementing the authorization during an execution. In a centralized system, authorization is based on the closed-world assumption, i.e., all authorized parties are known and trusted. In a distributed system where all the parties are not known a priori, the closed-world assumption is not applicable. Trust management systems [9] address the authorization problem in the context of distributed systems by requiring that authorization and access-control policies be defined explicitly, using an appropriate specification language, and relying on an algorithm to determine when a specific request is allowable. A survey of trust management systems, along with a formal framework for understanding them, is presented in [49]. Several trust management systems, such as Binder [18], Keynote [8], Referee [15], and SPKI/SDSI [19], have been proposed. Our work is presented in the context of SPKI/SDSI, but several aspects of the approach should carry over to other trust management systems and authorization frameworks.

In SPKI/SDSI, principals are the public keys, i.e., the identity of a principal is established by checking the validity of the corresponding public key. In SPKI/SDSI, name certificates define the names available in an issuer's local name space; authorization certificates grant authorizations, or delegate the ability to grant authorizations. The fundamental problem in SPKI/SDSI (or any other trust management system) is the authorization problem (AP), which is defined as follows: given a security policy—which in SPKI/SDSI is represented by a set of name and authorization certificates—can a principal $K$ access resource $R$?

Certificate-chain discovery refers to the problem of finding a "proof" that $K$ can access resource $R$. (In the case of SPKI/SDSI, a proof is a chain of certificates.) If found, the proof can be presented by $K$ to $R$. $R$ checks the validity of the proof, and if the proof is valid, $K$ is allowed access to $R$. Therefore, algorithms for certificate-chain discovery can also be used in frameworks such as proof-carrying authorization [3]. An efficient certificate-chain-discovery algorithm for SPKI/SDSI was presented by Clarke et al. [16]. An improved algorithm was presented by Jha and Reps [24]. The latter algorithm is based on translating SPKI/SDSI certificates to rules in a pushdown system. In [24] it was also demonstrated how this translation enables many other questions to be answered about a security policy expressed as a set of certificates.

In this paper, we generalize the pushdown-systems approach to enable it to address important security-policy issues such as privacy, recency, validity, and trust. For instance, consider the following authorization example: suppose that company X provides additional insurance to cover prescription-drug expenses that are not covered by a patient's health-maintenance organization (HMO). For example, the HMO might have a very high deductible for drugs, which will be covered by the additional insurance. However, company X only wants to provide this service to patients of a certain hospital H. For Alice to be able to buy insurance, she needs to prove to X that she is a patient of H. Suppose that there are two certificate chains that prove that Alice is a patient of H, where one reveals that Alice is a patient in the internal-medicine clinic and the other reveals that Alice is a patient in the AIDS clinic. For obvious reasons Alice will prefer to use the former chain. In other words, Alice prefers a certificate chain that reveals the least amount of information about her. Such privacy-related issues can be addressed in our generalized framework.

In the context of SPKI/SDSI, assume that we are given a metric $\mu$ on certificate chains, and hence on proofs of authorization. The details of the metric depend on the specific issue being addressed. In the generalized authorization problem (GAP) we are given a principal $K$, a set of name and authorization certificates $C$, a resource $R$, and a metric $\mu$ on certificate chains. The question that GAP addresses is the same as AP—i.e., given $C$, is $K$ authorized to access resource $R$?—however, an authorization proof that solves a GAP minimizes or maximizes the given metric (depending on the application). We demonstrate that several security-policy issues in trust management systems can be cast as GAPs with appropriate metrics. In particular, we demonstrate how an extension of pushdown systems, called weighted pushdown systems, can be used to solve such generalized authorization problems.

The algorithm for solving GAPs can be thought of as a generalization of the certificate-chain-discovery algorithm. The general strategy is as follows: the set of labeled SPKI/SDSI certificates is first translated to a weighted pushdown system.¹ After the translation, the answer is obtained by solving a generalized shortest-path problem [27, 46, 34].

¹ In a GAP, each certificate is labeled with a value. However, a label might depend on some global property. For example, for recency policies a certificate's value represents the time the certificate was issued, or last known to be current.

The main contributions of the work reported in the paper are as follows:

• The GAP framework. We define the generalized authorization problem and show how versions of several types of security issues related to authorization can be handled in the GAP framework.

• An efficient algorithm for solving GAPs. We present an efficient algorithm for solving GAPs. This yields several new algorithms for a number of specific authorization problems.

• A prototype implementation. The algorithms described in the paper have been implemented in a library that provides functionality for solving GAPs. The library has been made available on the Internet [42] and may also be used by third parties.

The remainder of the paper is organized as follows: Section 2 provides background on SPKI/SDSI. Section 3 defines the GAP framework and discusses several possible applications of it. Section 4 provides background on pushdown systems (PDSs). Section 5 reviews the connection between SPKI/SDSI and PDSs. Section 6 defines weighted PDSs, and shows how an analysis of the transition system defined by a weighted PDS can be used to solve GAPs. Section 7 returns to the discussion of applications of the GAP framework. Section 8 discusses related work. Appendix A describes an enhancement to the algorithm described in Section 6 to generate witnesses or proofs of authorization.

2 Background on SPKI/SDSI

2.1 Principals and Names

In SPKI/SDSI, all principals are represented by their public keys, i.e., the principal is its public key. A principal can be an individual, process, host, or any other active entity. $\mathcal{K}$ denotes the set of public keys. Specific keys are denoted by $K, K_A, K_B, K'$, etc. An identifier is a word over some alphabet $\Sigma$. The set of identifiers is denoted by $\mathcal{A}$. Identifiers will be written in typewriter font, e.g., $\texttt{A}$ and $\texttt{Bob}$.

A term is a key followed by zero or more identifiers. Terms are either keys, local names, or extended names. A local name is of the form $K\ \texttt{A}$, where $K \in \mathcal{K}$ and $\texttt{A} \in \mathcal{A}$. For example, $K\ \texttt{Bob}$ is a local name. Local names are important in SPKI/SDSI because they create a decentralized name space. The local name space of $K$ is the set of local names of the form $K\ \texttt{A}$. An extended name is of the form $K\ \sigma$, where $K \in \mathcal{K}$ and $\sigma$ is a sequence of identifiers of length greater than one. For example, $K\ \texttt{UW CS faculty}$ is an extended name.

2.2 Certificates

SPKI/SDSI has two types of certificates, or "certs":

Name Certificates (or name certs): A name cert provides a definition of a local name in the issuer's local name space. Only key $K$ may issue or sign a cert that defines a name in its local name space. A name cert $C$ is a signed four-tuple $(K, \texttt{A}, S, V)$. The issuer $K$ is a public key and the certificate is signed by $K$. $\texttt{A}$ is an identifier. The subject $S$ is a term. Intuitively, $S$ gives additional meaning for the local name $K\ \texttt{A}$. $V$ is the validity specification of the certificate. Usually, $V$ takes the form of an interval $[t_1, t_2]$, i.e., the cert is valid from time $t_1$ to $t_2$ inclusive. A validity specification can also take the form of an on-line check to be performed.

Authorization Certificates (or auth certs): An auth cert grants or delegates a specific authorization from an issuer to a subject. Specifically, an auth cert $C$ is a five-tuple $(K, S, D, T, V)$. The issuer $K$ is a public key, which is also used to sign the cert. The subject $S$ is a term. If the delegation bit $D$ is turned on, then a subject receiving this authorization can delegate this authorization to other principals. The authorization specification $T$ specifies the permission being granted; for example, it may specify a permission to read a specific file, or a permission to login to a particular host. The validity specification $V$ for an auth cert is the same as in the case of a name cert.

A request $r$ is a triple $(K', R, T')$ consisting of principals $K'$ and $R$, where $R$ is a resource that $K'$ is trying to access, and an authorization specification $T'$ that $K'$ is trying to exercise on $R$. The goal of certificate-chain discovery is to prove whether the request is valid. As described in Clarke et al. [16], we remove all "useless" certificates as follows:

• Remove every name and auth cert that has an invalid validity specification (e.g., an expired validity specification).

• Remove every auth cert $C = (K, S, D, T, V)$ for which $T$ does not imply the authorization specification $T'$ of the request.

In the rest of the paper, we assume that a request $r = (K', R, T')$ is given and the set of certificates does not contain useless certificates.

We will treat certs as rewrite rules:

• A name cert $(K, \texttt{A}, S, V)$ will be written as $K\ \texttt{A} \longrightarrow S$.

• An auth cert $(K, S, D, T, V)$ will be written as $K\ \square \longrightarrow S\ \square$ if the delegation bit $D$ is turned on; otherwise, it will be written as $K\ \square \longrightarrow S\ \blacksquare$.

In authorization problems, we only consider valid certificates, so the validity specification $V$ for a certificate does not appear as part of its rewrite rule. However, for certain generalized authorization problems $V$ is used to derive weights for rules.

2.3 The Authorization Problem in SPKI/SDSI

In traditional discretionary access control, each protected resource has an associated access-control list, or ACL, describing which principals have various permissions to access the resource. An auth cert $(K, S, D, T, V)$ can be viewed as an ACL entry, where keys or principals represented by the subject $S$ are given permission to access resource $K$.

A term $S$ appearing in the rules can be viewed as a string over the alphabet $\mathcal{K} \cup \mathcal{A}$, in which elements of $\mathcal{K}$ appear only in the beginning. For uniformity, we also refer to strings of the form $S\ \square$ and $S\ \blacksquare$ as terms. Assume that we are given a rewrite rule $L \longrightarrow R$ corresponding to a cert. Consider a term $S = L X$. In this case, the rewrite rule $L \longrightarrow R$ applied to the term $S$ (denoted by $(L \longrightarrow R)(S)$) yields the term $R X$. Therefore, a rule can be viewed as a function from terms to terms, for example,

$$(K_A\ \texttt{Bob} \longrightarrow K_B)(K_A\ \texttt{Bob myFriends}) = K_B\ \texttt{myFriends}$$

Consider two rules $c_1 = (L_1 \longrightarrow R_1)$ and $c_2 = (L_2 \longrightarrow R_2)$, and, in addition, assume that $L_2$ is a prefix of $R_1$, i.e., there exists an $X$ such that $R_1 = L_2 X$. Then the composition $c_2 \circ c_1$ is the rule $L_1 \longrightarrow R_2 X$. For example, consider the two rules:

$c_1$: $K_A\ \texttt{friends} \longrightarrow K_A\ \texttt{Bob myFriends}$
$c_2$: $K_A\ \texttt{Bob} \longrightarrow K_B$

The composition $c_2 \circ c_1$ is $K_A\ \texttt{friends} \longrightarrow K_B\ \texttt{myFriends}$. Two rules $c_1$ and $c_2$ are called compatible if their composition $c_2 \circ c_1$ is well defined.²

² Note that in general the composition operator $\circ$ is not associative. For example, $c_3$ can be compatible with $c_2 \circ c_1$, but $c_3$ might not be compatible with $c_2$. Therefore, $c_3 \circ (c_2 \circ c_1)$ can exist when $(c_3 \circ c_2) \circ c_1$ does not exist. However, when $(c_3 \circ c_2) \circ c_1$ exists, so does $c_3 \circ (c_2 \circ c_1)$; moreover, the expressions are equal when both are defined. Thus, we allow ourselves to omit parentheses and assume that $\circ$ is right associative.

A problem that often needs to be solved is the authorization question: "Given a set of certs $C$ and a request $r = (K', R, T')$, is $K'$ allowed to exercise authorization $T'$ on $R$?" A certificate-chain-discovery algorithm provides more than just a simple yes/no answer to the authorization question; in the case of a yes answer, it identifies a chain of certificates to prove the result. Formally, certificate-chain discovery attempts to find, after removing useless certificates, a certificate chain $c_k \circ \cdots \circ c_1$ such that

$$(c_k \circ \cdots \circ c_1)(R\ \square) \in \{K'\ \square,\ K'\ \blacksquare\}.$$

Intuitively, $(c_k \circ \cdots \circ c_1)$ represents a path from $R$, the resource, to either $K'\ \square$ or $K'\ \blacksquare$, representing "permission for $K'$ to access" with and without delegation, respectively; the elimination of useless certs ensures that the chain represents the authorization specification $T'$.

Clarke et al. [16] presented an algorithm for certificate-chain discovery in SPKI/SDSI with $O(n_K^2\,|C|)$ time complexity, where $n_K$ is the number of keys and $|C|$ is the sum of the lengths of the right-hand sides of all rules in $C$. Jha and Reps [24] presented a different algorithm, based on the theory of pushdown systems.

3 The Generalized Authorization Problem

In this section, we formally define the generalized authorization problem, or GAP. Later in the section, we show that several issues, such as privacy, validity, recency, and trust, can be formulated in the GAP framework. In this framework, certificates are labeled with weights that are drawn from a bounded idempotent semiring.

Definition 3.1 A bounded idempotent semiring is a quintuple $(D, \oplus, \otimes, 0, 1)$, where $D$ is a set, $0$ and $1$ are elements of $D$, and $\oplus$ (the combine operation) and $\otimes$ (the extend operation) are binary operators on $D$ such that

1. $(D, \oplus)$ is a commutative monoid with $0$ as its neutral element, and $\oplus$ is idempotent (i.e., for all $a \in D$, $a \oplus a = a$).

2. $(D, \otimes)$ is a monoid with the neutral element $1$.

3. $\otimes$ distributes over $\oplus$, i.e. for all $a, b, c \in D$ we have
$$a \otimes (b \oplus c) = (a \otimes b) \oplus (a \otimes c) \quad\text{and}\quad (a \oplus b) \otimes c = (a \otimes c) \oplus (b \otimes c).$$

4. $0$ is an annihilator with respect to $\otimes$, i.e., for all $a \in D$, $a \otimes 0 = 0 = 0 \otimes a$.

5. In the partial order $\sqsubseteq$ defined by: $\forall a, b \in D$, $a \sqsubseteq b$ iff $a \oplus b = a$, there are no infinite descending chains.

A weighted SPKI/SDSI system $WSS$ is a 3-tuple $(C, \mathcal{S}, f)$, where $C$ is a set of certs, $\mathcal{S} = (D, \oplus, \otimes, 0, 1)$ is a bounded idempotent semiring, and $f: C \to D$ assigns weights to the certs in $C$. We extend the function $f$ to certificate chains in a natural way, i.e., given a certificate chain $c_k \circ c_{k-1} \circ \cdots \circ c_1$, $f(c_k \circ c_{k-1} \circ \cdots \circ c_1)$ is defined as $f(c_1) \otimes \cdots \otimes f(c_{k-1}) \otimes f(c_k)$.

Definition 3.2 Given a weighted SPKI/SDSI system $WSS = (C, \mathcal{S}, f)$ and a request $r = (K', R, T')$, $\mathit{proof}(C, r)$ denotes the set of certificate chains that prove that request $r$ can be fulfilled. Formally, $\mathit{proof}(C, r)$ is the set of certificate chains $c_k \circ \cdots \circ c_1$ not containing any useless certificates such that:

$$(c_k \circ \cdots \circ c_1)(R\ \square) \in \{K'\ \square,\ K'\ \blacksquare\}$$

The generalized authorization problem (GAP) asks the following two questions: (1) Is $\mathit{proof}(C, r)$ non-empty? (2) If $\mathit{proof}(C, r)$ is non-empty, then find the following two quantities:

• $\delta := \bigoplus \{ f(cc) \mid cc \in \mathit{proof}(C, r) \}$;

• a witness set of certificate chains $\omega \subseteq \mathit{proof}(C, r)$ such that $\bigoplus_{cc \in \omega} f(cc) = \delta$.

Notice that the extender operation $\otimes$ is used to calculate the value of a certificate chain. The value of a set of certificate chains is computed using the combiner operation $\oplus$. In general, it is enough for $\omega$ to contain only a finite set of minimal elements (i.e., minimal with respect to the partial order $\sqsubseteq$). Intuitively, GAP attempts to find a set of certificate chains proving that $K'$ can access resource $R$ such that the combination (using the operator $\oplus$) of their weights is minimal. (Definition 3.2 actually defines a more general machinery than required for the SPKI/SDSI certificate-chain-discovery problem discussed in Sections 2.2 and 2.3; the problem defined here allows a witness set of certificate chains to be identified.)

We now demonstrate that several authorization-related problems can be cast in this framework.

Privacy-preserving certificate chains

We return to the example described in the Introduction, in which company X offers additional insurance to patients of a certain hospital H. The certificates relevant to the problem are shown in Figure 1. $K_X\ \square$ represents the service offered, i.e., the additional insurance offered by company X. The filled square represents the fact that this authorization cannot be delegated, e.g., an eligible patient cannot delegate the permission to buy insurance to one of their friends. The principals corresponding to the AIDS and internal-medicine clinics in hospital H are denoted by $K_{\text{H-AIDS}}$ and $K_{\text{H-IM}}$. Alice is a patient in both clinics.

Certificates                                                                          weights
$K_X\ \square \longrightarrow K_H\ \texttt{patient}\ \blacksquare$                    (1)   I
$K_H\ \texttt{patient} \longrightarrow K_{\text{H-AIDS}}\ \texttt{patient}$           (2)   I
$K_H\ \texttt{patient} \longrightarrow K_{\text{H-IM}}\ \texttt{patient}$             (3)   I
$K_{\text{H-AIDS}}\ \texttt{patient} \longrightarrow K_{\text{Alice}}$                (4)   S
$K_{\text{H-IM}}\ \texttt{patient} \longrightarrow K_{\text{Alice}}$                  (5)   I

Figure 1. A set of weighted certificates.

Suppose that Alice wants to buy the insurance. In this case, both $(4) \circ (2) \circ (1)$ and $(5) \circ (3) \circ (1)$ are equal to $K_X\ \square \longrightarrow K_{\text{Alice}}\ \blacksquare$. However, the certificate chain $(4) \circ (2) \circ (1)$ reveals that Alice probably has AIDS, which is information that Alice may not wish to reveal to company X. Therefore, Alice would prefer to offer the certificate chain $(5) \circ (3) \circ (1)$ to company X; it proves that she is authorized to buy additional insurance, but reveals the least amount of information about her.

Privacy can be modeled in the GAP framework using the semiring $(D, \oplus, \otimes, 0, 1)$, defined as follows: $D = \{I, S\}$, where $I$ and $S$ stand for "insensitive" and "sensitive", respectively. The $0$ and $1$ elements are $S$ and $I$, respectively. The $\oplus$ and $\otimes$ operators are defined as follows (where $x$ denotes either $S$ or $I$):

$$I \oplus x = x \oplus I = I \quad\text{and}\quad S \oplus x = x \oplus S = x$$
$$S \otimes x = x \otimes S = S \quad\text{and}\quad I \otimes x = x \otimes I = x$$

It is easy to check that conditions 1–4 of Definition 3.1 are satisfied. Condition 5 is trivially satisfied because $D$ is finite. The weights for the certificates are shown in Figure 1: certificate (4), $K_{\text{H-AIDS}}\ \texttt{patient} \longrightarrow K_{\text{Alice}}$, is labeled $S$ because it reveals that Alice is a patient in the AIDS clinic; all other certificates are labeled $I$. The weights of the certificate chain $(4) \circ (2) \circ (1)$ and $(5) \circ (3) \circ (1)$ are $I \otimes I \otimes S = S$ and $I \otimes I \otimes I = I$, respectively. Obviously, Alice prefers the certificate chain with weight $I$. In Section 6, we show how Alice can discover such a certificate chain.

Maximally-valid certificate chain. Let $V(c)$ be the expiration value of cert $c$, i.e., the cert $c$ will expire at time $T_{\text{current}} + V(c)$, where $T_{\text{current}}$ is the current time. The expiration value of a certificate chain $c_k \circ c_{k-1} \circ \cdots \circ c_1$ is $\min_{i=1}^{k} V(c_i)$. Suppose that Alice wants to login to host H. If Alice provides a certificate chain that is only valid for two minutes, then she will be logged off by the host after two minutes. Thus, Alice wants to find a certificate chain that authorizes her to login to H, but has the maximum expiration value among all such certificate chains.

Most-recent certificate chain. Let $R(c)$ be the time (relative to the current time) when the cert $c$ was issued or an on-line check was performed on cert $c$, i.e., $T_{\text{current}} - R(c)$ is the actual time of issue or the last on-line check. We call $R(c)$ the recency associated with cert $c$. The recency of a certificate chain $c_k \circ c_{k-1} \circ \cdots \circ c_1$ is equal to $\max_{i=1}^{k} R(c_i)$. Suppose that Alice wants to login to host H. For risk-reduction purposes, host H might mandate the use of a certificate chain whose recency is no more than ten minutes. In this case, Alice wishes to find a certificate chain that authorizes her to login to H and has the minimum recency among all such chains. Let $c_k \circ c_{k-1} \circ \cdots \circ c_1$ be the certificate chain with minimum recency. If $\max_{i=1}^{k} R(c_i)$ is less than or equal to ten minutes, then Alice can use the certificate chain to login to H.

Certificate chains with maximal trust

Assume that each certificate $c$ is assigned a trust level $Tr(c)$ by the issuer of the certificate. Intuitively, $Tr(c)$ denotes the confidence that the issuer of $c$ has in the relationship expressed by the certificate $c$. The trust level of a certificate chain $c_k \circ c_{k-1} \circ \cdots \circ c_1$ is $\bigotimes_{i=1}^{k} Tr(c_i)$, where $\otimes$ is defined in Table 1. Suppose that Alice wants to use server S, but S requires a certificate chain that has a trust level above a certain value $v$. In this case, Alice wants to find a certificate chain that authorizes her to use S, but has the maximal trust level among all such chains. If such a certificate chain has a trust level above $v$, Alice can use S.

            $D$                       $\oplus$    $\otimes$    $0$          $1$
Validity    $\cup\ \{\pm\infty\}$     max         min          $-\infty$    $+\infty$
Recency     $\cup\ \{\infty\}$        min         max          $\infty$     $0$
Trust       $\{N, L, M, H\}$          $\sqcap$    $\sqcup$     $N$          $H$

Table 1. Semirings for validity, recency, and trust.

Formalization using semirings. The semirings for the three cases discussed above are shown in Table 1. In the case of the maximal-trust example, the trust levels are drawn from a totally ordered set with four elements $\{N, L, M, H\}$, where $N \sqsupseteq L \sqsupseteq M \sqsupseteq H$. Elements $L$, $M$, and $H$ denote low, medium, and high levels of trust, respectively. The element $N$ stands for "no link".³ The join $\sqcup$ and the meet $\sqcap$ operator on this totally ordered set are defined as follows (where $x$ and $y$ are arbitrary elements of $\{N, L, M, H\}$):

$$x \sqcup y = \begin{cases} x & \text{if } x \sqsupseteq y \\ y & \text{otherwise} \end{cases} \qquad x \sqcap y = \begin{cases} y & \text{if } x \sqsupseteq y \\ x & \text{otherwise} \end{cases}$$

³ Note that "highest level of trust" is denoted by the element $H$, which is lowest in the total order.

4 Pushdown Systems

A pushdown system is a transition system whose states involve a stack of unbounded length.

Definition 4.1 A pushdown system is a triple $\mathcal{P} = (P, \Gamma, \Delta)$, where $P$ and $\Gamma$ are finite sets called the control locations and the stack alphabet, respectively. A configuration of $\mathcal{P}$ is a pair $\langle p, w \rangle$, where $p \in P$ and $w \in \Gamma^*$. $\Delta$ contains a finite number of rules of the form $\langle p, \gamma \rangle \hookrightarrow_{\mathcal{P}} \langle p', w \rangle$, where $p, p' \in P$, $\gamma \in \Gamma$, and $w \in \Gamma^*$, which define a transition relation between configurations of $\mathcal{P}$ as follows:

If $r = \langle p, \gamma \rangle \hookrightarrow_{\mathcal{P}} \langle p', w \rangle$, then $\langle p, \gamma w' \rangle \overset{\langle r \rangle}{\Longrightarrow}_{\mathcal{P}} \langle p', w w' \rangle$ for all $w' \in \Gamma^*$.

We also write $c \Rightarrow_{\mathcal{P}} c'$ to express that there is some rule $r$ such that $c \overset{\langle r \rangle}{\Longrightarrow}_{\mathcal{P}} c'$, and we omit the index $\mathcal{P}$ if $\mathcal{P}$ is understood. The reflexive and transitive closure of $\Rightarrow$ is written $\Rightarrow^*$. Given a set of configurations $C$, we define $pre^*(C) := \{ c' \mid \exists c \in C : c' \Rightarrow^* c \}$ and $post^*(C) := \{ c' \mid \exists c \in C : c \Rightarrow^* c' \}$ to be the sets of configurations that are backwards and forwards reachable from elements of $C$, respectively.

Without loss of generality, we assume henceforth that for every $\langle p, \gamma \rangle \hookrightarrow \langle p', w \rangle$ we have $|w| \le 2$; this is not restrictive because every pushdown system can be simulated by another one that obeys this restriction and is larger by only a constant factor; e.g., see [24].

Because pushdown systems have infinitely many configurations, we need some symbolic means to represent sets of configurations. We will use finite automata for this purpose.

Definition 4.2 Let $\mathcal{P} = (P, \Gamma, \Delta)$ be a pushdown system. A $\mathcal{P}$-automaton is a quintuple $\mathcal{A} = (Q, \Gamma, \to, P, F)$ where $Q \supseteq P$ is a finite set of states, $\to\ \subseteq Q \times \Gamma \times Q$ is the set of transitions, and $F \subseteq Q$ are the final states. The initial states of $\mathcal{A}$ are the control locations $P$. A configuration $\langle p, w \rangle$ is accepted by $\mathcal{A}$ if $p \xrightarrow{\,w\,}^{*} q$ for some final state $q$. A set of configurations of $\mathcal{P}$ is regular if it is recognized by some $\mathcal{P}$-automaton. (If $\mathcal{P}$ is understood, we omit the prefix $\mathcal{P}$ and merely refer to "automaton".)

A convenient property of regular sets of configurations is that they are closed under forward and backward reachability. In other words, given an automaton $\mathcal{A}$ that accepts the set $C$, one can construct automata $\mathcal{A}_{pre^*}$ and $\mathcal{A}_{post^*}$ that accept $pre^*(C)$ and $post^*(C)$, respectively. The general idea behind the algorithm for $pre^*$ [11, 20] is as follows:

Let $\mathcal{P} = (P, \Gamma, \Delta)$ be a pushdown system and $\mathcal{A} = (Q, \Gamma, \to_0, P, F)$ be a $\mathcal{P}$-automaton accepting a set of configurations $C$. Without loss of generality we assume that $\mathcal{A}$ has no transition leading to an initial state. $pre^*(C)$ is obtained as the language of an automaton $\mathcal{A}_{pre^*} = (Q, \Gamma, \to, P, F)$ derived from $\mathcal{A}$ by a saturation procedure. The procedure adds new transitions to $\mathcal{A}$ according to the following rule:

If $\langle p, \gamma \rangle \hookrightarrow \langle p', w \rangle$ and $p' \xrightarrow{\,w\,}^{*} q$ in the current automaton, add a transition $(p, \gamma, q)$.

In [20] an efficient implementation of this procedure is given, which requires $O(|Q|^2\,|\Delta|)$ time and $O(|Q|\,|\Delta| + |{\to_0}|)$ space. Moreover, another procedure (and implementation) are presented for constructing a $\mathcal{P}$-automaton that accepts $post^*(C)$. In the following, we show that extensions of these procedures provide efficient algorithms for discovering the certificate chains needed in generalized authorization problems, such as those discussed in Section 3. We will present these extensions for $pre^*$; the same basic ideas apply to $post^*$, but this is omitted for lack of space.

5 The Connection Between SPKI/SDSI and Pushdown Systems

The following correspondence between SPKI/SDSI and pushdown systems was presented in [24]: let $C$ be a (finite) set of certificates such that $\mathcal{K}_C$ and $\mathcal{I}_C$ are the keys and identifiers that appear in $C$, respectively; with $C$ we associate the pushdown system $\mathcal{P}_C = (\mathcal{K}_C, \mathcal{I}_C \cup \{\square, \blacksquare\}, \Delta_C)$, i.e., the keys of $C$ are the control locations and the identifiers form the stack alphabet; the rule set $\Delta_C$ is defined as follows:

• if $C$ contains a name cert $K\ \texttt{A} \longrightarrow K'\ \sigma$ (where $\sigma$ is a sequence of identifiers), then $\Delta_C$ contains a rule $\langle K, \texttt{A} \rangle \hookrightarrow \langle K', \sigma \rangle$;

• if $C$ contains an auth cert $K\ \square \longrightarrow K'\ \sigma\, b$ (where $b \in \{\square, \blacksquare\}$), then $\Delta_C$ contains a rule $\langle K, \square \rangle \hookrightarrow \langle K', \sigma\, b \rangle$.

$\langle K_X, \square \rangle \hookrightarrow \langle K_H, \texttt{patient}\ \blacksquare \rangle$                     (1)
$\langle K_H, \texttt{patient} \rangle \hookrightarrow \langle K_{\text{H-AIDS}}, \texttt{patient} \rangle$          (2)
$\langle K_H, \texttt{patient} \rangle \hookrightarrow \langle K_{\text{H-IM}}, \texttt{patient} \rangle$            (3)
$\langle K_{\text{H-AIDS}}, \texttt{patient} \rangle \hookrightarrow \langle K_{\text{Alice}}, \varepsilon \rangle$  (4)
$\langle K_{\text{H-IM}}, \texttt{patient} \rangle \hookrightarrow \langle K_{\text{Alice}}, \varepsilon \rangle$    (5)

Figure 2. The PDS rules that correspond to Figure 1.

For instance, consider the set of certificates $C$ from Figure 1. The corresponding pushdown system $\mathcal{P}_C$ has the control locations $\{K_X, K_H, K_{\text{H-AIDS}}, K_{\text{H-IM}}, K_{\text{Alice}}\}$, the stack alphabet $\{\texttt{patient}, \square, \blacksquare\}$, and the set of rules listed in Figure 2.

The usefulness of this correspondence stems from the following simple observation: A configuration $\langle K, \sigma \rangle$ of $\mathcal{P}_C$ can reach another configuration $\langle K', \sigma' \rangle$ if and only if $C$ contains a chain of certificates that, when applied to $K\ \sigma$, yield $K'\ \sigma'$. For instance, in the example above Alice can prove that she has the right to buy additional insurance because $\langle K_X, \square \rangle \Rightarrow^* \langle K_{\text{Alice}}, \blacksquare \rangle$. In the authorization problem, we are given a set of certs $C$ and a request $(K', R, T')$. In terms of the PDS $\mathcal{P}_C$ corresponding to certificate set $C$, the authorization problem can be stated as follows: $K'$ should be granted access to $R$ iff the condition $\langle R, \square \rangle \in pre^*(\{\langle K', \square \rangle, \langle K', \blacksquare \rangle\})$ holds. Thus, in the medical example, we wish to determine whether $\langle K_X, \square \rangle \in pre^*(S)$, where $S = \{\langle K_{\text{Alice}}, \square \rangle, \langle K_{\text{Alice}}, \blacksquare \rangle\}$. The automaton shown in Figure 3(a) accepts the set $S$. The set $pre^*(S)$ is shown in Figure 3(b). Because there is a transition on the symbol $\square$ from state $K_X$ to the accepting state $s$, $\langle K_X, \square \rangle \in pre^*(S)$. In other words, Alice is authorized to buy additional insurance. (The extra annotations $I$ (insensitive) and $S$ (sensitive) on the transitions indicate whether the transitions involve sensitive information. The algorithm for deriving these labels is presented in Section 6.)

[Figure 3: two automaton diagrams over the states $K_X$, $K_H$, $K_{\text{H-AIDS}}$, $K_{\text{H-IM}}$, $K_{\text{Alice}}$ and $s$, with transitions labeled $\texttt{patient}$ or $\{\square, \blacksquare\}$ and annotated $[I]$ or $[S]$.]

Figure 3. (a) Automaton representing the configurations $S = \{\langle K_{\text{Alice}}, \square \rangle, \langle K_{\text{Alice}}, \blacksquare \rangle\}$. (b) Automaton representing the configurations in $pre^*(S)$.

6 Solving the Generalized Authorization Problem

The types of problems treated in [24] could be characterized as having a qualitative nature; they answer questions such as "Is a given principal allowed to access a given resource?" In this section, we show how to answer questions that have an additional quantitative component, e.g. "How long is a given principal allowed to access a given resource?" To do so, we consider pushdown systems whose rules carry weights.

6.1 Weighted Pushdown Systems

We consider pushdown systems whose rules are given values from some domain of weights. The weight domains of interest are the bounded idempotent semirings from Definition 3.1.

Definition 6.1 A weighted pushdown system is a triple $\mathcal{W} = (\mathcal{P}, \mathcal{S}, f)$ such that $\mathcal{P} = (P, \Gamma, \Delta)$ is a pushdown system, $\mathcal{S} = (D, \oplus, \otimes, 0, 1)$ is a bounded idempotent semiring, and $f: \Delta \to D$ is a function that assigns a value from $D$ to each rule of $\mathcal{P}$.

Let $\sigma \in \Delta^*$ be a sequence of rules. Using $f$, we can associate a value to $\sigma$, i.e., if $\sigma = [r_1, \ldots, r_k]$, then we define $v(\sigma) := f(r_1) \otimes \cdots \otimes f(r_k)$. Moreover, for any two configurations $c$ and $c'$ of $\mathcal{P}$, we let $path(c, c')$ denote the set of all rule sequences $[r_1, \ldots, r_k]$ that transform $c$ into $c'$, i.e., $c \overset{\langle r_1 \rangle}{\Longrightarrow} \cdots \overset{\langle r_k \rangle}{\Longrightarrow} c'$.

Definition 6.2 Given a weighted pushdown system $\mathcal{W} = (\mathcal{P}, \mathcal{S}, f)$, where $\mathcal{P} = (P, \Gamma, \Delta)$, and a regular set of configurations $C \subseteq P \times \Gamma^*$, the generalized pushdown reachability (GPR) problem is to find for each $c \in P \times \Gamma^*$:

• $\delta(c) := \bigoplus \{ v(\sigma) \mid \sigma \in path(c, c'),\ c' \in C \}$;

• a witness set of paths $\omega(c) \subseteq \bigcup_{c' \in C} path(c, c')$ such that $\bigoplus_{\sigma \in \omega(c)} v(\sigma) = \delta(c)$.

In general, it is enough for $\omega(c)$ to contain only a finite set of paths whose values are minimal elements of $\{ v(\sigma) \mid \sigma \in path(c, c'),\ c' \in C \}$, i.e., minimal with respect to the partial order $\sqsubseteq$ defined in Definition 3.1(5).

For the remainder of this section, let $\mathcal{W}$ denote a fixed weighted pushdown system: $\mathcal{W} = (\mathcal{P}, \mathcal{S}, f)$, where $\mathcal{P} = (P, \Gamma, \Delta)$ and $\mathcal{S} = (D, \oplus, \otimes, 0, 1)$; let $C$ denote a fixed regular set of configurations, represented by a $\mathcal{P}$-automaton $\mathcal{A} = (Q, \Gamma, \to_0, P, F)$ such that $\mathcal{A}$ has no transition leading to an initial state.

The GPR problem is a multi-target meet-over-all-paths problem on a graph. The vertices of the graph are the configurations of $\mathcal{P}$, and the edges are defined by $\mathcal{P}$'s transition relation. The target vertices are the vertices in $C$. Both the graph and the set of target vertices can be infinite, but have some built-in structure to them; in particular, $C$ is a regular set.

Because the GPR problem concerns infinite graphs, and not just an infinite set of paths, it differs from other work on meet-over-all-paths problems. As in the (ordinary) pushdown-reachability problem [11, 20], the infinite nature of the problem is addressed by reporting the answer in an indirect fashion, namely, in the form of an annotated automaton. An answer automaton without its annotations will be identical to an $\mathcal{A}_{pre^*}$ automaton created by the algorithm of [20]. For each $c \in pre^*(C)$, the values of $\delta(c)$ and $\omega(c)$ can be read off from the annotations by following all accepting paths for $c$ in the automaton; for $c \notin pre^*(C)$, the values of $\delta(c)$ and $\omega(c)$ are $0$ and $\emptyset$, respectively.

The solution to the GPR problem is presented in several stages:

• We first define a language that characterizes the sequences of transitions that can be made by a pushdown system $\mathcal{P}$ and automaton $\mathcal{A}$ for $C$.

• We then turn to weighted pushdown systems and the GPR problem. We use the language characterizations of transition sequences, together with previously known results on a certain kind of grammar problem [46, 34] to obtain a solution to the GPR problem.

• However, the solution based on grammars is somewhat inefficient; to improve the performance, we specialize the computation to our case, ending up with an algorithm for creating an annotated automaton that is quite similar to the $pre^*$ algorithm from [20].

6.2 Languages that Characterize Transition Sequences

In this section, we make some definitions that will aid in reasoning about the set of paths that lead from a configuration $c$ to configurations in a regular set $C$. We call this set the reachability witnesses for $c \in P \times \Gamma^*$ with respect to $C$: $\mathit{ReachabilityWitnesses}(c, C) = \bigcup_{c' \in C} path(c, c')$.

Proof: [Sketch] To shrink the stack by removing the stack symbol on the left-hand side of each rule of $\mathcal{P}_{\mathcal{A}}$, there must be a transition sequence that removes each of the symbols that appear in the stack component of the rule's right-hand side. In other words, a pop sequence for the left-hand-side stack symbol must involve a pop sequence for each right-hand-side stack symbol.

The left-hand and right-hand sides of the productions in Figure 4 reflect the pop-sequence obligations incurred by the corresponding rule of $\mathcal{P}_{\mathcal{A}}$. $\Box$

To capture the set $\mathit{ReachabilityWitnesses}(\langle p, \gamma_1 \gamma_2 \ldots \gamma_n \rangle, C)$, where $C$ is recognized by automaton $\mathcal{A}$, we define a context-free language given by the set of productions shown in Figure 5.

This language captures all ways in which PDS
PA can accept hp;(cid:13)1(cid:13)2:::(cid:13)ni: the set of reach- ItisconvenienttothinkofPDSP andautomatonA(for ability witnesses for hp;(cid:13)1(cid:13)2:::(cid:13)ni corresponds to C) as being combined in sequeSnce, to create a combined the complete derivation trees derivable from nontermi- PDS,whichwewillcallPA. PA’sstatesareP [Q=Q, nal Accepted[(cid:13)1(cid:13)2:::(cid:13)n](p). The subtree rooted at anditsrulesarethoseofP,augmentedwitharulehq;(cid:13)i,! PS(qi(cid:0)1;(cid:13)i;qi) givesthe pop sequence that PA performs to hq0;(cid:15)iforeachtransitionq (cid:0)!(cid:13) q0 inA’stransitionset! . consumesymbol(cid:13)i. (Iftherearenoreachabilitywitnesses 0 We say that a configuration c = hp;(cid:13)1(cid:13)2:::(cid:13)ni is ac- for hp;(cid:13)1(cid:13)2:::(cid:13)ni, there are no complete derivation trees cepted by PA if there is a path to a configuration hqf;(cid:15)i withrootAccepted[(cid:13)1(cid:13)2:::(cid:13)n](p).) such that q 2 F. Note that because A has no transitions f 6.3 WeightedPDSsandAbstractGrammarProb- leading to initial states, PA’s behavior during an accept- lems ingruncanbedividedintotwophases—transitionsduring whichPAmimicsP,followedbytransitionsduringwhich Turning now to weighted PDSs, we will consider the PAmimicsA: oncePAreachesastatein(Q(cid:0)P),itcan onlyperformasequenceofpops, possiblyreachingastate weighted version of PA, denoted by WA, in which in F. If the run of PA does reach a state in F, in terms weighted PDS W is combined with A, and each rule hq;(cid:13)i,!hq0;(cid:15)ithatwasaddedduetotransitionq (cid:0)!(cid:13) q0in of the features of the original P and A, the second phase correspondstoautomatonAacceptingsome configuration A’stransitionset!0 isassignedtheweight1. c0thathasbeenreachedbyP,startinginconfigurationc.In We are able to reason about semiring sums ((cid:8)) of otherwords,PAacceptsaconfigurationciffc2pre(cid:3)(C). 
weightson thepaths that arecharacterizedbythe context- freegrammarsdefinedaboveusingthefollowingconcept: The first language that we define characterizes the pop sequences of PA. A pop sequence for q 2 Q, (cid:13) 2 (cid:0), Definition6.3 [34]Let(S;u)beasemilattice. Anabstract and q0 2 Q is a sequence of PA’s transitions that, and grammar over (S;u) is a collection of context-free gram- (i) starts in a configuration hq;(cid:13)i, and (ii) ends in a con- marproductions,whereeachproduction(cid:18)hastheform figurationhq0;"i. Thefamilyofpopsequencesforagiven q,(cid:13),andq0canbecharacterizedbythecompletederivation X0 !g(cid:18)(X1;::: ;Xk): trees4 derivedfromnonterminalPS(q;(cid:13);q0),usingthegram- Parentheses,commas,andg (where(cid:18)isaproduction)are marshowninFigure4. (cid:18) terminal symbols. Every production (cid:18) is associated with Theorem6.1 PDS PA has a pop sequence for q, (cid:13), and a function g(cid:18): Sk ! S. Thus, every string (cid:11) of termi- q0 iffnonterminal PS(q;(cid:13);q0) of thegrammar shownin Fig- nal symbols derived in this grammar (i.e., the yield of a ure 4 has a complete derivation tree. Moreover, for each complete derivation tree) denotes a composition of func- derivation tree with root PS(q;(cid:13);q0), a preorder listing of tions, and corresponds to a unique value in S, which we the derivation tree’s production instances (where Figure 4 callvalG((cid:11))(orsimplyval((cid:11))whenGisunderstood).Let defines the correspondence between productions and PDS LG(X) denote the strings of terminals derivable from a rules)givesasequenceofrulesforapopsequenceforq,(cid:13), nonterminal X. The abstract grammarproblem is to com- and q0; and every such sequence of rules has a derivation pute,foreachnonterminalX,thevalue treewithrootPS(q;(cid:13);q0). m (X):= u val ((cid:11)): G G 4Aderivationtreeiscompleteifithasisaterminalsymbolateachleaf. (cid:11)2LG(X) 8 Production foreach (1) PS(q;(cid:13);q0) ! 
(cid:15) q (cid:0)!(cid:13) q0 2!0 (2) PS(p;(cid:13);p0) ! (cid:15) hp;(cid:13)i,!hp0;"i2(cid:1); p2P (3) PS(p;(cid:13);q) ! PS(p0;(cid:13)0;q) hp;(cid:13)i,!hp0;(cid:13)0i2(cid:1); p2P; q 2Q (4) PS(p;(cid:13);q) ! PS(p0;(cid:13)0;q0) PS(q0;(cid:13)00;q) hp;(cid:13)i,!hp0;(cid:13)0(cid:13)00i2(cid:1); p2P; q;q0 2Q Figure4.Acontext-freelanguageforthepopsequencesofPA,andthePArulesthatcorrespondto eachproduction. Production foreach (1) Accepting[(cid:13)1(cid:13)2:::(cid:13)n](p;q) ! PS(p;(cid:13)1;q1) PS(q1;(cid:13)2;q2) ::: PS(qn(cid:0)1;(cid:13)n;q) qi 2Q; for1(cid:20)i(cid:20)n(cid:0)1; andq2F (2) Accepted[(cid:13)1(cid:13)2:::(cid:13)n](p) ! Accepting[(cid:13)1(cid:13)2:::(cid:13)n](p;q) q2F Figure5.Setofproductions. Because the complete derivation trees with root 2. The distributivity of each of the production functions Accepted[(cid:13) (cid:13) :::(cid:13) ] encodethetransitionsequencesby g , :::, g overarbitrary,non-empty,finiteindexsets 1 2 n (p) 1 6 which WA accepts hp;(cid:13) (cid:13) :::(cid:13) i, to cast the GPR as a followsfromrepeatedapplicationofDefinition3.1(3). 1 2 n grammar problem, we merely have to attach appropriate productionfunctionstotheproductionssothatforeachrule 3. Productionfunctionsg3,:::,g6 arestrictin0ineach sequence(cid:27), andcorrespondingderivationtree(withyield) argument because 0 is an annihilator with respect to (cid:11),wehavev((cid:27))=valG((cid:11)). ThisisdoneinFigure6: note (cid:10)(Definition3.1(4)). Productionfunctionsg1 andg2 are constants (i.e., functions with no arguments), and howfunctionsg ,g ,andg placef(r)atthebeginningof 2 3 4 hencemeettherequiredconditiontrivially. thesemiring-productexpression;thiscorrespondstoapre- orderlistingofaderivationtree’sproductioninstances(cf. Thus, one algorithm for solving the GPR problem Theorem6.1). 
for a given weighted PDS W, initial configuration To solve the GPR problem, we appeal to the following hp;(cid:13) (cid:13) :::(cid:13) i,andregularsetC (representedbyautoma- theorem: 1 2 n tonA)isasfollows: Theorem6.2 [46, 34] The abstract grammar problem for (cid:15) CreatethecombinedweightedPDSWA. Gand(S;u)canbesolvedbyaniterativecomputationthat finds the maximum fixed point, when the following condi- (cid:15) Define the corresponding abstract grammar problem tionshold: accordingtotheschemashowninFigure6. 1. The semilattice (S;u) has no infinite descending (cid:15) Solve this abstract grammar problem by finding the chains. maximum fixed point using chaotic iteration: for eachnonterminalX,thefixed-point-findingalgorithm 2. Everyproductionfunctiong inGisdistributive,i.e., (cid:18) maintainsa valuel(X), which is the current estimate for X’s value in the maximum fixed-point solution; g( u x ;::: ; u x )= u g(x ;::: ;x ) i1 ik i1 ik initially, all l(X)values are set to 0; l(X) is updated i12I1 ik2Ik (i1;:::;ik)2I1(cid:2)(cid:1)(cid:1)(cid:1)(cid:2)Ik wheneveravaluel(Y)changes,foranyY usedonthe forarbitrary,non-empty,finiteindexsetsI1;::: ;Ik. right-hand side of a production whose left-hand-side nonterminalisX. 3. Everyproductionfunctiong inGisstrictin0ineach (cid:18) argument. 6.4 AMoreEfficientAlgorithmfortheGPRProb- lem The abstract grammar problem givenin Figure 6 meets theconditionsofTheorem6.2because The approach given in the previous section is not very 1. ByDefinition3.1, the(cid:8)operatorisassociative,com- efficient: for a configuration hp;(cid:13) (cid:13) :::(cid:13) i, it takes 1 2 n mutative, and idempotent; hence (D;(cid:8)) is a semilat- (cid:2)(jQjn(cid:0)1jFj) time and space just to create the grammar tice. By Definition 3.1(5), (D;(cid:8)) has no infinite de- productions in Figure 6 with left-hand-side nonterminal scendingchains. Accepting[(cid:13) (cid:13) :::(cid:13) ] . However, we can improve on 1 2 n (p;q) 9
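The chaotic-iteration procedure of Section 6.3, written out as an added example (this is not code from the paper): it computes $l(X)$ for the pop-sequence nonterminals of Figure 4 and then combines them along automaton paths as in Figure 5 to obtain $\delta(c)$. Assumptions: a validity semiring over expiry days with $\oplus = \max$, $\otimes = \min$, $0 = 0$ and $1 = \infty$; production functions taken as the semiring product of the rule weight with the right-hand-side values; a round-robin iteration order; and constructed key names, rules and weights.

```python
import math
from functools import reduce
from itertools import product

ZERO, ONE = 0, math.inf      # semiring 0 and 1 (assumed validity semiring)
plus, times = max, min       # (+) keeps the best chain, (x) the earliest expiry

def solve_pop_sequences(rules, trans, states):
    """Chaotic iteration for l(PS(q, g, q')); a missing key stands for ZERO."""
    l = {}
    get = lambda x: l.get(x, ZERO)
    for (q, g, q2) in trans:                  # production (1): weight 1
        l[(q, g, q2)] = ONE
    changed = True
    while changed:                            # round-robin until the fixed point
        changed = False
        for (p, g, p2, w, f) in rules:        # rule <p,g> -> <p2,w> with weight f
            if len(w) == 0:                   # production (2): pop rule
                cands = [((p, g, p2), f)]
            elif len(w) == 1:                 # production (3)
                cands = [((p, g, q), times(f, get((p2, w[0], q)))) for q in states]
            else:                             # production (4)
                cands = [((p, g, q), times(f, times(get((p2, w[0], m)), get((m, w[1], q)))))
                         for m, q in product(states, states)]
            for x, val in cands:
                new = plus(get(x), val)
                if new != get(x):
                    l[x], changed = new, True
    return l

def delta(l, states, final, p, stack):
    """delta(<p, stack>): (+) over accepting paths of the (x) of PS values."""
    vec = {p: ONE}
    for g in stack:
        nxt = {}
        for q, v in vec.items():
            for q2 in states:
                val = times(v, l.get((q, g, q2), ZERO))
                if val != ZERO:
                    nxt[q2] = plus(nxt.get(q2, ZERO), val)
        vec = nxt
    return reduce(plus, (vec.get(q, ZERO) for q in final), ZERO)

# Constructed sample: (control location, stack symbol, new location, pushed word, expiry day)
RULES = [("KR", "box", "KA", ("staff", "box"), 30),
         ("KA", "staff", "KB", (), 10),
         ("KA", "staff", "KA", ("team",), 25),
         ("KA", "team", "KB", (), 20)]
STATES, TRANS = ["KR", "KA", "KB", "s"], [("KB", "box", "s")]   # C = {<KB, box>}
L = solve_pop_sequences(RULES, TRANS, STATES)
```

With these constructed rules, `delta(L, STATES, ["s"], "KR", ["box"])` is 20: the chain through `team` (expiries 30, 25, 20) outlasts the direct chain (30, 10).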
