UNIVERSITÉ TOULOUSE III - Paul Sabatier
U.F.R. Mathématiques, Informatique, et Gestion
École doctorale Mathématiques, Informatique, et Télécommunications de Toulouse
Institut de Recherche en Informatique de Toulouse
THESIS
submitted for the degree of
DOCTOR OF THE UNIVERSITY OF TOULOUSE
awarded by Université Toulouse III - Paul Sabatier
Discipline: Computer Science
Combinaison des logiques temporelle et déontique pour la spécification de politiques de sécurité
(Combining temporal and deontic logics for the specification of security policies)
Julien Brunel
defended on 12 December 2007
before a jury composed of
Philippe Balbiani, examiner
Jean-Paul Bodeveix, thesis supervisor
Jan Broersen, examiner
Frédéric Cuppens, examiner
Stéphane Demri, reviewer (rapporteur)
Mamoun Filali Amine, thesis co-supervisor
Sergei Soloviev, examiner
Wiebe van der Hoek, reviewer (rapporteur)
Combining temporal and deontic logics for the
specification of security policies
Julien Brunel
supervisors: Jean-Paul Bodeveix, Mamoun Filali Amine
Abstract
In order to formally specify a security policy, it is natural to reason about
time on the one hand, and obligations, permissions, and prohibitions on the
other hand. Indeed, we have to express for instance the permission to access
a resource for a certain period, the obligation to release a resource before a
deadline, or the prohibition to execute a task for a too long period. Temporal
and deontic logics seem well suited to specify such concepts. In this thesis,
we study how to combine these logics.
Firstly, we study the product of linear temporal logic and standard deontic logic, and define obligation with deadline in this context. It has to satisfy a property called the propagation property: while it is not fulfilled, it is propagated to the next instant. We then propose a more general propagation property, and a semantics that validates it. For the until-free fragment of our logic, we define an axiomatics and a tableaux-like decision procedure.
Lastly, we investigate the notion of compliance of a system with respect to a policy specified in such a language. The first definition we come up with is a weak version of compliance called compatibility. For a new fragment of our logic, we adapt the Büchi-automata approach of Vardi and Wolper to decide whether a system is compliant with a policy. We then restrict the language again so that we can define a stronger version of compliance. Actually, a careful analysis shows the necessity to refine the notion of compliance into five different diagnostic cases, which give 'levels of compliance'. We provide an algorithm to establish this diagnosis.
Keywords: temporal logic, deontic logic, security policy
Combining temporal and deontic logics for the specification of security policies
Julien Brunel
thesis supervisors: Jean-Paul Bodeveix, Mamoun Filali Amine
Abstract (French version, translated)
To formally specify a security policy, it is natural to reason on the one hand about the notion of time, and on the other hand about the notions of obligation, permission, and prohibition. Indeed, one has to express, for instance, the right to access a resource for a certain duration, the obligation to release it before a given instant, or the obligation that a certain task not be executed for too long a period. Temporal and deontic logics appear to be adequate tools for specifying such notions. In this thesis, we study how to combine such logics.
We first study the product of linear temporal logic with standard deontic logic, and define an obligation with deadline in this context. The obligation with deadline must in particular satisfy a property that we call propagation: as long as it is not fulfilled and the deadline is not reached, it propagates to the next instant. We then propose a semantics that validates a more general propagation property, and define an axiomatics and a decision procedure for the fragment of the language that does not contain the temporal operator 'until'.
Finally, we turn to the notion of compliance of a system with respect to a security policy specified in such a language. The first definition we propose is a weak version of compliance that we call compatibility. We then restrict the language in order to define a stronger version of compliance, and propose an algorithm to check the compliance of a system with respect to a policy.
Keywords: temporal logic, deontic logic, security policy
Acknowledgments (French and English versions)
Acknowledgments (translated from the French)
A first stage comes to an end today. I take this opportunity to thank those who contributed, in one way or another, to my work over these three and a half years. First of all, I warmly thank my thesis supervisors Jean-Paul Bodeveix and Mamoun Filali Amine, who gave me the opportunity to do this thesis, for their constant support and advice. I remember the internship, during the summer of 2002, in which they introduced me to research and passed on to me their passion for formal methods. Their enthusiasm and their complementarity were a great asset for my thesis, and working with them was a great pleasure.
I would then like to thank Stéphane Demri and Wiebe van der Hoek for the interest they showed in my work by agreeing to review this thesis. Their corrections, remarks, and questions allowed me to improve this dissertation and gave me very interesting perspectives.
Thanks to Jan Broersen, who agreed to host me in Utrecht in February 2006, before even knowing me! The welcome was very warm, and the stay very pleasant. I learned a lot there about deontic logics and action logics. The collaboration that followed was an excellent stimulus until the end of my thesis, and the proposed logic is its fruit.
Thanks to Philippe Balbiani, for the many discussions, for his advice on fine scientific points as well as on the progress of my thesis. I greatly appreciated his availability. His knowledge of modal logics brought me a lot.
Thanks also to Frédéric Cuppens and Nora Cuppens-Boulahia. Thanks to their enthusiasm, the collaboration begun within the DISPO project was able to continue during several stays in Rennes, where we were able to discuss at length obligations and violations in a security policy. I would also like to thank Sergei Soloviev for the outside view he brought to my work, and for having agreed to chair the jury. I thank Philippe Balbiani, Jan Broersen, Frédéric Cuppens, Stéphane Demri, and Wiebe van der Hoek for their stimulating questions and comments during the defense.
I thank everyone I worked alongside at IRIT (researchers, secretaries, teachers, and technicians) who contributed to a pleasant environment. Thanks in particular to those who shared my office (Abbassia, Jean-François, Lei, and Marjorie), with whom I spent good times.
I also think of my family, whom I was very happy to see again during the week of my defense. To my father, who crossed the Indian Ocean to attend it! To my mother, who showed unfailing composure in managing my thesis party! I owe them a lot.
To my grandmother, Mamette, who brought a little of our "île de beauté" with her. To Vanina and Yann, without whom I would surely have given up section 4.2.3 (what a pity that would have been!). And of course to Benjamin, my little brother, who is unfortunately already taller than me.
To all the Toulousains who contributed to the pleasant conditions in which I carried out this thesis, through evenings, meals, discussions, theories worked out on the spot, etc.: Mehdi, Camille, Jérôme, Matthieu, Simon, Thierry, Chloé, Raphaël, Serge, Élodie, Vincent, Juliette, Nicolas, Arnaud, Marie, David and Marie. I also think of those who have put up with me for much longer: Thierry, Rémi, Viviane, Rémy, Nico, Gilles, Sonia, Candice, Ben, ...
To Anne-Laure, who put up with me during the autism/writing period, and who gave me all her gentleness. I dedicate this thesis to her.
Acknowledgments
I would like to use this page as an opportunity to thank the people who have played a role, in one way or another, in my work during these three and a half years.
First of all, I would like to thank my supervisors Jean-Paul Bodeveix and Mamoun Filali Amine for their support and advice. I remember in particular the training period in 2002, during which they introduced me to research and imparted their passion for formal methods to me. Their enthusiasm and their complementarity were a great asset for my thesis, and I have really enjoyed working with them.
My acknowledgment also goes to Stéphane Demri and Wiebe van der Hoek, for having reviewed this thesis. Their corrections, remarks, and questions allowed me to improve this dissertation, and gave me some interesting leads for future work.
I also thank Jan Broersen, who agreed to welcome me in February 2006 in Utrecht, before even knowing me! The welcome was warm, and the stay very pleasant. I learnt a lot about deontic logics and action logics. The collaboration that followed was really stimulating until the end of my PhD, and the logic proposed in this dissertation is its fruit.
My acknowledgment then goes to Philippe Balbiani, for all the discussions we had, about scientific aspects as much as about the progress of my PhD. I have really appreciated his availability. His knowledge of modal logics was very helpful.
I also owe thanks to Frédéric Cuppens and Nora Cuppens-Boulahia. Thanks to their enthusiasm, the collaboration we started in the DISPO project went on with some stays in Rennes, during which we were able to talk a lot about obligations and violations in a security policy.
I would also like to thank Sergei Soloviev, for the interesting look he took at my work, and for having accepted to be president of the jury. I thank Philippe Balbiani, Jan Broersen, Frédéric Cuppens, Stéphane Demri, and Wiebe van der Hoek for being part of the jury, and for their stimulating questions and comments during the defense.
I thank all the IRIT staff members who played a part in making the environment pleasant, in particular those who shared my office: Abbassia, Jean-François, Lei, and Marjorie.
My thoughts go to my family, whom I was so happy to see the week after the defense. To my father, who crossed the Indian Ocean to attend it! To my mother, who handled the organisation of the drinks party with a lot of self-control! I owe them much.
To my grandmother, who brought a little of our "île de beauté" with her. To Vanina and Yann, without whom I would have given section 4.2.3 up (what a pity it would have been!). To Benjamin, my little brother, who is unfortunately already taller than me.
To the people from Toulouse, who made my time after work enjoyable thanks to parties, meals, discussions, etc.: Mehdi, Camille, Jérôme, Matthieu, Simon, Thierry, Chloé, Raphaël, Serge, Élodie, Vincent, Juliette, Nicolas, Arnaud, Marie, David and Marie. I also think about those I have known for much longer: Thierry, Rémi, Viviane, Rémy, Nico, Gilles, Sonia, Candice, Ben, ...
To Anne-Laure, who endured me during the autism/writing period, and who gave me all her sweetness. This thesis is dedicated to her.
To Anne-Laure
Contents

1 Introduction 7
  1.1 Security 7
  1.2 Formal methods and logics 8
  1.3 Outline 10
  1.4 Bibliographic notes 11

2 Basic logical concepts 13
  2.1 Modal logic 13
    2.1.1 Axiomatics 14
    2.1.2 Semantics 15
  2.2 Deontic logic 19
    2.2.1 Standard Deontic Logic SDL 19
    2.2.2 Some theorems and paradoxes 19
    2.2.3 Dyadic deontic logic based on a preference relation 21
  2.3 Temporal logic 22
    2.3.1 Linear temporal logic 23
    2.3.2 LTL semantics 24
    2.3.3 Characterization of properties 25
    2.3.4 LTL axiomatization 27
    2.3.5 Branching-time temporal logic 29
    2.3.6 Timed logic 33
  2.4 Model checking 37

3 Combining temporal and deontic logics 39
  3.1 Fusion of modal logics 40
    3.1.1 Fusion of LTL and SDL 41
    3.1.2 Fusion of CTL and SDL 43
  3.2 Interaction properties 44
    3.2.1 'Perfect recall' property 44
    3.2.2 'No learning' property 46
    3.2.3 'Confluence' property 46
    3.2.4 Obligation and branching time 47
  3.3 Product 48
    3.3.1 Product of modal logics 48
    3.3.2 Product LTL × SDL 50

4 Propagation property 53
  4.1 Deadline obligation 53
    4.1.1 Studied properties 54
    4.1.2 A first attempt for defining deadline obligation 56
    4.1.3 Validation of the propagation property 57
    4.1.4 New operator Ok 58
  4.2 General propagation property 63
    4.2.1 Propagation property and product 63
    4.2.2 Semantics based on the restriction of the ideal states 65
    4.2.3 Model correspondence for the propagation 69
    4.2.4 Semantics with levels of deontic ideality 74
    4.2.5 Branching time structures 79

5 Decision procedure and axiomatization 81
  5.1 Tableaux decision procedure for satisfiability 82
    5.1.1 Tableau data structure and update operations 83
    5.1.2 Tableaux rules 84
    5.1.3 Soundness and completeness 86
    5.1.4 Termination 88
  5.2 Axiomatization 90
    5.2.1 Admissible forms 91
    5.2.2 Axiomatization 91
    5.2.3 Soundness and completeness 92
    5.2.4 Theories 93
    5.2.5 Canonical model construction 96

6 Computer security application 99
  6.1 Specification of the system 100
    6.1.1 Events or actions? 100
    6.1.2 Labeled Kripke Structures 101
  6.2 Deontic extension and compatibility 102
    6.2.1 Deontic extension 103
    6.2.2 Compatibility 103
    6.2.3 Illustration 105
  6.3 Decidable fragment 106
    6.3.1 Preliminaries 106
    6.3.2 Checking internal consistency and compatibility 108
  6.4 Beyond compatibility 111
    6.4.1 Policy language 111
    6.4.2 Compliance of a system with its security policy 113
    6.4.3 Diagnostic algorithm 124
    6.4.4 Concluding example 129

7 Conclusion 133
  7.1 Summary 133
  7.2 Future investigations 134

A Proofs of section 4.1.4 141
  A.1 Proofs of property 11 141
  A.2 Proofs of property 12 142
Introduction (French version, translated)
This thesis proposes a logical framework that handles the notions of time and obligation, with the aim of specifying security policies. The starting point of this work is the need for formal methods to specify and verify specific security properties. This introduction presents computer security, and introduces the logical point of view we are going to adopt.
Security
Computer systems are present in more and more domains involving cooperation, distribution, and networking aspects. The increase in the complexity of systems has enabled many innovations, but has also raised new questions. In particular, guaranteeing security requirements has become more and more complex. These requirements are usually classified as follows:
– confidentiality: assurance that information is shared only by authorised persons or organisations;
– integrity: assurance that information is authentic and complete;
– availability: assurance that the systems responsible for delivering, storing, or processing information are accessible when needed.
In order to guarantee these requirements, a security policy is traditionally specified. It is a set of norms and procedures to be put in place to ensure the requirements as well as possible. This consists, for example, in describing how users may access the system or the information.
The modelling of access control policies has been widely studied in the literature [64, 115, 21, 73, 2]. An access control policy consists of a set of rules that specify which actions subjects are authorised to perform. A permission may apply only when certain conditions are satisfied [94, 42, 121]. For instance, in a bank, the access control policy may specify that an employee is authorised to grant a loan to a customer only if the amount of the loan is less than 50,000 euros. The access control policy may also include prohibitions, which are particularly useful for specifying exceptions to permissions.
More recently, it has also been suggested to consider other requirements in a security policy, which correspond to obligations [22, 41]. For example, the policy may specify that any user of the bank's information system is obliged to change his or her password if it has not been changed for thirty days. Models that consider obligations go beyond access control and are used to specify usage control requirements [99]. As an example of a usage control requirement, the bank may specify in its policy that it is mandatory to interrupt a customer's Internet transaction if the customer has remained inactive for more than one minute.
As in many other scientific domains, formal methods are useful for removing certain ambiguities and improving the quality of understanding and analysis. In the context of security, applying formal methods makes it possible to verify that a policy is consistent, or that a system complies with a policy.
Formal methods and logics
Formal methods [98] refer to mathematical techniques and tools for reasoning rigorously. They make it possible to specify, design, and validate software and hardware systems. The specifications used in formal methods are well-formed statements in a mathematical language, and validations (or verifications) are proofs of these statements. The definition of such a specification language, together with a means of determining whether a statement is true, is called a logic. A statement in the language is a formula. The means of determining the "truth value" of a formula may be either syntactic or semantic. A syntactic deduction is a finite sequence of formulas that starts with an axiom (a formula taken to be true) and such that each formula in the sequence is obtained from the preceding formulas by applying an inference rule. The semantic means consists in giving an intuitive framework for the definition of the truth of a formula. Several families of logics have been studied, depending on the application domain. Constructive logics are used in computer science, in particular with the aim of generating code from the specification of a program [67, 100]. Each formula is associated with a proof that demonstrates it, rather than with a truth value (true or false). A proof can also be seen as an algorithm. Another family of logics was originally developed by philosophers: modal logics. They initially studied reasoning that uses the notions of necessity ("it is necessary that ...") and possibility ("it is possible that ..."). Modal logics are now more widely used for concepts such as beliefs [53], intentions [26], program executions [63], obligations [136], and temporal aspects [106]. Modal formulas are built from atomic statements, called propositions, and modal operators, which express the notions mentioned above. In this thesis, we focus on obligations and temporal aspects, usually studied with temporal and deontic logics.
Temporal logic was introduced by Prior [106, 107] to express sentences such as "it will always be the case that ..." and "it will some day be the case that ...", which correspond respectively to the modal operators G and F. Kamp [74] proposed an extension with the binary operator U (until): A U B means that A is true, and remains true until B becomes true. In 1977, Pnueli proposed using temporal logic for the specification and verification of reactive systems [101]. Shortly afterwards, this idea gave rise to a verification technique called model checking [38, 108]. The first step consists in providing a model of the system to be verified (in general, a finite automaton) in a formalism accepted by the model checking tool. The second step consists in specifying the required property as a logical formula. The tool then applies a traversal procedure to determine whether the formula is true in the abstraction of the system. In the 1980s, at the beginnings of model checking, only systems with a few thousand states could be handled. Today, great progress in the techniques allows much better efficiency, but state-space explosion remains a major challenge.
The first system of deontic logic was introduced by Mally in 1926 [90]! Unfortunately, that system has many undesirable properties, and deontic logic only became an active research area after von Wright's first system [136], whose Kripke-model version is known as Standard Deontic Logic (SDL). Since then, logicians have raised paradoxes in SDL, and proposed various variants of SDL to eliminate them. This aspect will be discussed in the next chapter. We believe that deontic logic can be useful to computer security in a context where norms can be violated, and where one would like to reason explicitly about these violations. This typically concerns a security policy that specifies weak constraints. Consider, for example, the following rules in a resource-allocation context:
(1) user_i has the obligation to release resource r after 5 time units of use;
(2) if user_i uses the resource without permission, then he must not request it again for 10 time units.
Rule (1) specifies that user_i has the obligation to release resource r when a certain condition is true. This obligation may be violated, and rule (2) reasons explicitly about this violation. Deontic logic seems appropriate for specifying and reasoning about these notions. Moreover, these two rules clearly contain a temporal aspect.
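Rules (1) and (2) above, taken as an added illustration that is not part of the thesis: a small Python checker that evaluates both rules over a constructed discrete-time trace and makes the propagation of an obligation with deadline visible, instant by instant. The propositions (use_r, free_r, perm_r, req_r), the trace, the reading of rule (1) as "free r within 5 instants of starting to use it", and the three status values are assumptions of this example, not definitions from the thesis.

```python
"""Added example (not code from the thesis): checking the two resource-allocation
rules of the introduction over a discrete-time trace, and showing how an
obligation with deadline propagates.  Propositions, trace and rule encodings
are constructed assumptions."""

from typing import Dict, List, Set

Trace = List[Set[str]]   # trace[t] = set of atomic propositions true at instant t

# Constructed propositions about user_i and resource r.
USE = "use_r"    # user_i is using r at this instant
FREE = "free_r"  # user_i releases r at this instant
PERM = "perm_r"  # user_i holds the permission to use r at this instant
REQ = "req_r"    # user_i requests r at this instant


def deadline_obligation(trace: Trace, t: int, goal: str, deadline: int) -> str:
    """Status, seen from instant t, of 'goal must hold within `deadline` instants'.
    'fulfilled' : goal holds at some k in [t, t + deadline];
    'violated'  : the whole window lies inside the trace and goal never holds;
    'pending'   : the trace ends before the deadline is reached."""
    last = len(trace) - 1
    if any(goal in trace[k] for k in range(t, min(t + deadline, last) + 1)):
        return "fulfilled"
    return "violated" if t + deadline <= last else "pending"


def propagate(trace: Trace, t: int, goal: str, deadline: int) -> List[int]:
    """Propagation property made visible: an obligation raised at t with deadline
    d that is not fulfilled at t is raised again at t + 1 with deadline d - 1,
    and so on.  Returns the remaining deadline at each instant where the
    obligation is still active; the list stops when goal holds or when the
    deadline reaches 0 without goal (a violation)."""
    remaining: List[int] = []
    d = deadline
    for k in range(t, len(trace)):
        if goal in trace[k]:
            break                   # fulfilled: nothing left to propagate
        remaining.append(d)
        if d == 0:
            break                   # deadline reached without goal: violation
        d -= 1
    return remaining


def check_rules(trace: Trace) -> List[Dict[str, object]]:
    """Rule (1): whenever user_i starts using r, user_i must free r within
    5 instants.  Rule (2): whenever user_i uses r without permission, user_i
    must not request r during the following 10 instants."""
    findings: List[Dict[str, object]] = []
    last = len(trace) - 1
    for t, state in enumerate(trace):
        starts_use = USE in state and (t == 0 or USE not in trace[t - 1])
        if starts_use:
            findings.append({"instant": t, "rule": 1,
                             "status": deadline_obligation(trace, t, FREE, 5)})
        if USE in state and PERM not in state:
            ban = range(t + 1, min(t + 10, last) + 1)
            if any(REQ in trace[k] for k in ban):
                status = "violated"
            else:
                status = "respected" if t + 10 <= last else "pending"
            findings.append({"instant": t, "rule": 2, "status": status})
    return findings


# Constructed trace: one permitted use that is released in time, then one
# unpermitted use that is never released and is followed by a forbidden request.
TRACE: Trace = [
    {USE, PERM},   # t=0  user_i starts using r with permission -> rule (1) fires
    {USE, PERM},   # t=1
    {USE, PERM},   # t=2
    {FREE},        # t=3  r released: the obligation raised at t=0 is fulfilled
    set(),         # t=4
    {USE},         # t=5  use without permission -> rules (1) and (2) fire
    {USE, PERM},   # t=6
    set(),         # t=7
    set(),         # t=8
    set(),         # t=9
    set(),         # t=10 deadline of the obligation raised at t=5: r never freed
    {REQ},         # t=11 request inside the 10-instant ban -> rule (2) violated
]

if __name__ == "__main__":
    for f in check_rules(TRACE):
        print(f"t={f['instant']:>2}  rule ({f['rule']})  {f['status']}")
    print("propagation of the obligation raised at t=0:", propagate(TRACE, 0, FREE, 5))
    print("propagation of the obligation raised at t=5:", propagate(TRACE, 5, FREE, 5))
```

The 'pending' status is the point a practitioner should notice: on a finite trace an obligation whose deadline has not yet been reached is neither fulfilled nor violated, which is exactly the state that the propagation property carries forward to the next instant.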
Our work consists in combining temporal and deontic logics so as to be able to
– express such security policies;
– verify that a policy is consistent;
– verify that a system complies with a policy.
Outline of the document
This thesis is organised as follows.
Chapter 2 presents basic logical concepts. We develop there the syntactic and semantic aspects of modal logics. We first study deontic logics, which deal with obligations, permissions, and prohibitions, and then turn to temporal logics. We detail in particular the case of discrete linear time, in which we will place ourselves in the rest of the thesis, and then present more briefly the main logics of branching time and of continuous time.
Chapter 3 introduces the combination of temporal and deontic logics. First, we briefly present the other proposals for combining these notions, and relate them to our approach. Next, we apply the simplest logical combination, called fusion, to temporal and deontic logics, and discuss the deontic variants of the known temporal-epistemic interaction properties. Finally, we present the product of modal logics, a generic way of combining logics while guaranteeing certain interaction properties.
In chapter 4, we take the product of temporal and deontic logics as a starting point. We are interested in a new interaction property, which we call the propagation property, and which is particularly intuitive in the temporal and deontic context. We first study the propagation of obligations with deadline. We then propose two possible semantics for an operator dedicated to obligation with deadline, and discuss some characteristic properties of each. Secondly, we present a more general formulation of the propagation property, which concerns a disjunction of particular temporal formulas. We then propose an intuitive semantics that validates propagation but loses axiom D (which guarantees the mutual consistency of obligations). Moreover, if we consider only the class of models that satisfy axiom D, then no violation is satisfiable. We then approach the problem from a different angle, and look for a necessary and sufficient condition, on an arbitrary temporal and deontic model, for validating the propagation property. The conclusion is that when an obligation is violated at some instant, undesirable properties arise from that instant on. We then refine our semantics with a preference relation, so that axiom D is valid, and the propagation property is only satisfied in states that do not violate immediate obligations.
Chapter 5 presents a decision procedure based on a tableaux method, together with an axiomatisation, for the fragment of our logic without the "until" operator. The semantics of obligation seems too complex for such tools to be developed directly for our logic. Indeed, two different quantifiers are hidden in the semantic definition of the obligation operator. We propose to decompose this operator using new, simpler operators. We then develop a tableaux system and an axiomatisation for this logic. The axiomatisation contains two non-classical inference rules, which correspond to two particularities of the logic: on the one hand, one of the accessibility relations depends on the valuations, and on the other hand, one of the operators is interpreted by the intersection of two accessibility relations.
Chapter 6 proposes an application to security of the logical study presented in the preceding chapters. We consider a model of a system, and a temporal deontic formula that specifies the policy. The goal is to determine, on the one hand, whether the policy is consistent, and on the other hand, whether the system complies with the policy. The consistency of a policy is reduced to the satisfiability of the corresponding formula. The first definition of compliance we arrive at is a weak version called compatibility. In the general case, we have no decidability result, neither for consistency checking nor for compliance checking. We then exhibit a fragment of our temporal deontic logic such that both problems are decidable for a policy expressed in this fragment. We reduce the language once more in order to define a stronger version of compliance. In fact, a thorough analysis shows the need to refine the notion of compliance into five different diagnostic cases, which give "levels of compliance". Finally, we provide an algorithm that establishes this diagnosis (its correctness and termination are established).
In chapter 7, we conclude the thesis and discuss some perspectives.
Bibliographic notes
The content of this thesis has been partially published in various communications. Section 3.2 of chapter 3 is taken from [31]. The study of obligation with deadline in a product of logics (chapter 4, section 4.1) comes from [32]. The semantics that guarantees the propagation property (chapter 4, section 4.2) was published in joint work with Jan Broersen [28, 29]. The decision procedure and the axiomatisation for this semantics (chapter 5) are taken from joint work with Philippe Balbiani and Jan Broersen [17]. Chapter 6 is an enriched version of an article written with Frédéric Cuppens, Nora Boulahia-Cuppens, and Thierry Sans [33]. Of course, my thesis supervisors, Jean-Paul Bodeveix and Mamoun Filali-Amine, contributed to every part of this work, whether or not they appear as co-authors.
1 Introduction
This thesis deals with providing a logical framework which handles the notions of time and obligation, with the aim of being useful to computer security. The starting point of this work is a need for formal tools to specify
and verify some specific security properties. This introduction presents the
security context in which the thesis takes place, and introduces the logical
point of view we will adopt.
1.1 Security
Electronic systems are present in more and more areas which involve cooperation, distribution, and networking aspects. This growth of systems' complexity has brought many innovations, but has also raised several new concerns. In particular, ensuring security requirements has become more and more complex. These requirements are usually classified as follows:
• confidentiality: assurance that information is shared only among authorised persons or organisations. Breaches of confidentiality can occur
when data is not handled in a manner adequate to safeguard the confidentiality of information;
• integrity: assurance that information is authentic and complete, i.e.,
that information can be relied upon to be sufficiently accurate for its
purpose;
• availability: assurance that the systems responsible for delivering, storing and processing information are accessible when needed, by those
who need them.
In order to ensure these requirements, a security policy is traditionally
specified. A security policy is a set of regulations and laws that describes
how users may access the system or information. It regulates how entities
access objects in a system.
Modelling such access control policies has been extensively investigated
in the literature [64, 115, 21, 73, 2]. An access control policy corresponds to a
set of permission rules which specifies which actions subjects are authorized
to perform in the information system controlled by this policy. A permission
may only apply when some contextual conditions are satisfied [94, 42, 121].
For instance, in a bank, the access control policy may specify that a clerk is
permitted to grant a loan to a customer, only if the amount of the loan is less
than 50,000 euros. The access control policy can also include prohibitions
that are especially useful to specify exceptions to permissions.
More recently, it has also been suggested to consider other requirements
in the security policy that correspond to obligations [22, 41]. For instance,
the policy may specify that any user in the bank information system is
obliged to change his or her password if this password has not been changed
for more than 30 days. Models that consider obligations go beyond access
control and are used to specify usage control requirements [99]. As an example of usage control requirement, the bank can specify in its policy that it
is obligatory to stop the internet transaction of a bank customer if this user
has been idle for more than one minute.
As in many other scientific areas, formal methods are useful in order to
avoid ambiguities and improve quality of understanding and model analysis.
In the context of security, applying formal methods makes it possible to verify that a
policy is coherent, or that a system complies with a policy.
1.2
Formal methods and logics
’Formal Methods’ [98] refers to mathematically rigorous techniques and tools
for the specification, design, and verification of software and hardware systems. The phrase ’mathematically rigorous’ means that the specifications
used in formal methods are well-formed statements in a mathematical language and that the formal verifications are rigorous proofs of these statements. The definition of such a language with a way to determine whether
a statement is true, is called a logic. A statement in the language is called a
formula. The way to determine the truth of a formula can be either
syntactic or semantic. A syntactic deduction is a finite sequence of formulas
which starts from an axiom (a formula postulated to be true), such that each formula
in the sequence is obtained from earlier formulas by applying some inference
rule. The semantic way aims at giving an intuitive framework to the definition of truth for a formula. Several families of logics have been investigated,
depending on the application area. Constructive logics are used in computer
science, in particular with the aim of generating code from the specification of a program [67, 100]. Each formula is associated with a proof which
demonstrates this formula, instead of a value (true or false). A proof of a
formula can also be seen as an algorithm. Another family of logics, originating from philosophy, is called modal logic. It originally studies reasoning
that involves the use of the expressions “necessarily” and “possibly”. Modal
logics are now used more broadly for concepts such as belief [53], intention
[26], program execution [63], obligation [136], and temporal ordering [106].
Modal formulas are built from atomic statements, called propositions, and
modal operators, which handle the above-mentioned notions. Here, we focus
on obligation and temporal ordering, usually addressed through deontic and
temporal logics.
Temporal logic was introduced by Prior [106, 107], in order to express
sentences such as 'henceforth, it will be the case that . . . ' and 'it will eventually
be the case that . . . ', corresponding to the modal operators G and F respectively. Kamp proposed an extension with a binary modal operator U (read
until): A U B means that A is true, and remains true until B becomes true.
Pnueli proposed in 1977 to use temporal logic for the specification and the
verification of reactive systems [101]. This idea gave rise, shortly after, to
the verification technique called temporal logic model checking [38, 108]. The
first step is to provide a model of the system to verify - usually, a finite state
transition graph - in a formalism accepted by a model checking tool. The
second step consists in specifying the required property as a logic formula.
The model checker then applies a search procedure to determine whether
the formula is true in the abstraction of the system. In the 1980s, when
temporal model checking was first developed, it was only possible to handle
systems with a few thousand states. Even though today's procedures
are far more efficient, the state space explosion problem remains an important
challenge.
The first logical system of deontic logic was introduced by Mally as early as
1926 [90]. Unfortunately, this system had many undesirable theorems,
and deontic logic only became an active academic area after the
first system of von Wright [136], whose Kripke-style version is
known as Standard Deontic Logic (SDL). Since then, logicians have raised
some paradoxes in SDL, and proposed different variants of SDL to avoid
them. These are discussed in chapter 2. In our view, deontic
logic can be useful in computer security in a context where norms can be
violated, and where we want to reason explicitly about these violations. This
typically concerns a security policy which specifies some soft (violable) constraints. Consider for instance, the following rules in a resource monitoring
context:
(1) user_i has to release resource r after 5 time units of utilization;
(2) if user_i uses the resource without permission, then he must not ask
for it for 10 time units.
Rule (1) specifies that user_i is obliged to release resource r when some condition is true. This obligation can be violated, and rule (2) explicitly reasons
about this violation. Deontic logic seems appropriate to express and reason
about these notions. Besides, both rules clearly capture temporal aspects.
Our work consists in combining temporal and deontic logics so that we
can easily
• express such security policies;
• check that a policy is coherent;
• check that a system is compliant with a policy.
1.3
Outline
This dissertation is organized as follows.
Chapter 2 deals with basic logical concepts. We review syntactic and semantic aspects of modal logic. Firstly, we present the family of modal logics
which model deontic concepts. Secondly, we focus on temporal logics. We
especially develop the linear and discrete time case, in which we are particularly interested. We also present the main temporal logics of branching-time
and of continuous time.
Chapter 3 introduces the combination of temporal and deontic logics.
Firstly, we give a brief presentation of other attempts to combine these notions, and explain how our work relates to them. Secondly, we apply
the simplest logical combination, called fusion, to temporal and deontic logics, and discuss deontic variants of temporal-epistemic interaction properties.
Then, we present the product of modal logics, a natural and generic logic
combination, which ensures these interaction properties.
In chapter 4, we take the product of temporal and deontic logics as a
starting point. We investigate another interaction property, called propagation property, which is particularly intuitive in a temporal and deontic
context. We first discuss the propagation of deadline obligations. We propose two possible semantics for an operator dedicated to obligation with
deadline, and discuss some characteristic properties for each one. Secondly,
we provide a more general formulation of the propagation property, which
concerns a special temporal disjunction. We propose an intuitive semantics
which validates the propagation, but loses axiom D (which guarantees the
coherence of obligations). Moreover, if we only consider the class of models
which satisfy axiom D, then no violation is satisfiable. We then consider
the problem from a different point of view, and look for a necessary and
sufficient condition on an arbitrary temporal deontic model to validate the
propagation property. The conclusion is that when an obligation is violated
at some moment, undesirable properties necessarily occur from that instant
on. We then refine our semantics with a preference-based deontic relation,
so that the propagation property is only satisfied in the states that do not
violate any immediate obligations.
Chapter 5 deals with a tableaux-like decision procedure and an axiomatization for the until-free fragment of this logic. The semantics of obligation
is too intricate to build logical tools on directly: two different quantifiers are
hidden in the semantic definition of the obligation operator. We propose to
decompose this operator into more simple ones. We then develop a tableau
system with explicit accessibility relations, and an axiomatization with nonclassical rules which handle the two following semantic particularities of our
logic: one of the accessibility relations depends on valuations, one operator
corresponds to the intersection of two accessibility relations.
Chapter 6 provides a security application of the logical study. We consider a model of a system, and a temporal deontic formula which specifies
the policy. The goal is to determine whether the policy is coherent on the
one hand, and whether the system complies with the policy on the other
hand. The coherence of a policy is reduced to the satisfiability of the corresponding formula. The first definition of compliance we come up with is
a weak version called compatibility. In the general framework, we have no
decidability result, neither for coherence checking, nor for compliance checking. We then exhibit a fragment of our temporal deontic logic such that for
a policy expressed in this fragment, both problems are decidable. We then
constrain again the policy language in order to define a stronger version of
compliance. Actually, a careful analysis shows the necessity to refine the
notion of compliance into five different diagnostic cases which give ’levels of
compliance'. A terminating and correct algorithm is provided to establish
the diagnosis.
In chapter 7 we conclude the thesis and discuss some perspectives.
1.4
Bibliographic notes
The content of this thesis has been partially published in several communications. Section 3.2 of chapter 3 is extracted from [31]. The study of deadline
obligations in a product setting (chapter 4, section 4.1) comes from [32]. The
semantics which ensures the propagation property (chapter 4, section 4.2)
has been published in a joint work with Jan Broersen [28, 29]. Decision
procedure and axiomatization for this semantics (chapter 5) are extracted
from a joint work with Philippe Balbiani and Jan Broersen [17]. Chapter 6
is the sequel of a paper with Frédéric Cuppens, Nora Boulahia-Cuppens,
and Thierry Sans [33]. Of course, my supervisors Jean-Paul Bodeveix and
Mamoun Filali-Amine have played an important role in all parts of this work,
whether they appear or not as co-authors.
2
Basic logical concepts
In this chapter, we introduce the basic concepts of logics which are needed
in the remainder of the Ph.D. thesis. Section 2.1 deals with some general points of modal logic: we present Hilbert-style axiomatization, possible
worlds semantics, and some basics about correspondence between axioms
and semantic conditions. Section 2.2 focuses on deontic logic. Section 2.3
introduces temporal logic, and section 2.4 presents model-checking results
for temporal logics.
2.1
Modal logic
In this section, we present some basics of modal logic. We stay in the framework of unimodal logic because it is simpler to write and sufficient for the
remainder of the thesis, although every definition can easily be extended to
multimodal logic.
Definition 1 (Modal language). Given a set P of atomic propositions, the
propositional modal language ML is defined as
$\varphi ::= p \mid \bot \mid \varphi \Rightarrow \varphi \mid \Box\varphi$
where ⊥ is a constant ('false') and p ∈ P is an atomic proposition. The usual
boolean operators are defined in terms of the constant ⊥ and the operator ⇒:
$\neg\varphi \stackrel{def}{=} \varphi \Rightarrow \bot$
$\top \stackrel{def}{=} \neg\bot$
$\varphi_1 \vee \varphi_2 \stackrel{def}{=} (\neg\varphi_1) \Rightarrow \varphi_2$
$\varphi_1 \wedge \varphi_2 \stackrel{def}{=} \neg(\neg\varphi_1 \vee \neg\varphi_2)$
$\Box$ is called the necessity modal operator and $\Diamond \stackrel{def}{=} \neg\Box\neg$, defined as its
dual, is called the possibility operator.
We can define similarly the propositional n-modal language $ML_n$ with n
necessity and n possibility operators $\Box_1, \ldots, \Box_n$ and $\Diamond_1, \ldots, \Diamond_n$.
A logical system in general, and a modal system in particular, consists in
singling out and describing a subset of formulas considered as true, no matter
what values are assigned to their variables. There are two ways of defining
logics: semantic and syntactic. Both complement each other. Usually, the
semantic way introduces a semantic domain and explains the meaning of the
logical constants and connectives as operators of the semantic domain, while
the syntactic way reasons about the structure of a formula.
2.1.1
Axiomatics
As a syntactic way, we consider in this thesis Hilbert-style inference systems.
They consist in indicating which formulas are chosen as axioms, and defining
inference rules. A derivation of a formula ϕ in such a system is a finite
sequence ending with ϕ and such that each formula in the sequence is either
an axiom or obtained from earlier formulas in the sequence by applying some
inference rule. The logic of the inference system is then defined as the set of
all derivable formulas.
A set of ML-formulas which contains
• all axioms of propositional logic
• the modal axiom scheme (K)
$\Box(\varphi_1 \Rightarrow \varphi_2) \Rightarrow (\Box\varphi_1 \Rightarrow \Box\varphi_2)$ (K)
and which is closed under the following inference rules
• Modus Ponens (MP): from $\varphi_1$ and $\varphi_1 \Rightarrow \varphi_2$, infer $\varphi_2$
• Uniform Substitution (US): from $\varphi(x_1, \ldots, x_n)$, infer $\varphi(\psi_1/x_1, \ldots, \psi_n/x_n)$,
where $\varphi(\psi_1/x_1, \ldots, \psi_n/x_n)$ is obtained from $\varphi(x_1, \ldots, x_n)$ by substituting formulas $\psi_1, \ldots, \psi_n$ for the atomic propositions $x_1, \ldots, x_n$ in
$\varphi$.
• Necessitation: from $\varphi$, infer $\Box\varphi$
is called a normal modal logic.
The minimal normal modal logic is denoted by K (its only axioms and
inference rules are the ones listed above). It is too weak to provide an
adequate account of necessity. For instance, the axiom $\Box\varphi \Rightarrow \varphi$, called T, is
not provable in K, but it is clearly desirable. It claims that whatever is
necessary is the case. On the other hand, axiom T is not correct if we read
$\Box$ as it is obligatory that, or some agent believes that. Thus, depending on
the concept to be modeled, several modal systems have been introduced.
Actually, every normal modal logic L can be obtained by extending system K with
a set Γ of extra axioms. In this case, we write
$L = K \oplus \Gamma$
Here are some modal systems obtained by enriching K with extra axioms.
• $KD \stackrel{def}{=} K \oplus (\Box\varphi \Rightarrow \Diamond\varphi)$
• $KT \stackrel{def}{=} K \oplus (\Box\varphi \Rightarrow \varphi)$
• $S4 \stackrel{def}{=} KT \oplus (\Box\varphi \Rightarrow \Box\Box\varphi)$
• $S5 \stackrel{def}{=} S4 \oplus (\varphi \Rightarrow \Box\Diamond\varphi)$
2.1.2
Semantics
The semantic way aims at giving an intuitive framework to the definition
of truth for a modal formula. It has been developed by Hintikka [69] and
Kripke [78, 77]. Necessity is then understood as truth in all possible worlds.
Thus, structures in which formulas are interpreted contain different worlds
which can have some alternatives. Every world ’lives’ under the laws of
classical logic: an atomic proposition is either true or false in it, and the
truth-values of a boolean combination of atoms (propositional formulas) is
determined by boolean truth-tables.
Definition 2 (Possible worlds semantics). The semantics of ML-formulas
is given through relational structures F = (W, R) called Kripke frames, or
simply frames.
• W is a non-empty set of worlds
• R ⊆ W × W is an accessibility relation on W which associates each
world with a set of alternative worlds
A valuation V : W → 2P for a structure F = (W, R) is a function which
associates each world with a set of atomic propositions. The pair (F, V ) is
called a Kripke model, or simply a model.
Figure 2.1 shows an illustration of a model, where the states are the circles, the accessibility relation is represented by the arrows, and the valuation
by the sets of atomic propositions associated with each state.
We can now define the conditions under which a world of a model satisfies
a formula.
Figure 2.1: Kripke model (three states, with valuations {q}, {p, q}, and {p}; the arrows of the accessibility relation are not recoverable from the extraction)
Definition 3 (Satisfaction). Given a frame F = (W, R), a valuation V for
F , and a formula ϕ, we can define the satisfaction relation |= by induction
on ϕ, where F, V, w |= ϕ is read as ’ϕ is satisfied by the world w of the model
(F, V )’ or ’ϕ is true in the world w of the model (F, V )’:
$F, V, w \models p$ iff $p \in V(w)$, where $p \in P$
$F, V, w \not\models \bot$
$F, V, w \models \varphi_1 \Rightarrow \varphi_2$ iff if $F, V, w \models \varphi_1$ then $F, V, w \models \varphi_2$
$F, V, w \models \Box\varphi$ iff $\forall w' \in W$, if $wRw'$ then $F, V, w' \models \varphi$
When there is no ambiguity, we write w |= ϕ instead of F, V, w |= ϕ for the
sake of brevity.
The semantics of MLn -formulas is then given through structures F =
(W, R1 , . . . , Rn ) with n accessibility relations, called n-frames.
A model (F, V) satisfies ϕ if every world in W satisfies it:
$F, V \models \varphi$ iff $\forall w \in W,\ F, V, w \models \varphi$
A frame F validates ϕ if every model based on F satisfies it:
$F \models \varphi$ iff for every valuation $V$, $F, V \models \varphi$
A formula ϕ is valid if every frame validates it:
$\models \varphi$ iff for every frame $F$, $F \models \varphi$
A formula ϕ is satisfiable if there exist a model and a world which satisfy it, or equivalently, if its negation is not valid.
Definition 4 (Logic: a semantic definition).
• Given a class C of frames, we can define the set Log(C) of the formulas
that every frame of C validates:
$Log(C) \stackrel{def}{=} \{\varphi \mid \forall F \in C,\ F \models \varphi\}$
It is easy to check that Log(C) is a normal modal logic, and we call it
the logic of C.
• A normal logic L is said to be sound with respect to C if ∀ϕ ∈ L ∀F ∈
C F |= ϕ, i.e., L ⊆ Log(C). L is complete with respect to C if every
formula which is valid in every frame of C is in L, i.e., Log(C) ⊆ L.
L is determined, or characterized by C if L = Log(C).
• A logic L is Kripke-complete if there exists a class C of frames such
that L = Log(C).
• Then Fr(L) denotes the class of all the frames which validate every
formula of L. For L Kripke-complete, it can be proved that L =
Log(Fr(L)) [23, 57].
An attractive feature of the possible worlds semantics is that many logics are characterized by classes of frames satisfying simple conditions. For
instance, we have the following completeness results concerning the modal
logics introduced in section 2.1.1.
Theorem 1 (Completeness [78]).
The logics K, KD, KT, S4, and S5 are Kripke-complete. Besides, we have:
• Fr(KD) is the class of all frames (W, R) such that R is serial¹.
• Fr(KT) is the class of all frames (W, R) such that R is reflexive.
• Fr(S4) is the class of all frames (W, R) such that R is reflexive and
transitive.
• Fr(S5) is the class of all frames (W, R) such that R is an equivalence relation, i.e., R is reflexive, transitive, and symmetric.
Another related issue is the direct translation of a modal axiom schema
into a condition on Kripke frames: Correspondence theory [125, 126] studies
the class of frames which is ’defined’ by a given formula. We say that a
formula ϕ defines the class C of frames if F ∈ C iff F validates ϕ, for
every frame F . Actually, every axiom schema we have considered to enrich
the logic K defines a simple class of frame, independently of a deduction in
modal logic.
¹ $\forall w \in W\ \exists w' \in W$ such that $wRw'$
Theorem 2 (Correspondence). Here are the classes of frames which are defined by each of the previously considered axiom schemas.
(axiom T) Axiom schema $\Box\varphi \Rightarrow \varphi$ defines the frames (W, R) such that R is reflexive.
(axiom D) Axiom schema $\Box\varphi \Rightarrow \Diamond\varphi$ defines the frames (W, R) such that R is serial.
(axiom 4) Axiom schema $\Box\varphi \Rightarrow \Box\Box\varphi$ defines the frames (W, R) such that R is transitive.
(axiom B) Axiom schema $\varphi \Rightarrow \Box\Diamond\varphi$ defines the frames (W, R) such that R is symmetric.
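The satisfaction relation of Definition 3 and the frame conditions of Theorem 2 can be checked mechanically on small frames. The following Python block is an added example, not code from the thesis: it implements a Kripke model with the derived connectives of Definition 1, decides whether a frame validates an axiom by enumerating all valuations, and pairs that verdict with the first-order condition Theorem 2 assigns to the axiom. The three-world frame used at the bottom is constructed for the illustration.

```python
"""Possible-worlds semantics (Definition 3) and the frame conditions of
Theorem 2, checked mechanically on small frames. Added example; the frame
at the bottom is constructed for the illustration."""
from itertools import product

# formula constructors; derived connectives follow Definition 1
def P(name):    return ('p', name)
BOT = ('bot',)
def IMP(a, b):  return ('imp', a, b)
def BOX(a):     return ('box', a)
def NOT(a):     return IMP(a, BOT)                 # ¬a    =def  a ⇒ ⊥
TOP = NOT(BOT)                                     # ⊤     =def  ¬⊥
def OR(a, b):   return IMP(NOT(a), b)              # a ∨ b =def  (¬a) ⇒ b
def AND(a, b):  return NOT(OR(NOT(a), NOT(b)))     # a ∧ b =def  ¬(¬a ∨ ¬b)
def DIA(a):     return NOT(BOX(NOT(a)))            # ◇a    =def  ¬□¬a


class KripkeModel:
    """(W, R, V): worlds, accessibility relation, valuation W -> set of atoms."""

    def __init__(self, worlds, rel, val):
        self.W = list(worlds)
        self.R = set(rel)
        self.V = {w: set(val.get(w, ())) for w in self.W}

    def sat(self, w, phi):
        """F, V, w |= phi, by induction on phi (Definition 3)."""
        tag = phi[0]
        if tag == 'p':   return phi[1] in self.V[w]
        if tag == 'bot': return False
        if tag == 'imp': return (not self.sat(w, phi[1])) or self.sat(w, phi[2])
        if tag == 'box': return all(self.sat(v, phi[1]) for (u, v) in self.R if u == w)
        raise ValueError(tag)

    def satisfies(self, phi):
        """F, V |= phi: phi holds in every world."""
        return all(self.sat(w, phi) for w in self.W)


def frame_validates(worlds, rel, phi, atoms):
    """F |= phi: every valuation over `atoms` satisfies phi. Enumerates all
    2^(|W|*|atoms|) valuations, so only meant for small frames."""
    worlds = list(worlds)
    cells = [(w, a) for w in worlds for a in atoms]
    for bits in product((False, True), repeat=len(cells)):
        val = {w: set() for w in worlds}
        for (w, a), on in zip(cells, bits):
            if on:
                val[w].add(a)
        if not KripkeModel(worlds, rel, val).satisfies(phi):
            return False
    return True


# frame conditions named in Theorems 1 and 2
def is_serial(W, R):     return all(any((w, v) in R for v in W) for w in W)
def is_reflexive(W, R):  return all((w, w) in R for w in W)
def is_transitive(W, R): return all((a, c) in R for (a, b) in R for (b2, c) in R if b2 == b)
def is_symmetric(W, R):  return all((b, a) in R for (a, b) in R)

# checking the instance on a single atom suffices: valuations are arbitrary,
# so a frame validates the scheme iff it validates this instance
p = P('p')
AXIOM_T = IMP(BOX(p), p)                  # □p ⇒ p
AXIOM_D = IMP(BOX(p), DIA(p))             # □p ⇒ ◇p
AXIOM_4 = IMP(BOX(p), BOX(BOX(p)))        # □p ⇒ □□p
AXIOM_B = IMP(p, BOX(DIA(p)))             # p ⇒ □◇p


def correspondence_table(W, R):
    """For one frame, pair each axiom's validity (left) with the first-order
    condition Theorem 2 assigns to it (right); the two must always agree."""
    W = list(W)
    return {
        'T': (frame_validates(W, R, AXIOM_T, ['p']), is_reflexive(W, R)),
        'D': (frame_validates(W, R, AXIOM_D, ['p']), is_serial(W, R)),
        '4': (frame_validates(W, R, AXIOM_4, ['p']), is_transitive(W, R)),
        'B': (frame_validates(W, R, AXIOM_B, ['p']), is_symmetric(W, R)),
    }


if __name__ == '__main__':
    # constructed frame: 0 -> 1 -> 2 with a self-loop on 2 (serial, nothing else)
    for ax, (valid, cond) in correspondence_table([0, 1, 2], {(0, 1), (1, 2), (2, 2)}).items():
        print(f'axiom {ax}: valid on the frame = {valid}, frame condition = {cond}')
```

On the constructed frame only D comes out valid, exactly as the frame is serial but neither reflexive, transitive nor symmetric; adding `(0, 2)` to the relation makes axiom 4 valid as well. A world with no successor (a dead end) falsifies D on its own, since □p holds there vacuously while ◇p fails; this is the situation Definition 7 below rules out by requiring seriality.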
Automatic translations of modal formulas into such conditions on frames
have been widely studied. In particular, Sahlqvist [114] exhibited a class of
formulas, called Sahlqvist formulas, which have nice correspondence properties. Indeed, although in general, every modal formula is equivalent to a
second-order condition on frames, a Sahlqvist formula ϕ has a first-order
equivalent F O(ϕ) (this first-order equivalent can be obtained in an effective
way). Moreover the logic K ⊕ ϕ is characterized by the frames which satisfy
F O(ϕ).
Definition 5 (Sahlqvist formulas). Let a positive (resp. negative) formula
of modal logic be one where all atomic propositions occur in the scope of an
even (resp. odd) number of negation signs only.
Let a Sahlqvist antecedent be a formula that is built up from atomic propositions prefixed by any finite number of necessity operators, and from negative formulas, using only ∧, ∨ and the possibility operator $\Diamond$. For example,
$\Diamond\Box p$ is a Sahlqvist antecedent, whereas $\Box\Diamond p$ and $\Box(p \vee q)$ are not.
Then, a Sahlqvist formula is any formula that may be obtained by applying
conjunctions and necessity operators to implications of the form ϕ1 ⇒ ϕ2 ,
where ϕ1 is a Sahlqvist antecedent, and ϕ2 is a positive formula.
Theorem 3 (Sahlqvist theorem [114]). Let ϕ be a Sahlqvist formula. There
is a computable first order condition on frames F O(ϕ) such that
(1) ϕ defines the frames (W, R) which satisfy F O(ϕ),
(2) the logic K ⊕ ϕ is characterized by the frames which satisfy F O(ϕ).
Actually, item (2) is more general: it applies not only to K but also to
any canonical logic. The notion of canonicity of a logic will not be defined
here.
Remark 1. Axioms T, D, 4, and B are Sahlqvist formulas.
We now provide the results of decidability and complexity for the previously introduced logics. A logic L is said to be decidable if the satisfiability
problem for L is decidable. For proofs consult [81, 34].
Theorem 4 (Decidability). All the logics K, KD, KT, S4, and S5, are
decidable. The satisfiability problem for K, KD, KT, and S4 is PSPACE-complete. The satisfiability problem for S5 is NP-complete.
2.2
Deontic logic
Instead of presenting an exhaustive state of the art in deontic logic, we discuss
Standard Deontic Logic (SDL) introduced by Von Wright [136], and some
direct extensions. We will not deal with non-monotonic/defeasible logics [56,
105, 72], which are useful to model argumentation or legal reasoning.
2.2.1
Standard Deontic Logic SDL
One of the first logical systems which attempted to capture obligation was
published in 1951 by Von Wright [136], of which the modal Kripke-style
version is known as Standard Deontic Logic (SDL).
Definition 6 (SDL). Standard Deontic Logic SDL is the modal logic KD,
where the necessity operator, which expresses obligation, is denoted O instead
of , and the possibility operator, which expresses permission, is denoted by
P instead of ♦.
Axiom D expresses that every obligatory formula is permitted, i.e., not
forbidden. Another formulation of axiom D is that a formula cannot be both
obligatory and forbidden.
Definition 7 (SDL semantics). As stated in theorem 1, SDL can be defined
as the logic which is characterized by the class of all the serial frames: SDL =
Log({F / F is serial}).
A SDL-frame is then a Kripke frame F = (W, R) such that R is serial,
a SDL-model is a triple M = (W, R, V ) such that (W, R) is an SDL-frame
and V is a valuation on W .
Since the modal operators express obligation and permission instead of
necessity and possibility, we now consider that the accessibility relation R
gives ideal alternative worlds, i.e., worlds in which what is obligatory actually holds. The fact that R is serial means that in every world, there
exists at least one ideal alternative. If there were a world from which no
ideal world is accessible, then everything would be obligatory in this world.
2.2.2
Some theorems and paradoxes
Here are some theorems in SDL (see e.g. [95] for a more detailed discussion):
• O(ϕ1 ∧ ϕ2 ) ⇔ O(ϕ1 ) ∧ O(ϕ2 )
(distributivity of O over ∧)
• P (ϕ1 ∨ ϕ2 ) ⇔ P (ϕ1 ) ∨ P (ϕ2 )
(distributivity of P over ∨)
• P(ϕ1 ∧ ϕ2) ⇒ P(ϕ1) ∧ P(ϕ2)
• O(ϕ1 ∨ ϕ2) ∧ O(¬ϕ1) ⇒ O(ϕ2)
• O(ϕ1) ⇒ O(ϕ1 ∨ ϕ2)
(Ross's paradox)
Ross claims [111] that this theorem is not intuitive under a commonsense reading: being obliged to post a letter does not imply being
obliged to post it or to burn it. According to many deontic logicians, the paradox is due to an incorrect reading [68]. First, SDL
reasons about state propositions, and obligation to satisfy state formulas, whereas the letter example reasons about obligation to perform
some action. In order to distinguish these two kinds of obligations, the
denominations ’obligation to be’ and ’obligation to do’ are often used.
An obvious difference is that the latter implicitly refers to an agent,
whereas the former does not. If we read O(ϕ1 ) as ’it is obligatory to
satisfy the condition ϕ1 ’, then it makes perfect sense to say that it
entails that ’it is obligatory to satisfy the condition ϕ1 ∨ ϕ2 ’, because
this latter condition is a logical consequence of the former condition.
• O(¬ϕ1) ⇒ O¬(ϕ1 ∧ ϕ2)
(Penitent's paradox)
This theorem is obtained by substituting ¬ϕ1 and ¬ϕ2 for ϕ1 and
ϕ2 respectively in the previous theorem. It is known as the Penitent's
paradox: if it is forbidden to commit a crime, then it is forbidden to commit a
crime and do penance. Again, if O(¬ϕ) is correctly read as 'it is obligatory
to satisfy the condition ¬ϕ' (that is, 'it is forbidden to satisfy the condition ϕ'),
then this theorem poses no problem.
One of the most serious paradoxes in SDL involves the notion of contrary-to-duty (CTD) obligations. These have to do with the specification of norms
which apply in case some other norms have already been violated. The
best known example is given by Chisholm [37]. Although the four following
statements are consistent, their formulation in SDL is not.
1. it is obligatory that John goes to the assistance of his neighbors
2. if John does go then it is obligatory that he tells them he is coming
3. if John doesn’t go, then it is obligatory that he does not tell them he
is coming
4. John doesn’t go
Let ϕ1 express 'John goes to the assistance of his neighbors' and ϕ2 express
'John tells them he is coming'. The formalisation of (1) and (4) as O(ϕ1) and
¬ϕ1 respectively is straightforward. On the other hand, the formalisation of
conditional obligations (2) and (3) is unclear. Indeed, do we have to model
(2) as ϕ1 ⇒ O(ϕ2 ) or as O(ϕ1 ⇒ ϕ2 )? Both formulations seem reasonable,
but ϕ1 ⇒ O(ϕ2 ) is derivable from (4) (¬ϕ1 ), whereas all of (1)-(4) are
intuitively independent from each other. Similarly, among both formulations
of (3) ¬ϕ1 ⇒ O(¬ϕ2 ) and O(¬ϕ1 ⇒ ¬ϕ2 ), the latter is derivable from (1)
(O(ϕ1 )). So, the four sentences are traditionally expressed as follows:
1. O(ϕ1 )
2. O(ϕ1 ⇒ ϕ2 )
3. ¬ϕ1 ⇒ O(¬ϕ2 )
4. ¬ϕ1
In SDL, this set (1)-(4) is inconsistent, contrary to the intuition behind
the four initial sentences. In conclusion, SDL cannot handle this situation:
either the considered statements are logically dependent, or they are inconsistent.
Several analyses and solutions have been proposed to solve CTD paradoxes. Some solutions are based on a temporal reading of paradoxes [49,
129, 15, 27]. Temporal deontic logics will be dealt with in the next chapter.
Another direction is to handle defeasible reasoning with nonmonotonic
logics [112, 93]. Statement 1 is then considered as a defeasible rule, and rule
3 applies in exceptional circumstances (John does not go to the assistance of
his neighbours). If these exceptional circumstances hold, then rule 3 ’defeats’
rule 1. There is no conflict because rule 1 and rule 3 do not apply in the same
circumstances.
Many arguments have been developed against the defeasible view of CTD
obligations (see, e.g., [104, 127]). Indeed, it fails to model that when the
secondary obligation applies (’it is obligatory that John does not tell he is
coming’), the primary obligation (’it is obligatory that John goes to the
assistance of his neighbours’) is violated. Some works [103, 104, 130, 127]
have followed another direction, based on a dyadic obligation operator,
with a preference semantics.
2.2.3
Dyadic deontic logic based on a preference relation
In this section, we present Hansson's Dyadic Standard Deontic Logic 3
(DSDL3) [62], the first logic to propose a semantics based on a preference
relation (denoted by $\succeq$) for a dyadic obligation operator. This idea gave rise
to extensions of DSDL3 [104, 127] and other deontic systems [12, 71]. An
obligation to satisfy ϕ1 given ϕ2, denoted by O(ϕ1/ϕ2), holds either
if there is no world which satisfies ϕ2, or if ϕ1 is satisfied by the best worlds
(maximal for $\succeq$) among those which satisfy ϕ2.
Definition 8 (Preference semantics). A model is a tuple $M = (W, \succeq, V)$
where
• W is a set of worlds
• $\succeq \subseteq W \times W$ is a transitive and complete (or total) binary relation,
viewed as a preference relation. $w \succeq w'$ is read as $w$ is at least as
good as $w'$.
– (transitivity) $\forall w, w', w'' \in W$, if $w \succeq w'$ and $w' \succeq w''$ then $w \succeq w''$
– (completeness, or totality) $\forall w, w' \in W$, $w \succeq w'$ or $w' \succeq w$
• $V : W \to 2^P$ is a valuation function on W
The formal semantics of a conditional obligation $O(\varphi_1/\varphi_2)$ is given as follows:
$w \models O(\varphi_1/\varphi_2)$ iff $\forall w' \in W,\ w' \models \neg\varphi_2$, or
$\exists w' \in W$ such that $w' \models \varphi_2$ and $\forall w'' \in W$, if $w'' \succeq w'$ then $w'' \models \varphi_2 \Rightarrow \varphi_1$
Notice that O(ϕ1 /ϕ2 ) is true in a world w iff it is true in every world.
The Chisholm scenario, now formulated as follows, is consistent.
1. O(ϕ1 )
2. O (ϕ2 /ϕ1 )
3. O (¬ϕ2 /¬ϕ1 )
4. ¬ϕ1
Notice, however, that from O(¬ϕ2 /¬ϕ1 ) and ¬ϕ1 , we cannot deduce
O(¬ϕ2 ), i.e., the derivation usually called ’deontic detachment’ does not
hold. This problem has been taken care of in some above-mentioned extensions, which are out of the scope of this thesis.
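The consistency of the Chisholm set under the preference semantics, and the failure of deontic detachment just noted, can be checked directly from Definition 8. The Python block below is an added example, not code from the thesis: it evaluates O(ϕ1/ϕ2) over a model whose preference relation is given by integer ranks (rank(w) ≥ rank(w') standing for w ⪰ w', which is transitive and total). The four-world ranking and the atom names goes and tells are constructed for the illustration.

```python
"""Hansson's preference semantics for the dyadic obligation O(phi1/phi2)
(Definition 8), as an added example; the model below is constructed here
and is not taken from the thesis. Formulas are predicates over a world's atoms."""

class PreferenceModel:
    """M = (W, ⪰, V). Each world carries a valuation (set of atoms) and an
    integer rank; w ⪰ w' holds iff rank(w) >= rank(w'), which is transitive
    and total as Definition 8 requires."""

    def __init__(self, worlds):
        self.worlds = worlds          # name -> (atoms, rank)

    def at_least_as_good(self, w, w2):
        return self.worlds[w][1] >= self.worlds[w2][1]

    def holds(self, w, phi):
        return phi(self.worlds[w][0])

    def obligation(self, phi1, phi2):
        """w |= O(phi1/phi2): either no world satisfies phi2, or some phi2-world
        w' exists such that every world at least as good as w' satisfies
        phi2 => phi1. The value does not depend on the evaluation world."""
        if not any(self.holds(w, phi2) for w in self.worlds):
            return True
        return any(
            self.holds(w1, phi2) and all(
                (not self.holds(w2, phi2)) or self.holds(w2, phi1)
                for w2 in self.worlds if self.at_least_as_good(w2, w1))
            for w1 in self.worlds)


def atom(a):  return lambda atoms: a in atoms
def neg(phi): return lambda atoms: not phi(atoms)
TOP = lambda atoms: True

GOES, TELLS = atom('goes'), atom('tells')     # phi1, phi2 of the Chisholm set

def chisholm_model():
    """Constructed ranking: the ideal world (John goes and tells) is best; among
    the worlds where he does not go, keeping quiet ranks above telling."""
    return PreferenceModel({
        'go_and_tell':   ({'goes', 'tells'}, 3),
        'stay_quiet':    (set(),             2),
        'stay_and_tell': ({'tells'},         1),
        'go_quiet':      ({'goes'},          0),
    })

def chisholm_diagnosis(m, actual='stay_quiet'):
    """The four Chisholm statements evaluated at the actual world, plus the
    unconditional O(not tells) that deontic detachment would derive from
    statements 3 and 4."""
    return {
        'O(goes)':               m.obligation(GOES, TOP),           # (1) O(phi1)
        'O(tells/goes)':         m.obligation(TELLS, GOES),         # (2) O(phi2/phi1)
        'O(not tells/not goes)': m.obligation(neg(TELLS), neg(GOES)),  # (3)
        'not goes':              m.holds(actual, neg(GOES)),        # (4) the actual world
        'O(not tells)':          m.obligation(neg(TELLS), TOP),     # detachment target
    }

if __name__ == '__main__':
    for statement, value in chisholm_diagnosis(chisholm_model()).items():
        print(f'{statement:24s} {value}')
```

Statements (1) to (4) all come out true in the same model, so the set is satisfiable; O(not tells) comes out false, because every world at least as good as any candidate w' includes the best world, where John tells. That is the failure of deontic detachment described above, made concrete.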
2.3
Temporal logic
Temporal logic is one of the most widely used modal logics, and has
become essential in computer science for the specification of reactive systems.
Its modal operators may concern the future (it is always true that . . . , it will
eventually be true that . . . ) or the past (it has always been true that . . . ,
ϕ1 has been true since ϕ2 was true). Because of its two dyadic operators (until and
since), the language and the semantics do not fit exactly with the generic
framework described in section 2.1. Another difference between temporal
logic and other modal logics is the presence of initial worlds.
Temporal logics are often classified according to whether time is assumed
to have a linear or a branching structure. Another classification is made between discrete and continuous models of time. We will introduce temporal
logic through linear temporal logic with discrete time, known as Linear Temporal Logic (LTL). In section 2.3.2, we will present LTL semantics
in more detail, and in section 2.3.4 we will introduce an axiomatization of LTL.
In section 2.3.5, we will present more briefly branching-time temporal logic,
and in section 2.3.6 we will be interested in timed logic.
2.3.1 Linear temporal logic
Linear Temporal Logic (LTL) studies temporal properties in the framework of a linear and discrete time. Here are the main temporal operators of LTL.
Future operators
  Xϕ        next ϕ
  ϕ1 U ϕ2   ϕ1 until ϕ2
Past operators
  X⁻¹ϕ      previous ϕ
  ϕ1 S ϕ2   ϕ1 since ϕ2
Xϕ means that ϕ will hold in the next state, and X⁻¹ϕ means that there is a previous state, and it satisfies ϕ. The same symmetry stands between U and S: ϕ1 U ϕ2 means that ϕ2 will be true, eventually, at some moment i, and ϕ1 is true from now until the moment before i, whereas ϕ1 S ϕ2 means that ϕ2 was true, in the past, at some moment i, and ϕ1 has been true from the moment after i until now.
The usual temporal operators G (always), G⁻¹ (always in the past), F (eventually), and F⁻¹ (eventually in the past) are defined as the following abbreviations:
Future operators
  Fϕ    =def  ⊤ U ϕ
  Gϕ    =def  ¬F¬ϕ
Past operators
  F⁻¹ϕ  =def  ⊤ S ϕ
  G⁻¹ϕ  =def  ¬F⁻¹¬ϕ
We also define the weak previous operator as X̃⁻¹ =def ¬X⁻¹¬. X̃⁻¹ϕ means that there is no previous state (the current instant is 0), or ϕ was true in the previous state.
To reason about deadlines, we will often index the future operator F with k, to express that a formula will be satisfied before k time steps:
  Fk ϕ  =def  ϕ                 if k = 0
  Fk ϕ  =def  ϕ ∨ X Fk−1 ϕ      if k > 0
CHAPTER 2. BASIC LOGICAL CONCEPTS
24
Definition 9 (LTL-language). The language L(X, U, X⁻¹, S) of LTL with all future and past operators is defined by the following syntax:
  ϕ ::= P | ⊥ | ϕ ⇒ ϕ | X ϕ | ϕ U ϕ | X⁻¹ ϕ | ϕ S ϕ
The language L(E), where E ⊆ {X, U, X⁻¹, S}, corresponds to the fragment of L(X, U, X⁻¹, S) which only contains the modal operators in E. For instance, L(X, U) corresponds to the pure future fragment of the language.
The logic LTL(E), where E ⊆ {X, U, X⁻¹, S}, is defined as the set of valid formulas (from the semantic point of view) or theorems (from the syntactic point of view) of L(E). The definitions of valid formulas and theorems of L(X, U, X⁻¹, S) are given in sections 2.3.2 and 2.3.4 respectively.
Many variants and extensions of LTL, which are out of the scope of this thesis, have been investigated (consult, e.g., [83, 44, 45]).
2.3.2 LTL semantics
Let us see in more detail the semantics of LTL, i.e., the structures needed to define the truth of temporal formulas.
Definition 10 (LTL-model). An LTL-model is a tuple M = (N, <, V) where
• the set N of the natural numbers represents the set of the moments
• < ⊆ N × N is the usual strict order on N; the immediate <-successor of i ∈ N is denoted i + 1 as usual
• V : N → 2^P is a valuation function which associates each instant with a set of atomic propositions
In the remainder, we use all the usual orders ≤, >, ≥ on N, which can all be defined from <.
Definition 11 (LTL satisfaction relation). Given an LTL-model M = (N, <, V), an instant i ∈ N, and a formula ϕ, we define |= by induction on ϕ (we write V, i |= ϕ or i |= ϕ for short):
  i |= p           iff  p ∈ V(i)                                     where p ∈ P
  i ⊭ ⊥
  i |= ϕ1 ⇒ ϕ2     iff  if i |= ϕ1 then i |= ϕ2
  i |= Xϕ          iff  i + 1 |= ϕ
  i |= ϕ1 U ϕ2     iff  ∃i' ≥ i such that i' |= ϕ2 and ∀i'' ∈ N, if i ≤ i'' < i' then i'' |= ϕ1
  i |= X⁻¹ϕ        iff  i > 0 and i − 1 |= ϕ
  i |= ϕ1 S ϕ2     iff  ∃i' ≤ i such that i' |= ϕ2 and ∀i'' ∈ N, if i' < i'' ≤ i then i'' |= ϕ1
A formula ϕ is said to be satisfied by a model M (denoted by M |= ϕ) if it is satisfied by its first state. A formula is said to be satisfiable if there is a model which satisfies it. A formula is said to be valid if every model satisfies it.
Notice that validity and satisfiability are evaluated at the initial instant. This corresponds to the anchored version of LTL [91]. This approach is commonly adopted in the model checking community [85, 39]. Another approach [59, 110] consists in considering that a formula is valid if it is true at all instants of all models. Similarly, a formula is then considered to be satisfiable if it holds at some instant of some model. We will refer to this second approach as the floating version of LTL. This second approach is closer to other modal logics, and allows for instance more standard axiomatizations. Notice that if we consider the pure-future fragment, both notions define the same set of valid formulas.
Notice that the semantics of the non-primitive temporal operators X̃⁻¹, G, G⁻¹, F, F⁻¹ are as follows:
  i |= X̃⁻¹ϕ   iff  i = 0 or (i > 0 and i − 1 |= ϕ)
  i |= Gϕ      iff  ∀i' ∈ N, if i ≤ i' then i' |= ϕ
  i |= G⁻¹ϕ    iff  ∀i' ∈ N, if i' ≤ i then i' |= ϕ
  i |= Fϕ      iff  ∃i' ∈ N such that i ≤ i' and i' |= ϕ
  i |= F⁻¹ϕ    iff  ∃i' ∈ N such that i' ≤ i and i' |= ϕ
Figure 2.2 illustrates an LTL-model which satisfies G p, F q, and p U q, for instance.
Figure 2.2: model satisfying Gp (a sequence of states labelled {p}, {p}, {p}, {p, q}, . . .)
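The following Python code is an added example (it is not part of the thesis): an evaluator for the satisfaction relation of Definition 11, including the past operators, over LTL-models given finitely as an ultimately periodic word u·v^ω (a prefix followed by a loop). The model used below, three instants labelled {p} followed by {p, q} forever, is constructed in the spirit of Figure 2.2; the continuation of the figure is an assumption. The only subtlety is the bound on the search for an until witness: a witness beyond the loop threshold can always be shifted back by one period, so the search is finite.

```python
# Added example (not from the thesis): LTL(X, U, X^-1, S) satisfaction
# (Definition 11) over an ultimately periodic model u.v^omega.
from functools import lru_cache

# Formulas: ("p", name), ("bot",), ("imp", f, g), ("X", f), ("U", f, g),
# ("Y", f) for the previous operator X^-1, ("S", f, g) for since.
def NOT(f):      return ("imp", f, ("bot",))
def AND(f, g):   return NOT(("imp", f, NOT(g)))
TOP = NOT(("bot",))
def F(f):        return ("U", TOP, f)          # F phi = top U phi
def G(f):        return NOT(F(NOT(f)))         # G phi = not F not phi
def WEAK_Y(f):   return NOT(("Y", NOT(f)))     # weak previous: true at instant 0

class Lasso:
    """An LTL-model N -> 2^P given as a finite prefix followed by a repeated loop."""
    def __init__(self, prefix, loop):
        self.prefix = [frozenset(s) for s in prefix]
        self.loop = [frozenset(s) for s in loop]
        assert self.loop, "the loop must be non-empty so that the model is infinite"

    def val(self, i):
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

    def threshold(self, f):
        """An instant T such that for every i >= T, f holds at i iff at i + |loop|.
        Future operators keep the threshold; past operators push it to the right."""
        L, kind = len(self.loop), f[0]
        if kind == "bot":  return 0
        if kind == "p":    return len(self.prefix)
        if kind in ("imp", "U"):
            return max(self.threshold(f[1]), self.threshold(f[2]))
        if kind == "X":    return self.threshold(f[1])
        if kind == "Y":    return self.threshold(f[1]) + 1
        if kind == "S":    return max(self.threshold(f[1]), self.threshold(f[2])) + L
        raise ValueError(f)

    def holds(self, f, i):
        """i |= f, following the clauses of Definition 11."""
        @lru_cache(maxsize=None)
        def ev(f, i):
            kind = f[0]
            if kind == "bot":  return False
            if kind == "p":    return f[1] in self.val(i)
            if kind == "imp":  return (not ev(f[1], i)) or ev(f[2], i)
            if kind == "X":    return ev(f[1], i + 1)
            if kind == "Y":    return i > 0 and ev(f[1], i - 1)
            if kind == "U":
                # A witness j >= i, if one exists, exists at or below
                # max(i, T) + |loop|: a later one can be shifted back a period.
                bound = max(i, self.threshold(f)) + len(self.loop)
                return any(ev(f[2], j) and all(ev(f[1], k) for k in range(i, j))
                           for j in range(i, bound + 1))
            if kind == "S":
                return any(ev(f[2], j) and all(ev(f[1], k) for k in range(j + 1, i + 1))
                           for j in range(i, -1, -1))
            raise ValueError(f)
        return ev(f, i)

# Constructed model: three instants labelled {p}, then {p, q} forever.
MODEL = Lasso(prefix=[{"p"}, {"p"}, {"p"}], loop=[{"p", "q"}])
p, q = ("p", "p"), ("p", "q")

def satisfied(f, model=MODEL):
    """M |= f: satisfaction is evaluated at the initial instant (anchored LTL)."""
    return model.holds(f, 0)

if __name__ == "__main__":
    for name, f in [("G p", G(p)), ("F q", F(q)), ("p U q", ("U", p, q))]:
        print(name, satisfied(f))
```

The formula F(q ∧ X⁻¹X⁻¹q) is a useful check: its first witness is instant 5, past the end of the prefix plus one loop, and it is found only because the threshold of the past subformula is taken into account in the search bound.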
2.3.3 Characterization of properties
A distinction between safety and liveness properties is often adopted in the specification of behavioural properties. These notions were introduced by Lamport in [82]. Roughly speaking, a safety property expresses that 'something bad will not happen', and a liveness property expresses that 'eventually, something good will happen'. Here, we consider the semantical view of a property: a property is defined as a set of sequences instead of a formula. In the semantics of LTL, a model (N, <, V) is a sequence over the alphabet 2^P of proposition sets. Thus, an LTL-formula can be viewed as the set of sequences (or models) which satisfy it. On the other hand, a set of sequences over the alphabet 2^P cannot necessarily be viewed as a formula, since LTL has only the expressiveness of first order logic over (N, <) (cf. theorem 6).
Safety properties have been widely studied since the eighties. Indeed, Alpern and Schneider established a strong correspondence between finite automata and safety properties. Abadi and Lamport generalized this correspondence to a particular class of infinite automata [1]. This correspondence seems to be one of the main justifications for the interest of safety properties. A first formal definition was given by Lamport in [82] and has been improved in [3].
Here, we use the standard notations for sequences. If S is an alphabet, the set of infinite (resp. finite) sequences over S is denoted by S^ω (resp. S*). If σ is a sequence over an alphabet S, and I ⊆ N is an interval, σ_I represents the sequence (σ(i))_{i∈I}. Notice that σ_I is infinite if and only if σ and I are infinite. For instance, σ_{≤i} represents the prefix of σ ending at index i, and σ_{>i} denotes the suffix of σ starting from index i + 1. If σ is a finite sequence, and τ is a sequence, σ · τ is the concatenation of σ and τ.
Definition 12 (Safety property). A property Γ ⊆ S^ω is a safety property iff the following condition holds for every sequence σ:
  if σ ∉ Γ then (∃i ∈ N ∀τ ∈ S^ω, σ_{≤i} · τ ∉ Γ)
Every sequence which does not belong to property Γ can be characterized by a 'bad' prefix, i.e., a prefix such that none of its continuations belongs to Γ.
An LTL-formula ϕ is a safety formula iff the set of the sequences (or models) which satisfy it is a safety property.
A liveness property expresses that 'eventually, something good will happen'. So, checking the violation of a liveness property requires considering some infinite sequence. Liveness properties were formally defined for the first time in [3].
Definition 13 (Liveness property). A property Γ is a liveness property iff
  {σ_{≤i} / σ ∈ Γ and i ∈ N} = S*
Every prefix can be extended so that it is in Γ.
An LTL-formula ϕ is a liveness formula iff the set of the sequences (or models) which satisfy it is a liveness property.
An interesting result, called the decomposition theorem, states that every property is the conjunction of a safety property and a liveness property. Abadi and Lamport proved this theorem in [1] using a topological characterization of safety and liveness properties. Given an alphabet S, the distance between two sequences in S^ω depends on the first index at which they differ from each other: the greater this index is, the lower the distance.
  dist(σ, σ')  =  0                                  if σ = σ'
  dist(σ, σ')  =  1 / min{k ∈ N / σ(k) ≠ σ'(k)}       otherwise
If we consider the topological space induced by this distance, safety properties and liveness properties correspond to closed sets and dense sets respectively. Since every set can be written as the intersection of a closed set and a dense set, the decomposition theorem follows straightforwardly.
This topology will be used to express conditions on models in section 4.2.3.
Some works [119, 86] have studied the syntactical characterizations of safety and liveness properties. Sistla exhibited in [119] the subset of the positive² LTL(X, U)-formulas built from the operators 'next' (X) and 'weak until' (W³). Actually, this subset is contained in the set of safety formulas, but there are safety formulas which are not in this subset: consider, e.g., F p ∧ ¬F p, which is a safety formula (equivalent to ⊥) and not in the given subset.
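The following Python code is an added example (it is not part of the thesis) of why the safety characterization matters in practice: for a positive formula built from X and W, every violation has a finite bad prefix (Definition 12), so a monitor that reads a trace step by step can report a violation as soon as the prefix seen so far falsifies the formula on every continuation. The monitor is sound (it reports only bad prefixes) and, for this fragment, every violating run is eventually reported; it does not claim to find the shortest bad prefix. The two policies, the event names and the traces are constructed for the illustration.

```python
# Added example (not from the thesis): a bad-prefix monitor for positive
# LTL(X, W) formulas, i.e. the safety fragment discussed above.

# Formulas (negation only on atoms): ("p", a), ("np", a) for a negated atom,
# ("bot",), ("and", f, g), ("or", f, g), ("X", f), ("W", f, g) for weak until.
def G(f):
    return ("W", f, ("bot",))                 # G f  =  f W bottom

def IMPLIES(atom, f):
    return ("or", ("np", atom), f)            # atom => f, in positive form

def violated(f, trace, i=0):
    """True iff every infinite continuation of the finite prefix `trace`
    falsifies f at position i, i.e. `trace` is a bad prefix for f at i.
    Positions beyond the prefix are unknown, so nothing is reported there."""
    if i >= len(trace):
        return False
    kind = f[0]
    if kind == "bot":  return True
    if kind == "p":    return f[1] not in trace[i]
    if kind == "np":   return f[1] in trace[i]
    if kind == "and":  return violated(f[1], trace, i) or violated(f[2], trace, i)
    if kind == "or":   return violated(f[1], trace, i) and violated(f[2], trace, i)
    if kind == "X":    return violated(f[1], trace, i + 1)
    if kind == "W":
        # f1 W f2  =  f2 or (f1 and X(f1 W f2)): definitely false at i iff f2 is
        # definitely false now and either f1 fails now or the unfolding fails next.
        return (violated(f[2], trace, i)
                and (violated(f[1], trace, i) or violated(f, trace, i + 1)))
    raise ValueError(f)

def first_bad_prefix(f, trace):
    """Length of the shortest prefix of `trace` this monitor reports as bad, or None."""
    for n in range(1, len(trace) + 1):
        if violated(f, trace[:n]):
            return n
    return None

# Constructed policies on a constructed event trace (one set of events per step).
NO_ACCESS_BEFORE_AUTH = ("W", ("np", "access"), ("p", "authenticated"))
REQUEST_ANSWERED_NEXT = G(IMPLIES("request", ("X", ("p", "response"))))

TRACE = [
    {"request"},                    # 0
    {"response", "authenticated"},  # 1
    {"access"},                     # 2: allowed, authentication happened at 1
    {"request"},                    # 3
    {"access"},                     # 4: the request at 3 is not answered here
]
TRACE_UNAUTH = [{"request"}, {"access"}]   # access without prior authentication

if __name__ == "__main__":
    print("no access before auth:", first_bad_prefix(NO_ACCESS_BEFORE_AUTH, TRACE))
    print("request answered next:", first_bad_prefix(REQUEST_ANSWERED_NEXT, TRACE))
    print("unauthenticated trace:", first_bad_prefix(NO_ACCESS_BEFORE_AUTH, TRACE_UNAUTH))
```

Note that the violation of G(request ⇒ X response) at step 3 is only reported once step 4 has been read: the prefix of length 4 still has continuations in which a response follows, so it is not a bad prefix.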
2.3.4 LTL axiomatization
Several equivalent axiomatizations of LTL have been studied. We present here the version published in [85], which is sound and complete with respect to the above semantics: a formula ϕ is valid if and only if it is derivable in this deductive system.
The axiom schemes are divided into three parts: the future axiom schemes
which involve only future operators, the past axiom schemes which involve
only past operators, and the mixed axiom scheme, which involves both future
and past operators.
Definition 14 (The future axiom schemes).
  F1  Gϕ ⇒ ϕ
  F2  G(X¬ϕ ⇔ ¬Xϕ)
  F3  G(X(ϕ1 ⇒ ϕ2) ⇒ (Xϕ1 ⇒ Xϕ2))
  F4  G(G(ϕ1 ⇒ ϕ2) ⇒ (Gϕ1 ⇒ Gϕ2))
  F5  Gϕ ⇒ XGϕ
  F6  (G(ϕ ⇒ Xϕ)) ⇒ G(ϕ ⇒ Gϕ)
  F7  G(ϕ1 U ϕ2 ⇔ ϕ2 ∨ (ϕ1 ∧ X(ϕ1 U ϕ2)))
  F8  G(ϕ1 U ϕ2 ⇒ Fϕ2)
Here is an intuitive view of the future axiom schemes.
• Axiom F1 states that if ϕ holds at all positions of a model, then in
particular it holds at the first position.
• Axiom F2 states that the next operator X is self-dual.
• Axiom F3 states that if in the next instant ϕ1 implies ϕ2 then if in the
next instant ϕ1 holds then so does ϕ2 .
² negation can only be applied to atomic propositions
³ ϕ1 W ϕ2 =def Gϕ1 ∨ ϕ1 U ϕ2
• Axiom F4 is the analogue of F2 for the G operator.
• Axiom F5 states that if ϕ is true at all future instants it must be true
at every next instant.
• Axiom F6 is a "computational induction" axiom; it states that if a
property is inherited over one step transition, it is invariant over any
suffix sequence whose first state satisfies it.
• Axiom F7 characterizes the until operator by distributing its effect into
what is implied for the present and what is implied for the next instant.
• Axiom F8 states that ϕ1 U ϕ2 implies that ϕ2 will eventually happen.
Definition 15 (The past axiom schemes).
  P1  G(X⁻¹ϕ ⇒ X̃⁻¹ϕ)
  P2  G(X⁻¹(ϕ1 ⇒ ϕ2) ⇒ (X⁻¹ϕ1 ⇒ X⁻¹ϕ2))
  P3  Gϕ ⇒ GX̃⁻¹ϕ
  P4  G(ϕ1 S ϕ2 ⇔ ϕ2 ∨ (ϕ1 ∧ X⁻¹(ϕ1 S ϕ2)))
  P5  X̃⁻¹⊥
Here is an intuitive view of the past axiom schemes.
• Axiom P1 establishes the connection between the weak-previous operator and the previous operator.
• The axioms P2, P3, P4 have similar descriptions as the axioms F3, F5, F7.
• Axiom P5 does not resemble a corresponding future axiom. It states that the first position of every sequence satisfies X̃⁻¹⊥.
Definition 16 (The mixed axiom scheme).
  M1  G(ϕ ⇒ XX⁻¹ϕ)
The mixed axiom scheme states that if ϕ is true at some instant, then going forwards and backwards leads to an instant (obviously the same instant) which also satisfies ϕ.
Definition 17 (Inference rules). The three inference rules are Uniform Substitution, Modus Ponens, and G-necessitation.
• Uniform substitution
• Modus Ponens
• G-Necessitation for propositional tautologies: if ϕ is a substitution instance of a propositional tautology, then G ϕ is a theorem.
Remark 2. The axiomatization of the floating version of LTL (e.g., in [58, 110]) slightly differs. For instance, the first G operator in the schemes F2, F3, F4, F7, F8, P1, P2, P4, M1 is removed, and the P5 scheme, which states that the first instant of every model satisfies X̃⁻¹⊥, is replaced by F⁻¹X̃⁻¹⊥, which states that every instant of every model is preceded by an initial instant. Rule G-necessitation is no longer limited to instances of propositional tautologies.
Theorem 5 (Soundness and completeness). This axiomatization is sound and complete with respect to the LTL semantics defined in section 2.3.2.
Theorem 6 (Expressiveness [74, 58]). L(X, U) and L(X, U, X⁻¹, S) have the same expressiveness: for every L(X, U, X⁻¹, S)-formula ϕ, there is an L(X, U)-formula ϕ' such that for every LTL-valuation V, V, 0 |= ϕ iff V, 0 |= ϕ'. (The converse is straightforward.)
Actually, L(X, U) has the same expressive power as the first order language over (N, =, <) with unary predicates, i.e., for every first order formula ϕ(x) with one free variable x, there is an L(X, U)-formula ϕ' such that for every valuation V, V, 0 |=FO[<] ϕ(x)⁴ iff V, 0 |=LTL ϕ'.
Although L(X, U) and L(X, U, X⁻¹, S) have the same expressiveness, i.e., every L(X, U, X⁻¹, S)-formula can be translated into an L(X, U)-formula which is initially equivalent, the translation is not efficient. In other words, adding past operators makes formulas shorter, which is interesting in the specification process. Actually, it is shown in [83] that L(X, U, X⁻¹, S) is exponentially more succinct than L(X, U).
Theorem 7 (Decidability). LTL(X, U, X⁻¹, S) is decidable. The satisfiability problem for LTL(X, U, X⁻¹, S) and LTL(X, U) is PSPACE-complete [118].
2.3.5 Branching-time temporal logic
Linear Temporal Logic can only specify properties along a run. Indeed, we can express in LTL that a proposition will be true in the future, or that it will never be true, but we cannot express that it can be true in the future. We need to represent different alternative future states in the underlying model in order to overcome this limitation. Some temporal logics deal with a branching-time model. One of the most famous is Computation Tree Logic (CTL) [38], which has in particular the very attractive feature of having a polynomial model checking problem (cf. section 2.4). It has only future operators. For a discussion about the expression of the past in a branching-time framework, see e.g. [79, 110, 120, 84]. From the linear temporal operators X and U, we get four branching-time temporal operators: EX, AX, E(·U·), and A(·U·):
⁴ unary predicates in ϕ are interpreted with V, and the free variable x is interpreted as 0
• EX ϕ means that there is a next state which satisfies ϕ.
• E(ϕ1 U ϕ2 ) means that there is a possible future path which satisfies
ϕ2 at some instant i, and ϕ1 from now until the moment before i.
• A(ϕ1 U ϕ2 ) means that every possible future path satisfies ϕ2 at some
instant i and ϕ1 from now until the moment before i.
Definition 18 (CTL-syntax). Given a set P of atomic propositions, the language of CTL is defined by the following syntax:
  ϕ ::= P | ⊥ | ϕ ⇒ ϕ | EX ϕ | E(ϕ U ϕ) | A(ϕ U ϕ)
We define the different usual abbreviations as follows:
  AXϕ  =def  ¬EX¬ϕ       every next state satisfies ϕ
  EFϕ  =def  E(⊤ U ϕ)    there is a path which satisfies ϕ at some instant
  AGϕ  =def  ¬EF(¬ϕ)     every path satisfies ϕ at every instant
  AFϕ  =def  A(⊤ U ϕ)    every path satisfies ϕ at some instant
  EGϕ  =def  ¬AF(¬ϕ)     there is a path which satisfies ϕ at every instant
Let us see the semantics of CTL (for an axiomatization of CTL, see for instance [51]). The set N of the natural numbers is no longer appropriate for representing the set of the moments. We thus consider temporal frames (W, R) where W is a set of moments, or states, and the accessibility relation R ⊆ W × W models the passing of time: (w, w') ∈ R means that w' is a possible temporal successor of w.
Definition 19 (CTL-frame). A CTL-frame is a Kripke structure with initial states F = (W, I, R), where (W, R) is a Kripke structure and I its set of initial states (or worlds):
• W is a set of states, or worlds
• I ⊆ W is a set of initial states
• R ⊆ W × W is a serial accessibility relation on the states
A valuation for a frame F = (W, I, R) is a function V : W → 2^P which associates each state with a set of atomic propositions. The pair (F, V) is a CTL-model.
A path σ in M is an infinite sequence σ = w0 w1 . . . such that
• every wi is a state of W
• ∀i, (wi, wi+1) ∈ R
The i-th state of σ is denoted σi. The suffix of σ which starts from the i-th state is denoted by σ^i. The set of the paths σ starting from a given state w, i.e., such that σ0 = w, is denoted by Paths(w).
Definition 20 (CTL satisfaction relation). Given a CTL-model M = (W, I, R, V), a state w, and a formula ϕ, we define |= by induction on ϕ:
  w |= p             iff  p ∈ V(w)                                    where p ∈ P
  w ⊭ ⊥
  w |= ϕ1 ⇒ ϕ2       iff  if w |= ϕ1 then w |= ϕ2
  w |= EX(ϕ)         iff  ∃w' ∈ W such that (w, w') ∈ R and w' |= ϕ
  w |= A(ϕ1 U ϕ2)    iff  ∀σ ∈ Paths(w) ∃i ∈ N such that σi |= ϕ2 and ∀j ∈ N, if 0 ≤ j < i then σj |= ϕ1
  w |= E(ϕ1 U ϕ2)    iff  ∃σ ∈ Paths(w) ∃i ∈ N such that σi |= ϕ2 and ∀j ∈ N, if 0 ≤ j < i then σj |= ϕ1
A formula is said to be satisfied by a model if it is satisfied by its initial states:
  M |= ϕ  iff  ∀w ∈ I, w |= ϕ
A formula is said to be valid if every model satisfies it:
  |= ϕ  iff  for every model M, M |= ϕ
Figure 2.3: CTL-model (states w0, w1, w2, w3 labelled {p}, {p}, {p}, {p, q}; the transitions are not recoverable from the text)
Figure 2.3 represents a CTL-model with one initial state (w0). Here are some CTL-formulas satisfied by this model.
• w0 |= E(p U q)
• w0 |= EX (EX q ∧ EX p)
• w0 |= AF p ∧ EF q
• w0 |= EG p
One of the main differences between CTL and LTL concerns their respective expressiveness. More precisely, there are properties that one can express in CTL, but that cannot be expressed in LTL, and vice versa. Formally speaking, the expressiveness of CTL and LTL is incomparable. However, if we consider that LTL-formulas are implicitly in the scope of a universal path quantifier, then the expressiveness of CTL and LTL are distinct (both languages contain formulas which cannot be expressed in the other language).
An extension of CTL, called CTL* [50], unifies both logics. The expressiveness of CTL* comprises that of both CTL and LTL. Indeed, a formula can be composed of arbitrary combinations of temporal operators and path quantifiers. In the definition of CTL* syntax, we distinguish between path formulas, which can be any LTL formulas, and are true in a specific path, and state formulas, which are propositional, or start with a path quantifier, and are true in a specific state.
Definition 21 (CTL*-syntax). We define the state formulas by the following syntax:
  ϕstate ::= p | ⊥ | ϕstate ⇒ ϕstate | E ϕpath
where p ∈ P is an atomic proposition.
We define the path formulas by the following syntax:
  ϕpath ::= ϕstate | Xϕpath | ϕpath U ϕpath
The path quantifier A can be defined as the dual of E: Aϕ =def ¬E¬ϕ.
Definition 22 (CTL* satisfaction relation). A CTL*-model does not differ from a CTL-model. A state formula ϕst is interpreted in a state w (we note w |= ϕstate), whereas a path formula ϕpath is interpreted over a path σ (we note σ |= ϕpath).
State formulas
  w |= p               iff  p ∈ V(w)                             where p ∈ P
  w ⊭ ⊥
  w |= ϕ1 ⇒ ϕ2         iff  if w |= ϕ1 then w |= ϕ2
  w |= E(ϕpath)        iff  ∃σ ∈ Paths(w) such that σ |= ϕpath
Path formulas
  σ |= ϕstate          iff  σ0 |= ϕstate
  σ |= Xϕpath          iff  σ^1 |= ϕpath
  σ |= ϕpath1 U ϕpath2 iff  ∃i ∈ N such that σ^i |= ϕpath2 and ∀j ∈ N, if 0 ≤ j < i then σ^j |= ϕpath1
It has been hard to provide CTL* with usable reasoning systems: although the syntax and semantics of CTL* were published in the 80's [50], important results concerning reasoning systems only appeared at the beginning of the 2000s: a combined rewrite and proof system in [102] and a complete Hilbert-style axiomatization in [109] using a rather complex inference rule.
Theorem 8 (Decidability). CTL* is decidable [52] and its satisfiability problem is 2EXPTIME-complete [51].
2.3.6 Timed logic
Timed logic extends temporal logic in order to express properties where durations are explicitly involved, such as deadline constraints (ϕ will hold within five minutes). Such constraints are called timed or real-time constraints. Several real-time logics have been developed both in branching time and in linear time frameworks. Another distinction is between discrete and continuous time models. Verification techniques which use discrete time models apply to a wider range of real-time properties, while continuous time models are well adapted for composing systems. For a more detailed comparison, see e.g. [66].
In this section, we focus on continuous semantics. We present the real-time extension Timed Linear Temporal Logic (TLTL) [9] of LTL and the real-time extension Timed Computation Tree Logic (TCTL) [5, 4] of the branching time logic CTL. The semantics of TLTL is based on timed sequences whereas the semantics of TCTL is based on timed automata.
It is clear that temporal models based on Kripke frames are useless in a context of continuous time. Indeed, transitions from one state to another are always made by one or more 'jumps', which gives Kripke frames an inherently discrete nature. Instead of considering such 'jumps', we measure the elapse of time through a set 𝒞 of variables called clocks. Clock valuations are functions from 𝒞 to the set R+ of non-negative real numbers. For every valuation v : 𝒞 → R+ and d ∈ R+, we use v + d to denote the time assignment which maps each clock x ∈ 𝒞 to v(x) + d. For every set r ⊆ 𝒞 of clocks, we write v[r := 0] for the valuation which maps each clock in r to 0, and each clock x in 𝒞 \ r to v(x).
Definition 23 (Clock constraint). Given a set C ⊆ 𝒞 of clocks, we define the set B(C) of the clock constraints g on C inductively:
  g ::= ⊥ | g ⇒ g | x ≺ c | x − y ≺ c
where x, y ∈ C are clocks, c ∈ N is a natural number, and ≺ ∈ {≤, <}.
Given a valuation v and a clock constraint g, we define the satisfaction relation |= as follows:
  v ⊭ ⊥
  v |= g1 ⇒ g2      iff  if v |= g1 then v |= g2
  v |= x ≺ c        iff  v(x) ≺ c
  v |= x − y ≺ c    iff  v(x) − v(y) ≺ c
In TLTL and TCTL, we introduce a reset operator x.ϕ which allows us to measure the time elapsed starting from the present state. Every occurrence of x in ϕ is then bound. When a formula x.ϕ is interpreted in a state of a timed system (a timed sequence in the case of TLTL, and a timed automaton in the case of TCTL) we require that x is never reset by the timed system. Indeed, the formula x.F(ϕ ∧ x < 5) means that ϕ will be true before 5 time units. If we interpret this formula in a timed sequence which resets x, the meaning of the formula is distorted.
Timed Linear Temporal Logic (TLTL)
We present here the syntax and the semantics of TLTL [9].
Definition 24 (TLTL-syntax). Given a set P of atomic propositions and a set C ⊆ 𝒞 of clocks, the TLTL language is defined by the following syntax:
  ϕ ::= p | g | ⊥ | ϕ ⇒ ϕ | ϕ U ϕ | x.ϕ
where p ∈ P is an atomic proposition, g ∈ B(C) is a clock constraint, and x ∈ 𝒞 is a clock.
Definition 25 (Timed sequence). Given a set Q of control states and a set C ⊆ 𝒞 of clocks, we define a timed sequence ρ on C as a (finite or infinite) sequence ρ = (q0, v0) →t0 (q1, v1) →t1 . . . such that
• every qi is a control state in Q; the pair (qi, vi) is called a configuration state
• every vi+1 : 𝒞 → R+ is the clock valuation when entering the control state qi+1 after having stayed in qi for ti time units. Only the clocks in C can be reset: for each i and each clock x:
  – if x ∈ C, then we require that either vi+1(x) = 0 or vi+1(x) = vi(x) + ti
  – if x ∉ C, then vi+1(x) = vi(x) + ti
• at each step, if the control state is unchanged, then at least one clock is reset: for each i, if qi+1 = qi then there exists x ∈ C such that vi+1(x) = 0
• every time t ∈ R+ "belongs" to the timed sequence: ∀t ∈ R+ ∃k ∈ N such that Σ_{i∈0..k} ti > t
A sequence ρ actually defines an infinite and dense set of configuration states. Indeed, between two 'steps' qi and qi+1, the system goes through all the configuration states (qi, vi + t) such that t ≤ ti. If si denotes the configuration state (qi, vi) and t ∈ R+ is a time duration, then si + t denotes the configuration state (qi, vi + t). So, for every timed sequence ρ = s0 →t0 s1 →t1 s2 . . ., we define
• the domain dom(ρ) of ρ as dom(ρ) =def ∪_{i∈N} dom_i(ρ), where dom_i(ρ) =def {(si + t, i) / t ≤ ti}
• and ⪯ as the following complete ordering on dom(ρ): ∀i, j ∈ N ∀t, t' ∈ R+, (si + t, i) ⪯ (sj + t', j) iff i < j or (i = j and t ≤ t')
Definition 26 (TLTL-semantics). Given a timed sequence ρ = (q0, v0) →t0 (q1, v1) . . . on a clock set C, a pair (s, i) ∈ dom(ρ), a valuation V : Q → 2^P, and a TLTL-formula ϕ, we define |= by induction on ϕ:
  s, i, V |= p            iff  p ∈ V(q) where s = (q, v)
  s, i, V |= g            iff  v |= g where s = (q, v)
  s, i, V ⊭ ⊥
  s, i, V |= ϕ1 ⇒ ϕ2      iff  if s, i, V |= ϕ1 then s, i, V |= ϕ2
  s, i, V |= ϕ1 U ϕ2      iff  ∃(s', i') ∈ dom(ρ) such that (s, i) ⪯ (s', i') and s', i', V |= ϕ2
                               and ∀(s'', i'') ∈ dom(ρ), if (s, i) ⪯ (s'', i'') ≺ (s', i') then s'', i'', V |= ϕ1 ∨ ϕ2
  s, i, V |= x.ϕ          iff  (q, v[x := 0]), i, V |= ϕ where s = (q, v)
Note that we require x not to be reset in ρ, i.e., x ∈ 𝒞 \ C.
A timed sequence ρ = s0 →t0 s1 . . . satisfies ϕ given a valuation V if its first configuration state satisfies ϕ:
  ρ |= ϕ  iff  s0, 0, V |= ϕ
Notice that another timed extension of LTL, called Metric Temporal Logic (MTL) [8, 75], introduces timed operators by adding subscripts to the until operator. p U_I q, where I is an interval with integer end points (possibly unbounded), means that q will hold at some instant in the interval I, and p holds from now until this instant. It is clear that such a formula can be translated into the following TLTL-formula, which is satisfied by the same timed sequences: x.(p U (q ∧ x ∈ I)), where x ∈ I can be expressed as a clock constraint. For instance, the formula p U_{>3} q expresses that q will hold at some instant greater than 3, and p holds from now until this instant. It can be expressed in TLTL as x.(p U (q ∧ x > 3)). It has been shown in [24] that TLTL is strictly more expressive than MTL.
While both TLTL and MTL are undecidable, the restriction of MTL where the until subscripts are not singular, called Metric Interval Temporal Logic (MITL [7]), is decidable.
Theorem 9. TLTL and MTL are undecidable [9]. MITL is decidable, and its satisfiability problem is EXPSPACE-complete [7].
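The following Python code is an added example (it is not part of the thesis) that puts the clock machinery of Definitions 23 and 25 to work: the operations v + d and v[r := 0], the evaluation of clock constraints, a checker for the well-formedness conditions of a timed sequence (on a finite prefix, so the time-divergence condition is not checked), and the evaluation of the bounded until p U_I q of MTL through its TLTL reading x.(p U (q ∧ x ∈ I)). The control states, durations, resettable clock set and valuation V are constructed for the illustration. The evaluation of p U_I q assumes that p and q are atomic propositions attached to control states, as in Definition 26, so that all points of a step carry the same propositions: the candidate witnesses for q are then the points of a q-step whose elapsed-time range meets I, and every earlier step must satisfy p or q.

```python
# Added example (not from the thesis): clock valuations, clock constraints,
# timed-sequence well-formedness (Definitions 23 and 25) and the MTL bounded
# until read as x.(p U (q and x in I)).

ALL_CLOCKS = {"x", "y"}   # the universe of clocks (calligraphic C in the text), constructed

def advance(v, d):
    """v + d: every clock advances by d time units."""
    return {c: t + d for c, t in v.items()}

def reset(v, r):
    """v[r := 0]: the clocks in r are set to 0, the others keep their value."""
    return {c: (0.0 if c in r else t) for c, t in v.items()}

# Clock constraints g ::= bot | g => g | x ≺ c | x - y ≺ c, with ≺ in {<=, <},
# encoded as ("bot",), ("imp", g, g), ("cmp", x, op, c), ("diff", x, y, op, c).
def sat_constraint(v, g):
    kind = g[0]
    if kind == "bot":
        return False
    if kind == "imp":
        return (not sat_constraint(v, g[1])) or sat_constraint(v, g[2])
    if kind == "cmp":
        lhs, op, c = v[g[1]], g[2], g[3]
    elif kind == "diff":
        lhs, op, c = v[g[1]] - v[g[2]], g[3], g[4]
    else:
        raise ValueError(g)
    return lhs < c if op == "<" else lhs <= c

def check_timed_sequence(seq, resettable):
    """Definition 25 on a finite prefix.  seq is a list of (q, v, t) steps: the system
    enters control state q with clock valuation v and stays there t time units.
    Returns the list of violated conditions (empty = well formed so far)."""
    problems = []
    for i in range(len(seq) - 1):
        (q, v, t), (q2, v2, _) = seq[i], seq[i + 1]
        for c in ALL_CLOCKS:
            if c in resettable:
                if v2[c] not in (0.0, v[c] + t):
                    problems.append(f"step {i}: clock {c} neither reset nor advanced by {t}")
            elif v2[c] != v[c] + t:
                problems.append(f"step {i}: non-resettable clock {c} must advance by {t}")
        if q2 == q and not any(v2[c] == 0.0 for c in resettable):
            problems.append(f"step {i}: control state {q} unchanged but no clock reset")
    return problems

def bounded_until(seq, V, p, q, lo, hi, lo_strict=False, hi_strict=False):
    """p U_I q at the first configuration of seq, I = (lo, hi) with the given
    strictness (hi=None for an unbounded interval).  The reset clock x of the TLTL
    translation measures elapsed time, so step i covers the range [e_i, e_i + t_i]:
    a witness for q exists in step i iff q holds in its control state and that
    range meets I, and every earlier step must satisfy p or q."""
    elapsed = 0.0
    for state, _, t in seq:
        start, end = elapsed, elapsed + t
        if q in V[state]:
            meets_lo = end > lo if lo_strict else end >= lo
            meets_hi = hi is None or (start < hi if hi_strict else start <= hi)
            if meets_lo and meets_hi:
                return True
        if p not in V[state] and q not in V[state]:
            return False   # this step has points satisfying neither p nor q
        elapsed = end
    return False           # no witness within the finite prefix

# Constructed timed sequence on the resettable clock y (x is never reset).
V = {"requested": {"p"}, "granted": {"q"}}
SEQ = [("requested", {"x": 0.0, "y": 0.0}, 2.5),
       ("granted",   {"x": 2.5, "y": 0.0}, 4.0),   # y reset when granted
       ("granted",   {"x": 6.5, "y": 0.0}, 1.0)]   # same state again, so y is reset
SEQ_BAD = [("idle", {"x": 0.0, "y": 0.0}, 1.0),
           ("idle", {"x": 1.0, "y": 1.0}, 2.0)]    # unchanged state, no reset

if __name__ == "__main__":
    print(check_timed_sequence(SEQ, {"y"}), check_timed_sequence(SEQ_BAD, {"y"}))
    print("p U_{<3} q:", bounded_until(SEQ, V, "p", "q", 0, 3, hi_strict=True))
    print("p U_{>3} q:", bounded_until(SEQ, V, "p", "q", 3, None, lo_strict=True))
```

On the constructed sequence, q is first reached at elapsed time 2.5, so p U_{<3} q and p U_{>3} q both hold while p U_{<2} q does not; the witness for the latter two lies inside the second step, which is why the range of a step rather than only its entry point is compared with I.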
Timed Computation Tree Logic (TCTL)
We now present a real-time extension of the branching time logic CTL, called TCTL [8]. We first define its syntax, and then its semantics which is based on timed automata [6, 25].
Definition 27 (TCTL-syntax). Given a set P of atomic propositions and a set C ⊆ 𝒞 of clocks, the language of TCTL is defined by the following syntax:
  ϕ ::= p | g | ⊥ | ϕ ⇒ ϕ | E(ϕ U ϕ) | A(ϕ U ϕ) | x.ϕ
where p ∈ P is an atomic proposition, g ∈ B(C) is a clock constraint, and x ∈ 𝒞 is a clock.
Definition 28 (Timed automata). A timed automaton on a set C ⊆ 𝒞 of clocks (which can be reset) is a tuple (Q, Q0, −→, Inv, V, F), where
• Q is a finite set of control states
• Q0 ⊆ Q is a set of initial states
• −→ ⊆ Q × B(C) × 2^C × Q is a finite set of transitions: for (q, g, r, q') ∈ −→ (we will prefer the notation q −g,r→ q'), q is the starting state, g is the guard, or enabling condition, r is the set of clocks to be reset by the transition, and q' is the destination state
• Inv : Q → B(C) associates each state with a clock constraint, named invariant
• V : Q → 2^P associates each state with a set of atomic propositions
• F ⊆ Q is a set of accepting states
A timed sequence ρ = (q0, v0) →t0 (q1, v1) →t1 . . . on a clock set C is said to be an accepting path (or simply a path) over the automaton A = (Q, Q0, −→, Inv, V, F) (on the same set C of clocks) if
• for each i and each t ∈ R+, if t ≤ ti then vi + t |= Inv(qi)
• for each i there exists a transition qi −g,r→ qi+1 such that vi + ti |= g and (vi + ti)[r := 0] = vi+1
• if ρ is finite, then its last state qn is accepting, i.e., qn ∈ F
A configuration state s = (q, v) is said to be accessible in a timed automaton A if there exists a path ρ over A and an integer i such that (s, i) ∈ dom(ρ).
Definition 29 (TCTL-semantics). Given a timed automaton A, a configuration state s accessible in A, and a TCTL-formula ϕ, we define |= by induction on ϕ:
  s |= E(ϕ1 U ϕ2)  iff  there exists a path ρ over A starting from s such that ∃(s', i) ∈ dom(ρ) such that s' |= ϕ2 and ∀(s'', i'') ∈ dom(ρ), if (s, 0) ⪯ (s'', i'') ≺ (s', i) then s'' |= ϕ1 ∨ ϕ2
  s |= A(ϕ1 U ϕ2)  iff  for every path ρ over A starting from s, ∃(s', i) ∈ dom(ρ) such that s' |= ϕ2 and ∀(s'', i'') ∈ dom(ρ), if (s, 0) ⪯ (s'', i'') ≺ (s', i) then s'' |= ϕ1 ∨ ϕ2
  s |= x.ϕ         iff  s[x := 0] |= ϕ
We require, as for TLTL, that x is not reset by A, i.e., that x ∈ 𝒞 \ C.
Theorem 10. TCTL is undecidable [8].
2.4 Model checking
Temporal logics have proved to be useful for specifying properties of reactive systems. One of the main verification methods, called model checking, is an automatic technique for verifying finite state concurrent systems. The first task is to convert a program into a Kripke model which formally describes its behaviour. Then, the properties which must be satisfied by the system are expressed in temporal logic.
Definition 30 (Model checking in the linear time case). For linear temporal logics, we define model checking as follows: given a model M (a Kripke model in a discrete time framework, a timed automaton in a continuous time framework) and a formula ϕ, does every M-path σ (starting from an initial state) satisfy ϕ?
  logic   | satisfiability | model checking
  LTL     | PSPACE-c       | PSPACE-c
  CTL     | EXPTIME-c      | PTIME-c
  CTL*    | 2EXPTIME-c     | PSPACE-c

  logic   | satisfiability | model checking
  TLTL    | undecidable    | undecidable
  MITL    | EXPSPACE-c     | EXPSPACE-c
  TCTL    | undecidable    | PSPACE-c
Figure 2.4: Complexity results for usual temporal logics
The standard technique for LTL model checking consists in translating ¬ϕ into a Büchi automaton A¬ϕ, and then checking that the product M × A¬ϕ has an empty language [61, 60].
Definition 31 (Model checking in the branching time case). For branching time temporal logics such as CTL, CTL* and TCTL, model checking is specified as follows: given a model M (a Kripke model in a discrete time framework, a timed automaton in a continuous time framework) and a formula ϕ, is it the case that every initial state satisfies ϕ?
The standard technique for CTL model checking consists in labelling each state with the set of satisfied subformulas, and checking that every initial state is labelled by ϕ.
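The following Python code is an added example (it is not part of the thesis) of the labelling technique just described, which is also a direct implementation of the CTL satisfaction relation of Definition 20 in section 2.3.5: for each subformula, bottom-up, the set of states satisfying it is computed, the two until modalities being least fixpoints over the successor relation, and the model is accepted iff every initial state is labelled by the formula. The Kripke structure is constructed for the illustration: its states and labels follow Figure 2.3, but its transitions are an assumption, since the figure's edges are not given in the text.

```python
# Added example (not from the thesis): CTL model checking by labelling
# (Definition 20 read as a bottom-up computation of satisfying states).

# Formulas: ("p", name), ("bot",), ("imp", f, g), ("EX", f), ("EU", f, g), ("AU", f, g).
def NOT(f):     return ("imp", f, ("bot",))
def AND(f, g):  return NOT(("imp", f, NOT(g)))
TOP = NOT(("bot",))
def AX(f):      return NOT(("EX", NOT(f)))      # AX f = not EX not f
def EF(f):      return ("EU", TOP, f)           # EF f = E(top U f)
def AG(f):      return NOT(EF(NOT(f)))          # AG f = not EF not f
def AF(f):      return ("AU", TOP, f)           # AF f = A(top U f)
def EG(f):      return NOT(AF(NOT(f)))          # EG f = not AF not f

class KripkeModel:
    """A CTL-model (W, I, R, V) with a serial accessibility relation R."""
    def __init__(self, states, initial, transitions, valuation):
        self.states = frozenset(states)
        self.initial = frozenset(initial)
        self.succ = {w: frozenset(v for (u, v) in transitions if u == w) for w in self.states}
        assert all(self.succ[w] for w in self.states), "R must be serial"
        self.val = {w: frozenset(valuation.get(w, ())) for w in self.states}

    def sat(self, f):
        """The labelling of f: the set of states w such that w |= f."""
        kind = f[0]
        if kind == "bot":
            return frozenset()
        if kind == "p":
            return frozenset(w for w in self.states if f[1] in self.val[w])
        if kind == "imp":
            a, b = self.sat(f[1]), self.sat(f[2])
            return (self.states - a) | b
        if kind == "EX":
            a = self.sat(f[1])
            return frozenset(w for w in self.states if self.succ[w] & a)
        if kind in ("EU", "AU"):
            a, b = self.sat(f[1]), self.sat(f[2])
            # Least fixpoint: start from the f2-states and keep adding f1-states
            # from which some successor (EU) / every successor (AU) is labelled.
            labelled = set(b)
            while True:
                if kind == "EU":
                    step = {w for w in a - labelled if self.succ[w] & labelled}
                else:
                    step = {w for w in a - labelled if self.succ[w] <= labelled}
                if not step:
                    return frozenset(labelled)
                labelled |= step
        raise ValueError(f)

    def check(self, f):
        """M |= f iff every initial state is labelled by f."""
        return self.initial <= self.sat(f)

# Constructed model in the spirit of Figure 2.3: w0 -> w1, w1 -> w2, w1 -> w3,
# with self-loops on w2 and w3 so that R is serial (the edges are an assumption).
MODEL = KripkeModel(
    states={"w0", "w1", "w2", "w3"},
    initial={"w0"},
    transitions={("w0", "w1"), ("w1", "w2"), ("w1", "w3"), ("w2", "w2"), ("w3", "w3")},
    valuation={"w0": {"p"}, "w1": {"p"}, "w2": {"p"}, "w3": {"p", "q"}},
)
p, q = ("p", "p"), ("p", "q")

if __name__ == "__main__":
    for name, f in [("E(p U q)", ("EU", p, q)), ("EX(EX q and EX p)", ("EX", AND(("EX", q), ("EX", p)))),
                    ("AF p and EF q", AND(AF(p), EF(q))), ("EG p", EG(p)), ("A(p U q)", ("AU", p, q))]:
        print(name, MODEL.check(f))
```

On this model the four formulas listed for Figure 2.3 hold at w0, whereas A(p U q) does not: the path w0 w1 w2 w2 . . . never reaches a q-state, and the AU fixpoint correspondingly never adds w1, one of whose successors stays unlabelled.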
Theorem 11 (Model checking complexity). We have the following complexity results for the temporal logics introduced in the previous sections.
• Model checking for LTL(X, U, X⁻¹, S) and LTL(X, U) is PSPACE-complete [118].
• Model checking for CTL is PTIME-complete [40].
• Model checking for CTL* is PSPACE-complete [40].
• Model checking for TCTL is PSPACE-complete [5, 4].
Figure 2.4 sums up the complexity results for the different temporal logics we have considered.
3 Combining temporal and deontic logics: introduction
In natural language as well as in computer security, norms do not concern a single moment. It seems more natural to speak of obligations which arise and last for a certain period of time. For instance, consider an obligation to submit a paper before a deadline, or a prohibition for some user to use some resource between 1 pm and 3 pm.
In order to set up a formal framework to deal with these concepts, logicians have investigated relations between deontic and temporal modalities from a philosophical point of view since the 1980s [48, 49, 16, 71, 13]. However, the proposed formalisms have a rich but complex semantics, and their temporal language is very different from current standard temporal logics. They also have the following drawback: every propositional formula which is true in a given state is also obligatory in the same state. Moreover, decidability issues are not tackled, which makes it difficult to take these logics as a basis for a formal method.
More recently, some works have investigated relations between time and obligation from the point of view of computer science [46, 88, 41, 27]. In [88], the framework of Deontic Interpreted Systems is presented, in which no temporal-deontic interaction is considered. Notice that an interesting security-oriented case study is investigated with this logic [89]. In [46, 30, 27], the authors study the representation of deadline obligations. They use a reductionist approach: they encode obligation inside a temporal framework. This is less expressive than a combination, in which we can talk about both dimensions independently. In [41], the logic NOMAD is presented, which actually corresponds to a generic combination called product between LTL(X, X⁻¹) (enriched with an action language) and a deontic logic. Deadline obligations are expressed with a dedicated operator. It can be viewed as a starting point of the investigations of the next chapter (chapter 4).
In a temporal and deontic framework, it can also be interesting to reason about norm updates, in particular using non-monotonic/defeasible logics [105, 72, 56]. For instance, there may be an unexpected extension of the deadline for the paper, or it may become permitted to use the resource at 2 pm in case the security policy has changed. In the remainder of the Ph.D. thesis, we do not consider defeasible reasoning and stay in a framework where norms do not change over time.
In this chapter, we review classical ways of combining modal logics in
the temporal-deontic case. Section 3.1 presents the simplest way to combine modal logics, called fusion, in which there is no interaction between
both dimensions. Section 3.2 introduces the deontic variant of some classical
temporal-epistemic interactions [53, 47, 131], considering both axiomatic and
semantic points of view. Section 3.3 presents the product of temporal and
deontic logics, which is a natural way to combine logics in order to ensure
these interactions, and will be taken as a starting point for the sequel of the
logical study.
3.1 Fusion of modal logics
The first (and simplest) way of combining two modal logics is called fusion [80]. Given two modal logics L1 and L2, the language of their fusion is the multi-modal language which contains every modal operator of both logics (1). The fusion logic L1 ⊗ L2 is defined as the smallest modal logic which contains all the theorems of L1 and L2. In particular, if L1 is axiomatized by a set Ax1 of axioms, and L2 by Ax2, then the fusion L1 ⊗ L2 is axiomatized by the union Ax1 ∪ Ax2.
(1) Notice that we consider for each logic a multi-modal language with unary operators □k and/or operators U (until) and S (since).
An attractive feature of fusions is that several properties of the component logics L1 and L2 are transferred to their fusion L1 ⊗ L2. First, there exists an interesting semantic characterization of fusions.
Theorem 12. If L1 is characterized by a class C1 of frames, and L2 by a class C2, with C1 and C2 closed under the formation of isomorphic copies and disjoint unions, then L1 ⊗ L2 is characterized by the class of the frames (W, R1, R2) such that (W, R1) ∈ C1 and (W, R2) ∈ C2 [76, 57, 80].
Another important transfer result concerns decidability.
Theorem 13. If L1 and L2 are decidable modal logics, then L1 ⊗ L2 is also decidable [134, 57].
Remark 3. There is no general transfer result concerning complexity.
In the remainder, we study the fusion of some temporal and deontic logics. We consider a slightly different definition of the temporal logics LTL and CTL. Indeed, in chapter 2, we defined temporal frames as Kripke frames with initial states. In this context, a valid formula is defined as a formula which is true in every initial state of every frame, and a satisfiable formula is true in some initial state of some frame. This point of view is commonly adopted in the model checking community [85, 39], and defines the anchored version [91] of temporal logics. On the other hand, modal logicians consider Kripke frames without initial states for other kinds of modal logics (alethic, epistemic, deontic, etc.). Then, a formula is said to be valid if it is true in every state (or world) of every frame. This second point of view is also adopted in some works on temporal logics [59, 110], and defines the floating version of temporal logics. In order to have a homogeneous framework, we will adopt the floating definition of temporal logics in the proposed combinations.
3.1.1 Fusion of LTL and SDL
For instance, let us consider the fusion of the future fragment of LTL and SDL, defined on the modal language with temporal operators X and U, and deontic operator O.
Definition 32 (L(X, U, O) language). Given a set P of atomic propositions, the language L(X, U, O) of LTL(X, U) ⊗ SDL is defined by the following syntax:
ϕ ::= ⊥ | p | ϕ ⇒ ϕ | Xϕ | ϕ U ϕ | Oϕ
where p ∈ P is an atomic proposition.
The axiomatization of LTL ⊗ SDL consists of the axiom schemes F1-F8 for the temporal operators X and U (cf. section 2.3.4), the axiom schemes K and D for the deontic operator O (cf. section 2.1.1), and the inference rules Uniform Substitution, Modus Ponens, G-Necessitation (where G is defined in terms of U), and O-Necessitation.
As we saw in section 2.3.2, LTL(X, U) is characterized by the class of the unique frame (N, <). Clearly, this singleton class is not closed under the formation of isomorphic copies and disjoint unions. Therefore, we cannot use the above-mentioned semantic characterization (theorem 12) for the fusion LTL ⊗ SDL. Indeed, let us consider a frame (N, <, R) where R is a serial relation on N. Figure 3.1 illustrates such a frame, where the temporal accessibility relation (of which < is the transitive closure) is represented by solid arrows, and the deontic relation by dotted arrows. It is clear that such frames validate for instance G(¬p) ⇒ O(F¬p), which cannot be inferred from the axiomatization of LTL ⊗ SDL, which does not contain any interaction axiom schemes, i.e., axiom schemes in which both temporal and deontic modalities are involved.
In order to avoid interactions between temporal and deontic relations (due to the fact that < is a complete order on N), we have to relax the constraints on <.
Figure 3.1: Incorrect fusion frame (solid arrows: temporal relation; dotted arrows: deontic relation)
A less natural class of frames which also characterizes LTL(X, U) is the class of the frames (N × W, ≺) such that:
1. W is a set
2. ≺ ⊆ (N × W) × (N × W) is defined by (i, w) ≺ (i′, w′) iff w = w′ and i < i′.
Property 1. LTL(X, U) is characterized by the class of the frames (N × W, ≺) such that (1) and (2) are satisfied.
Proof. We show that this class of frames defines the same logic as (N, <). Suppose that ϕ is satisfiable by a model based on (N, <). Then, ϕ is clearly satisfiable by a model based on (N × {w0}, ≺), where {w0} is a singleton. Conversely, suppose that ϕ is satisfiable by a model based on (N × W, ≺) for some set W. Then, there is a valuation V and a state (i, w) ∈ N × W such that i, w |= ϕ. According to the definition of ≺, we also have i |= ϕ in (N, <, V′), where V′ is defined by ∀j ∈ N, V′(j) = V(j, w).
The latter class is closed under the formation of isomorphic copies and disjoint unions. The semantic characterization (theorem 12) then applies, and provides the following property.
Property 2. LTL ⊗ SDL is characterized by the class of the frames (N × W, ≺, R) such that (N × W, ≺) satisfies (1) and (2), and R is a serial (2) relation on N × W.
(2) ∀w ∈ N × W, ∃w′ ∈ N × W such that w R w′.
Figure 3.2 illustrates such a frame. For the sake of readability, the deontic relation is only partially pictured.
Theorem 14. LTL ⊗ SDL is decidable (consequence of theorem 13).
Figure 3.2: LTL ⊗ SDL-frame (legend: temporal relation, deontic relation)
3.1.2 Fusion of CTL and SDL
Let us now consider the fusion CTL ⊗ SDL of the branching time temporal logic CTL and SDL. Unlike LTL ⊗ SDL, the semantic characterization of fusions applies to CTL ⊗ SDL because both logics are characterized by classes of frames which are closed under the formation of disjoint unions.
Definition 33 (CTL ⊗ SDL language). Given a set P of atomic propositions, the language L(EX, AU, EU, O) of CTL ⊗ SDL is defined by the following syntax:
ϕ ::= ⊥ | p | ϕ ⇒ ϕ | EXϕ | E(ϕ U ϕ) | A(ϕ U ϕ) | Oϕ
where p ∈ P is an atomic proposition.
The following property states that the semantic characterization of fusions applies.
Property 3 (CTL ⊗ SDL-frame). CTL ⊗ SDL is characterized by the frames (W, RX, RO) such that
• W is a set of worlds
• RX ⊆ W × W is a serial (temporal) accessibility relation
• RO ⊆ W × W is a serial (deontic) accessibility relation
A CTL ⊗ SDL-model is a tuple (W, RX, RO, V) where (W, RX, RO) is a frame and V ∈ W → 2^P is a valuation function which associates each world with a set of atomic propositions.
A path σ in M is an infinite sequence σ = w0 w1 ... such that
• every wi is a state of W
• ∀i, (wi, wi+1) ∈ RX
The i-th state of σ is denoted σi. The set of paths σ starting from a given state w, i.e., such that σ0 = w, is denoted by Paths(w).
The semantics of the temporal operators is defined as in CTL, and the semantics of O is defined as in SDL by the relation RO.
Theorem 15. CTL ⊗ SDL is decidable (consequence of theorem 13).
3.2 Interaction properties
Fusion of temporal and deontic logics is an easy way to combine time and obligation in a unique formalism. It allows one to reason about obligations and permissions in a temporal context under the assumption that no interaction between both dimensions is needed. For instance, we can express that p is obligatory today, and ¬p will be obligatory tomorrow. Actually, if we only need to reason about the evolution of immediate obligations, i.e., if temporal operators are not in the scope of some deontic operator, then the fusion of temporal and deontic logics is a very interesting framework. On the other hand, if we need to reason about temporal obligations (it is obligatory to satisfy p before 3 time units, it is obligatory to satisfy p today or q tomorrow), then the absence of interaction between temporal and deontic dimensions becomes questionable, in particular in our framework where norms are not explicitly updated. It is indeed natural to consider that a temporal obligation which holds today implies another obligation tomorrow. For instance, if “always p” is obligatory in a world w, we cannot in a fusion deduce that “p”, or “always p”, will be obligatory in the future states. In other words, in a branching time framework,
w ⊭ O(AGp) ⇒ AGO(p)
In this section, we consider several interesting interaction axioms and
study the corresponding conditions on frames.
3.2.1 ’Perfect recall’ property
A first interesting property says that if today there is the obligation to satisfy ϕ tomorrow, then tomorrow there will be the obligation to satisfy ϕ immediately. In a branching time setting, we will consider more precisely the following property: if today it is obligatory that every possible successor satisfies ϕ, then in every possible successor, ϕ will be obligatory:
O(AXϕ) ⇒ AXO(ϕ)   (recall_branching)
We borrow the terminology ’perfect recall’ from epistemic logic [53] to name this property. Indeed, this property ensures that obligations cannot be withdrawn (we would say ’forgotten’ for knowledge) when time passes. This property corresponds to the following condition on frames:
∀w1, w2, w4 ∈ W, if (w1, w2) ∈ RX and (w2, w4) ∈ RO then ∃w3 ∈ W such that (w1, w3) ∈ RO and (w3, w4) ∈ RX   (1)
Property 4. The ’perfect recall’ property (recall_branching) is valid in a CTL ⊗ SDL-frame F = (W, I, RX, RO) iff F satisfies condition (1).
Figure 3.3: ’perfect recall’ condition on a CTL ⊗ SDL-frame (worlds w1, w2, w3, w4 with w1 RX w2, w2 RO w4, w1 RO w3 and w3 RX w4)
Proof. Let F = (W, I, RX, RO) be a CTL ⊗ SDL-frame.
’⇒’: We assume that F satisfies the ’perfect recall’ condition and prove that for every formula ϕ, F validates O(AXϕ) ⇒ AXO(ϕ). Let V be a valuation and w1 ∈ W a world such that w1 |= O(AXϕ). Let w2, w4 ∈ W be such that (w1, w2) ∈ RX and (w2, w4) ∈ RO. Then, according to the ’perfect recall’ condition on F, there is a world w3 such that (w1, w3) ∈ RO and (w3, w4) ∈ RX. Since w1 |= O(AXϕ), we have w3 |= AXϕ, and thus w4 |= ϕ. So, w1 |= AXO(ϕ).
’⇐’: We prove that if F does not satisfy the ’perfect recall’ condition, then F does not validate O(AXϕ) ⇒ AXO(ϕ). If F does not satisfy the ’perfect recall’ condition, then there are w1, w2, w4 ∈ W such that (w1, w2) ∈ RX and (w2, w4) ∈ RO and ∀w3 ∈ W, (w1, w3) ∉ RO or (w3, w4) ∉ RX. Let p ∈ P be an atomic proposition. Consider the valuation function V : W → 2^P defined by V(w4) = {p} and ∀w ≠ w4, V(w) = ∅. Then, w1 |= O(AX¬p). Indeed, for any worlds w′, w such that (w1, w′) ∈ RO and (w′, w) ∈ RX, w is distinct from w4 (otherwise w′ would satisfy (w1, w′) ∈ RO and (w′, w4) ∈ RX) and thus w |= ¬p. Besides, w1 ⊭ AXO(¬p) since (w1, w2) ∈ RX, (w2, w4) ∈ RO and w4 |= p.
In a linear time context, the ’perfect recall’ property is expressed as follows:
O(Xϕ) ⇒ XO(ϕ)   (recall_linear)
The corresponding condition on frames is
∀w1, w2, w4 ∈ W, if w1 < w2 and (w2, w4) ∈ RO then ∃w3 ∈ W such that (w1, w3) ∈ RO and w3 < w4   (2)
3.2.2 ’No learning’ property
We now consider the dual property, which states that no new obligation “appears” when time passes:
AX(Oϕ) ⇒ O(AXϕ)   (nolearn_branching)
In a branching time setting, this property expresses that if in every possible successor state it will be obligatory to satisfy ϕ, then today it is already obligatory to satisfy ϕ in every possible successor. We name this property ’no learning’ by analogy with epistemic logic.
Property 5. The ’no learning’ property (nolearn_branching) is valid in a CTL ⊗ SDL-frame F = (W, I, RX, RO) iff F satisfies condition (3).
∀w1, w3, w4 ∈ W, if (w1, w3) ∈ RO and (w3, w4) ∈ RX then ∃w2 ∈ W such that (w1, w2) ∈ RX and (w2, w4) ∈ RO   (3)
The linear-time version of the ’no learning’ property is expressed as follows:
XO(ϕ) ⇒ O(Xϕ)   (nolearn_linear)
The corresponding condition on frames is
∀w1, w3, w4 ∈ W, if (w1, w3) ∈ RO and w3 < w4 then ∃w2 ∈ W such that w1 < w2 and (w2, w4) ∈ RO   (4)
3.2.3 ’Confluence’ property
A more questionable property, considered as the existential version of the ’no learning’ property in a branching time setting (AX is replaced by EX), states that if there is a successor state in which it is obligatory to satisfy ϕ, then it is obligatory in the current state that there exists a successor satisfying ϕ.
EXO(ϕ) ⇒ O(EXϕ)   (conf)
We name this property the ’confluence’ property because of the corresponding condition on frames.
Property 6. The ’confluence’ property (conf) is valid in a CTL ⊗ SDL-frame F = (W, I, RX, RO) iff F satisfies condition (5).
∀w1, w2, w3 ∈ W, if (w1, w2) ∈ RX and (w1, w3) ∈ RO then ∃w4 ∈ W such that (w3, w4) ∈ RX and (w2, w4) ∈ RO   (5)
Notice that in a linear-time framework, the ’confluence’ property is equivalent to the ’no learning’ property.
Another point of view consists in associating the ’perfect recall’ and ’confluence’ properties with particular refinement relations between the restriction of a CTL ⊗ SDL-frame to its ideal states and the whole Kripke frame. Let us formally define a refinement relation between an abstract system and a concrete one.
Definition 34 (Refinement relation). Given two Kripke frames Sa = (Wa, Ra) (abstract system) and Sc = (Wc, Rc) (concrete system), and a relation R ⊆ Wc × Wa, the abstract system Sa is refined by R into the concrete system Sc if
∀wc, wc′ ∈ Wc, ∀wa ∈ Wa, if (wc, wa) ∈ R ∧ (wc, wc′) ∈ Rc then ∃wa′ ∈ Wa such that (wc′, wa′) ∈ R and (wa, wa′) ∈ Ra
In a CTL ⊗ SDL-frame F = (W, I, RX, RO), let Wc and Wa be respectively the domain and the co-domain of RO. Wa is the set of the ideal worlds, and we will see it as the set of the abstract worlds. Since RO is serial, Wc = W, and it will be considered as the set of the concrete worlds. We denote by Ra the restriction of RX to Wa, and let Rc = RX.
Given such a frame F, the following properties hold:
(i) F satisfies the ’confluence’ property iff (Wa, Ra) is refined into (Wc, Rc) by RO
(ii) F satisfies the ’no learning’ property iff (Wa, Ra⁻¹) is refined into (Wc, Rc⁻¹) by RO
3.2.4 Obligation and branching time
Depending on the model of time we consider (linear or branching, i.e., tree-like), obligatory formulas are of a different kind. A linear-time formula describes a behaviour (or a set of behaviours) whereas a branching-time formula describes a state (or a set of states) in a tree-like model. For instance, O(pUq) can be read as “it is obligatory to have a behaviour which satisfies pUq”, whereas O(E(pUq)) can be read as “it is obligatory to be in a state such that there exists an outgoing path satisfying pUq”. These are clearly distinct kinds of obligations. In the literature, we only find the former kind of temporal obligations. However, the latter can have practical applications. For instance, it can be interesting to specify that it is always obligatory to be in a state from which it is possible to re-initialize the system. This property can be expressed by the formula AG(O(EX reinit)). In the remainder of this Ph.D. thesis, we only deal with the former kind of obligations, where the temporal formulas which are in the scope of a deontic operator are linear-time formulas.
3.3 Product
This section deals with the product of temporal and deontic logics. It provides a strong interaction between the temporal and deontic dimensions. Product seems well suited to our framework without norm updates. For instance, the ’no learning’, ’perfect recall’, and ’confluence’ properties all hold in a product logic. This strong interaction makes product more complex than fusion. For instance, decidability is much more difficult to establish, and the complexity of the satisfiability problem is not elementary for the product LTL × K [57].
Section 3.3.1 introduces the product of general modal logics. Section 3.3.2 studies the product of linear temporal logic and standard deontic logic.
3.3.1 Product of modal logics
We define here the two-dimensional product of unimodal logics [117, 57]. That is, we are dealing with product logics formulated in the bimodal language ML2. (We can easily generalize this definition to the two-dimensional product of multimodal logics.) Product logics are defined in a semantic way. Thus, we have to begin with the definition of the product of two 1-frames, that is, two frames of dimension 1.
Definition 35 (Product frame). Let F1 = (W1, R1) and F2 = (W2, R2) be two 1-frames. We define the product frame F1 × F2 as the 2-frame (W1 × W2, Rh, Rv), where ∀u1, v1 ∈ W1, u2, v2 ∈ W2:
(u1, u2) Rh (v1, v2) iff u1 R1 v1 and u2 = v2
(u1, u2) Rv (v1, v2) iff u2 R2 v2 and u1 = v1
Figure 3.4: Illustration of the product (W1, R1) × (W2, R2) (W1 on the horizontal axis with u1, v1; W2 on the vertical axis with u2, v2; the relations R1, R2 and Rh, Rv are pictured)
The names Rh and Rv, for “horizontal” and “vertical”, are used to give a geometrical point of view. Figure 3.4 shows an illustration of a product frame (W1, R1) × (W2, R2). Given a set P of atomic propositions, a product model based on the product frame (W1, R1) × (W2, R2) is then a pair ((W1, R1) × (W2, R2), V) where V : W1 × W2 → 2^P associates each product state with a set of atomic propositions.
A product logic is then defined as the logic determined by a class of product frames. More precisely, given two Kripke complete modal logics L1 and L2, the product logic L1 × L2 is defined as
L1 × L2 =def Log({F1 × F2 / F1 ∈ Fr(L1) and F2 ∈ Fr(L2)})
Note that if L1 and L2 are unimodal logics, then L1 × L2 is a two-modal logic. If the modal necessity operators of L1 and L2 are both named □, then we call □h and □v the modal operators associated with the horizontal relation and the vertical relation respectively. Similarly, we call ♦h and ♦v the possibility operators.
To define the product of multimodal logics, we have to define the product of n-frames. If L1 and L2 are respectively in MLn and MLm, then L1 × L2 is in MLn+m.
The following properties, which correspond to the ’perfect recall’, ’no learning’, and ’confluence’ properties studied in section 3.2, are valid in every product frame. In this generic framework, the ’perfect recall’ and ’no learning’ properties are considered as commutativity properties, and we name them com1 and com2 respectively.
□v□hϕ ⇒ □h□vϕ   (com1)
□h□vϕ ⇒ □v□hϕ   (com2)
♦h□vϕ ⇒ □v♦hϕ   (conf)
We have seen that these three interaction axioms are valid in every product frame. However, there is no general result concerning a complete axiomatization of products [80]. Indeed, these axioms are not enough to characterize product frames in general, although they are sufficient for the product of several standard modal logics. In [57], such logics are called ’product matching’: L1 and L2 are called ’product matching’ if
L1 × L2 = (L1 ⊗ L2) ⊕ com1 ⊕ com2 ⊕ conf
In particular, if L1 and L2 are logics from the list (K, KD, KT, S4, S5), then L1 × L2 = (L1 ⊗ L2) ⊕ com1 ⊕ com2 ⊕ conf [80]. Notice that we always have the following inclusion:
(L1 ⊗ L2) ⊕ com1 ⊕ com2 ⊕ conf ⊆ L1 × L2
Another important issue is decidability: the product of two decidable logics is not necessarily decidable. For instance LTL(X, U) × LTL(X, U) is not decidable [57].
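As an added illustration of sections 3.2 and 3.3.1 (example code written for this page, not part of the thesis), the following Python script represents a finite CTL ⊗ SDL frame (W, RX, RO) as in Property 3, checks the frame conditions (1), (3) and (5) directly, and checks the validity of (recall_branching), (nolearn_branching) and (conf) by brute force over every valuation of a single atom p; since the ’⇐’ directions of the correspondence proofs only need one atomic proposition, the instance with ϕ = p decides the schema. It also implements the refinement relation of Definition 34 and the product frame construction of Definition 35. Both frames are constructed here: one has the shape of the counter-model in the proof of Property 4, the other is the product of a three-point temporal frame and a two-point serial deontic frame, on which all three interaction axioms hold, as section 3.3.1 states for every product frame.

```python
"""Added example (not part of the thesis): finite CTL ⊗ SDL frames as in
Property 3, the frame conditions (1), (3), (5) of section 3.2, the refinement
relation of Definition 34 and the product frame of Definition 35.
Every frame below is constructed for illustration."""
from itertools import product as cartesian

# A frame is (W, RX, RO): a list of worlds and two sets of pairs.
# Formulas over one atom p are nested tuples:
#   ('p',), ('not', f), ('imp', f, g), ('AX', f), ('EX', f), ('O', f)

def succ(R, w):
    return [v for (u, v) in R if u == w]

def sat(w, f, RX, RO, V):
    """w |= f, where V is the set of worlds at which p holds."""
    op = f[0]
    if op == 'p':
        return w in V
    if op == 'not':
        return not sat(w, f[1], RX, RO, V)
    if op == 'imp':
        return (not sat(w, f[1], RX, RO, V)) or sat(w, f[2], RX, RO, V)
    if op == 'AX':
        return all(sat(v, f[1], RX, RO, V) for v in succ(RX, w))
    if op == 'EX':
        return any(sat(v, f[1], RX, RO, V) for v in succ(RX, w))
    if op == 'O':
        return all(sat(v, f[1], RX, RO, V) for v in succ(RO, w))
    raise ValueError(f'unknown operator {op}')

def valid(W, RX, RO, f):
    """Frame validity: f holds at every world under every valuation of p."""
    for bits in cartesian([False, True], repeat=len(W)):
        V = {w for w, b in zip(W, bits) if b}
        if not all(sat(w, f, RX, RO, V) for w in W):
            return False
    return True

ATOM = ('p',)
RECALL = ('imp', ('O', ('AX', ATOM)), ('AX', ('O', ATOM)))   # (recall_branching)
NOLEARN = ('imp', ('AX', ('O', ATOM)), ('O', ('AX', ATOM)))  # (nolearn_branching)
CONF = ('imp', ('EX', ('O', ATOM)), ('O', ('EX', ATOM)))     # (conf)

def cond1(W, RX, RO):
    """Condition (1): w1 RX w2 RO w4 implies some w3 with w1 RO w3 RX w4."""
    return all(any((w1, w3) in RO and (w3, w4) in RX for w3 in W)
               for (w1, w2) in RX for w4 in succ(RO, w2))

def cond3(W, RX, RO):
    """Condition (3): w1 RO w3 RX w4 implies some w2 with w1 RX w2 RO w4."""
    return all(any((w1, w2) in RX and (w2, w4) in RO for w2 in W)
               for (w1, w3) in RO for w4 in succ(RX, w3))

def cond5(W, RX, RO):
    """Condition (5): w1 RX w2, w1 RO w3 imply some w4 with w3 RX w4, w2 RO w4."""
    return all(any((w3, w4) in R_X_pair(RX, w3) and (w2, w4) in RO for w4 in W)
               for (w1, w2) in RX for w3 in succ(RO, w1))

def R_X_pair(RX, _w):
    """Helper returning RX itself; kept separate only to keep cond5 readable."""
    return RX

def refines(Wa, Ra, Wc, Rc, R):
    """Definition 34: (Wa, Ra) is refined by R (subset of Wc x Wa) into (Wc, Rc)."""
    return all(any((wc2, wa2) in R and (wa, wa2) in Ra for wa2 in Wa)
               for (wc, wa) in R for wc2 in succ(Rc, wc))

def ideal_refinement(W, RX, RO, inverted=False):
    """Abstract system: ideal worlds (co-domain of RO) with RX restricted to them;
    concrete system: (W, RX). With inverted=True both relations are reversed."""
    Wa = {v for (_, v) in RO}
    Ra = {(u, v) for (u, v) in RX if u in Wa and v in Wa}
    Rc = set(RX)
    if inverted:
        Ra, Rc = {(v, u) for (u, v) in Ra}, {(v, u) for (u, v) in Rc}
    return refines(Wa, Ra, W, Rc, RO)

def product_frame(W1, R1, W2, R2):
    """Definition 35: Rh moves along W1 keeping the W2 component, Rv the converse."""
    W = [(u1, u2) for u1 in W1 for u2 in W2]
    Rh = {((u1, u2), (v1, u2)) for (u1, v1) in R1 for u2 in W2}
    Rv = {((u1, u2), (u1, v2)) for (u2, v2) in R2 for u1 in W1}
    return W, Rh, Rv

def report(W, RX, RO):
    """Per property: (frame condition holds, axiom instance with phi = p is valid)."""
    return {'recall': (cond1(W, RX, RO), valid(W, RX, RO, RECALL)),
            'nolearn': (cond3(W, RX, RO), valid(W, RX, RO, NOLEARN)),
            'conf': (cond5(W, RX, RO), valid(W, RX, RO, CONF))}

# Constructed frame shaped like the counter-model in the proof of Property 4:
# w2, the temporal successor of w1, has the ideal world w4, which is not a
# temporal successor of w3, the only ideal world of w1 (both relations serial).
BAD_W = ['w1', 'w2', 'w3', 'w4']
BAD_RX = {('w1', 'w2'), ('w2', 'w2'), ('w3', 'w3'), ('w4', 'w4')}
BAD_RO = {('w1', 'w3'), ('w2', 'w4'), ('w3', 'w3'), ('w4', 'w4')}

# Constructed product of a three-point serial temporal frame and a two-point
# serial deontic frame; every product frame satisfies (1), (3) and (5).
PROD_W, PROD_RX, PROD_RO = product_frame(
    [0, 1, 2], {(0, 1), (1, 2), (2, 2)}, ['a', 'b'], {('a', 'b'), ('b', 'b')})

if __name__ == '__main__':
    print('counter-model:', report(BAD_W, BAD_RX, BAD_RO))
    print('product frame:', report(PROD_W, PROD_RX, PROD_RO))
```

On the counter-model the three conditions fail and the three axiom instances are invalid; on the product frame all six checks succeed. Unfolding Definition 34 with the reversed relations gives exactly condition (1), so `ideal_refinement(..., inverted=True)` agrees with `cond1`, while the plain refinement agrees with `cond5`, as property (i) states.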
3.3.2 Product LTL × SDL
Here, we focus on the product of Linear Temporal Logic (LTL) and Standard Deontic Logic (SDL). If T = (N, <) is a linear temporal frame, and D = (W, R), where R is serial, is a deontic frame, then we denote by (S, <t, Rd) the product frame T × D (see section 3.3.1, definition 35). Figure 3.5 provides an illustration. Each element of W represents a whole flow of time, and is then called a history. Elements of S = N × W, i.e., moment/history pairs, are called states.
Figure 3.5: Illustration of the product (N, <) × (W, R) (histories w0, w1, w2 on the (W, R) axis, instants 0, 1, 2 on the (N, <) axis; the relations R and Rd are pictured)
Given a set P of atomic propositions, a valuation V for T × D is a function V : S → 2^P that associates each state with a set of atomic propositions. The pair (T × D, V) is then called a product model based on T × D.
The language of the product logic LTL × SDL is L(X, U, O). Notice that in the general definition of a product L1 × L2, we need subscripts to distinguish the operators which come from L1 from those which come from L2 (see section 3.3.1). Since temporal and deontic operators have different names in the original languages, we do not need subscripts here and keep the original names for the product operators.
The semantics of obligation is defined as that of the vertical necessity operator □v, whereas the semantics of the temporal operators needs special care because they differ from usual necessity operators.
We can now define the satisfaction relation for the deontic and temporal product logic.
A formula ϕ of LTL × SDL is interpreted on a state of a product model. Because of the temporal operators, the generic possible worlds semantics given in chapter 2 does not match exactly.
Definition 36 (Satisfaction). Given a product model ((S, <t, Rd), V), a state s = (i, w) ∈ S, and a formula ϕ, we define the satisfaction relation |= by induction on the structure of ϕ:
s |= Xϕ iff (i + 1, w) |= ϕ, where s = (i, w)
s |= ϕ1 U ϕ2 iff ∃s′ ∈ S such that s ≤t s′, s′ |= ϕ2, and ∀s″ ∈ S, if s ≤t s″ <t s′ then s″ |= ϕ1
s |= Oϕ iff ∀s′ ∈ S, if s Rd s′ then s′ |= ϕ
where “≤t” is defined by s ≤t s′ iff s <t s′ or s = s′.
Let us discuss the interaction between the two dimensions (deontic and temporal). For instance, there is no difference between “it is permitted that ϕ holds tomorrow” and “tomorrow, it will be permitted that ϕ holds”. This corresponds to the validity of P(Xϕ) ⇔ XPϕ. Indeed, let s = (i, w) ∈ S be a state. Suppose that s |= P(Xϕ). Then there is a state s′ = (i, w′) such that s Rd s′ and s′ |= Xϕ. So (i + 1, w′) |= ϕ, and since (i + 1, w) Rd (i + 1, w′) in the product frame, (i + 1, w) |= Pϕ. So we can deduce s |= XPϕ. In the same way, we can show that |= XPϕ ⇒ PXϕ. Then,
|= PXϕ ⇔ XPϕ
In fact, this formula is equivalent to the conjunction of the ’perfect recall’ and ’no learning’ properties:
|= OXϕ ⇔ XOϕ
Notice that the confluence property is equivalent to the ’no learning’ property in the linear-time framework.
The above commutativity properties are typical for product logics. In our context of a temporal and deontic product, they reflect the fact that the deontic realm is not updated, as we said in the introduction. So, if it is obligatory to go to Paris tomorrow, then tomorrow it will be obligatory to go to Paris immediately, and vice versa. An important question is the following: “are these two properties (’perfect recall’ and ’no learning’) enough to characterize LTL × SDL?”. To the best of our knowledge, there is no result for LTL(X, U). However, we have that LTL(X, X⁻¹) and KD are product-matching.
Property 7. LTL(X, X⁻¹) × SDL = (LTL(X, X⁻¹) ⊗ SDL) ⊕ com1 ⊕ com2 ⊕ conf
Proof. The result can be deduced from the axiomatization of NOMAD [41], which has a richer language, but a similar axiomatization and semantics.
Let us consider decidability results for LTL × SDL. A standard way to demonstrate decidability is to show that the considered logic has the finite model property. In our case, the logic LTL(X, U) × SDL lacks the finite model property but remains decidable.
Property 8. LTL(X, U) × SDL does not have the finite model property.
Proof. Let us exhibit a formula in L(X, U, O) which is satisfiable only on infinite product frames. Consider the following statement: “p is always permitted, and p ought to happen at most once”. It corresponds to the formula ϕ =def GPp ∧ O(AtMostOne(p)), where p ∈ P is an atomic proposition and AtMostOne(p) is the abbreviation of G(p ⇒ XG¬p), which means that p happens at most once. Then there is no finite frame (N × W, <t, Rd) on which ϕ is satisfiable. Indeed, a model of ϕ necessarily contains an infinite number of ’alternatives’, i.e., W is necessarily infinite. Let (i, w) be a state which satisfies ϕ. Then every (i + k, w) satisfies Pp. So, for each of these future states, there is an ideal alternative state (i + k, w′) satisfying p. The subformula AtMostOne(p) ensures that each such ideal state is different from the others. It follows that there are as many alternatives w′ as points in the future.
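The following Python script is an added example (not from the thesis) of the satisfaction relation of Definition 36 and of the commutativity discussed above. Histories are taken from a finite set W, and the valuation of each history is assumed ultimately periodic (a prefix followed by a repeated loop); this assumption is made here so that the infinite temporal dimension N can be explored in finitely many steps: beyond the longest prefix, truth values repeat with period L, the least common multiple of the loop lengths, so an until-witness further away can always be shifted back by L. The script checks P(Xϕ) ⇔ XPϕ and OXϕ ⇔ XOϕ at every state of a constructed model, and evaluates the formula ϕ of Property 8, GPp ∧ O(AtMostOne(p)), which is satisfied nowhere in this finite-W model, in line with the property (the script checks one model; the general statement is proved in the text).

```python
"""Added example (not part of the thesis): the satisfaction relation of
Definition 36 on a product model (N x W, <t, Rd) whose histories have
ultimately periodic valuations (an assumption made for this example)."""
from functools import lru_cache
from math import lcm

# Formulas are nested tuples: ('true',), ('atom', 'p'), ('not', f),
# ('and', f, g), ('imp', f, g), ('X', f), ('U', f, g), ('O', f).
def atom(p): return ('atom', p)
def Not(f): return ('not', f)
def And(f, g): return ('and', f, g)
def Imp(f, g): return ('imp', f, g)
def Iff(f, g): return And(Imp(f, g), Imp(g, f))
def X(f): return ('X', f)
def U(f, g): return ('U', f, g)
def O(f): return ('O', f)
def F(f): return U(('true',), f)          # F phi = true U phi
def G(f): return Not(F(Not(f)))          # G phi = not F not phi
def P(f): return Not(O(Not(f)))          # P phi = not O not phi


class ProductModel:
    """histories: name -> (prefix, loop), two lists of frozensets of atoms;
    V(i, w) is prefix[i] for i < len(prefix) and cycles through loop afterwards.
    Rd: serial deontic relation on histories, the same at every instant, so
    (i, w) Rd (i, w') iff (w, w') in Rd, exactly as in the product frame."""

    def __init__(self, histories, Rd):
        self.hist = histories
        self.Rd = set(Rd)
        self.maxp = max(len(pre) for pre, _ in histories.values())
        self.L = lcm(*(len(loop) for _, loop in histories.values()))

    def val(self, i, w):
        pre, loop = self.hist[w]
        return pre[i] if i < len(pre) else loop[(i - len(pre)) % len(loop)]

    @lru_cache(maxsize=None)
    def sat(self, i, w, f):
        """(i, w) |= f, by induction on f as in Definition 36."""
        op = f[0]
        if op == 'true':
            return True
        if op == 'atom':
            return f[1] in self.val(i, w)
        if op == 'not':
            return not self.sat(i, w, f[1])
        if op == 'and':
            return self.sat(i, w, f[1]) and self.sat(i, w, f[2])
        if op == 'imp':
            return (not self.sat(i, w, f[1])) or self.sat(i, w, f[2])
        if op == 'X':                      # next instant, same history
            return self.sat(i + 1, w, f[1])
        if op == 'U':                      # look for a witness s' >=t s on the same history
            bound = max(i, self.maxp) + self.L   # a witness at or beyond bound repeats L earlier
            for j in range(i, bound):
                if self.sat(j, w, f[2]):
                    return True
                if not self.sat(j, w, f[1]):
                    return False
            return False
        if op == 'O':                      # every deontic alternative at the same instant
            return all(self.sat(i, v, f[1]) for (u, v) in self.Rd if u == w)
        raise ValueError(f'unknown operator {op}')

    def representative_states(self):
        """(i, w) agrees with (i - L, w) once i >= maxp + L, so these states cover the model."""
        return [(i, w) for w in self.hist for i in range(self.maxp + self.L)]


def valid_in(model, f):
    return all(model.sat(i, w, f) for i, w in model.representative_states())

def satisfiable_in(model, f):
    return any(model.sat(i, w, f) for i, w in model.representative_states())


p = atom('p')
# Constructed model: three histories, ideal alternatives given by RD.
HISTORIES = {
    'w0': ([frozenset(), frozenset({'p'})], [frozenset()]),   # p only at instant 1
    'w1': ([], [frozenset({'p'}), frozenset()]),              # p at every even instant
    'w2': ([frozenset({'p'})], [frozenset()]),                # p only at instant 0
}
RD = {('w0', 'w1'), ('w1', 'w2'), ('w2', 'w2'), ('w2', 'w1')}
MODEL = ProductModel(HISTORIES, RD)

COMMUTE_P = Iff(P(X(p)), X(P(p)))                 # P X phi <=> X P phi
COMMUTE_O = Iff(O(X(p)), X(O(p)))                 # O X phi <=> X O phi
AT_MOST_ONE = G(Imp(p, X(G(Not(p)))))             # p happens at most once
PHI = And(G(P(p)), O(AT_MOST_ONE))                # the formula of Property 8

if __name__ == '__main__':
    print('P X p <=> X P p valid:', valid_in(MODEL, COMMUTE_P))
    print('O X p <=> X O p valid:', valid_in(MODEL, COMMUTE_O))
    print('Property 8 formula satisfiable here:', satisfiable_in(MODEL, PHI))
```

Both commutativity formulas come out valid, as they must in any product model, while GPp ∧ O(AtMostOne(p)) is false at every state: with only three histories there are not enough distinct ideal alternatives for p to be permitted at every instant yet happen at most once along each of them.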
Property 9. LTL(X, U) × SDL is decidable.
Proof. The proof directly follows from the decidability of LTL(X, U) × K [57] and the existence of a translation T such that ϕ is valid for LTL(X, U) × SDL if and only if T(ϕ) is valid for LTL(X, U) × K (with T(ψ) =def (T(ψ)) ∧ ♦).
Chapter 4. Propagation property
This chapter deals with a family of interaction properties which corresponds to a strong intuition: if a future-directed obligation is not fulfilled, then it is propagated to the next moment.
Section 4.1 studies obligations with deadline, which are especially concerned with propagation. We propose different semantic definitions for an operator dedicated to deadline obligations, in the framework of the product LTL × SDL.
In section 4.2, we study a more general form of propagation property and propose a framework for validating it. Starting from LTL × SDL, we change the semantics of obligation in order to validate the propagation property. We come to a problem in section 4.2.2, which has to do with the violation of propositional formulas. We then consider the problem from a different point of view in section 4.2.3, and look for a necessary and sufficient condition for an arbitrary temporal deontic model to validate the propagation property. It turns out that when an ’immediate obligation’ is violated at some moment, undesirable properties necessarily occur from that instant on. We then refine our semantics in section 4.2.4 with a preference-based deontic relation, so that the propagation property is only satisfied in the states that do not violate any immediate obligation.
4.1 Deadline obligation
Obligations with deadline constitute one of the most natural ways to reason about temporal and deontic notions. They involve a strong interaction between both dimensions: if I have to go to Paris before Sunday, and I do not go to Paris today, then it seems natural to deduce that tomorrow I will have to go to Paris. These interactions have been studied in different frameworks. In [30, 27], Broersen et al. use a reductionist approach: the goal is to model obligations with deadline in CTL, or ATL, using a violation constant and an ideality constant. [43] studies deadline obligations where the deadline is a formula instead of a concrete duration. This can be considered as a more abstract point of view. Cuppens et al. also study deadline obligations in NOMAD [41]. Their logic is close to a product and can be considered as a starting point of our work. Nevertheless, the deontic dimension is not tackled similarly. There is a distinction between two kinds of obligations: contextual obligations, which are defined in terms of a necessity modality and do not interact with ’what happens’, and effective obligations, which can interact with the temporal dimension.
In this section, we propose different definitions for obligation with deadline, and for each of them, we study the properties presented in the following subsection. We work in the framework of the product LTL × SDL, i.e., we consider the satisfaction relation, the validity, and the satisfiability of LTL × SDL.
4.1.1 Studied properties
In this section, the obligation to satisfy ϕ before k time units, where k ∈ N,
is denoted by Ok (ϕ). We propose different definitions for Ok , and study the
following properties for each definition:
• monotonicity properties
– with respect to the deadline
if it is obligatory to satisfy ϕ before a deadline k, is it obligatory
to satisfy ϕ before a greater deadline k ?
?
with k k
|= Ok (ϕ) ⇒ Ok (ϕ)
– with respect to the obligatory formula
If ϕ1 implies ϕ2 , is it the case that Ok (ϕ1 ) implies Ok (ϕ2 )?
if
|= ϕ1 ⇒ ϕ2
then
?
|= Ok (ϕ1 ) ⇒ Ok (ϕ2 )
Notice that the two following properties, sometimes also named
monotonicity properties, are equivalent to the latter property:
?
|= Ok (ϕ1 ∧ ϕ2 ) ⇒ Ok (ϕ1 ) and
?
|= Ok (ϕ1 ) ⇒ Ok (ϕ1 ∨ ϕ2 )
• ’perfect recall’ for Ok
If it is obligatory to satisfy Xϕ before k then in the next state, will it
be obligatory to satisfy ϕ before k?
?
|= Ok (Xϕ) ⇒ XOk (ϕ)
4.1. DEADLINE OBLIGATION
55
Notice that the original ’perfect recall’ property (O (Xϕ) ⇒ XO(ϕ))
only concerns the operator O. In this section which deals with deadline
obligation, we use the denomination ’perfect recall’ property for this Ok
property. A similar clarification stands for the ’no learning’ property.
• ’no learning property’ for Ok
If in the next state it will be obligatory to satisfy ϕ before k then in the
current state, is it obligatory to satisfy Xϕ before k?
?
|= XOk (ϕ) ⇒ Ok (Xϕ)
• propagation property
If it is obligatory to satisfy ϕ before k, and ϕ is not satisfied now, or ϕ
is prohibited now, then in the next state, will it be obligatory to satisfy
ϕ before k − 1?
?
|= Ok (ϕ) ∧ (¬ϕ ∨ O(¬ϕ)) ⇒ XOk−1 (ϕ)
This property is essential for an obligation with deadline, and more
generally, it is a key property of the interaction between the deontic
and the temporal dimensions. A more general form of propagation
property will be dealt with in the next section.
In the present form, the property expresses that an obligation with deadline is propagated while it is not fulfilled. Let us justify the formalization of ’not fulfilled’ by ¬ϕ ∨ O(¬ϕ), i.e., the formalization of ’fulfilled’ by ϕ ∧ ¬O(¬ϕ). Consider that it is obligatory to satisfy ϕ before k, and that it is forbidden to satisfy it at some moments between i and i + k, where i is the current moment. For instance, $O_{10}(\varphi) \wedge O(\neg X\varphi) \wedge O(\neg XX\varphi)$ means that it is obligatory to satisfy ϕ before i + 10, but it is forbidden to satisfy it at i + 1 and at i + 2. Then, fulfilling the obligation naturally corresponds to satisfying ϕ at any moment between i and i + 10, except i + 1 and i + 2, i.e., at any moment where ϕ is permitted. In other words, we consider that fulfilling ϕ means satisfying ϕ ∧ P(ϕ) (let us remind that $P(\varphi) \overset{def}{=} \neg O(\neg\varphi)$).
• D-like axiom
Is it unsatisfiable that ϕ and ¬ϕ are both obligatory (in the sense of $O_0$)?
$$\overset{?}{\models} \neg(O_0(\varphi) \wedge O_0(\neg\varphi))$$
• interaction between $O_{k_1}$ and $F_{k_2}$¹
Is there a distinction between the obligation to satisfy $F_{k_2}\varphi$ before $k_1$ and the obligation to satisfy ϕ before $k_1 + k_2$?
$$\overset{?}{\models} O_{k_1}(F_{k_2}(\varphi)) \Leftrightarrow O_{k_1+k_2}(\varphi)$$
¹ $F_k\varphi$ means ’ϕ will be satisfied before k time units’, cf. section 2.3.1.
At first sight, all these properties are desirable. Actually, we will see
that different readings of Ok are possible, and some of these properties may
be desirable according to one reading and undesirable according to another.
Besides, we argue against the ’no learning’ property independently of $O_k$'s reading.
Indeed, let us consider more closely the relation between the ’no learning’
property and the propagation property. The propagation property specifies
that obligations in the current state together with propositions in the current
state, imply some obligations in the next state. On the other hand, the ’no
learning’ property expresses that every obligation in the next state already
holds in the current state. So the obligations in the next state which are
deduced from the propagation property are already true in the current state
according to the ’no learning’ property. This is not intuitive. Indeed, let us
consider the following situation:
• it is obligatory to satisfy p before tomorrow, but it is not obligatory to
satisfy p tomorrow. This is expressed by the formula O1 (p) ∧ ¬O(Xp).
Intuitively, this should be satisfiable (what is obligatory is to satisfy p
today or tomorrow, not to satisfy p tomorrow).
• p is not satisfied now: ¬p. The deadline obligation is not fulfilled today
and it propagates. Thus, tomorrow, it will be obligatory to satisfy p.
Thus, the conjunction O1 (p) ∧ ¬O (Xp) ∧ ¬p seems perfectly satisfiable, and
yet it is not the case with our definition of Ok . Indeed, from the propagation
property we deduce XO0 (p), and from the ’no learning’ property, we deduce
O0 (Xp), which is in contradiction with ¬O(Xp).
4.1.2 A first attempt for defining deadline obligation
The natural way to specify an obligation $O_k(\varphi)$ to satisfy ϕ before k time units is:
$$O_k(\varphi) \overset{def}{=} O(F_k\varphi)$$
Property 10 (Properties of Ok ).
• The properties of monotonicity (with respect to the deadline and with
respect to the obligatory formula) hold.
• ’Perfect recall’ and ’no learning’ properties for Ok hold.
$$\models O_k(X\varphi) \Leftrightarrow X O_k(\varphi)$$
These are consequences of the original ’perfect recall’ and ’no learning’ properties for the operator O.
• The pure-deontic part of the propagation property holds:
$$\models O_k(\varphi) \wedge O(\neg\varphi) \Rightarrow X O_{k-1}(\varphi)$$
But the other part, which involves an interaction between what happens and what is obligatory, does not hold:
$$\not\models O_k(\varphi) \wedge \neg\varphi \Rightarrow X O_{k-1}(\varphi)$$
Indeed, a state (i, w) satisfies Ok ϕ if all the ideal states of (i, w) satisfy
ϕ before k time units. But one of these ideal states may satisfy ϕ now,
and ¬ϕ thereafter. In this case, the obligation does not hold in one
time unit, even if ϕ has not been satisfied.
• Axiom D for $O_0$ is valid since $O_0(\varphi) = O(\varphi)$.
$$\models \neg(O_0(\varphi) \wedge O_0(\neg\varphi))$$
• The interaction between $O_{k_1}$ and $F_{k_2}$ validates the following property
$$\models O_{k_1}(F_{k_2}(\varphi)) \Leftrightarrow O_{k_1+k_2}(\varphi)$$
This property follows from $\models F_{k_1}F_{k_2}(\varphi) \Leftrightarrow F_{k_1+k_2}(\varphi)$.
4.1.3 Validation of the propagation property
Now we consider another definition so that the ’complete’ propagation property holds. Based on the idea developed in [43], we consider that the obligation with deadline Ok (ϕ) is true if O(Fk ϕ) remains true (with k decremented at each time step) while ϕ is not satisfied or ϕ is prohibited, until
the deadline is reached.
Definition 37 (Obligation with deadline).
$$O_k(\varphi) \overset{def}{=} \begin{cases} O(\varphi) & \text{if } k = 0 \\ O(F_k\varphi) \wedge \big((\neg\varphi \vee O(\neg\varphi)) \Rightarrow X\,O_{k-1}(\varphi)\big) & \text{otherwise} \end{cases}$$
Property 11 (Properties of Ok ).
• Monotonicity properties (with respect to the deadline and with respect
to the obligatory formula) are valid.
• ’Perfect recall’ and ’no learning’ properties are valid:
$$\models O_k(X\varphi) \Leftrightarrow X O_k(\varphi)$$
• The propagation property is valid:
$$\models O_k(\varphi) \wedge (\neg\varphi \vee O(\neg\varphi)) \Rightarrow X O_{k-1}(\varphi)$$
• Axiom D for $O_0$ is valid because $O_0(\varphi) = O(\varphi)$.
$$\models \neg(O_0(\varphi) \wedge O_0(\neg\varphi))$$
• There is no interaction between $O_{k_1}$ and $F_{k_2}$:
$$\not\models O_{k_1}(F_{k_2}\varphi) \Rightarrow O_{k_1+k_2}(\varphi)$$
$$\not\models O_{k_1+k_2}(\varphi) \Rightarrow O_{k_1}(F_{k_2}\varphi)$$
Proofs of these properties are given in the appendix.
This definition validates most of the properties that we have specified
as desirable, at a first sight. However, as argued in section 4.1.1, the ’no
learning’ property is not desirable. Moreover, properties which relate Ok and
Fk do not hold. The next proposition for Ok overcomes these problems.
4.1.4 New operator $O_k$
Another point of view consists in considering that O(Fk ϕ) still makes sense,
and corresponds to the starting point of an obligation to satisfy ϕ before k.
Let us remember that the latter definition of Ok imposes that O(Fk ϕ)
remains true while the deadline obligation propagates. On the other hand,
we now consider the following definition. Ok (ϕ) holds from the moment
at which the obligation is posted, i.e., when O(Fk ϕ) is true, and Ok (ϕ)
remains true (with k decremented at each time step) while ϕ is not satisfied
and the deadline is not reached.
So, the moment where an obligation with deadline is posted plays an important role. We then define an operator $O_k(\varphi, k')$ which means that “k' time units ago, an obligation to satisfy ϕ before k + k' was posted, and the obligation has not been fulfilled yet”. The corresponding semantic characterization is then as follows.
$$(i, w) \models O_k(\varphi, k') \text{ iff}$$
$$(i - k', w) \models O F_{k+k'}\varphi$$
$$\text{and } (i - k', w) \not\models O F_{k+k'-1}\varphi$$
$$\text{and } \forall j \in \mathbb{N},\ \text{if } i - k' \le j < i \text{ then } (j, w) \models \neg\varphi \vee O(\neg\varphi)$$
The first line of the semantic characterization expresses that k' time units ago, an obligation $O(F_{k+k'}\varphi)$ was true. The second line means that k' time units ago, there was no obligation to satisfy ϕ before a shorter deadline. Thus k is the shortest deadline before which there is an obligation to satisfy ϕ. We need this ’minimality’ criterion because of the past moment k'. This is clear in the following example.
Consider an instant i > 0, and suppose that
(1) at i − 1, O(ϕ) ∧ ¬ϕ holds.
(2) at i, O(¬ϕ ∧ ¬Xϕ) holds.
Intuitively, there is no conflict between (1) and (2). Yet, from (1) we deduce that $O(F_2\varphi) \wedge \neg\varphi$ holds at i − 1. Thus, without the second line of the definition, we can deduce that $O_2(\varphi, 0)$ and $O_1(\varphi, 1)$ hold at instants i − 1 and i respectively. So, at i, there is an obligation to satisfy ϕ before 1 time unit. This intuitively conflicts with the prohibition (2) to satisfy ϕ at i and at i + 1.
So, in the definition, we only consider at the past moment k' the minimal deadline k + k' for which there is $O(F_{k+k'}\varphi)$.
In fact, the meaning of $O_k(\varphi, k')$ is “k' time units ago, there was an obligation to satisfy ϕ before k + k', but not before k + k' − 1, and the obligation has not been fulfilled yet”.
The third line of the semantic characterization means that the obligation has not been fulfilled yet.
This semantic definition is equivalent to the following definition in the logic LTL ⊗ SDL:
Definition 38.
$$O_k(\varphi, k') \overset{def}{=} X^{-k'}\Big(O(F_{k+k'}\varphi) \wedge \neg O(F_{k+k'-1}\varphi) \wedge G_{<k'}(\neg\varphi \vee O(\neg\varphi))\Big)$$
where
$$G_{<k}\,\varphi \overset{def}{=} \begin{cases} \top & \text{if } k = 0 \\ \varphi \wedge X\,G_{<k-1}\,\varphi & \text{otherwise} \end{cases}$$
Notice that contrary to the previous definitions, we need a past operator to define $O_k$.
The definition of the obligation with deadline is then straightforward.
Definition 39 (Obligation with deadline). Given a product model $((S, <_t, R_d), V)$, a state $(i, w) \in S$, a natural number $k \in \mathbb{N}$, and a formula ϕ of LTL ⊗ SDL, we define the truth relation for $O_k(\varphi)$ as follows:
$$i, w \models O_k(\varphi) \text{ iff } \exists k' \in \mathbb{N} \text{ such that } i, w \models O_k(\varphi, k')$$
Notice that Ok is not defined in our logical language because of the existential quantifier, and we do not have a decidability result concerning our logic
enriched with Ok .
Figure 4.1 illustrates this definition. In the first state, an obligation to satisfy p before 2 time units is posted, since $O(F_2 p)$ is true and $O(F_1 p)$ is false. So $O_2(p)$ holds in the first state. Since p is not satisfied in this first state, the deadline obligation is propagated: $O_1(p)$ is true in the next state. Since it is prohibited to satisfy p in the second state ($O(\neg p)$ holds), the deadline obligation is propagated again: $O_0(p)$ holds in the third state.
Figure 4.1: Deadline obligation (three successive states, annotated with O(F2(p)) and O2(p); O(¬p) and O1(p); O0(p))
Notice that in this example, the obligation with deadline is violated because
p does not hold in the third state, and the prohibition in the second state is
also violated, because p is true in this state. Actually, we can express, from
the behaviour of the ideal histories, the following rules: it is obligatory to
satisfy p either in the first or in the third state, and it is prohibited to satisfy
p in the second state. In this example, the current history does not comply
with any rule.
Now we study the properties which are satisfied by this new operator.
Property 12 (Properties of Ok ).
• Because of the ’minimality’ criterion, the monotonicity property with
respect to the deadline is not valid. Indeed, Ok (ϕ) means that it is
obligatory to satisfy ϕ before k, and not obligatory to satisfy ϕ before
a shorter deadline.
• The monotonicity property with respect to the obligatory formula does
not hold either. This is problematic, and will be discussed at the end
of this section.
• The ’no learning’ property does not hold, which is a positive result.
$$\not\models X O_k(\varphi) \Rightarrow O_k(X\varphi)$$
• The ’perfect recall’ property is valid.
$$\models O_k(X\varphi) \Rightarrow X O_k(\varphi)$$
• The propagation property is valid.
$$\models O_k(\varphi) \wedge (\neg\varphi \vee O(\neg\varphi)) \Rightarrow X O_{k-1}(\varphi)$$
• Axiom D for $O_0$ is valid:
$$\models \neg(O_0(\varphi) \wedge O_0(\neg\varphi))$$
• $O_{k_1}$ and $F_{k_2}$ interact as follows: if it is obligatory to satisfy ϕ before $k_1 + k_2$, then it is obligatory to satisfy $F_{k_2}\varphi$ before $k_1$.
$$\models O_{k_1+k_2}(\varphi) \Rightarrow O_{k_1}(F_{k_2}\varphi)$$
On the other hand, the converse property is not valid.
$$\not\models O_{k_1}(F_{k_2}\varphi) \Rightarrow O_{k_1+k_2}(\varphi)$$
Given a state (i, w), the first two lines of the semantic definition of $O_{k_1}(F_{k_2}\varphi)$ and $O_{k_1+k_2}(\varphi)$ are equal, because $F_{k_1}F_{k_2}\varphi \Leftrightarrow F_{k_1+k_2}\varphi$. Indeed, according to our definition, $O_{k_1}(F_{k_2}\varphi)$ implies that $F_{k_2}\varphi$ has not been fulfilled since the obligation was posted, whereas $O_{k_1+k_2}(\varphi)$ only implies that ϕ has not been fulfilled since the obligation was posted, which is a weaker condition.
Proofs are given in the appendix.
Let us further investigate the properties of $O_k$. The following question arises from the ’minimality’ criterion: although the deadline k is ’minimal’ in $O_k$, i.e., $O_k(\varphi)$ does not necessarily imply $O_{k'}(\varphi)$ for $k < k'$, is it possible anyway to have $O_{k_1}(\varphi)$ and $O_{k_2}(\varphi)$, for $k_1 \neq k_2$, in the same state? The answer is positive. Indeed, it may be the case that
• $k'_1$ time units ago, an obligation to satisfy ϕ before $k_1 + k'_1$ was posted, i.e., $O_{k_1}(\varphi, k'_1)$ is satisfied
• and $k'_2$ time units ago, an obligation to satisfy ϕ before $k_2 + k'_2$ was posted, i.e., $O_{k_2}(\varphi, k'_2)$ is satisfied
Figure 4.2 illustrates such a situation. If we consider the instant 2, we have:
• an obligation to satisfy p before 2 time units was posted two time units
ago
• an obligation to satisfy p before 3 time units was posted one time unit
ago
• p has not been satisfied yet
Figure 4.2: Obligation to satisfy p before two distinct deadlines (instants 0 to 4, annotated with O(F2(p)), O(F3(p)), O0(p) and O2(p))
Thus, instant 2 satisfies O0 (ϕ) and O2 (ϕ).
Another question concerns the monotonicity property with respect to
the obligatory formula. In order to validate it, a solution could be to change
again the semantic definition of our operator as follows:
Definition 40 (Monotonous obligation with deadline).
$$(i, w) \models O^m_k(\varphi) \text{ iff } \exists \psi \in \mathcal{L}_{LTL \otimes SDL} \text{ such that } \models \psi \Rightarrow \varphi \text{ and } (i, w) \models O_k(\psi)$$
So, this operator has the monotonicity property.
$$\models O^m_k(\varphi_1 \wedge \varphi_2) \Rightarrow O^m_k(\varphi_1) \wedge O^m_k(\varphi_2)$$
It also has the following properties we have studied for $O_k$:
• propagation property
$$\models O^m_k(\varphi) \wedge (O(\neg\varphi) \vee \neg\varphi) \Rightarrow X O^m_{k-1}(\varphi)$$
• interaction between $O_{k_1}$ and $F_{k_2}$
$$\models O^m_{k_1+k_2}(\varphi) \Rightarrow O^m_{k_1}(F_{k_2}(\varphi))$$
But this monotonous operator lacks the ’perfect recall’ property and axiom D:
• $\not\models O^m_k(X\varphi) \Rightarrow X O^m_k(\varphi)$
• $\not\models \neg(O^m_0(\varphi) \wedge O^m_0(\neg\varphi))$
Thus, although the two definitions we have proposed for a deadline obligation operator in a product setting are interesting in many points, we have not obtained a fully satisfactory solution. Rather than defining an operator dedicated to deadline obligations, the next section proposes another semantics for the (general) obligation in a temporal framework which takes into account interactions and validates a generalized propagation property.
4.2 General propagation property
We want to consider a propagation property as general as possible. For
instance we want to capture the obligation with deadline, or the obligation
to meet something eventually (without deadline). The obligation to satisfy
ϕ now, or ψ next seems to be the most general kind of obligation for which
we want to study the propagation. Indeed, the obligation with deadline
O(Fk (ϕ)) (with k > 0) can be re-written O(ϕ ∨ XFk−1 (ϕ)), and the
obligation to satisfy ϕ eventually O(F ϕ) can be re-written O(ϕ ∨ XF (ϕ)).
Starting from the product LTL ⊗ SDL of temporal and deontic logics, we propose a logical framework which guarantees this propagation property.
4.2.1 Propagation property and product
As a first attempt for formalizing a propagation property to be added to the product logic, we consider:
$$O(\varphi \vee X\psi) \wedge \neg\varphi \Rightarrow XO(\psi) \qquad (4.1)$$
If it is obligatory to meet ϕ now, or ψ next, and ϕ is not satisfied now, then it will be obligatory next to meet ψ.
Let us first discuss the nature of the formula ϕ. Intuitively, ϕ only
concerns the present. Indeed, the propagation property expresses that what
will be obligatory at the next step may depend on what happens now (ϕ not
being true). So it is natural to consider that ϕ is a propositional formula.
Otherwise, if ϕ contained future operators, what will be obligatory at the
next step would depend on something which has not happened yet.
Let us now refine the formalization of the propagation property. We
do not want that from the propagation property and the properties of the
temporal deontic logic it follows that Oϕ∧¬ϕ ⇒ XO (ψ). Yet this property
does follow from 4.1 in combination with (a temporal variant of) weakening
of obligations: Oϕ ⇒ O(ϕ∨Xψ). To solve this problem, we re-formalize the
propagation property, in order to prevent that in combination with temporal
weakening it can be used to derive this unwanted property. To achieve this,
we restrict the propagation property (4.1) to the case where O(ϕ) is false², and we thus arrive at the following property instead of (4.1):
$$O(\varphi \vee X\psi) \wedge \neg O\varphi \wedge \neg\varphi \Rightarrow XO(\psi) \qquad (4.2)$$
for any propositional formula ϕ, and any temporal formula ψ.
Similarly, we may explicitly exclude that O(Xψ) holds in the premise of the property. So we may formulate the propagation formula as follows:
$$O(\varphi \vee X\psi) \wedge \neg O\varphi \wedge \neg OX\psi \wedge \neg\varphi \Rightarrow XO(\psi) \qquad (4.3)$$
for any propositional formula ϕ, and any temporal formula ψ.
² Another strategy might be to attack the temporal weakening property directly.
However, the conjunction of the ’perfect recall’ property for temporal formulas (O(Xϕ) ⇒ XO (ϕ) for any temporal formula ϕ) and property (4.3) is
equivalent to property (4.2). Indeed, property (4.2) obviously implies property (4.3) and the ’perfect recall’ property (with ⊥ for ϕ in property (4.2)).
On the other hand, suppose that property (4.3) and the ’perfect recall’ property hold. Also suppose that O(ϕ∨Xψ)∧¬O ϕ∧¬ϕ holds, for a propositional
formula ϕ, and a formula ψ. If ¬O(Xψ), then, from property (4.3) we can
deduce XO (ψ). Otherwise, from the ’perfect recall’ property, we also deduce
XO(ψ). So, property (4.2) holds.
So, in the product setting, since the ’perfect recall’ property is valid, properties (4.2) and (4.3) are equivalent. But now we have to conclude that
the propagation property is not compatible with a genuine product: we can
consistently add property (4.2) to the product logic, but we will never have
a case where XO (ψ) is really a consequence of O(ϕ ∨ Xψ) ∧ ¬Oϕ ∧ ¬ϕ
being true. In fact, a product model satisfies property (4.3) only if it does
not satisfy the hypothesis O(ϕ∨ Xψ)∧ ¬O (ϕ)∧ ¬O(Xψ)∧ ¬ϕ. (Indeed, if a
product model satisfied the hypothesis O (ϕ∨ Xψ)∧ ¬O (ϕ)∧ ¬O (Xψ)∧ ¬ϕ,
in some state s, for some ϕ and ψ, then, from the ’no learning’ property, we
could deduce ¬XO(ψ) in s.) This corresponds to a product model where
all the ideal states of a given state have the same valuation, which is clearly
not interesting to work with.
We then propose to drop the ‘no learning’ property XO ϕ ⇒ OXϕ.
So, we will no longer have a genuine product. But this is in accordance
with intuitions. Indeed, looking at the propagation property, it may be the
case that obligation O(ψ) holds in the next state while it does not hold
in the current state (even if O(ϕ ∨ Xψ) holds in the current state). The
above discussion shows that this is incompatible with a product; we have
to allow some dynamics in the deontic dimensions because obligations may
be inherited from earlier states. We do however preserve the ‘perfect recall’
property O Xϕ ⇒ XO ϕ that expresses that no obligations are ‘forgotten’
over time. So, in the remainder, we will study property (4.2), which is
shorter.
4.2.2 Semantics based on the restriction of the ideal states
In this section, our goal is to define a semantics that satisfies the propagation
property and the perfect recall property. To account for propagation, in the
semantics we have to introduce a stronger interaction between what happens
and what is obligatory, i.e., between what is true in the current state and
what is true in the (next) ideal states. If we want to satisfy the perfect recall
property, the set of ideal histories in the next state is a subset of the set of the
ideal histories in the current state. The principle of propagation then should
point us to what subset to take. Our idea is that for ideal histories at a next
moment we should only take into account the histories that share the same
past as the current history until the present moment. The reason for this is
that we assume obligations do not apply to the past, but only to the present
and the future. Then, clearly, we do not want to consider a past which is
different from the ‘current’ past, as ideal. We thus only assess ideality for
the histories that share their past with the current history. The collective
past of the set of histories thus obtained then represents what actually has
happened. And what actually has happened, is going to influence what is
obliged currently, according to the preservation property we aim at.
Let us define the predicate SamePast(s, s') which says that the states s and s' of a temporal deontic product model share the same past:
$$\mathit{SamePast}((i, w), (i', w')) \overset{def}{=} i = i' \wedge \forall j < i\ \ V(j, w) = V(j, w')$$
This can also be formulated as follows:
$$\mathit{SamePast}((i, w), (i', w')) \overset{def}{=} i = i' \wedge V(w)_{<i} = V(w')_{<i}$$
When interpreting an obligation in a state s, we only consider the states s' which satisfy $s R_d s'$ and SamePast(s, s').
Definition 41 (Semantics of the obligation (2)). Given a product model $(S, <_t, R_d)$, a state s, and a formula ϕ, we now consider the following semantics for obligation:
$$s \models O\varphi \text{ iff } \forall s' \in S,\ \text{if } \mathit{SamePast}(s, s') \text{ and } s R_d s' \text{ then } s' \models \varphi$$
Remark 4 (Ideal state, ideal history). For any instant $i \in \mathbb{N}$ and histories w, w', if SamePast((i, w), (i, w')) and $(i, w) R_d (i, w')$, then we say that
• (i, w') is an ideal state for (i, w)
• w' is an ideal history for (i, w)
With this new semantics, the deontic realm is described by fewer and fewer histories (which means that more and more formulas are obligatory) when time passes. This conforms to the fact that we keep O(Xϕ) ⇒ XO(ϕ), and avoid XO(ϕ) ⇒ O(Xϕ); no obligations are forgotten, but some obligations may appear (in particular when they are propagated from a more general obligation in the previous state).
Figure 4.3: Semantics of obligation (histories w0 to w3, each labelled with its valuation over {p, q} at instants 0 to 4)
Propagation of obligations Let us illustrate, by way of an example, how an obligation may propagate. Consider the product model illustrated in Figure 4.3, where, in state $(0, w_0)$, histories $w_1$, $w_2$, and $w_3$ are ideal. Then, we have for instance $0, w_0 \models O(p \vee XXp) \wedge \neg p$. Since $w_0$ does not satisfy p at instant 0, the history $w_1$ which satisfies p at instant 0 is not ideal anymore at the next instant. So, only $w_2$ and $w_3$ (which satisfy XXp at instant 0) remain ideal at instant 1. Thus, the propagation applies, and we have $0, w_0 \models XO(Xp)$. Let us now state the propagation property and propose a proof in the general case where ϕ is a propositional formula and ψ can be any formula.
Property 13 (Propagation property). Let M be a temporal deontic product model. Then it satisfies the propagation property (4.2) for the obligation operator of definition 41:
$$M \models O(\varphi \vee X\psi) \wedge \neg O(\varphi) \wedge \neg\varphi \Rightarrow XO(\psi)$$
for ϕ a propositional formula, and ψ any temporal formula.
Proof. Let $M = ((S, <_t, R_d), V)$ be a temporal deontic model, and $s = (i, w) \in S$ a state such that $s \models O(\varphi \vee X\psi) \wedge \neg O(\varphi) \wedge \neg\varphi$. Every s' which is ideal in s, i.e., such that SamePast(s, s') and $s R_d s'$, satisfies ϕ ∨ Xψ, and it is not the case that every such s' satisfies ϕ.
If some of these states $s' = (i, w')$ have the same valuation as s, then they satisfy ¬ϕ (since ϕ is propositional, and $s \models \neg\varphi$), and ϕ ∨ Xψ. So, they satisfy Xψ. Thus, every state (i + 1, w') which is ideal in (i + 1, w) satisfies ψ, i.e., $(i + 1, w) \models O\psi$.
Otherwise (if none of the states s' have the same valuation as s), there is no ideal state having the same past as (i + 1, w). So, every formula is obligatory in (i + 1, w). In particular, $(i + 1, w) \models O\psi$.
Notice that we have proved the propagation property for any formula ψ
although we are only interested in temporal formulas ψ.
So we have that some of the obligations that may appear at a next state
are due to the propagation property. In fact, the following property claims
that the propagation property completely characterizes the new obligations
that appear.
New obligations We consider that an obligation O(ψ) is new if it holds in
a state (i + 1, w) whereas it was not obligatory to satisfy Xψ in the previous
state (i, w), i.e. if i, w |= XO(ψ) ∧ ¬O(Xψ).
Property 14 (Characterization of new obligations). We suppose that the set P of atomic propositions is finite. For any formula ψ, if in a state s both the formulas XO(ψ) and ¬O(Xψ) hold, then there exists a propositional formula ϕ such that
$$s \models O(\varphi \vee X\psi) \wedge \neg\varphi$$
So, if, in the next state, there will be an obligation to satisfy ψ and if this
obligation is new (i.e., now, there is no obligation to meet ψ next), then it
is due to a current obligation to satisfy ϕ ∨ Xψ where ϕ is propositional and
not fulfilled.
Proof. Let ψ be a formula and s a state such that $s \models XO(\psi) \wedge \neg O(X\psi)$. Let E be the set of the ideal states of s which do not satisfy Xψ:
$$E \overset{def}{=} \{ s' \in S \ /\ s R_d s' \text{ and } \mathit{SamePast}(s, s') \text{ and } s' \models \neg X\psi \}$$
We now define the set V(E) of all the valuations of states in E: $V(E) \overset{def}{=} \{ V(s') \ /\ s' \in E \}$. This set is finite (even if E is infinite) because it is included in $2^{2^P}$. Then we define the propositional formula
$$\varphi \overset{def}{=} \bigvee_{v \in V(E)} \Big( \bigwedge_{p \in v} p \wedge \bigwedge_{p \notin v} \neg p \Big)$$
Then every ideal state of s either satisfies Xψ or is in E and satisfies ϕ. So $s \models O(\varphi \vee X\psi)$.
Moreover, since $s \models XO(\psi)$, the states in E (which do not satisfy Xψ) are no longer ideal at the next step. So they do not share the same atomic propositions with s. Thus $s \models \neg\varphi$.
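The following Python is an added example (not code from the thesis) that evaluates both obligation semantics of this chapter on a constructed finite model: Definition 37's O_k over a genuine product versus the SamePast-restricted obligation of Definition 41, the new obligation the latter creates by propagation, the loss of axiom D after a violation (Property 15), and the propositional ϕ built in the proof of Property 14. The histories, valuations and ideality relation are constructed for the example, histories are finite prefixes, and F_k is expanded as ϕ ∨ X F_{k−1} ϕ as in section 4.2.

```python
from functools import reduce
from typing import Dict, FrozenSet, Tuple

# Constructed example, not code from the thesis.  A history is a finite prefix of
# valuations (one frozenset of true atoms per instant); formulas are nested tuples:
#   ('p', name) | ('not', f) | ('and', f, g) | ('or', f, g) | ('X', f) | ('O', f)
History = Tuple[FrozenSet[str], ...]
ATOMS = ('p',)  # the finite set P of atomic propositions used here

def NOT(f): return ('not', f)
def AND(f, g): return ('and', f, g)
def OR(f, g): return ('or', f, g)
def X(f): return ('X', f)
def O(f): return ('O', f)
def atom(a): return ('p', a)

def F_k(k, f):
    """Bounded eventually: F_0 phi = phi and F_k phi = phi ∨ X F_{k-1} phi."""
    return f if k == 0 else OR(f, X(F_k(k - 1, f)))

def O_k(k, f):
    """Definition 37: O_0(phi) = O(phi) and, for k > 0,
    O_k(phi) = O(F_k phi) ∧ ((¬phi ∨ O(¬phi)) ⇒ X O_{k-1}(phi)), with a ⇒ b written ¬a ∨ b."""
    if k == 0:
        return O(f)
    not_fulfilled = OR(NOT(f), O(NOT(f)))
    return AND(O(F_k(k, f)), OR(NOT(not_fulfilled), X(O_k(k - 1, f))))

class Model:
    """R_d relates (i, w) to (i, w') for every w' in ideal[w], independently of i.
    With same_past=True obligation is read as in Definition 41: only R_d-related
    histories sharing w's valuations before instant i count as ideal at (i, w)."""

    def __init__(self, hist: Dict[str, History], ideal: Dict[str, FrozenSet[str]], same_past: bool):
        self.hist, self.ideal, self.same_past = hist, ideal, same_past

    def ideal_at(self, i: int, w: str) -> FrozenSet[str]:
        if not self.same_past:
            return self.ideal[w]
        past = self.hist[w][:i]
        return frozenset(v for v in self.ideal[w] if self.hist[v][:i] == past)

    def sat(self, i: int, w: str, f) -> bool:
        op = f[0]
        if op == 'p':
            return f[1] in self.hist[w][i]
        if op == 'not':
            return not self.sat(i, w, f[1])
        if op == 'and':
            return self.sat(i, w, f[1]) and self.sat(i, w, f[2])
        if op == 'or':
            return self.sat(i, w, f[1]) or self.sat(i, w, f[2])
        if op == 'X':
            return self.sat(i + 1, w, f[1])
        if op == 'O':  # vacuously true once no ideal state is left: this is how axiom D is lost
            return all(self.sat(i, v, f[1]) for v in self.ideal_at(i, w))
        raise ValueError(f"unknown operator {op!r}")

def valuation_formula(v: FrozenSet[str]):
    """⋀_{p∈v} p ∧ ⋀_{p∉v} ¬p: the propositional formula true exactly under valuation v."""
    return reduce(AND, [atom(a) if a in v else NOT(atom(a)) for a in ATOMS])

def characterizing_formula(model: Model, i: int, w: str, psi):
    """Construction from the proof of Property 14: E = ideal states of (i, w) falsifying
    X psi, phi = ⋁_{v ∈ V(E)} valuation_formula(v).  Returns None when E is empty."""
    vals = {model.hist[v][i] for v in model.ideal_at(i, w) if not model.sat(i, v, X(psi))}
    return reduce(OR, [valuation_formula(v) for v in vals]) if vals else None

# Constructed histories in the spirit of Figure 4.1: the actual history w0 never satisfies p,
# ideal history w1 satisfies p only at instant 0, ideal history w2 only at instant 2.
HIST: Dict[str, History] = {
    'w0': (frozenset(), frozenset(), frozenset(), frozenset()),
    'w1': (frozenset({'p'}), frozenset(), frozenset(), frozenset()),
    'w2': (frozenset(), frozenset(), frozenset({'p'}), frozenset()),
}
IDEAL = {w: frozenset({'w1', 'w2'}) for w in HIST}  # serial R_d, same ideal set from every state
PRODUCT = Model(HIST, IDEAL, same_past=False)
RESTRICTED = Model(HIST, IDEAL, same_past=True)

def demo() -> Dict[str, bool]:
    p = atom('p')
    psi = F_k(1, p)  # "p within one time unit"; note that F_2 p = p ∨ X psi
    return {
        # at (0, w0): O(F_2 p) holds, O(F_1 p) does not, and p is not satisfied
        'posted_at_0': PRODUCT.sat(0, 'w0', AND(O(F_k(2, p)), AND(NOT(O(F_k(1, p))), NOT(p)))),
        # genuine product: w1 stays ideal at instant 1, so nothing is propagated
        'product_X_O_psi': PRODUCT.sat(0, 'w0', X(O(psi))),
        'product_def37_O2p': PRODUCT.sat(0, 'w0', O_k(2, p)),
        # Definition 41: w1 no longer shares w0's past, so O(F_1 p) holds at instant 1
        'restricted_X_O_psi': RESTRICTED.sat(0, 'w0', X(O(psi))),
        'restricted_def37_O2p': RESTRICTED.sat(0, 'w0', O_k(2, p)),
        # the obligation O(psi) at instant 1 is new: X O(psi) ∧ ¬O(X psi) holds at instant 0
        'new_obligation': RESTRICTED.sat(0, 'w0', AND(X(O(psi)), NOT(O(X(psi))))),
        # violation O(p) ∧ ¬p at instant 2 leaves no ideal state at instant 3, so O(⊥) holds
        'violation_at_2': RESTRICTED.sat(2, 'w0', AND(O(p), NOT(p))),
        'O_bottom_at_3': RESTRICTED.sat(3, 'w0', O(AND(p, NOT(p)))),
    }
```

Running `characterizing_formula(RESTRICTED, 0, 'w0', F_k(1, atom('p')))` returns the formula p, the valuation of the only ideal state that falsifies Xψ, and O(p ∨ Xψ) ∧ ¬p indeed holds at (0, w0).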
Axiom D Unfortunately, not everything is fine. In particular, the deontically ideal histories may shrink to the empty set when time passes, as we
saw in the proof of property 13. This conflicts with our desire to stay in accordance with SDL where obligations are always consistent: ¬O⊥. Another
formulation is axiom D: Oϕ ⇒ Pϕ. Then, if from a state s, there is no
ideal state with the same past, these properties cannot be satisfied, and every
formula is obligatory in s, including ⊥. In particular this occurs if there is
a violation of a proposition p in a state s = (i, w), i.e., if s |= O (p) ∧ ¬p. In
this case no ideal state is associated with (i + 1, w).
Property 15. With this semantics of obligation, axiom D is not valid:
$$\not\models \neg O(\bot) \quad \text{and} \quad \not\models O\varphi \Rightarrow P\varphi \qquad \text{for any formula } \varphi$$
As a solution to this problem, we might consider to add a constraint on
the models expressing that from every state there exists an ideal state with
the same past.
Definition 42 (Ideal existence constraint on models). Let $M = ((S_d, <_d, R_d), V)$ be a temporal deontic product model. We say that M satisfies the ideal existence constraint if
$$\forall s \in S\ \ \exists s' \in S \text{ such that } s R_d s' \text{ and } \mathit{SamePast}(s, s')$$
This constraint now guarantees validity of axiom D.
Property 16 (Axiom D). Let M be a temporal deontic product model that
satisfies the ideal existence constraint. Then
M |= ¬O⊥
or equivalently
M |= Oϕ ⇒ Pϕ
for any formula ϕ.
However, again we have to face a problem: the ideal existence constraint
interacts with the identical past criterion in an undesirable way. In particular, the above-mentioned situation where an obligation Op is violated in the
current state (i, w) (i.e., i, w |= O(p) ∧ ¬p) is no longer possible. Indeed, in
this situation, let us recall that no ideal state is associated with (i + 1, w),
which directly conflicts with the ideal existence constraint. So, if in our
logic, we impose both properties (axiom D and the propagation property),
we actually get that obligations can never be violated.
Property 17 (No violation). Let M be a model satisfying the ideal existence
constraint and ϕ a formula. Then M |= ¬(O(ϕ) ∧ ¬ϕ).
The conclusion has to be that we still have to refine the semantics: the
violation of obligations should be possible, without losing the interaction
between what happens and the deontic realm. We will propose a solution
based on a preference deontic relation in section 4.2.4.
4.2.3 Correspondence between the propagation property and a condition on models
We have proposed a semantics which ensures the propagation property (4.2),
and guarantees that every new obligation that appears in some state is ’due’
to the propagation of an obligation in the previous state. We have also
expressed a sufficient condition on models for validating axiom D. Another
possibility would be to follow the approach of the correspondence theory [125,
126] : the question would be to determine the class of the LT L⊗SDL-models
which satisfy property (4.2). Notice that, because of the restriction on ϕ
and ψ in property (4.2), to propositional formulas and temporal formulas
respectively, we cannot determine the class of frames which characterize our
property, as usually done in the correspondence theory. In fact, we need
valuations and thus, we reason about models instead of frames.
General temporal and deontic framework
We first exhibit a class of frames which characterizes the fusion LT L ⊗ SDL.
We consider a sub-class C1 of the class given in chapter 3, section 3.1.1,
in order to stay closer to the notation of product frames. Indeed, it is
then easier to establish the link with the semantics proposed in the previous
section. This sub-class C1 still defines the same set of valid formulas, so it
also characterizes LT L ⊗ SDL.
Definition 43 (Class C1 of frames). We consider frames (N × W, <t , Rd )
where
• N × W is the set of states. W represents a set of histories, and time
is represented by N.
• $<_t \subseteq (\mathbb{N} \times W) \times (\mathbb{N} \times W)$ is defined from the usual strict order on $\mathbb{N}$, as for the product LTL ⊗ SDL, and from it we define the semantics of temporal operators, as usual. It is straightforward to show that $<_t$ satisfies the three conditions given in section 3.1.1, page 42.
• $R_d \subseteq (\mathbb{N} \times W) \times (\mathbb{N} \times W)$ is a serial relation on $\mathbb{N} \times W$, and allows to define the semantics of obligation as usual. Without loss of generality, we assume that $R_d$ only associates states which belong to the same instant: if $(i, w) R_d (i', w')$ then $i = i'$³.
Given a frame F in $C_1$, a valuation for F is a function $V : \mathbb{N} \times W \to 2^P$ which associates each state with a set of atomic propositions. A model based on F is a pair (F, V), where V is a valuation for F.
³ Indeed, if a model based on $(W, <_t, R_d)$ satisfies a formula ϕ, then we can build a model based on $(\mathbb{Z} \times W, <_t, R_d)$ which also satisfies ϕ, such that $R_d$ only associates states which belong to the same instant.
The satisfaction relation between a state (i, w) and a formula, denoted by $\models_{4.2.3}$ in remark 5 below, is defined straightforwardly: the satisfaction of temporal operators is defined with $<_t$, and the satisfaction of obligation is defined with $R_d$.
Remark 5. Notice that the semantics we have defined in section 4.2.2 (we denote the satisfaction relation by $\models_{4.2.2}$) can be defined in the framework of the present section (with satisfaction relation denoted by $\models_{4.2.3}$):
$$i, w \models_{4.2.2} \varphi \text{ in the product model } (\mathbb{N} \times W, <_t, R_d, V) \quad \text{iff} \quad i, w \models_{4.2.3} \varphi \text{ in the model } (\mathbb{N} \times W, <_t, R_d \cap \mathit{SamePast}, V)$$
where $(\mathbb{N} \times W, <_t, R_d, V)$ is based on a product frame $(\mathbb{N}, <) \otimes (W, R)$, and satisfies the ideal existence constraint (cf. definition 42), which ensures that $R_d \cap \mathit{SamePast}$ is serial.
We are going to state a necessary condition on the one hand, and a sufficient condition on the other hand, on a C1 -model for satisfying the propagation property. Then, we will state a necessary and sufficient condition for
satisfying the propagation property for safety formulas. Before stating these
conditions, let us define some notations on sequences.
• Given a temporal deontic model (N × W, <t , Rd , V ), and a history
w ∈ W , we denote (w) the infinite sequence (V (0, w), V (1, w), . . .) of all
the valuations along history w. If I is an infinite (resp. finite) interval,
(w)I represents the infinite (resp. finite) sequence (V (i, w))i∈I . For
instance, (w)]i,j] , with i < j, represents the finite sequence (V (i +
1, w), V (i + 2, w), . . . , V (j, w)); the infinite sequence (w)i denotes the
suffix of (w) starting from index i.
• $Id_{i,w}$ is the set of the sequences of valuations of the histories which are ideal from (i, w):
$$Id_{i,w} \overset{def}{=} \{ (w')_i \ /\ (i, w) R_d (i, w') \}$$
• $A_{i,w}$ (resp. $B_{i,w}$) is the set of the sequences of valuations of the histories which are ideal and have (resp. have not) the same valuation as w at i:
$$A_{i,w} \overset{def}{=} \{ (w')_i \in Id_{i,w} \ /\ V(i, w) = V(i, w') \} \qquad B_{i,w} \overset{def}{=} Id_{i,w} - A_{i,w}$$
• In the space of infinite sequences, we use the topology induced by the distance defined in chapter 2, section 2.3.3. Let us remind some basic properties. If two sequences x, y have the same elements until index k, then their distance is $d(x, y) \overset{def}{=} 1/k$. A sequence x is in the closure of a set E of sequences if $\forall k \in \mathbb{N}\ \exists y \in E$ such that x and y have the same elements until index k. (Since we consider a metric space, the closure of E also equals the set of the limits of sequences in E.) Given a set E of sequences, the closure of E is denoted by $\overline{E}$.
Necessary condition
Property 18 (Necessary condition). If a model (F, V), where $F = (\mathbb{N} \times W, <_t, R_d)$ is in $C_1$, satisfies the propagation property (4.2) then $R_d$ satisfies one of the three following conditions: for every $i \in \mathbb{N}$ and $w, w' \in W$ such that $w' \in Id_{i+1,w}$,
(a) either $(w')_i$ is in the closure of $A_{i,w}$:
$$(w')_i \in \overline{A_{i,w}}$$
(b) or $A_{i,w}$ is empty and a strong constraint on $(w')_i$ applies:
$$A_{i,w} = \emptyset \quad \text{and} \quad \forall cl \in Id_{i,w}/{\equiv_i},\ (w')_i \in \overline{cl}$$
where the equivalence relation $\equiv_i$ on $Id_{i,w}$ is defined as follows ($Id_{i,w}/{\equiv_i}$ is then the quotient set): $w' \equiv_i w''$ iff $V(i, w') = V(i, w'')$.
(c) or all the states which are ideal in (i, w) have the same valuation at i, and $(w')_i$ is in the closure of $Id_{i,w}$:
$$Id_{i,w}/{\equiv_i} \text{ is a singleton} \quad \text{and} \quad (w')_i \in \overline{Id_{i,w}}$$
Proof. Suppose that a model M = (N × W, <_t, R_d, V) in C1 satisfies the propagation property (4.2), and that w' ∈ Id_{i+1,w}, for some i ∈ N and w ∈ W. We consider three cases.
First case: suppose that A_{i,w} ≠ ∅ and that Id_{i,w}/≡_i is not a singleton (i.e., there are two ideal states which have a different valuation at i). We show that condition (a) holds. Indeed, suppose that it is not the case. Then there is an instant i + k such that (w')_{[i+1..i+k]} ∉ A_{i,w,k}, where A_{i,w,k} is the set of the valuations of any history in A_{i,w} between i + 1 and i + k:
$$A_{i,w,k} \stackrel{\mathrm{def}}{=} \{\, (w')_{[i+1..i+k]} \,/\, (w')_i \in A_{i,w} \,\}$$
For each seq ∈ A_{i,w,k}, we define the formula
$$\psi_{seq} \stackrel{\mathrm{def}}{=} \Big(\bigwedge_{p \in seq(1)} p \wedge \bigwedge_{p \notin seq(1)} \neg p\Big) \wedge \ldots \wedge X^{k-1}\Big(\bigwedge_{p \in seq(k)} p \wedge \bigwedge_{p \notin seq(k)} \neg p\Big)$$
where seq(i) is the i-th element of seq. Since A_{i,w,k} is finite (contained in $2^{k * 2^{P}}$), we can define the formula $\psi \stackrel{\mathrm{def}}{=} \bigvee_{seq \in A_{i,w,k}} \psi_{seq}$. Since Id_{i,w}/≡_i is not a singleton, B_{i,w} is not empty. So, we can define
$$\varphi \stackrel{\mathrm{def}}{=} \bigvee_{v \in V(B_{i,w})} \Big(\bigwedge_{p \in v} p \wedge \bigwedge_{p \notin v} \neg p\Big)$$
where V(B_{i,w}) is the set of all the valuations of the states in B_{i,w}. Since all histories in A_{i,w} satisfy Xψ at i, and all histories in B_{i,w} satisfy ϕ at i, we can deduce that i, w ⊨ O(ϕ ∨ Xψ) ∧ ¬O(ϕ) ∧ ¬ϕ. So, i + 1, w ⊨ O(ψ), and then i + 1, w' ⊨ ψ, which is in contradiction with the fact that (w')_{[i+1..i+k]} ∉ A_{i,w,k}. Thus, if A_{i,w} ≠ ∅ and Id_{i,w}/≡_i is not a singleton, then condition (a) holds.
Second case: suppose that A_{i,w} = ∅ and Id_{i,w}/≡_i is not a singleton. Let cl ∈ Id_{i,w}/≡_i be an equivalence class. We show that $(w')_i \in \overline{cl}$. Suppose that it is not the case. There is an instant i + k such that the valuation of w' differs from any w'' in cl in at least one instant between i + 1 and i + k. We build ψ as in the case (a), with cl instead of A_{i,w}. We define
$$\varphi \stackrel{\mathrm{def}}{=} \bigvee_{v \in V(\mathit{Id}_{i,w} \setminus cl)} \Big(\bigwedge_{p \in v} p \wedge \bigwedge_{p \notin v} \neg p\Big)$$
Therefore, i, w ⊨ O(ϕ ∨ Xψ) ∧ ¬O(ϕ). Moreover, i, w ⊨ ¬ϕ since none of the ideal states have the same valuation as (i, w) (A_{i,w} = ∅). So, i + 1, w' ⊨ ψ, and this is in contradiction with the fact that $(w')_i \notin \overline{cl}$. So, if A_{i,w} = ∅ and Id_{i,w}/≡_i is not a singleton, then condition (b) holds. Therefore, we can deduce that if Id_{i,w}/≡_i is not a singleton, then either (a) holds or (b) holds.
Third case: now, we have to prove that if Id_{i,w}/≡_i is a singleton, then $(w')_i \in \overline{\mathit{Id}_{i,w}}$. Actually, we can prove $(w')_i \in \overline{\mathit{Id}_{i,w}}$ without any hypothesis. We only need the 'perfect recall' property for temporal formulas (O(Xψ) ⇒ XO(ψ) for any temporal formula ψ), which is a consequence of the propagation property. The construction of ψ during the proof follows the same idea as in the previous proof.
Thus, we have a precise characterization of the histories that are candidates to be ideal in a given state (i + 1, w): they have to satisfy one of the three conditions (a), (b), and (c), which concern valuations at future instants. Condition (a) expresses that a candidate is arbitrarily close (if we only look at the future) to a history which is ideal in (i, w), and which has the same valuation as w at i. We can consider that conditions (b) and (c) apply in 'degenerate cases'.
Condition (b) applies if there is no state which is ideal in (i, w) and has the same valuation as w at i. It states that a candidate is arbitrarily close to some history in every equivalence class of Id_{i,w} according to the equivalence relation ≡_i. A candidate to be ideal in (i + 1, w) can be viewed as a candidate to be a permitted behaviour in (i + 1, w). Therefore, (b) is a very strong constraint on the number of different behaviours which can be permitted in (i + 1, w).
Condition (c) applies if all the ideal states in (i, w) have the same valuation. In this context, two contradictory propositional formulas cannot be permitted in (i, w). Another undesirable property is that in (i, w), every permitted propositional formula is also obligatory. Besides, if i, w ⊨ O(ϕ ∨ Xψ) ∧ ¬O(ϕ) for some propositional formula ϕ and some temporal formula ψ, then ϕ is necessarily equivalent to ⊥. So, in such a state (i, w), the propagation property is necessarily reduced to the 'perfect recall' property. So condition (c) applies in a context which imposes very strong constraints, and it states that a candidate is arbitrarily close to some history which is ideal in (i, w).
From this characterization, we can deduce that the problem we had with 'propositional violations' in the semantics of section 4.2.2 was inevitable. Recall that we have exhibited in section 4.2.2 a class of models which validate the propagation property and axiom D, but 'propositional violations' are not satisfiable in this class of models.
On the other hand, let M be an arbitrary temporal deontic model which validates the propagation property (and axiom D), and (i, w) a state in M which satisfies some 'propositional violation', such as, for instance, O(p) ∧ ¬p, for an atomic proposition p ∈ P. We can easily deduce that A_{i,w} = ∅. Therefore, it follows from property 18 that one of the 'degenerate conditions' (b) and (c) holds.
Remark 6. From these considerations we can deduce that if we consider the class of models exhibited in section 4.2.2 in the framework of the present section, as suggested by remark 5, then for every state (i, w), and every history w' ∈ Id_{i+1,w}, condition (a) holds.
Sufficient condition
In this section, we present a sufficient condition to satisfy the propagation property. Actually, removing the closure operators from conditions (a), (b), and (c) provides a sufficient condition.
Property 19 (Sufficient condition). Given a model (F, V), where F = (N × W, <_t, R_d) is in C1,
• if for every i ∈ N, w, w' ∈ W such that w' ∈ Id_{i+1,w}, either (a'), or (b'), or (c') holds,
• then (F, V) satisfies the propagation property (4.2).
(a') w' has the 'same future' as some history w'' in A_{i,w}:
$$(w')_i \in A_{i,w}$$
(b') or A_{i,w} is empty, and a strong constraint on the valuation of w' applies (for the future instants):
$$A_{i,w} = \emptyset \quad\text{and}\quad \forall cl \in \mathit{Id}_{i,w}/\!\equiv_i,\ (w')_i \in cl$$
(c') or all the states which are ideal in (i, w) have the same valuation as each other, and w' has the 'same future' as some history w'' which is ideal at i:
$$\mathit{Id}_{i,w}/\!\equiv_i \text{ is a singleton} \quad\text{and}\quad (w')_i \in \mathit{Id}_{i,w}$$
Proof. Let (N × W, <_t, R_d, V) be a model in C1, i ∈ N a nonnegative integer, and w, w' ∈ W two histories. Suppose that (i, w) satisfies O(ϕ ∨ Xψ) ∧ ¬O(ϕ) ∧ ¬ϕ, for a given propositional formula ϕ and a temporal formula ψ. Let w' ∈ Id_{i,w} be an ideal history. We have to prove that i + 1, w' ⊨ ψ in each one of the cases (a'), (b'), and (c').
Suppose that (a') holds. Since every history in A_{i,w} satisfies ψ at i + 1, then w' also satisfies ψ at i + 1. The proof in the cases (b') and (c') is left to the reader. (Notice that in the case (c'), the propositional formula ϕ of the propagation property is necessarily ⊥.)
Necessary and sufficient condition
Now, we propose a restriction of propagation property (4.2) so that the necessary condition provided in property 18 becomes also sufficient.
Definition 44 (Propagation property for safety formulas).
$$O(\varphi \vee X\psi) \wedge \neg O\varphi \wedge \neg\varphi \Rightarrow XO(\psi) \qquad (4.4)$$
for any propositional formula ϕ, and any safety formula ψ.
Property 20. A model (F, V), where F = (N × W, <_t, R_d) is in C1, satisfies the propagation property (4.4) if and only if for every i ∈ N, w, w' ∈ W such that w' ∈ Id_{i,w}, one among the three conditions (a), (b), and (c), defined in property 18, is satisfied.
Proof. Let (N × W, <_t, R_d, V) be a model in C1, i ∈ N a nonnegative integer, and w, w' ∈ W two histories. Suppose that (i, w) satisfies O(ϕ ∨ Xψ) ∧ ¬O(ϕ) ∧ ¬ϕ, for a given propositional formula ϕ and a temporal safety formula ψ. Let w' ∈ Id_{i,w} be an ideal history. We have to prove that i + 1, w' ⊨ ψ in each one of the cases (a), (b), and (c).
Suppose that (a) holds. Since every history in A_{i,w} satisfies ψ at i + 1, and ψ is a safety formula, then every history in $\overline{A_{i,w}}$ also satisfies ψ at i + 1. So, (i + 1, w') satisfies ψ. The proof is similar for cases (b) and (c).
4.2.4 Semantics with levels of deontic ideality
In this section, we refine the semantics given in section 4.2.2 in order to validate axiom D without losing the ability to deal with 'contrary to duty' (CTD) situations. In states where there is a violation, something happens that is contrary to what is obligatory for that state. It should not be the case that such situations cause the deontic realm to collapse. So when there is a violation, it should still be possible to point out what is obligatory and what is not, despite the violation in the present state.
We look for a solution to the problem by switching to levels of ideality. Rather than an accessibility relation which gives the ideal states, we consider a preference relation ⪰_d, where s' ⪰_d s means that the state s' is "at least as good as" the state s. This allows us to have several "levels of ideality". The ideal states will be the best states among those which share the same past as the current state. The idea is now that if a state (i, w) violates an obligation of a propositional formula then the ideal states of (i + 1, w) are states which were not ideal for (i, w): the deontic realm thus switches to a lower level of ideality. This contrasts with the setting of the previous section, where in this case there would be no ideal states left.
Definition 45 (Temporal deontic frame and model). A temporal deontic frame (S, <_t, ⪰_d) is defined as the product (N, <) × (W, ⪰) of a temporal frame (N, <) and a deontic frame (W, ⪰), where ⪰, considered as a preference relation, is a total quasi-order (total and transitive relation) on W.
A temporal deontic model is defined as a product model based on a temporal deontic frame.
For the temporal and boolean operators the satisfaction relation is defined as above. For the obligation operator it is defined as follows.
Definition 46 (Semantics of the obligation (3)). Given a temporal deontic model ((S, <_t, ⪰_d), V), and a state s ∈ S, ϕ is obligatory if there is a state with the same past as s such that every "better" state with the same past satisfies ϕ.
$$s \models O\varphi \quad\text{iff}\quad \exists s' \in S \text{ such that } \mathit{SamePast}(s, s') \text{ and } \forall s'' \in S,\ \text{if } (\mathit{SamePast}(s, s'') \wedge s'' \succeq_d s') \text{ then } s'' \models \varphi$$
Remark 7. If every set of histories has at least one maximum element for the quasi-order (i.e., the relation ⪯, defined by w ⪯ w' iff w' ⪰ w, is a well-quasi-order), then we can define the set of the best states among those having the same past:
$$\mathit{BestSamePast}(s) \stackrel{\mathrm{def}}{=} \{\, s' \in S \,/\, \mathit{SamePast}(s, s') \text{ and } \forall s'' \in S,\ \text{if } \mathit{SamePast}(s, s'') \text{ then } s' \succeq_d s'' \,\}$$
In this case, the semantic definition of O(ϕ) becomes simpler:
$$s \models O\varphi \quad\text{iff}\quad \forall s' \in \mathit{BestSamePast}(s),\ s' \models \varphi$$
In a state s, the states in BestSamePast(s) are called the ideal states. In the remainder, during informal discussions, we will implicitly suppose that ⪰ is a well-quasi-order so that reasoning about ideal states makes sense.
For the newly defined models (definition 45) with levels of ideality, there
is no need for a constraint to guarantee the validity of axiom D.
Property 21 (Axiom D). Axiom D is valid for this semantics of obligation:
$$\models \neg O(\bot) \quad\text{and}\quad \models O(\varphi) \Rightarrow P(\varphi) \qquad \text{for any formula } \varphi$$
The proof is obvious.
So axiom D is valid and violations can be satisfied.
However, there is still a phenomenon that has to be considered more
closely. When an obligation of a proposition p is violated in a state (i, w),
then the ideal histories at the step i + 1 are completely disjoint from the
ideal histories at the step i. This is easy to see: if (i, w) ⊨ ¬p ∧ Op, then all the ideal states of (i, w) satisfy p. On the other hand, the ideal states of (i + 1, w) have the same past as (i + 1, w), and thus they are states (i + 1, w') such that (i, w') does not satisfy p. So none of the ideal histories of (i, w) are ideal for (i + 1, w) and vice versa. The problem is now that in such states,
the propagation property is not guaranteed anymore because of the change
to a completely different set of lower level ideal histories.
Actually, the condition that makes the set of ideal histories change between (i, w) and (i + 1, w) is a little more general than suggested by the
example with the violation of an atomic proposition. More generally, the
condition concerns the violation of an obligation for any propositional formula which can be seen as an immediate obligation, that is, any propositional
formula concerning the present moment. So, if such an obligation is violated,
the current ideal histories will not be considered as ideal in the future. The
current norms become obsolete, and we switch to the norms of a lower level.
If not, we have a strong link between what is obligatory now and next, and
the propagation property holds.
To characterize these two kinds of states, we define the condition IdealPropagate(s) on a state s, which expresses that for every state with the same past as s, there is a better state which still has the same past at the next step. This condition ensures that some of the current ideal histories are still ideal at the next step.
Given a temporal deontic model ((S, <_t, ⪰_d), V) and a state s ∈ S,
$$\mathit{IdealPropagate}(s) \stackrel{\mathrm{def}}{=} \forall s' \in S,\ \text{if } \mathit{SamePast}(s, s') \text{ then } \exists s'' \in S \text{ such that } \mathit{SamePast}(s, s'') \text{ and } V(s) = V(s'') \text{ and } s'' \succeq_d s'$$
Remark 8. If (W, ⪰) is a well-quasi-order, then IdealPropagate(s) can be defined more simply:
$$\mathit{IdealPropagate}(s) \stackrel{\mathrm{def}}{=} \exists s' \in \mathit{BestSamePast}(s) \text{ such that } V(s) = V(s')$$
Property 22. We suppose that the set P of atomic propositions is finite.
Given a temporal deontic model ((S, <t , d ), V ) and a state s ∈ S, the condition IdealPropagate(s) holds iff there is no violation of a propositional
formula in s, that is, iff for any propositional formula ϕ, s |= ¬(O(ϕ) ∧ ¬ϕ).
Proof. We first prove that if IdealPropagate(s) does not hold, then there is some propositional formula ϕ such that s ⊨ O(ϕ) ∧ ¬ϕ. We then prove the other direction.
'⇐': Suppose that IdealPropagate(s) does not hold, i.e.,
$$\exists s' \in S \text{ such that } \mathit{SamePast}(s, s') \text{ and } \forall s'' \succeq_d s',\ \text{if } \mathit{SamePast}(s, s'') \text{ then } V(s) \neq V(s'')$$
Then, we consider such a state s' and define the set VAL(s') of all the valuations of the states which are at least as good as s' and share the same past.
$$\mathit{VAL}(s') \stackrel{\mathrm{def}}{=} \{\, V(s'') \,/\, s'' \succeq_d s' \text{ and } \mathit{SamePast}(s', s'') \,\}$$
VAL(s') is finite since it is included in the set $2^{2^{P}}$. Let us consider the propositional formula ϕ defined as follows:
$$\varphi \stackrel{\mathrm{def}}{=} \bigvee_{v \in \mathit{VAL}(s')} \Big(\bigwedge_{p \in v} p \wedge \bigwedge_{p \notin v} \neg p\Big)$$
Since every such state s'' has a valuation which is distinct from the valuation of s, then s ⊨ ¬ϕ. Besides, from the definition of obligation we have that s ⊨ O(ϕ). Thus, s ⊨ O(ϕ) ∧ ¬ϕ.
'⇒': Let us suppose now that there exists some propositional formula ϕ such that s ⊨ O(ϕ) ∧ ¬ϕ. Then,
$$\exists s' \in S \text{ such that } \mathit{SamePast}(s, s') \text{ and } \forall s'' \succeq_d s',\ \text{if } \mathit{SamePast}(s, s'') \text{ then } s'' \models \varphi$$
Every such s'' has a valuation which differs from the valuation of s, i.e., V(s'') ≠ V(s), since s ⊨ ¬ϕ and s'' ⊨ ϕ. Therefore, IdealPropagate(s) does not hold.
In a state s that satisfies IdealPropagate(s), the deontic realm that will
be considered next is a subset of the current deontic realm. So we still have,
as in section 4.2.2, that no obligations are forgotten, but some may appear.
If IdealPropagate(s), then s |= O(Xϕ) ⇒ XO(ϕ), but XO(ϕ) ⇒ O(Xϕ)
does not hold necessarily.
Let us illustrate this preference semantics with the example on Figure 4.4. For the sake of simplicity, the preference relation between histories is modeled by the fact that each history is associated with an integer which represents the level of ideality of this history. w5, w4, and w3 are the best histories (level 10). The level of w1 and w2 is 5, and w0 has the worst level: 2. The quasi-order on histories which is implicitly defined by these levels is a well-quasi-order, so every set of histories has a set of maximum elements, and
[Figure 4.4: Preference semantics. Histories w5, w4, w3 (level 10), w2, w1 (level 5) and w0 (level 2) with their valuations over {p, q} at instants 0 to 5; the ideal states along w0 are surrounded.]
the set of the ideal histories can be defined in each state. For the successive states of w0, the ideal states are surrounded in Figure 4.4. From state (0, w0), the ideal states are w3, w4, and w5. While one of these histories has the same valuation as w0, everything works as in the semantics of section 4.2.2. At instant 2, every ideal history has a valuation which differs from the valuation of w0. Therefore, IdealPropagate(2, w0) does not hold (the obligatory formula p ⇔ q is violated). So, at the next instant, the set of the ideal histories switches to the lower level of ideality. In this example, in every state of w0 except (2, w0), IdealPropagate is satisfied.
Property 23 (Propagation). A state which does not satisfy any violation of a propositional formula satisfies the propagation property.
If IdealPropagate(s) then
$$s \models O(\varphi \vee X\psi) \wedge \neg O\varphi \wedge \neg\varphi \Rightarrow XO\psi$$
for ϕ a propositional formula, and ψ any formula.
Proof. The proof is similar to the proof of property 13 in section 4.2.2, except that we do not have the case where every formula is obligatory in the temporal successor of s.
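As an added illustration (not part of the thesis), the following Python model checker implements the preference semantics of obligation of definition 46, BestSamePast and IdealPropagate from remarks 7 and 8, the propositional-violation test of property 22, and instances of property 23, on a small constructed product model in the spirit of Figure 4.4: six histories with levels 2, 5, 5, 10, 10, 10, but with valuations constructed here, not read from the figure.

```python
from itertools import combinations

ATOMS = ("p", "q")
# Constructed model (not the figure's data): each history has a level of ideality
# (higher is better) and valuations at instants 0..4; the last one repeats forever.
LEVEL = {"w0": 2, "w1": 5, "w2": 5, "w3": 10, "w4": 10, "w5": 10}
VAL = {
    "w0": [{"p"}, {"p", "q"}, {"p"}, {"p"}, set()],
    "w1": [{"p"}, {"p", "q"}, {"p"}, {"p"}, set()],
    "w2": [{"p"}, {"p", "q"}, {"p"}, {"q"}, set()],
    "w3": [{"p"}, {"p", "q"}, {"p", "q"}, set(), {"p"}],
    "w4": [{"p"}, {"p", "q"}, {"p", "q"}, {"p"}, set()],
    "w5": [{"p"}, {"p"}, {"p"}, {"p"}, {"p"}],
}
TOP = ("or", "p", ("not", "p"))
BOT = ("not", TOP)

def val(w, i):
    return VAL[w][min(i, len(VAL[w]) - 1)]

def same_past(i, w, w2):
    """SamePast((i, w), (i, w2)): identical valuations at every instant j < i."""
    return all(val(w, j) == val(w2, j) for j in range(i))

def at_least_as_good(w, w2):
    """w is at least as good as w2 in the total quasi-order of definition 45 (by level)."""
    return LEVEL[w] >= LEVEL[w2]

def holds(i, w, f):
    """Satisfaction at (i, w); formulas are nested tuples, atoms are strings."""
    if isinstance(f, str):
        return f in val(w, i)
    op, args = f[0], f[1:]
    if op == "not":
        return not holds(i, w, args[0])
    if op == "or":
        return holds(i, w, args[0]) or holds(i, w, args[1])
    if op == "and":
        return holds(i, w, args[0]) and holds(i, w, args[1])
    if op == "X":
        return holds(i + 1, w, args[0])
    if op == "O":
        return obligatory(i, w, args[0])
    raise ValueError(op)

def obligatory(i, w, f):
    """Definition 46: some s' with the same past as s such that every state with the
    same past which is at least as good as s' satisfies f."""
    same = [x for x in VAL if same_past(i, w, x)]
    return any(all(holds(i, y, f) for y in same if at_least_as_good(y, x))
               for x in same)

def best_same_past(i, w):
    """Remark 7: the best states among those sharing the past of (i, w)."""
    same = [x for x in VAL if same_past(i, w, x)]
    return {x for x in same if all(at_least_as_good(x, y) for y in same)}

def ideal_propagate(i, w):
    """IdealPropagate(s): every s' with the same past is dominated by some s'' with
    the same past and the same valuation as s."""
    same = [x for x in VAL if same_past(i, w, x)]
    return all(any(at_least_as_good(y, x) and val(y, i) == val(w, i) for y in same)
               for x in same)

def formula_of_valuations(valuations):
    """The formula of the proof of property 22: the disjunction, over the given
    valuations v, of (AND of p for p in v) AND (AND of not p for p not in v)."""
    phi = BOT
    for v in valuations:
        conj = TOP
        for p in ATOMS:
            conj = ("and", conj, p if p in v else ("not", p))
        phi = ("or", phi, conj)
    return phi

ALL_VALUATIONS = [frozenset(c) for n in range(len(ATOMS) + 1)
                  for c in combinations(ATOMS, n)]

def propositional_violation(i, w):
    """A propositional phi with O(phi) and not phi at (i, w), else None; up to
    equivalence every propositional formula is formula_of_valuations(S)."""
    for n in range(len(ALL_VALUATIONS) + 1):
        for subset in combinations(ALL_VALUATIONS, n):
            phi = formula_of_valuations(subset)
            if holds(i, w, ("O", phi)) and not holds(i, w, phi):
                return phi
    return None

def propagation_instance(i, w, phi, psi):
    """Property 23 instance: (premise, conclusion) of
    O(phi or X psi) and not O(phi) and not phi  =>  X O(psi)."""
    premise = (holds(i, w, ("O", ("or", phi, ("X", psi))))
               and not holds(i, w, ("O", phi)) and not holds(i, w, phi))
    return premise, holds(i, w, ("X", ("O", psi)))
```

At (2, w0) the ideal states w3 and w4 both have valuation {p, q}, so p ⇔ q is obligatory and violated, IdealPropagate fails, and the perfect-recall instance O(X¬q) ⇒ XO(¬q) fails at the next instant because the ideal set has switched to w1 and w2.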
As in section 4.2.2 (property 14), we still have a more precise characterization.
Property 24 (Characterization of new obligations). We suppose that the
set P of atomic propositions is finite. For any formula ψ, if in a state s,
which satisfies IdealPropagate(s), both the formulas XO(ψ) and ¬O(Xψ)
hold, then there exists a propositional formula ϕ such that
s |= O(ϕ ∨ Xψ) ∧ ¬O(ϕ) ∧ ¬ϕ
When an obligation appears, it is necessarily due to the propagation of some
more general obligation in the previous state. So the propagation property
completely characterizes the new obligations that appear.
Proof. The proof follows the same idea as the proof of property 14 in section
4.2.2.
As said in the introduction of section 4.2, as a consequence of the general propagation property, if a state s satisfies IdealPropagate(s), then it satisfies the following property of propagation for an obligation with deadline, since F_k ϕ ⇔ ϕ ∨ X F_{k−1} ϕ, for k > 0:
$$s \models O(F_k\varphi) \wedge \neg O(\varphi) \wedge \neg\varphi \Rightarrow XO(F_{k-1}\varphi)$$
for any deadline k > 0, and ϕ propositional formula. This property expresses that if it is obligatory to satisfy ϕ before a deadline k (and it is not obligatory to satisfy it now) then, if ϕ is not true now, the obligation is propagated.
In a state which does not satisfy IdealPropagate, that is, a state which
violates an obligation of some propositional formula, the deontic realm of the
next state switches to a lower level. We consider that when a state violates
the present rules, then they become obsolete. In such a state, O (Xϕ) ⇒
XO(ϕ) is not guaranteed, and neither is any link between what is satisfied
in the current state, and what is obligatory next.
4.2.5 Branching time structures
Many proposals to combine temporal and deontic concepts use a branching
time structure, where the ideal alternatives are subsets of the possible future
worlds [71, 16, 13, 43]. It is also possible to consider a preference relation
instead of an ideality relation. For the sake of simplicity, in this section,
we will only consider ideality relations. In this section, we investigate the
relation between this branching time point of view and our product-based
point of view.
Our identical past criterion (given through the predicate SamePast) may
be viewed as an encoding of such a branching time structure in our product
framework. Figure 4.5 illustrates a natural translation of a product model
(without deontic relation) into a branching time model. Notice that we need
to add a starting state which belongs to every history in order to ensure that
the obtained model is a tree. Nevertheless, the translation of the ideality
relation is not straightforward. Indeed, in our product view, ideal histories
[Figure 4.5: Tree-like representation of a product structure (histories w0 to w3 with their valuations over {p, q} at instants 0 to 4, and the corresponding tree).]
are taken among histories that have the same past as the current history until
the current instant. So, in the branching time view, we have the following
statement:
(a) in a given state s, ideal histories are part of the histories which go
through the predecessor of s
In order to illustrate (a), let us come back to the product view of the example,
and consider history w0 . Suppose that initially, i.e., in (0, w0 ), histories w1 ,
w2 , and w3 are ideal. Then, the identical past criterion imposes that
• at instants 1 and 2, only w1 and w2 remain ideal
• at instants 3 and 4, only w1 remains ideal
In the branching time view, it is easy to see that the corresponding ideality relation, which associates an instant/history pair with a set of ideal instant/history pairs, verifies statement (a) in the successive states of w0.
This differs from the standard way to model ideal histories in a branching
time setting. Indeed, in a given state s, usual approaches, as, e.g., in [13, 16],
consider that ideal histories are part of the histories that go through s, i.e.,
the histories which can still happen in s. (A path formula is then obligatory if
every ideal history satisfies it.) In such a framework, an atomic proposition
p cannot be true in the current state s, and, at the same time, false in
some ideal history. Indeed, the present state of every ideal history is s.
These approaches thus have problems modelling immediate obligations. For
example, O(p) ∧ ¬p, where p is an atomic proposition, is not satisfiable in
such logics.
5 Decision procedure and axiomatization
This chapter deals with a decision procedure and an axiomatization of our logic. Different quantifiers are hidden in the semantic definition of obligation. This makes it difficult to establish logical results. So, we propose to decompose the modality O into more primitive normal operators. Two accessibility relations are involved: the relation 'at least as good as', which models preference between histories, and the relation 'has the same past as', which will be denoted by SamePast. Indeed, let us remember that the semantics of obligation is defined as follows: O(ϕ) is satisfied in state s if there is a state s' with the same past as s such that every state with the same past, which is at least as good as s', satisfies ϕ.
$$s \models O\varphi \quad\text{iff}\quad \exists s' \in S \text{ such that } \mathit{SamePast}(s, s') \text{ and } \forall s'' \in S,\ \text{if } (\mathit{SamePast}(s, s'') \wedge s'' \succeq_d s') \text{ then } s'' \models \varphi$$
In order to define O in terms of more primitive modal operators, it is natural to introduce a modal operator [SP] which corresponds to the relation 'has the same past', and another operator [SP∩⪰] which corresponds to the intersection of both semantic relations. The obligation operator O will be defined in terms of the primitive operators [SP] and [SP∩⪰].
Let us define the obtained language.
Definition 47 (Language with primitive operators). Given a set P of atomic propositions, the language obtained after the decomposition of obligation into more primitive operators is defined by the following syntax:
$$\varphi ::= \top \mid p \mid \neg\varphi \mid \varphi \vee \varphi \mid X\varphi \mid \varphi\,U\,\varphi \mid [SP]\varphi \mid [SP \cap \succeq]\varphi$$
where ⊤ is a logical constant ('true'), and p ∈ P is an atomic proposition.
We define the following usual abbreviations:
$$\langle SP \rangle \varphi \stackrel{\mathrm{def}}{=} \neg[SP]\neg\varphi \qquad \langle SP \cap \succeq \rangle \varphi \stackrel{\mathrm{def}}{=} \neg[SP \cap \succeq]\neg\varphi$$
• [SP]ϕ means: in every state that has the same past as the current state, ϕ holds.
• [SP∩⪰]ϕ means: in every state that has the same past and is at least as good as (or preferred to) the current state, ϕ holds.
Let us formally define the semantics of these new operators.
Definition 48 (Semantics of the primitive operators). Given a product model (S, <_t, ⪰_d, V), a state s ∈ S, and a formula ϕ, we define the semantics of the primitive operators as follows:
$$s \models [SP]\varphi \quad\text{iff}\quad \forall s' \in S,\ \text{if } \mathit{SamePast}(s, s') \text{ then } s' \models \varphi$$
$$s \models [SP \cap \succeq]\varphi \quad\text{iff}\quad \forall s' \in S,\ \text{if } s' \succeq s \text{ and } \mathit{SamePast}(s, s') \text{ then } s' \models \varphi$$
A formula is satisfiable if there is a state which satisfies it. A formula is
valid if every state satisfies it.
Definition 49 (Obligation). We define the obligation operator as follows:
$$O(\varphi) \stackrel{\mathrm{def}}{=} \langle SP \rangle [SP \cap \succeq]\varphi$$
Notice that the semantic characterization of O coincides with the above-mentioned semantic definition of obligation.
In section 5.1, we give a tableaux-like decision procedure for a fragment
of our language. In section 5.2, we give an axiomatization of this fragment.
5.1 Tableaux decision procedure for satisfiability
As a first remark, our logic lacks the finite model property. Indeed, it can easily be shown that the following formula has only infinite models, i.e., models ((N, <) × (W, ⪰), V) where W is an infinite set of histories:
$$[SP]\,\mathit{AtMostOnce}(p) \wedge G\langle SP \rangle p$$
where AtMostOnce(p) stands for G(p ⇒ XG¬p). Establishing the decidability of this logic would require complex techniques, such as the quasi-model method [135, 57]. In this section, we show the decidability of the until-free fragment of the logic, using a tableaux-like decision procedure.
We describe a tableaux method with explicit accessibility relations. We use the notation of prefixed formulas i, w : ϕ, where the prefix i, w intuitively represents a state that satisfies the formula ϕ; i is a non-negative integer, and w is a history. Contrary to usual prefixed tableaux [55, 92], we do not encode accessibility relations into the node names. We represent explicitly the three distinct accessibility relations ('temporal successor', 'at least as good as', and 'same past'). We suppose that the set P of atomic propositions is finite.
A tableau T is a structure we keep as close to a model as possible. It consists of a set of histories W, a set of moments M ⊆ N, a labelling function L which associates each moment/history pair with a set of formulas, a quasi-ordering R⪰ on W, and a set of equivalence relations (RSP_i)_{i∈M} on W. Intuitively, (w, w') ∈ R⪰ means that history w' is at least as good as w; (w, w') ∈ RSP_i means that histories w and w' have the same past until i (they satisfy the same propositions until the moment before i). Tableaux rules specify how, and under which conditions, T is updated.
Let us describe, in the next section, the tableau data structure and update operations.
5.1.1 Tableau data structure and update operations
A tableau for a formula φ is a tuple T = (W, M, v0, L, R⪰, (RSP_i)_{i∈M}) where
• W is a set of histories
• M ⊆ N is a set of moments; a node of the tableau is then a moment/history pair (i, w) ∈ M × W
• v0 ∈ M × W is the root
• L : M × W → 2^{sub(φ)} is a label function which associates each node with a set of sub-formulas of φ. In the remainder, we write i, w : ϕ for ϕ ∈ L(i, w). The label of the root contains φ: φ ∈ L(v0).
• R⪰ ⊆ W × W is a reflexive and transitive relation on W
• RSP_i ⊆ W × W, for each i ∈ M, is an equivalence relation on W. The following property between the different RSP_i is satisfied:
$$(*)\quad \forall w, w' \in W\ \forall i \in M\quad (w, w') \in R_{SP_i} \Rightarrow \forall j \in M,\ j < i \Rightarrow (w, w') \in R_{SP_j}$$
We now give the procedural semantics of our tableau operations add_form, new_history, add_inst, and add_pair, which update a data structure T.
• add_form(i, w, ϕ) adds the formula ϕ to the label L(i, w).
• add_pair(R, (w, w')), for R = R⪰ or R = RSP_i, adds pair (w, w') to relation R, and updates R with its reflexive and transitive closure in case R = R⪰, with its reflexive, transitive, and symmetric closure in case R = RSP_i. Moreover, if R = RSP_i, then for every j ∈ M such that j < i, RSP_j is updated so that constraint (*) is satisfied.
• new_history adds a new history to W and returns the corresponding name.
• add_inst(i) adds instant i to the set M if i ∉ M.
We can combine these atomic actions with the two following combinators: the sequential operator ';' and the nondeterministic choice operator '[]'.
5.1.2 Tableaux rules
In this section, we present our tableaux rules.
• double negation rule
$$\frac{i, w : \neg\neg\varphi}{\mathit{add\_form}(i, w, \varphi)}\ (\neg\neg)$$
• rule α (resp. β) is the usual rule for conjunction (resp. disjunction).
$$\frac{i, w : \neg(\varphi_1 \vee \varphi_2)}{\mathit{add\_form}(i, w, \neg\varphi_1);\ \mathit{add\_form}(i, w, \neg\varphi_2)}\ (\alpha) \qquad \frac{i, w : \varphi_1 \vee \varphi_2}{\mathit{add\_form}(i, w, \varphi_1)\ []\ \mathit{add\_form}(i, w, \varphi_2)}\ (\beta)$$
This presentation of rule β corresponds to a depth-first computation, as in [54], whereas other presentations (equivalent to ours) compute both possibilities in parallel (width-first computation).
• rules X and ¬X extend the label of the successor node as follows:
$$\frac{i, w : X\varphi}{\mathit{add\_inst}(i+1);\ \mathit{add\_form}(i+1, w, \varphi)}\ (X) \qquad \frac{i, w : \neg X\varphi}{\mathit{add\_inst}(i+1);\ \mathit{add\_form}(i+1, w, \neg\varphi)}\ (\neg X)$$
• rules Π add a new history if a node is labelled by a 'diamond' formula of the form ¬[SP]ϕ or of the form ¬[SP∩⪰]ϕ.
$$\frac{i, w : \neg[SP]\varphi}{w' := \mathit{new\_history};\ \mathit{add\_form}(i, w', \neg\varphi);\ \mathit{add\_pair}(R_{SP_i}, (w, w'))}\ (\Pi_{SP})$$
$$\frac{i, w : \neg[SP \cap \succeq]\varphi}{w' := \mathit{new\_history};\ \mathit{add\_form}(i, w', \neg\varphi);\ \mathit{add\_pair}(R_\succeq, (w, w'));\ \mathit{add\_pair}(R_{SP_i}, (w, w'))}\ (\Pi_{SP \cap \succeq})$$
• rules K add formula ϕ to a node i, w' if node (i, w) is labelled by a 'box' formula of the form [SP]ϕ, or of the form [SP∩⪰]ϕ, and w' is an accessible history from w.
$$\frac{i, w : [SP]\varphi \text{ and } (w, w') \in R_{SP_i}}{\mathit{add\_form}(i, w', \varphi)}\ (K_{SP}) \qquad \frac{i, w : [SP \cap \succeq]\varphi \text{ and } (w, w') \in R_{SP_i} \text{ and } (w, w') \in R_\succeq}{\mathit{add\_form}(i, w', \varphi)}\ (K_{SP \cap \succeq})$$
• rule update_SP applies if two states which share the same past until moment i still satisfy the same propositions at i. Besides, for each atomic proposition, either this proposition or its negation has to be satisfied in both states (i.e., the states have to be saturated). Then RSP_{i+1} is updated so that w and w' are considered as having the same past until i + 1.
$$\frac{(w, w') \in R_{SP_i} \text{ and } \forall p \in P\ (i, w : p \text{ and } i, w' : p) \text{ or } (i, w : \neg p \text{ and } i, w' : \neg p)}{\mathit{add\_pair}(R_{SP_{i+1}}, (w, w'))}\ (\mathit{update\_SP})$$
• rule saturation aims at saturating the states in atomic propositions so that rule update_SP can be applied.
$$\frac{p \in P \text{ and } i \in M \text{ and } w \in W}{\mathit{add\_form}(i, w, p \vee \neg p)}\ (\mathit{saturation})$$
• rule ⪰-totality aims at guaranteeing the totality of R⪰.
$$\frac{(w, w') \notin R_\succeq \text{ and } (w', w) \notin R_\succeq}{\mathit{add\_pair}(R_\succeq, (w, w'))\ []\ \mathit{add\_pair}(R_\succeq, (w', w))}\ (\succeq\text{-totality})$$
Definition 50 (Closed tableau). A tableau is said to be closed if
• ϕ and ¬ϕ label some node i, w,
• or ∃w, w' ∈ W, ∃i ∈ M, ∃p ∈ P such that i, w : p and i, w' : ¬p and (w, w') ∈ RSP_{i+1}.
Definition 51 (Completed and open tableau). A tableau T is completed if for every rule r
• either r is not enabled, i.e., the premise of r is not satisfied
• or r is enabled, and the application of the consequent of r has no effect
We consider that add_inst(i) has no effect if i ∈ M, add_form(i, w, ϕ) has no effect if ϕ ∈ L(i, w), and add_pair(R, (w, w')) has no effect if (w, w') ∈ R, with R = R⪰ or R = RSP_i.
A tableau is open if it is completed and not closed.
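As an added example (not code from the thesis), the following Python class implements the tableau data structure of section 5.1.1 with its update operations (including the closures maintained by add_pair and constraint (*)), the rules that need no nondeterministic choice (¬¬, α, X, ¬X, Π and K), and the closure test of definition 50; rules β, saturation, ⪰-totality and update_SP are left out, so `run` only saturates a tableau under the deterministic rules. Following definition 49, O(p) is written ("not", ("SP", ("not", ("SPcap", "p")))).

```python
from itertools import count

def closure(rel, symmetric):
    """Transitive (and, if requested, symmetric) closure; reflexive pairs are added by new_history."""
    rel = set(rel) | ({(b, a) for a, b in rel} if symmetric else set())
    while (new := {(a, d) for a, b in rel for c, d in rel if b == c} - rel):
        rel |= new
    return rel

class Tableau:
    """T = (W, M, v0, L, R, (RSP_i)_{i in M}) of section 5.1.1; R is 'at least as good as'
    and RSP_i is 'same past until i'. Formulas: atom strings, ("not", f), ("or", f, g),
    ("X", f), ("SP", f) for [SP]f and ("SPcap", f) for [SP∩⪰]f."""

    def __init__(self, atoms, phi):
        self.atoms, self.W, self.M, self.L = tuple(atoms), set(), set(), {}
        self.R, self.RSP, self._fresh, self._done = set(), {}, count(), set()
        self.v0 = (0, self.new_history())
        self.add_inst(0)
        self.add_form(0, self.v0[1], phi)

    def new_history(self):
        w = "w%d" % next(self._fresh)
        self.W.add(w)
        self.R.add((w, w))                       # R stays reflexive
        for rel in self.RSP.values():
            rel.add((w, w))                      # every RSP_i stays reflexive
        return w

    def add_inst(self, i):
        if i in self.M:
            return False                         # no effect, in the sense of definition 51
        self.M.add(i)
        self.RSP[i] = {(w, w) for w in self.W}
        return True

    def add_form(self, i, w, f):
        label = self.L.setdefault((i, w), set())
        if f in label:
            return False
        label.add(f)
        return True

    def add_pair(self, rel, pair):
        """rel is "R" or ("RSP", i); closes the relation and enforces constraint (*)."""
        if rel == "R":
            if pair in self.R:
                return False
            self.R = closure(self.R | {pair}, symmetric=False)
            return True
        i = rel[1]
        if pair in self.RSP[i]:
            return False
        self.RSP[i] = closure(self.RSP[i] | {pair}, symmetric=True)
        for j in self.M:
            if j < i:                            # (*): same past until i implies until j
                self.RSP[j] = closure(self.RSP[j] | self.RSP[i], symmetric=True)
        return True

    def _apply(self, i, w, f):
        """Rules ¬¬, α, X, ¬X, Π and K for one labelled formula; True if T changed."""
        if isinstance(f, str):
            return False
        neg = f[0] == "not" and not isinstance(f[1], str)
        if neg and f[1][0] == "not":                                  # rule ¬¬
            return self.add_form(i, w, f[1][1])
        if neg and f[1][0] == "or":                                   # rule α
            return self.add_form(i, w, ("not", f[1][1])) | self.add_form(i, w, ("not", f[1][2]))
        if f[0] == "X" or (neg and f[1][0] == "X"):                   # rules X and ¬X
            g = f[1] if f[0] == "X" else ("not", f[1][1])
            return self.add_inst(i + 1) | self.add_form(i + 1, w, g)
        if neg and f[1][0] in ("SP", "SPcap") and (i, w, f) not in self._done:
            self._done.add((i, w, f))                                 # rules Π, once per node
            w2 = self.new_history()
            self.add_form(i, w2, ("not", f[1][1]))
            if f[1][0] == "SPcap":
                self.add_pair("R", (w, w2))
            return self.add_pair(("RSP", i), (w, w2))
        return f[0] in ("SP", "SPcap") and any([                      # rules K
            self.add_form(i, w2, f[1]) for w2 in sorted(self.W)
            if (w, w2) in self.RSP[i] and (f[0] == "SP" or (w, w2) in self.R)])

    def closed(self):
        """Definition 50: some label holds ϕ and ¬ϕ, or two histories with the same past
        until i + 1 disagree on an atom at i."""
        return (any(("not", f) in lab for lab in self.L.values() for f in lab)
                or any(p in self.L.get((i, w), ()) and ("not", p) in self.L.get((i, w2), ())
                       for i in self.M if i + 1 in self.RSP
                       for w, w2 in self.RSP[i + 1] for p in self.atoms))

    def run(self):
        """Applies the deterministic rules until none has an effect, then tests closure."""
        changed = True
        while changed:
            changed = False
            for i, w in [(i, w) for i in sorted(self.M) for w in sorted(self.W)]:
                for f in list(self.L.get((i, w), ())):
                    changed |= self._apply(i, w, f)
        return self.closed()
```

The negation of the valid formula [SP]p ⇒ p closes through rules α, ¬¬ and K_SP on the reflexive pair, whereas O(p) ∧ ¬p stays open: Π_SP creates a witness history w1 and K_{SP∩⪰} labels it with p while w0 keeps ¬p, which definition 50 does not reject because the two histories only share their past until instant 0.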
5.1.3 Soundness and completeness
Theorem 16 (Soundness). If a formula ϕ is satisfiable then there is an open
tableau whose root is labeled by ϕ.
Definition 52 (Tableaux interpretation). Let T = (W, M, v0, L, R⪰, (RSP_i)_{i∈M}) be a tableau and ((N, <) × (Ŵ, $\hat{\succeq}$), V̂) be a model. An interpretation of T in ((N, <) × (Ŵ, $\hat{\succeq}$), V̂) is a mapping ι from W to Ŵ such that for every w1, w2 in W, and every nonnegative integer i:
• (w1, w2) ∈ R⪰ implies ι(w2) $\hat{\succeq}$ ι(w1), and
• (w1, w2) ∈ RSP_i implies ∀j < i, V̂(j, ι(w1)) = V̂(j, ι(w2)).
Definition 53 (Satisfiable tableau). A tableau T for a formula φ is satisfiable if there is a model ((N, <) × (Ŵ, $\hat{\succeq}$), V̂) and a tableau interpretation ι of T in ((N, <) × (Ŵ, $\hat{\succeq}$), V̂) such that for every node (i, w) and every formula ϕ ∈ L(i, w), we have i, ι(w) ⊨ ϕ.
Lemma 1. Let T be a satisfiable tableau. The tableau T' (or one of the
two tableaux T', T'', in case the nondeterministic choice operator is used)
obtained by the application of some rule is also satisfiable.
Proof. Let T be a satisfiable tableau. There is a model (Ŵ, ˆ, V̂) and a
tableau interpretation ι such that for every node (i, w) and every formula
ϕ ∈ L(i, w), we have i, ι(w) |= ϕ. We have to consider each rule and prove
that the application of this rule preserves the tableau satisfiability.
• ¬¬, α, β, X, ¬X, saturation, −totality: the proof is left to the reader.
• rule KSP (the proof for KSP∩ is similar). Suppose that i, w : [SP]ϕ.
Then rule KSP adds ϕ to any node (i, w') such that (w, w') ∈ RSP_i.
By hypothesis, i, ι(w) |= [SP]ϕ, and, since (w, w') ∈ RSP_i, we have
SamePast(i, ι(w), ι(w')). Thus, i, ι(w') |= ϕ, and so T' is still satisfiable.
• rule ΠSP (the proof for ΠSP∩ is similar):
Suppose that i, w : ¬[SP]ϕ. Then the application of ΠSP creates a new
history w', labels it with ¬ϕ, and adds (w, w') to RSP_i. We have to
extend the mapping ι so that it associates a history with the new prefix
w'. By hypothesis, i, ι(w) |= ¬[SP]ϕ. Then there is some ŵ' ∈ Ŵ such
that SamePast(i, ι(w), ŵ') and i, ŵ' |= ¬ϕ. Then we define ι' by:

    ι'(s) = ŵ'    if s = w'
    ι'(s) = ι(s)  otherwise

ι' is a tableau interpretation, and T' is satisfiable.
• rule update_SP:
Let i, w and i, w' be two nodes of T such that (w, w') ∈ RSP_i and
∀p ∈ P, (i, w : p and i, w' : p) or (i, w : ¬p and i, w' : ¬p). Then
the pair (w, w') is added to RSP_{i+1}. We must show that ∀j < i + 1,
V̂(j, ι(w)) = V̂(j, ι(w')). Since ι is a T-interpretation, ∀j < i,
V̂(j, ι(w)) = V̂(j, ι(w')). Besides, ∀p ∈ P, (i, w : p and i, w' : p) or
(i, w : ¬p and i, w' : ¬p). So ∀p ∈ P, i, ι(w) |= p iff i, ι(w') |= p.
So V̂(i, ι(w)) = V̂(i, ι(w')).
Proof of the soundness theorem (16).
Suppose ϕ is a satisfiable formula. Then there is a model (W, , V), a nonnegative
integer i ∈ N and a history w ∈ W such that i, w |= ϕ. Then the
tableau whose only node (i, w) is labelled by ϕ, and whose relations (RSP_i)
and R are reduced to the singleton {(w, w)}, is satisfiable (with the identity
function as a tableau interpretation). Then, by lemma 1, the application of
any rule provides a satisfiable tableau. Since a closed tableau is obviously
unsatisfiable, we can generate a (possibly infinite) open tableau whose root
is labelled by ϕ.
Theorem 17 (Completeness). If there is an open tableau whose root (i, w)
is labeled by ϕ, then ϕ is satisfiable.
Proof. Let T = (W, M, v0, L, R, (RSP_i)_{i∈M}) be an open tableau whose root
v0 is labeled by φ. We build a model ((N, <), (Ŵ, ˆ), V) from T such that
for every w ∈ W and i ∈ M, i, w : ϕ iff i, ŵ |= ϕ. We define

    Ŵ =def W    and    ˆ =def R

We can now define the valuation V as follows, for any i ∈ N, w ∈ Ŵ:
• if i ∈ M then V(i, w) =def {p ∈ P / (i, w : p)}
• if i ∉ M then V(i, w) =def ∅
We now prove by induction on the structure of ϕ that for every i ∈ M,
w ∈ W, if i, w : ϕ then i, w |= ϕ (in the model (Ŵ, ˆ, V)). Cases ϕ1 ∨ ϕ2,
¬(ϕ1 ∨ ϕ2), Xϕ, ¬Xϕ, are obvious.
• Suppose i, w : ⟨SP⟩ϕ. Rule ΠSP ensures the existence of a node
i, w' labeled by ϕ such that (w, w') ∈ RSP_i. Then, since T is open,
∀p ∈ P, ∀j < i, j, w : p iff j, w' : p. So, ∀j < i, V(j, w) = V(j, w'),
and i, w' |= ϕ (by induction hypothesis). So i, w |= ⟨SP⟩ϕ.
The proof for ⟨SP∩⟩ϕ is similar.
• Suppose i, w : [SP]ϕ. Let w' ∈ Ŵ be a history such that ∀j < i,
V(j, w) = V(j, w'). Thanks to rule update_SP, (w, w') ∈ RSP_i. By rule
KSP, we have that i, w' : ϕ. By the induction hypothesis, i, w' |= ϕ, and
thus i, w |= [SP]ϕ.
The proof for [SP∩]ϕ is similar.
5.1.4 Termination
We now define a terminating strategy which is still sound and complete.
Termination is based on loop detection. Although it is clear that the number
of created instants is bounded by the modal depth of ϕ with respect to X,
the tableau construction may create an infinite number of histories. We
have to block the creation of new histories when a loop is detected. Since we
have two modal operators that can create new histories, we define looping
histories with respect to each one.
• a history w is looping with respect to ⟨SP⟩ if
– rule ΠSP is applicable in (i, w), for some i ∈ M
– w has been created by rule ΠSP at instant i and there exists an
older history w' such that (w', w) ∈ RSP_i and L(i, w) ⊆ L(i, w')
(such a history w' is denoted by loopSP(w))
• a history w is looping with respect to ⟨SP∩⟩ if
– rule ΠSP∩ is applicable in (i, w), for some i ∈ M
– w has been created by rule ΠSP∩ at instant i and there exists
an older history w' such that (w', w) ∈ RSP_i, (w', w) ∈ R and
L(i, w) ⊆ L(i, w') (such a history w' is denoted by loopSP∩(w))
Definition 54 (Strategy). Let us consider the algorithm which consists in
applying successively the following steps while the tableau is not closed, starting
from the tableau such that W = {w}, M = {0}, v0 = (0, w), L(v0) = {φ},
R = {(w, w)}, and RSP_0 = {(w, w)}.
• Application of classical rules ¬¬, α, β as much as possible.
• Loop detection step for ⟨SP⟩: mark every looping history with
respect to ⟨SP⟩.
• Loop detection step for ⟨SP∩⟩: mark every looping history with
respect to ⟨SP∩⟩.
• Application of rules ΠSP and ΠSP∩ on every state on which they
have not already been applied, and which is not marked with respect to
⟨SP⟩ and ⟨SP∩⟩, respectively.
• Application of rule saturation and then rule update_SP as much as
possible.
• Application of rule −totality on every pair (w, w') on which it has
not been applied.
• Application of rules X, ¬X, KSP, and KSP∩ as much as possible.
Property 25 (Termination). The strategy given above terminates.
Proof. First, remark that
(1) M is finite (bounded by the modal depth of the initial formula φ with
respect to X)
(2) there are finitely many sets of sub-formulas of the initial formula φ
We show that there cannot be an infinite sequence of histories (w0, w1, w2, ...)
such that each w_{k+1} is created by the application of rule ΠSP or ΠSP∩ to
some point of the history w_k. Indeed, suppose it is the case.
Suppose that there are infinitely many applications of rule ΠSP. Since
there are finitely many sub-formulas of φ, there is a formula ¬[SP]ϕ which
triggers rule ΠSP infinitely often. Suppose that ΠSP is triggered infinitely
often by ¬[SP]ϕ at instant 0. Then, ¬[SP]ϕ appears necessarily in the
scope of [SP] or [SP∩] in L(0, w_k) for some w_k in the sequence, and we
can prove that there exists k from which ¬[SP]ϕ labels every history of the
sequence (∀k'' > k, ¬[SP]ϕ ∈ L(0, w_{k''})). So, there is an application of ΠSP
which creates a history w_{k0} (at instant 0) such that
• ¬[SP]ϕ ∈ L(0, w_{k0})
• ∃k < k0 such that L(0, w_{k0}) ⊆ L(0, w_k) (because of remark (2)) and
(w_k, w_{k0}) ∈ RSP_0
Therefore, w_{k0} is looping with respect to ΠSP, and our strategy cannot
generate such an infinite sequence. We then prove that ΠSP cannot be
triggered infinitely often at instants 1, 2, ..., and max(M). (Existence of
max(M) follows from remark (1).)
The same reasoning shows that there cannot be infinitely many applications of ΠSP∩.
Property 26. The strategy given above is sound and complete.
Proof. The soundness of the strategy obviously follows from the soundness
of the tableaux system (theorem 16).
On the other hand, in order to prove the completeness of the strategy,
the completeness proof of theorem 17 has to be adapted. Suppose that
T = (W, M, v0, L, R, (RSP_i)_{i∈M}) is an open tableau resulting from our
strategy. We build a model (Ŵ, ˆ, V) where Ŵ contains every history which
is not marked as a looping history (at the last iteration of the strategy).
Every pair (w, w_loop) in R, where w_loop is a looping history with respect
to ⟨SP⟩ (resp. ⟨SP∩⟩), is replaced by the pair (w, loopSP(w_loop))
(resp. (w, loopSP∩(w_loop))) in ˆ. We then have to prove that i, w : ϕ implies
i, w |= ϕ by induction on the structure of ϕ, for every non-looping history w.
The proof for cases ϕ1 ∨ ϕ2, ¬(ϕ1 ∨ ϕ2), Xϕ, ¬Xϕ, [SP]ϕ, and [SP∩]ϕ is
similar to the proof of theorem 17. Suppose that i, w : ⟨SP⟩ϕ. Rule ΠSP
ensures the existence of a node i, w' labeled by ϕ such that (w, w') ∈ RSP_i.
If w' is not looping, then we can conclude i, w' |= ϕ as in the proof of
theorem 17. If w' is looping with respect to ⟨SP⟩, then we can prove
that i, loopSP(w') |= ϕ. Notice that w' cannot be looping with respect to
⟨SP∩⟩ since we suppose it has been created by application of rule ΠSP
in node i, w. The proof for case ⟨SP∩⟩ is similar.
5.2 Axiomatization
In this section, we present an axiomatization of our logic. For technical reasons,
we enrich our language with three modal operators: X^{-1}, [], and
[]. X^{-1} is needed for the axiomatization of [SP], and [] and [] are
needed for the axiomatization of [SP∩]. Our axiomatic system is complete with
respect to a semantics which slightly differs from the one given
in the introduction of this chapter. Firstly, time is modeled by the set Z
of integers instead of the set N of non-negative integers. Secondly, we drop
the constraint of totality of the quasi-ordering . We call Lmin the logic
defined by this semantics, and whose language contains the modal operators
X, X^{-1}, [SP], [SP∩], [], [].
The predicate SamePast is defined as follows in the context where time
is modeled by Z:

    SamePast((i, w), (i', w')) =def i = i' and ∀j ∈ Z, if j < i then V(j, w) = V(j, w')
Let us give the semantics of these new operators.

    i, w |= X^{-1}ϕ   iff   i − 1, w |= ϕ
    i, w |= []ϕ       iff   ∀w' ∈ W, if w w' then i, w' |= ϕ
    i, w |= []ϕ       iff   ∀w' ∈ W, if w w' then i, w' |= ϕ

A formula is satisfiable if there is a state (i, w) ∈ Z × W which satisfies
it. A formula is valid if every state satisfies it.
In this section we will propose an axiomatic system for Lmin. For all formulas
ϕ, we define X^0ϕ =def ϕ, for each positive integer i, X^iϕ =def X^{i−1}Xϕ,
and for each negative integer i, X^iϕ =def X^{i+1}X^{-1}ϕ.
5.2.1 Admissible forms
For the definition of the special rules of inference, we will need expressions of
a special form, called admissible forms, denoted by capital Latin letters A,
B, etc. They are necessary to prove lemma 2 (items 1 and 2) in section 5.2.4.
More precisely, if a formula φ matches the premise of a rule, we will need to
apply this rule to Lφ and ϕ ⇒ φ, for L ∈ {X, X^{-1}, [SP], [SP∩], [], []},
and ϕ an arbitrary formula. This will allow us to prove that if a set x of formulas
is closed under inference rules, then {Lφ / φ ∈ x} and {ϕ ⇒ φ / φ ∈ x} are
also closed under inference rules.
Let the language of Lmin be extended with a new atomic proposition .
Admissible forms are defined by the following syntax (ϕ denotes an arbitrary
Lmin-formula):

    A ::=  | (ϕ ⇒ A) | XA | X^{-1}A | [SP]A | []A | []A | [SP∩]A

Note that in each admissible form,  has a unique occurrence. Let A be
an admissible form and φ be a formula. The result of the replacement of the
unique occurrence of  in its place in A with φ will be denoted by A(φ).
5.2.2 Axiomatization
Our axiomatic system for Lmin is based on the following set of axioms and
rules of inference:
Axioms
(A0) Classical tautologies
(K) For all L ∈ {X, X^{-1}, [SP], [], [], [SP∩]},
L(ϕ1 ⇒ ϕ2) ⇒ (Lϕ1 ⇒ Lϕ2).
(A1) ¬Xϕ ⇔ X¬ϕ, ϕ ⇒ XX^{-1}ϕ.
(A2) ¬X^{-1}ϕ ⇔ X^{-1}¬ϕ, ϕ ⇒ X^{-1}Xϕ.
(A3) [SP]ϕ ⇒ ϕ, [SP]ϕ ⇒ [SP][SP]ϕ, ϕ ⇒ [SP]⟨SP⟩ϕ.
(A4) []ϕ ⇒ ϕ, []ϕ ⇒ [][]ϕ, ϕ ⇒ []ϕ.
(A5) []ϕ ⇒ ϕ, []ϕ ⇒ [][]ϕ, ϕ ⇒ []ϕ.
(A6) If i < j then for all p ∈ P, the following formulas are axioms:
X^i p ⇒ X^j[SP]X^{i−j}p, X^i¬p 2⇒ X^j[SP]X^{i−j}¬p.
(A7) X[]ϕ ⇔ []Xϕ, X^{-1}[]ϕ ⇔ []X^{-1}ϕ.
(A8) X[]ϕ ⇔ []Xϕ, X^{-1}[]ϕ ⇔ []X^{-1}ϕ.
(A9) [SP]ϕ ∨ []ϕ ⇒ [SP∩]ϕ.
Rules of inference
Modus ponens: From ϕ1 and ϕ1 ⇒ ϕ2 infer ϕ2.
Necessitation: For all L ∈ {X, X^{-1}, [SP], [], [], [SP∩]},
from ϕ infer Lϕ.
[SP] special rule: If  ∈ {[], []}* and i < 0, then
from {A(¬(ϕ ∨ X^i p) ∨ X^i p) : p ∈ P} infer A(¬[SP]ϕ).
[SP∩] special rule:
From {A(⟨SP⟩(ϕ ∧ p) ∨ ⟨⟩(ϕ ∧ ¬p)) : p ∈ P} infer A(⟨SP∩⟩ϕ).
Special rules are needed because of two non-standard aspects of our logic:
• the semantic relation associated with [SP] refers to the valuation of a
given model
• operator [SP∩] corresponds to the intersection of two semantic relations
Their origin is more technical than intuitive: they have been exhibited so
that the truth lemma (lemma 4) can be proved for formulas of the form [SP]ϕ
and [SP∩]ϕ. Special rule [SP∩] follows the idea already developed
in [124, 18] to give a complete axiomatization for the intersection of some
semantic relations. Although intersection is not modally definable in ordinary
quantifier-free modal languages, it becomes definable in languages with
propositional quantifiers. Indeed, the following quantified axiom modally
defines semantic intersection.

    ⟨R1 ∩ R2⟩ϕ ⇔ ∀p (⟨R1⟩(ϕ ∧ p) ∨ ⟨R2⟩(ϕ ∧ ¬p))

Rule [SP∩] 'simulates' the right-to-left direction while axiom (A9) corresponds
to the left-to-right direction.
A formula ϕ is a theorem of Lmin if it belongs to the least set of formulas
containing all axioms and closed under the rules of inference.
5.2.3 Soundness and completeness
Theorem 18 (Soundness of Lmin). Let ϕ be a formula. If ϕ is a theorem
of Lmin then ϕ is valid in every model.
Proof. By induction on the length of a deduction of ϕ in Lmin, we show that
ϕ is valid in every model. We only develop the special rule cases.
We treat the case where the admissible form is .
[SP] special rule: Let  ∈ {[], []}* and i < 0. Let ϕ be a formula
such that ∀p ∈ P, (ϕ ∨ X^i p) ⇒ X^i p is valid. We show that ¬[SP]ϕ is
valid. Suppose that it is not the case: there is a model ((Z, <), (W, ), V), and
a state j, w ∈ Z × W such that j, w |= [SP]ϕ. Let p be an
atomic proposition which does not appear in ϕ. Let V' be a valuation such
that V'^{-1}(p) = {(j + i, w') / ¬SamePast((j, w), (j, w'))}. Considering the
model ((Z, <), (W, ), V'), we have j, w |= (ϕ ∨ X^i p). Indeed, let w' be a
history accessible from w by the composition of relations corresponding to
. Either (j, w') has the same past as (j, w) and j, w' |= ϕ, or (j, w') does not
have the same past as (j, w), and j, w' |= X^i p. Thus, we deduce that
j, w |= X^i p. This is in contradiction with the definition of V' since (j, w)
has the same past as itself.
[SP∩] special rule: Suppose that there is a model M = ((Z, <), (W, ), V), and
a state (i, w) in M such that i, w |= [SP∩]ϕ. We have to
show that ∃p ∈ P and ∃M', (i', w') such that i', w' |= [SP](ϕ ∨ p) ∧ [](ϕ ∨ ¬p).
Consider an atom p which does not appear in ϕ. Let us define a valuation
V' such that V'^{-1}(p) = {(i, w') / SamePast((i, w), (i, w')) and ¬(w w')},
and V'^{-1}(q) = V^{-1}(q) for all q ≠ p. Then, in the model ((Z, <), (W, ), V'),
i, w |= [SP](ϕ ∨ p) ∧ [](ϕ ∨ ¬p).
Theorem 19 (Completeness of Lmin). Let ϕ be a formula. If ϕ is valid
in every model then ϕ is a theorem of Lmin.
The completeness of Lmin is more difficult to establish than its soundness
and we defer proving that Lmin is complete with respect to the class of all
models until section 5.2.5.
5.2.4 Theories
In this section we introduce the notions of theories and maximal theories,
the latter having a key role in the proof of the completeness theorem. A set
x of formulas is called a theory if it satisfies the following conditions:
(th 1) x contains the set of all theorems of Lmin .
(th 2) x is closed under modus ponens.
(th 3) x is closed under the [SP ] special rule.
(th 4) x is closed under the [SP ∩ ] special rule.
Obviously the smallest theory is the set TH_min of all theorems and the
greatest theory is the set of all formulas. The latter theory is called the trivial
theory. A theory x is called consistent if ⊥ ∉ x, otherwise it is called
inconsistent. It is a well-known fact that a theory x is consistent iff it is
not trivial and that x is inconsistent if it contains a formula ϕ together with
its negation ¬ϕ. A theory x is called a maximal theory if it is consistent
and for any formula ϕ: ϕ ∈ x or ¬ϕ ∈ x. A set Σ of formulas is called
consistent if it is contained in a consistent theory. It can be shown that a
single formula ϕ is consistent (considered as a singleton {ϕ}) iff it is not
equivalent to ⊥. In the literature (see, e.g., [23]) instead of maximal theory,
the notion of a maximal consistent set is used, where consistency is defined
without using the notion of theory. It can be proved that each maximal
theory is a maximal consistent set in the classical sense, and each maximal
consistent set which is closed under the special rules for [SP] and [SP∩] is
a maximal theory. We will use the following properties of maximal theories
without explicit reference (x is a maximal theory):
•  ∈ x,
• ¬ϕ ∈ x iff ϕ ∉ x,
• ϕ1 ∨ ϕ2 ∈ x iff ϕ1 ∈ x or ϕ2 ∈ x,
• ϕ1 ∧ ϕ2 ∈ x iff ϕ1 ∈ x and ϕ2 ∈ x.
Let x be a set of formulas. If L ∈ {X, X^{-1}, [SP], [], [], [SP∩]} then
define Lx = {ϕ : Lϕ ∈ x}. If ϕ is a formula then define x + ϕ = {ϕ' :
ϕ ⇒ ϕ' ∈ x}. For all sets x of formulas, we define X^0x =def x, for each
positive integer i, X^i x =def X^{i−1}Xx, and for each negative integer i,
X^i x =def X^{i+1}X^{-1}x. In the next lemma we summarize some properties of theories.
Lemma 2. Let x be a theory. The following statements hold.
1. Lx is a theory too.
2. x + ϕ is the smallest theory containing x and ϕ.
3. x + ϕ is inconsistent iff ¬ϕ ∈ x.
4. If x is consistent and ¬A(¬[SP]ϕ) ∈ x then for all  ∈ {[], []}*, and
for all i < 0, there exists p ∈ P such that x + ¬A(¬(ϕ ∨ X^i p) ∨ X^i p)
is consistent.
5. If x is consistent and ¬A(⟨SP∩⟩ϕ) ∈ x then there exists p ∈ P such
that x + ¬A(⟨SP⟩(ϕ ∧ p) ∨ ⟨⟩(ϕ ∧ ¬p)) is consistent.
Proof. We show statements 1 and 4.
Statement 1. Let ϕ be a theorem. Then by the necessitation rules, Lϕ
is a theorem too. Hence, Lϕ ∈ x, so ϕ ∈ Lx. Thus, Lx contains the set of
all theorems.
Let ϕ1 ∈ Lx and ϕ1 ⇒ ϕ2 ∈ Lx. Then Lϕ1 ∈ x and L(ϕ1 ⇒ ϕ2) ∈ x. By
the axiom (K), L(ϕ1 ⇒ ϕ2) ⇒ (Lϕ1 ⇒ Lϕ2) ∈ x. Applying modus ponens
twice, we obtain that Lϕ2 ∈ x, so ϕ2 ∈ Lx. Thus Lx is closed under modus
ponens.
To show that Lx is closed under the [SP] special rule, let  ∈ {[], []}* and
i < 0. Suppose that, for all p ∈ P, we have A(¬(ϕ ∨ X^i p) ∨ X^i p) ∈ Lx. Then,
for all p ∈ P, we obtain LA(¬(ϕ ∨ X^i p) ∨ X^i p) ∈ x. Notice that
LA(¬(ϕ ∨ X^i p) ∨ X^i p) is an admissible form. Since x is closed under the
[SP] special rule, we obtain LA(¬[SP]ϕ) ∈ x. Hence, A(¬[SP]ϕ) ∈ Lx. Thus,
Lx is closed under the [SP] special rule.
Similarly, one can prove that Lx is closed under the [SP∩] special rule.
Statement 4. Suppose that ¬A(¬[SP]ϕ) ∈ x. Since x is consistent,
A(¬[SP]ϕ) ∉ x. Thus, since x is closed under the [SP] special rule,
for all  ∈ {[], []}* and for all i < 0, there exists p ∈ P such that
A(¬(ϕ ∨ X^i p) ∨ X^i p) ∉ x. (Otherwise, A(¬[SP]ϕ) would necessarily be
in x.) Since x is a theory, ¬A(¬(ϕ ∨ X^i p) ∧ ¬X^i p) ∈ x. From statement
3, we deduce that x + ¬A(¬(ϕ ∨ X^i p) ∨ X^i p) is consistent.
The proof of statement 5 is similar.
Now we are ready for the main lemma in this section:
Lemma 3 (Lindenbaum’s lemma). Each consistent theory can be extended
to a maximal theory.
Proof. Suppose x is a consistent theory and let ϕ0, ϕ1, ... be an enumeration
of all formulas. We define an increasing sequence of consistent theories x0,
x1, ... by induction as follows. Let x0 = x and suppose that for some integer
n, the consistent theory x_n has already been defined. For the definition of
x_{n+1} we consider two cases.
Case 1: x_n + ϕ_n is consistent. Then define x_{n+1} = x_n + ϕ_n.
Case 2: x_n + ϕ_n is not consistent. Then ¬ϕ_n ∈ x_n. In this case we consider
two sub-cases:
Sub-case 2.1: ϕ_n is neither in the form of a conclusion of the [SP] special
rule nor in the form of a conclusion of the [SP∩] special rule. Then let
x_{n+1} = x_n.
Sub-case 2.2: ϕ_n is in the form of a conclusion of the [SP] special rule or in
the form of a conclusion of the [SP∩] special rule. We only consider the
case where ϕ_n is in the form of a conclusion of the [SP∩] special rule, i.e.
ϕ_n is of the form A(⟨SP∩⟩ϕ) where A is an admissible form.
Therefore, there are finitely many such representations for ϕ_n: A_i(⟨SP∩⟩ϕ_i)
for i = 1, ..., k. We define inductively an increasing sequence of consistent
theories x_n^i for i = 0, ..., k, as follows. Let x_n^0 = x_n. Suppose x_n^i
is defined and consistent. Then it contains ¬ϕ_n = ¬A_i(⟨SP∩⟩ϕ_i) and,
by the properties of theories mentioned above, there exists a propositional
variable p_i ∈ P such that x_n^i + ¬A_i(⟨SP⟩(ϕ_i ∧ p_i) ∨ ⟨⟩(ϕ_i ∧ ¬p_i)) is consistent.
We define x_n^{i+1} as follows: x_n^{i+1} = x_n^i + ¬A_i(⟨SP⟩(ϕ_i ∧ p_i) ∨ ⟨⟩(ϕ_i ∧ ¬p_i)).
Now, we put x_{n+1} = x_n^k.
Finally, we define y = ⋃_{i=0}^{∞} x_i. It is straightforward to demonstrate that y
is a maximal theory which extends x.
5.2.5 Canonical model construction
The canonical model of Lmin is the structure Mc = ((N, <), (Wc, c), Vc)
defined as follows:
• Wc is the set of all maximal theories,
• c is the binary relation on Wc defined by x c y iff []x ⊆ y,
• Vc is the function which associates each pair (i, x) ∈ Z × Wc with the
set Vc(i, x) = {p : X^i p ∈ x} of atomic propositions.
To prove the completeness of our axiomatic system, it suffices to demonstrate
the following lemma.
Lemma 4 (Truth lemma). Let ϕ be a formula. For all integers i ∈ Z and
for all maximal theories x ∈ Wc, Mc, (i, x) |= ϕ iff X^iϕ ∈ x.
Proof. The proof is done by induction on the complexity of ϕ. We only
consider the cases ϕ = Lφ for L ∈ {X, X^{-1}, [SP], [], [], [SP∩]}.
Case ϕ = Xφ. Assume Mc, (i, x) |= Xφ. Consequently, Mc, (i + 1, x) |= φ.
By induction hypothesis, X^{i+1}φ ∈ x. Hence, X^iXφ ∈ x. Reciprocally,
assume X^iXφ ∈ x. Therefore, X^{i+1}φ ∈ x and, by induction hypothesis,
Mc, (i + 1, x) |= φ. Thus, Mc, (i, x) |= Xφ.
Case ϕ = X^{-1}φ. Similar to the previous case.
Case ϕ = [SP]φ. Assume Mc, (i, x) |= [SP]φ. For the sake of contradiction,
assume X^i[SP]φ ∉ x. Consequently, [SP]φ ∉ X^i x and φ ∉ [SP]X^i x.
Hence, the theory [SP]X^i x + ¬φ is consistent. By Lindenbaum's lemma,
there exists a maximal theory y such that [SP]X^i x + ¬φ ⊆ y. Remark that
[SP]X^i x ⊆ y and ¬φ ∈ y. Let z = X^{-i}y. Remark that X^i z = y. Since
¬φ ∈ y, then X^{-i}X^i¬φ ∈ y and X^i¬φ ∈ z. Therefore, X^iφ ∉ z and, by
induction hypothesis, Mc, (i, z) ⊭ φ. Since Mc, (i, x) |= [SP]φ, x and
z do not have the same past with respect to i. Thus, there exists an integer
j ∈ Z such that i > j and for some atomic proposition p, either X^j p ∈ x
and X^j p ∉ z, or X^j p ∉ x and X^j p ∈ z. Without loss of generality, let us
suppose that X^j p ∈ x and X^j p ∉ z. Remark that [SP]X^i x ⊆ X^i z. Since
X^j p ∉ z, then X^{j−i}p ∉ X^i z. Since [SP]X^i x ⊆ X^i z, then [SP]X^{j−i}p ∉ X^i x.
Consequently, we have X^j p ∈ x and X^i[SP]X^{j−i}p ∉ x: a contradiction with
i > j and axiom (A6). Reciprocally, assume that X^i[SP]φ ∈ x and let us
show that Mc, (i, x) |= [SP]φ. For the sake of contradiction, assume
that Mc, (i, x) ⊭ [SP]φ. Consequently, there exists y ∈ Wc such that x and
y have the same past with respect to i and Mc, (i, y) ⊭ φ. By induction
hypothesis, X^iφ ∉ y and φ ∉ X^i y. Since X^i[SP]φ ∈ x, then [SP]φ ∈ X^i x
and thus ¬[SP]φ ∉ X^i x. Let  ∈ {[], []}* be such that x ⊆ y and j ∈ Z be
such that i > j. Remark that j − i < 0. Since X^i x is a theory, X^i x is closed
under the [SP] special rule. Since ¬[SP]φ ∉ X^i x, there exists an atomic
proposition p such that ¬(φ ∨ X^{j−i}p) ∨ X^{j−i}p ∉ X^i x. Therefore,
X^i(φ ∨ X^{j−i}p) ∈ x and X^j¬p ∈ x. Thus, (X^iφ ∨ X^j p) ∈ x. Since x ⊆ y,
then X^iφ ∈ y or X^j p ∈ y. If X^iφ ∈ y then φ ∈ X^i y: a contradiction. If
X^j p ∈ y then X^j p ∈ x, seeing that x and y have the same past with respect
to i and i > j. This contradicts the fact that X^j¬p ∈ x.
Case ϕ = [SP∩]φ. Similar to the previous case (use the special rule for
[SP∩] and the axiom (A9) instead of the special rule for [SP] and the
axiom (A6)).
Case ϕ = []φ. Assume Mc, (i, x) |= []φ. For the sake of contradiction,
assume X^i[]φ ∉ x. Consequently, []φ ∉ X^i x and φ ∉ []X^i x.
Hence, the theory []X^i x + ¬φ is consistent. By Lindenbaum's lemma,
there exists a maximal theory y such that []X^i x + ¬φ ⊆ y. Remark that
[]X^i x ⊆ y and ¬φ ∈ y. Let z = X^{-i}y. Remark that X^i z = y. Since
¬φ ∈ y, then X^{-i}X^i¬φ ∈ y and X^i¬φ ∈ z. Therefore, X^iφ ∉ z and, by
induction hypothesis, Mc, (i, z) ⊭ φ. Since Mc, (i, x) |= []φ, then ¬(x c z).
Thus, there exists a formula ψ such that []ψ ∈ x and ψ ∉ z. Hence,
X^{-i}ψ ∉ y, X^{-i}ψ ∉ []X^i x + ¬φ, X^{-i}ψ ∉ []X^i x and X^i[]X^{-i}ψ ∉ x.
Thus, []X^iX^{-i}ψ ∉ x and []ψ ∉ x: a contradiction. Reciprocally, assume
that X^i[]φ ∈ x and let us show that Mc, (i, x) |= []φ. For the sake of
contradiction, assume that Mc, (i, x) ⊭ []φ. Consequently, there exists
y ∈ Wc such that x c y and Mc, (i, y) ⊭ φ. By induction hypothesis,
X^iφ ∉ y. Since x c y, then []x ⊆ y. Consequently, X^iφ ∉ []x and
[]X^iφ ∉ x. Hence, X^i[]φ ∉ x: a contradiction.
Case ϕ = []φ. Similar to the previous case.
Now, we are ready for proving the main theorem of this section.
Proof of theorem 19. Let ϕ be a formula. Assume ϕ is not a theorem of
Lmin. Consequently, TH_min + ¬ϕ is a consistent theory. By Lindenbaum's
lemma, there exists a maximal theory x such that TH_min + ¬ϕ ⊆ x. Hence,
¬ϕ ∈ x, ϕ ∉ x and X^0ϕ ∉ x. By lemma 4, Mc, (0, x) ⊭ ϕ. Thus, ϕ is
not valid.
6 Computer security application: coherence, compatibility, and compliance
In this chapter, we investigate an application of the proposed logic to the
specification and the verification of security properties. We want to consider
independently a (formal model of a) system, a (formal specification of a)
policy, and then to determine whether the system is compliant with the
policy. The first way to deal with this problem is to consider the system
as a set of possible behaviours, the policy as a set of authorized/correct
behaviours, and then to check whether the system is included in the policy.
Two main approaches deal with this: on-the-fly methods and static methods.
The former consists in representing the policy by a security automaton [116]
and running the system in tandem with a simulation of the security
automaton. Each step of the system generates an input symbol sent to the
security automaton. If the security automaton is able to perform a transition
on this input symbol, then the system is allowed to perform the step; otherwise,
the system is terminated. Ligatti et al. proposed in [87] an extension of security
automata called edit automata, which are not only able to terminate
the system, but also to suppress or add actions so that the policy is satisfied.
Static methods consist in using model-checking techniques [39]. If the
policy is modeled by a temporal formula and the system by an automaton,
then we can check that the system enforces the policy. If it is not the
case, some works study the synthesis of a controller so that the synchronized
product [14] of the initial system and the controller meets the policy, considered
here as the system specification. Thus the role of the controller is
to guide the system so that the specification is satisfied. Notice that in the
first approach, the policy is viewed as an automaton, whereas in the second
approach it is viewed as a formula.
Using a combination of deontic and temporal logic allows a richer analysis.
Indeed, we are then able to express and reason about obligations, permissions,
violations, and sanctions in the policy.
The first section of this chapter deals with the temporal formalism used
to specify a system. Section 2 formally defines the compatibility (which is a
weak version of compliance) of a system with a policy. Section 3 focuses on
some interesting restrictions for which checking compatibility is decidable.
Section 4 refines the definition of compatibility with five different diagnostic
cases, which allow us to define the notion of compliance. An algorithm is then
provided to establish the diagnostic.
6.1 Specification of the system
In this section, we define the model used to describe a system. We firstly
discuss the representation of actions, and secondly we present Labeled Kripke
Structures and State/Event LTL.
6.1.1 Events or actions?
The notion of event is close to an action in dynamic logic [63]. But an
event is atomic, and has no duration. Actions can be composed with several
combinators: sequence, choice, iteration. Some proposals to combine dynamic
and temporal logics [65] strengthen the temporal operator U (until).
ϕ1 U^α ϕ2 means that ϕ1 U ϕ2 is satisfied along some path which corresponds
to the execution of action α. The expressive power of the obtained logic
called DLTL is then increased to ω-regular languages, i.e., the same expressiveness
as the Monadic Second Order Theory of ω-sequences S1S. On the
other hand, the specification of properties can be less intuitive, if we explicitly
reason about action occurrences. For instance, consider the sentence "If
user_i uses the resource, he will release it". use_i is a proposition, and release_i
an event (or an atomic action in dynamic logic). In a state/event logic, we
express it naturally: use_i ⇒ F release_i
But in a dynamic temporal logic, we cannot put actions and propositions
at the same level. We have to use specific operators to introduce actions:
use_i ⇒ U^{Σ*; release_i}, where Σ represents any atomic action.
Moreover, in many cases the composition of events can be expressed
without using the combinators of dynamic logic. For instance, the formula
e1 ∧ Xe2 expresses that the event e1 happens, followed by e2, which corresponds
to the action e1; e2 in a dynamic logic. The formula e1 U e2 means that
there is an arbitrary number of executions of e1, followed by an execution of
e2, and corresponds to the execution of the composed action e1*; e2.
Besides, the semantics of events is much simpler, and there exist efficient
tools for state/event logics [36, 35]. In the remainder of the thesis, we will use
a state/event based formalism called Labeled Kripke Structures [36] (LKS)
to model a system.
6.1.2 Labeled Kripke Structures
Original LKSs correspond to usual finite automata with labels on both states
and transitions. They are used as models of the state/event extension of
LTL. It allows us to reason on both propositions and events.
Such an automaton over the sets (P, E) of propositions and events is
defined as a tuple (S, S0, Δ, V) where
• S is the set of states,
• S0 ⊆ S is the set of initial states,
• Δ ⊆ S × (2^E \ {∅}) × S is a transition relation, where (s, E, s') ∈ Δ if
there is a transition from s to s' labelled by E, which means that all
the events in E occur simultaneously during this transition,
• V : S → 2^P is the valuation function which associates each state with
a set of atomic propositions.
Notice that this definition of transitions slightly differs from [36], where
two given states cannot be related by several distinct transitions. A state s
may have several successors by E because several distinct outgoing transitions
may be labeled by E.
[Figure 6.1 (drawing not transcribed): states s1 labelled {p} and s2 labelled {q}; transitions labelled {e1, e2}, {e2}, and {e3}.]
Figure 6.1: Labeled Kripke Structure
Figure 6.1 shows an illustration of an LKS where the atomic propositions
are p and q, the events are e1 , e2 , and e3 , and the initial state is s1 .
Definition 55 (Syntax of State/Event Linear Temporal Logic (SE-LTL)). Given a set P of atomic propositions, and a set E of events, the language L_SE-LTL of SE-LTL is defined as follows:
ϕ ::= p | e | ⊥ | ϕ ⇒ ϕ | Xϕ | ϕ U ϕ
where p ∈ P is an atomic proposition, and e ∈ E is an event.
CHAPTER 6. COMPUTER SECURITY APPLICATION
Given an LKS A = (S, S0, Δ, V), an SE-LTL formula is interpreted on a state/event trace σ = (s0, E0, s1, E1, . . .), which is an alternating sequence of states and event sets such that s0 ∈ S0, and ∀i ∈ N (si, Ei, si+1) ∈ Δ. We write σ_i (resp. σ^i) for the ith state (resp. event set) of σ. A trace is either infinite, or ends with a state which has no successor by Δ. We say that such a state/event sequence σ is a trace of A, or is accepted by A.
Definition 56 (State/Event semantics). Given an LKS A = (S, S0, Δ, V) over the sets (P, E) of propositions and events, and a state/event trace σ, we define the satisfaction relation |= for propositions and events as follows:
σ, i |=SE-LTL p iff p ∈ V(σ_i), where p ∈ P
σ, i |=SE-LTL e iff e ∈ σ^i, where e ∈ E
The satisfaction relation for the constant ⊥ and the operators ⇒, X, and U is defined as in LTL.
A trace σ satisfies ϕ iff its first state satisfies it:
σ |=SE-LTL ϕ iff σ, 0 |=SE-LTL ϕ
An LKS satisfies ϕ iff all its traces satisfy it.
For instance, considering the LKS illustrated by Figure 6.1, the following holds:
(s1, {e1, e2}, s2, {e3}, s2, {e2}, . . .) |=SE-LTL p ∧ e1 ∧ e2 ∧ Xe3
Actually, SE-LTL does not increase the expressive power of LTL. Indeed, an SE-LTL formula can be considered as an LTL formula with P ∪ E as the set of atomic propositions, i.e., events are considered as propositions. Given a state/event trace σ, with a state valuation V : S → 2^P, we can easily define an LTL valuation σ* : N → 2^(P ∪ E) such that σ, i |=SE-LTL ϕ iff σ*, i |=LTL ϕ:
∀i ∈ N  σ*(i) =def V(σ_i) ∪ σ^i
Moreover, there is a translation T which associates each LKS A with a usual Kripke structure T(A) that satisfies the same formulas:
A |=SE-LTL ϕ iff T(A) |=LTL ϕ
However, in [36], an experimental study shows that the state/event formalism makes the specification of a system more concise, and thus easier. It is also shown that the state/event formulation yields significant gains in time (and memory) during verification.
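As an added illustration of Definitions 55 and 56 and of the σ* translation above (example code, not code from the thesis), the following Python evaluator checks SE-LTL formulas on a finite state/event trace by evaluating them on σ*, and checks that a trace is accepted by an LKS; the LKS is constructed from the labels of Figure 6.1, and the target of its {e2} edge is an assumption.

```python
# Added example, not from the thesis: SE-LTL over finite state/event traces,
# evaluated through the translation sigma*(i) = V(sigma_i) ∪ sigma^i.
# Formulas are nested tuples built with the constructors below.

BOT = ('bot',)
def atom(a):        return ('atom', a)    # p ∈ P or e ∈ E (both are atoms of sigma*)
def imp(a, b):      return ('imp', a, b)  # a ⇒ b
def nxt(a):         return ('X', a)       # X a
def until(a, b):    return ('U', a, b)    # a U b
# Derived operators, defined from ⇒ and ⊥ as in LTL.
def neg(a):         return imp(a, BOT)
TOP = neg(BOT)
def conj(a, b):     return neg(imp(a, neg(b)))
def finally_(a):    return until(TOP, a)
def globally(a):    return neg(finally_(neg(a)))

def sigma_star(valuations, event_sets):
    """Build sigma* from the state valuations V(sigma_i) and event sets sigma^i.
    A trace (s0, E0, s1, ..., sn) has one state more than it has event sets;
    the last state has no successor, so its event set is empty."""
    if len(valuations) != len(event_sets) + 1:
        raise ValueError("a trace is an alternating sequence ending with a state")
    return [frozenset(v) | frozenset(e)
            for v, e in zip(valuations, list(event_sets) + [set()])]

def ltl_sat(star, i, f):
    """sigma*, i |=LTL f on a finite trace: X fails at the last position and
    a U b needs a witness position j >= i inside the trace."""
    kind = f[0]
    if kind == 'atom':
        return f[1] in star[i]
    if kind == 'bot':
        return False
    if kind == 'imp':
        return (not ltl_sat(star, i, f[1])) or ltl_sat(star, i, f[2])
    if kind == 'X':
        return i + 1 < len(star) and ltl_sat(star, i + 1, f[1])
    if kind == 'U':
        return any(ltl_sat(star, j, f[2])
                   and all(ltl_sat(star, k, f[1]) for k in range(i, j))
                   for j in range(i, len(star)))
    raise ValueError(f"unknown operator {kind!r}")

def se_sat(valuations, event_sets, i, f):
    """sigma, i |=SE-LTL f  iff  sigma*, i |=LTL f  (Definition 56)."""
    return ltl_sat(sigma_star(valuations, event_sets), i, f)

def is_trace_of(lks, states, event_sets):
    """Acceptance by an LKS: s0 ∈ S0 and every (s_i, E_i, s_{i+1}) ∈ Δ."""
    return states[0] in lks['S0'] and all(
        (states[k], frozenset(E), states[k + 1]) in lks['delta']
        for k, E in enumerate(event_sets))

# Constructed sample: the LKS of Figure 6.1. The figure shows the labels
# {e1, e2}, {e3} and {e2}; which state the {e2} edge leads to is not visible
# in the extracted page, so this sample (an assumption) sends it back to s1.
FIG_6_1 = {
    'S0': {'s1'},
    'V': {'s1': {'p'}, 's2': {'q'}},
    'delta': {('s1', frozenset({'e1', 'e2'}), 's2'),
              ('s2', frozenset({'e3'}), 's2'),
              ('s2', frozenset({'e2'}), 's1')},
}
STATES = ['s1', 's2', 's2', 's1']
EVENTS = [{'e1', 'e2'}, {'e3'}, {'e2'}]
VALS = [FIG_6_1['V'][s] for s in STATES]

def check_example():
    """The formula from the text, p ∧ e1 ∧ e2 ∧ X e3, holds at position 0."""
    f = conj(conj(conj(atom('p'), atom('e1')), atom('e2')), nxt(atom('e3')))
    return is_trace_of(FIG_6_1, STATES, EVENTS) and se_sat(VALS, EVENTS, 0, f)

if __name__ == '__main__':
    print(check_example())  # True
```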
6.2 Deontic extension and compatibility
In this section, we present how to adapt the semantics of the temporal and
deontic combinations studied in chapter 4 to the state/event case so that we
can formally define the compatibility of a system with respect to a security
policy. The internal consistency of a policy is defined as the satisfiability of
the corresponding formula.
6.2.1 Deontic extension
We do not revisit the discussion about the different possible semantics. We leave the deontic relation R as generic as possible, so that it can represent either an ideality relation or a preference relation, depending on the choice we make for the semantics of obligation. The resulting logic is a conservative extension of both SDL and SE-LTL, called State/Event Deontic Linear Temporal Logic (SED-LTL).
Definition 57 (Syntax of L_SED-LTL). Given a set P of atomic propositions and a set E of events, the state/event temporal deontic language is defined by the following syntax:
ϕ ::= p | e | ⊥ | ϕ ⇒ ϕ | Xϕ | ϕ U ϕ | O ϕ
where p ∈ P is an atomic proposition, and e ∈ E is an event.
Definition 58 (Temporal and deontic model). Given a set P of atomic
propositions and a set E of events, a state/event temporal and deontic model
is a tuple M = (W, R, V ), where
• W is a set of state/event sequences.
• R ⊆ (N × W ) × (N × W ) is an accessibility relation from which the
semantics of obligation is defined. It can represent either an ideality
relation or a preference relation.
• V is a valuation function which associates each state in a state/event
sequence with a set of atomic propositions.
Given a model (W, R, V), a state/event trace σ ∈ W, and a nonnegative integer i ∈ N, the satisfaction relation M, σ, i |=SED-LTL ϕ is defined by structural induction on ϕ. For atomic propositions, events, the constant ⊥, and the operators ⇒, X, and U, the satisfaction relation is defined as for SE-LTL. For the operator O, different definitions (based on the relation R) are possible.
From such a state/event temporal deontic model, we can easily construct a temporal deontic model ((N, <) × (W′, R′), V′) as defined in chapter 4, where P ∪ E is considered as the set of atomic propositions.
6.2.2 Compatibility
In this section we define the notion of compatibility of a system with respect to a policy. Roughly speaking, a system is said to be compatible with a policy if there is no contradiction when the system 'takes into account' the norms specified by the policy. For instance, suppose that a policy specifies that when condition c1 is met, then it is obligatory to satisfy p, and when condition c2 is true, p is prohibited. Such a policy can be expressed by the following formula: G((c1 ⇒ O(p)) ∧ (c2 ⇒ O(¬p))). Consider a system which satisfies c1 ∧ c2 in some state. According to the policy, p is both obligatory and forbidden, which is not coherent.
Let us consider another example where a contradiction arises from the 'combination' of a system and its policy. Let us suppose that the policy specifies that when condition c is true, it is obligatory to satisfy p, and if an obligation to satisfy p is violated, then q will happen next:
G((c ⇒ O(p)) ∧ ((O(p) ∧ ¬p) ⇒ Xq))
q can be considered as a strong sanction: any system which is compatible with this policy satisfies q after having violated an obligation to satisfy p. A system which satisfies c ∧ ¬p in a state, and ¬q in one of its successors, is not compatible with this policy.
Definition 59 (Compatibility). Let σ be a state/event sequence and ϕpol a formula in L_SED-LTL which specifies the security policy. σ is compatible with ϕpol if there is a 'deontic extension' of σ which satisfies ϕpol:
σ |=compat ϕpol iff there exists M = (W, R, V) such that σ ∈ W and M, σ, 0 |=S ED-LTL ϕpol
An LKS A is compatible with ϕpol iff all its state/event traces are compatible with ϕpol:
A |=compat ϕpol iff for every trace σ of A, σ |=compat ϕpol
It can be interesting to reason about the 'combination' of the system and the policy in order to express, for instance, that in the current state of the system's execution, it is obligatory to satisfy p, according to a given policy.
Definition 60 (Combination of a system and its policy). Let σ be a state/event trace, ϕpol a formula in L_SED-LTL which specifies the security policy, and ϕ a formula in L_SED-LTL. ϕ is explicitly obligatory (resp. permitted) in σ, i considering policy ϕpol, if every 'deontic extension' of σ which satisfies ϕpol also satisfies O(ϕ) (resp. P(ϕ)) at i. We use the notation σ, i |=pol Oexp(ϕ) (resp. σ, i |=pol Pexp(ϕ)).
σ, i |=pol Oexp(ϕ) iff for every M = (W, R, V), if σ ∈ W and M, σ, 0 |=SED-LTL ϕpol then M, σ, i |=SED-LTL O(ϕ)
σ, i |=pol Pexp(ϕ) iff for every M = (W, R, V), if σ ∈ W and M, σ, 0 |=SED-LTL ϕpol then M, σ, i |=SED-LTL P(ϕ)
Notice that Pexp(ϕ) is not equivalent to ¬Oexp(¬ϕ). Indeed, ¬Pexp(ϕ) ∧ ¬Oexp(¬ϕ) is satisfiable: it can be the case that a formula ϕ is neither (explicitly) permitted nor (explicitly) forbidden.
6.2.3 Illustration
Let us illustrate these notions with the following example. We consider a bank policy concerning customer behaviours. The sets P and E of atomic propositions and events are
P = {positive} and E = {credit, debit, pay_charges, go_to_jail}
positive is true when the balance is positive. credit (resp. debit) labels any transition that credits (resp. debits) the account. pay_charges models the payment of charges by the customer, and go_to_jail is an event after which the customer no longer has access to his/her account.
We consider the conjunction of the following rules as the policy ϕpol:
• If the balance is negative, then it is obligatory to credit the account.
G(¬positive ⇒ O(credit))   (1)
• If an obligation to credit the account is violated, then tomorrow it will be obligatory to pay charges before two days.
G((O(credit) ∧ ¬credit) ⇒ X O(F2 pay_charges))   (2)
• If an obligation to pay the charges is violated, the customer is going to jail tomorrow.
G((O(pay_charges) ∧ ¬pay_charges) ⇒ X go_to_jail)   (3)
Notice that rules (2) and (3) specify a sanction in case an obligation is
violated. Rule (2) specifies a new obligation, and rule (3) expresses that
event go_to_jail is going to occur. The former sanction can be considered
as a weak sanction because it may be violated, while the latter is a strong
sanction: we cannot reason about the violation of this sanction, and a behaviour can be compatible with the policy only if it performs this sanction.
These notions of weak and strong sanctions will be further discussed in the
restricted context of section 6.4.
The LKS illustrated by Figure 6.2 represents the behaviour of a bank customer. Consider the following trace σ of this bank customer behaviour: σ = (s1, {debit}, s2, {credit}, s2, {debit}, s3, {credit, pay_charges}, . . .). In the second state of σ, the balance is negative (σ, 1 |= ¬positive). So, every 'deontic extension' of σ that satisfies ϕpol also satisfies O(credit) in the second state. Therefore, there is an explicit obligation to credit the account: σ, 1 |=pol Oexp(credit). In the third state, the balance is still negative, so it is still explicitly obligatory to credit the account (σ, 2 |=pol Oexp(credit)). Yet, no credit operation occurs (σ, 2 |= ¬credit). Thus, in the fourth state, there is an explicit obligation to pay some charges before two time units (σ, 4 |=pol Oexp(F2 pay_charges)).
[Figure: an LKS with three states s1, s2 and s3, whose transitions are labelled by debit, credit and {credit, pay_charges}.]
Figure 6.2: Bank customer
6.3 Decidable fragment
In this section, we consider the fragment SED-LTL− of our logic for which checking whether an LKS A is compatible with its policy ϕpol (formulated in this fragment) is decidable, and checking the internal consistency of a policy is decidable. Decision procedures are decomposed as follows. Firstly, we consider the deontic subformulas of ϕpol as special atoms in order to apply the usual translation of an LTL formula into an 'equivalent' Büchi automaton Apol [60]. Secondly, among the transitions of the obtained Büchi automaton, we suppress those which contain deontic inconsistencies. We are then able
• to check the internal consistency of ϕpol, i.e., satisfiability in SED-LTL−, by an emptiness test on the resulting automaton A′pol
• to check whether A is compatible with ϕpol by a language inclusion test between the Büchi automaton A′ of the system and A′pol.
6.3.1 Preliminaries
In this section we define the fragment language, and recall the definition of Büchi automata.
Fragment language
In SED-LTL−, the scope of deontic operators is restricted to propositional formulas. The language L_SED-LTL− is defined by the following syntax:
ϕ ::= p | e | ⊥ | ϕ ⇒ ϕ | Xϕ | ϕ U ϕ | O ϕprop
where p ∈ P is an atomic proposition, e ∈ E is an event, and ϕprop is a propositional formula over P ∪ E:
ϕprop ::= p | e | ⊥ | ϕprop ⇒ ϕprop
Given a formula ϕpol in L_SED-LTL−, let DSF(ϕpol) be the set of the deontic subformulas of ϕpol, i.e., the subformulas of the form O(ϕprop):
DSF(p) =def ∅   DSF(e) =def ∅   DSF(⊥) =def ∅
DSF(ϕ1 ⇒ ϕ2) =def DSF(ϕ1) ∪ DSF(ϕ2)
DSF(Xϕ) =def DSF(ϕ)
DSF(ϕ1 U ϕ2) =def DSF(ϕ1) ∪ DSF(ϕ2)
DSF(O ϕprop) =def {O ϕprop}
When there is no ambiguity, we use the notation DSF instead of DSF(ϕpol) for ease of reading.
Büchi automata
Büchi automata [19, 122] are finite state automata which accept infinite sequences. They have been proved to be equivalent to Monadic Second Order theory (MSO) over infinite sequences, also known as Second Order Theory with one Successor (S1S). The decidability of emptiness checking (i.e., whether there exists an infinite sequence accepted by a given automaton) thus provides the decidability of S1S, which contains LTL. Efficient translations of LTL formulas into Büchi automata have been investigated (see, e.g., [133, 61, 70, 60]) in order to provide a decision procedure for satisfiability and model checking problems.
Let us recall the definition of Büchi automata.
Definition 61 (Büchi automata). A Büchi automaton is a tuple A = (S, S0, L, Δ, F), where
• S is a set of states
• S0 ⊆ S is a set of initial states
• L is a set of labels
• Δ ⊆ S × L × S is a transition relation
• F is a set of final states
A run ρ of A on a given input σ ∈ L^ω is an infinite sequence in S^ω such that ρ0 ∈ S0 and ∀i ∈ N (ρi, σi, ρi+1) ∈ Δ. An infinite sequence σ ∈ L^ω is accepted by A if there is a run ρ of A on σ such that some final state s ∈ F occurs infinitely often in ρ.
The set of the infinite sequences accepted by A is called the language of A, denoted by L(A).
In the case of the translation of a temporal formula ϕ into a Büchi automaton Aϕ , the set of labels is 2P (where P is the set of atomic propositions
in ϕ). However, for the sake of conciseness, the following representation of
transitions is often adopted. All the transitions between two given states s1
and s2 are represented by one ’condensed’ transition labeled by a propositional formula ϕprop . It means that for every proposition set li which satisfies
ϕprop , there is a transition from s1 to s2 labeled by li . For instance, if the
set of atomic propositions is {p, q}, a transition labeled by the propositional
formula ¬p actually stands for two transitions in the original representation:
one transition labeled by {q}, and another transition labeled by ∅ (empty
set).
6.3.2 Checking internal consistency and compatibility
In this section, we present the translation of the policy ϕpol (resp. the system A) into a Büchi automaton A′pol (resp. A′). Checking the internal consistency of the policy corresponds to checking the emptiness of A′pol. The verification of the compatibility of the system with respect to its policy corresponds to the following inclusion test: L(A′) ⊆ L(A′pol).
Translation of ϕpol into A′pol
Using a standard translation technique [133, 61, 60], from ϕpol we can compute the Büchi automaton Apol = (Spol, S0pol, 2^(P ∪ E ∪ DSF), Δpol, Fpol), which accepts exactly the infinite sequences which satisfy ϕpol according to LTL semantics, where deontic subformulas are considered as atoms. For every transition δ = (s1, l, s2) ∈ Δpol, we apply the SDL satisfiability decision procedure to the following deontic formula:
⋀_{φ ∈ DSF ∩ l} φ ∧ ⋀_{φ ∈ DSF \ l} ¬φ
If the decision procedure returns unsatisfiable then we suppress δ. We then suppress the deontic labels of the remaining transitions (the set of labels is now 2^(P ∪ E)) and call A′pol the resulting Büchi automaton.
Let us illustrate this translation by the following simple example. Consider a policy ϕpol defined as the conjunction of the following rules.
• G(c1 ⇒ O(p))
• G(c2 ⇒ O(¬p))
• G((O(p) ∧ ¬p) ⇒ Xq)
Figure 6.3 represents the automaton Apol, where both states are accepting states. It is the translation of ϕpol into a Büchi automaton obtained with the tool LTL2BA [60]. At this point, we consider c1, c2, p, O(p), and O(¬p) as atomic propositions. The condensed representation of transitions explained in section 6.3.1 is used. Moreover, the label of each transition is very long and is not presented entirely.
[Figure: a two-state Büchi automaton; each transition carries a long disjunction of conjunctions over c1, c2, p, q, O(p) and O(¬p), shown truncated.]
Figure 6.3: Illustration of Apol
Figure 6.4 illustrates the automaton A′pol obtained from Apol after the suppression of the 'deontically inconsistent' transitions, and the suppression of the remaining deontic labels.
[Figure: the same two states, now with the four transition labels ¬c1 ∨ ¬c2; (¬c1 ∧ ¬c2) ∨ (¬c1 ∧ p) ∨ (¬c2 ∧ p); q ∧ (¬c1 ∨ ¬c2); and (¬c1 ∧ q) ∨ (¬c2 ∧ p ∧ q).]
Figure 6.4: Illustration of A′pol
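As an added example (not code from the thesis), the following Python code computes DSF(ϕpol) for the three-rule policy above and applies the pruning step of the translation to transition labels: a label is kept iff the deontic literals it fixes are SDL-satisfiable, which is decided here by a brute-force propositional search (the helper names are this example's own).

```python
# Added example, not from the thesis: computing DSF(ϕ) and pruning the
# transitions of A_pol whose deontic literals are SDL-inconsistent (6.3.2).
# Formulas are nested tuples; a transition label is a set of atom names drawn
# from P ∪ E ∪ DSF, where a deontic atom is written 'O(...)'.
from itertools import product

BOT = ('bot',)
def atom(a): return ('atom', a)
def imp(a, b): return ('imp', a, b)
def neg(a): return imp(a, BOT)
TOP = neg(BOT)
def conj(a, b): return neg(imp(a, neg(b)))
def nxt(a): return ('X', a)
def until(a, b): return ('U', a, b)
def globally(a): return neg(until(TOP, neg(a)))
def obl(prop): return ('O', prop)          # O ϕ_prop with ϕ_prop propositional

def dsf(f):
    """Deontic subformulas of f, following the recursive definition of DSF."""
    if f[0] in ('atom', 'bot'):
        return set()
    if f[0] == 'O':
        return {f}
    return set().union(*(dsf(sub) for sub in f[1:]))

def show(f):
    """Readable name of a formula; used as the label atom for O(...)."""
    k = f[0]
    if k == 'atom': return f[1]
    if k == 'bot': return '⊥'
    if k == 'imp' and f[2] == BOT: return '¬' + show(f[1])
    if k == 'imp': return f'({show(f[1])} ⇒ {show(f[2])})'
    if k == 'O': return f'O({show(f[1])})'
    return '(' + k + ' ' + ' '.join(show(s) for s in f[1:]) + ')'

def prop_eval(f, truth):
    """Propositional valuation; `truth` is the set of atoms that are true."""
    k = f[0]
    if k == 'atom': return f[1] in truth
    if k == 'bot': return False
    if k == 'imp': return (not prop_eval(f[1], truth)) or prop_eval(f[2], truth)
    raise ValueError('not propositional: ' + show(f))

def sdl_consistent(positive, negative, atoms):
    """Is  ⋀_{φ∈positive} O(φ) ∧ ⋀_{φ∈negative} ¬O(φ)  SDL-satisfiable?
    Without nested modalities this holds iff the positive formulas are jointly
    satisfiable (axiom D) and, for each negative φ, they do not entail φ
    (otherwise O(φ) would follow by axiom K). Decided by brute force."""
    names = sorted(atoms)
    ideal = [{a for a, b in zip(names, bits) if b}
             for bits in product([False, True], repeat=len(names))]
    ideal = [m for m in ideal if all(prop_eval(pf, m) for pf in positive)]
    if not ideal:
        return False
    return all(any(not prop_eval(nf, m) for m in ideal) for nf in negative)

def keep_transition(label, deontic, atoms):
    """Keep (s1, l, s2) iff  ⋀_{φ∈DSF∩l} φ ∧ ⋀_{φ∈DSF\\l} ¬φ  is SDL-satisfiable."""
    positive = [f[1] for f in deontic if show(f) in label]
    negative = [f[1] for f in deontic if show(f) not in label]
    return sdl_consistent(positive, negative, atoms)

# Constructed sample: the three-rule policy of this section over {c1, c2, p, q}.
c1, c2, p, q = atom('c1'), atom('c2'), atom('p'), atom('q')
POLICY = conj(conj(globally(imp(c1, obl(p))),
                   globally(imp(c2, obl(neg(p))))),
              globally(imp(conj(obl(p), neg(p)), nxt(q))))
DSF = dsf(POLICY)                        # {O(p), O(¬p)}
ATOMS = {'c1', 'c2', 'p', 'q'}

def prune(transitions):
    """Drop SDL-inconsistent transitions, then strip the deontic atoms from
    the labels, as in the construction of A'_pol."""
    names = {show(f) for f in DSF}
    return [(s1, frozenset(l) - names, s2)
            for s1, l, s2 in transitions if keep_transition(l, DSF, ATOMS)]
```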
The following property shows that A′pol can be used to check whether a trace is compatible with the policy.
Property 27. Let ϕpol be an SED-LTL− formula which specifies a security policy, and A′pol the Büchi automaton obtained by the above-mentioned procedure. Let σ be a state/event sequence over the sets P and E of atomic propositions and events. σ is compatible with ϕpol if and only if its state-based translation is accepted by A′pol:
σ |=compat ϕpol iff σ* ∈ L(A′pol)
where σ* ∈ (2^(P ∪ E))^ω is the sequence obviously obtained from σ by considering events as propositions.
Sketch of the proof. Let σ be a state/event trace over P and E, and ϕpol a formula of SED-LTL−.
'⇐': Suppose that its state-based translation σ* is accepted by A′pol. Clearly it is possible to enrich the state labels (atomic proposition sets) in σ with SDL-satisfiable subsets of DSF such that the enriched sequence σ′ satisfies ϕpol in the sense of SE-LTL (σ′ |=SE-LTL ϕpol), where deontic subformulas are considered as atoms. Since each subset of DSF which labels a state of σ′ is SDL-satisfiable, and ϕpol contains only propositional formulas in the scope of deontic operators, we can easily build a temporal deontic model M = (W, R, V) such that σ ∈ W and M, σ |= ϕpol.
'⇒': Suppose that σ |=compat ϕpol. There exists a temporal deontic model M = (W, R, V) such that σ ∈ W and M, σ |=SED-LTL ϕpol. Let σ′ be the state/event sequence obtained by adding to the state label of each state i the following set of deontic subformulas: {φ ∈ DSF / M, σ, i |=SED-LTL φ}, i.e., the deontic subformulas φ which are true at i. Since SED-LTL is a conservative extension of SE-LTL, σ′ |=SE-LTL ϕpol, where deontic subformulas are considered as atomic propositions. Besides, since SED-LTL is a conservative extension of SDL, every set of deontic subformulas which labels some state (σ′, i) is SDL-satisfiable. Thus, σ* is accepted by A′pol.
Translation of an LKS A into a Büchi automaton A′
As explained in section 6.1.2, we can translate an LKS A = (S, S0, Δ, V) over the sets P and E of atomic propositions and events into an equivalent state-based Kripke structure. Actually, it can also be translated into a transition-based Büchi automaton A′ = (S′, S′0, 2^(P ∪ E), Δ′, F′), such that an infinite state/event sequence σ is accepted by A if and only if its state-based translation σ* is accepted by A′, where
• S′ = S, S′0 = S0
• Δ′ = {(s1, E ∪ V(s1), s2) ∈ S × 2^(P ∪ E) × S / (s1, E, s2) ∈ Δ}
• F′ = S (every state is an accepting state)
The following property states that the compatibility of an LKS A with respect to a policy ϕpol is equivalent to the inclusion of L(A′) in L(A′pol).
Property 28. Let A be an LKS which models a system, and ϕpol an SED-LTL− formula which specifies its security policy. Let A′ and A′pol be respectively their corresponding Büchi automata. A is compatible with ϕpol if and only if the language accepted by A′ is a subset of the language accepted by A′pol:
A |=compat ϕpol iff L(A′) ⊆ L(A′pol)
Proof. The proof is immediate from property 27.
Checking the inclusion L(A′) ⊆ L(A′pol) is equivalent to checking the emptiness of L(A′) ∩ L(A′pol)ᶜ, where L(A′pol)ᶜ is the complement of L(A′pol). Since the complement of a Büchi automaton is computable [19, 113, 132], it follows that checking the compatibility of an LKS with respect to its security policy expressed in SED-LTL− is decidable.
6.4 Beyond compatibility
The notion of compatibility is too weak to be interpreted as compliance. In this section, we discuss some cases where a trace is compatible with a policy whereas it is intuitively not compliant with the policy. In order to formally define compliance, which relies on more complex notions, we adopt a restricted fragment of SED-LTL−, which nevertheless allows us to model many practical cases.
6.4.1 Policy language
This section deals with the syntax of the restricted policy language. A policy is defined as a set (or a conjunction) of rules. We distinguish between two kinds of rules:
• obligation/permission positioning rules of the form C → ϕ, where C is a propositional condition under which the rule is 'triggered'. ϕ is a deontic formula, i.e. either an obligation (“it is obligatory that ...”) or a permission (“it is permitted that ...”).
• sanctioning rules of the form V ⇝ ϕ, which express that if the violation V occurs, then the sanction ϕ will be enforced in the next state. The sanction is necessarily an obligation (it cannot be a permission). The condition V is the conjunction of a propositional formula and a violation formula of the form Viol(e), which expresses that there is a violation concerning event e.
We distinguish between two kinds of obligations: strong obligations and
weak obligations. The violation of a weak obligation may trigger a sanction,
which can also be violated if it is a weak obligation. All these violations
may be performed by a system which is still considered as compliant with
the policy, if the sanctions are eventually enforced. On the other hand, we
cannot reason about the violation of a strong obligation: a system which
violates such a strong obligation is not compliant with the policy.
Two kinds of violations may occur: a (weakly) obligatory event that does not happen, or a non-permitted event that happens. So we have in fact two violation formulas: ViolO(e), which means “e is (weakly) obligatory, but it does not occur in the next transition”, and ViolP(e), which means “e does occur in the next transition whereas it is not permitted”. We consider that every event which is not permitted by the policy is prohibited, i.e., we work with the closed policy principle.
The right hand side ϕ of a rule is either of the form P(ϕev) (ϕev is permitted), or O(ϕev) (ϕev is weakly obligatory), or Ô(ϕev) (ϕev is strongly obligatory), where ϕev is a positive event formula, i.e., a propositional formula (without any negation) whose atoms are events. We only consider in this section immediate obligations, but we plan to take into account obligations with deadline.
Here are some examples of rules that could be specified in the security policy, with P =def {p, q} and E =def {e1, e2}:
• p ∧ q → O(e1)
If p and q are true in the current state then there is a weak obligation that e1 occurs next.
• p → P(e1 ∧ e2)
If p is true in the current state then it is permitted that e1 and e2 occur simultaneously next.
• p ∧ ViolO(e1) ⇝ O(e2 ∨ e3)
If p is true and the obligation to perform e1 is violated, then in the next state, there is a weak obligation to perform e2 or e3.
• p ∧ ViolO(e2 ∨ e3) ⇝ Ô(e4)
If p is true and the obligation to perform e2 or e3 is violated, then event e4 must occur next (and this cannot be violated).
Let us formally define the rule language. We first define the language
LE of (positive) event formulas (in the remainder, ϕev will denote an event
formula):
ϕev ::= e | ϕev ∧ ϕev | ϕev ∨ ϕev
where e ∈ E is an event.
The limitation to positive events (without any negation) is due to the choice not to reason on explicit prohibitions. Indeed, with negation in the language of events, we would be able to express the obligation not to perform an event, which is equivalent to the prohibition to perform this event. This limitation thus avoids prohibition/permission and obligation/prohibition conflicts, and allows us to focus on violation management.
The condition of a rule (left hand side of a rule) can be a propositional formula, a violation formula, or a conjunction of a propositional and a violation formula. We define the language LP of the propositional formulas by the following syntax (in the remainder of this section, ϕp will denote a propositional formula):
ϕp ::= p | ϕp ∧ ϕp | ϕp ∨ ϕp | ¬ϕp
where p ∈ P is an atomic proposition.
The language Lviol of the violation formulas is defined by the following syntax:
ϕviol ::= ViolO(ϕev) | ViolP(ϕev)
where ϕev ∈ LE is a positive event formula, and ViolO(ϕev) =def O(ϕev) ∧ ¬ϕev, ViolP(ϕev) =def ϕev ∧ ¬P(ϕev).
The left hand side of a rule is a condition, and the right hand side is a positive deontic formula (permission, weak obligation, or strong obligation).
In our framework, the obligation of a given event can be both violable if it appears as a weak sanction in some rule, and non-violable if it appears as a strong sanction in some other rule. For instance, if p → O(e2) and ViolO(e1) ⇝ Ô(e2) are two rules of the policy, then in the context p there is an obligation to perform e2, which can be violated, but if there is a violation of an obligation to perform e1, then the obligation to perform e2 is not violable.
We define the language Lrule of the rules by the following syntax:
ϕ ::= ϕp → (O(ϕev) | P(ϕev) | Ô(ϕev))
    | ϕp ∧ ϕviol ⇝ (O(ϕev) | Ô(ϕev))
where ϕp ∈ LP is a propositional formula, ϕev ∈ LE is a positive event formula, and ϕviol ∈ Lviol is a violation formula.
A policy is defined as a set of rules.
6.4.2 Compliance of a system with its security policy
Given a model A = (S, S0 , Δ, V ) of a security system, and a policy, we
focus on the meaning of the compliance of the system with the policy, in
our context of violation management. We actually reason on a single trace
of the system (the compliance of the whole system is then defined by the
compliance of all its traces). We first give an intuition of the definition, and
then formally specify these aspects.
Informal view
Roughly speaking, we say that a system is compliant with a policy if
• either there is no violation,
• or each time some violation occurs, the associated sanction is enforced.
To state more precisely the notion of enforcement, we introduce some
vocabulary and a support example.
[Figure: a state/event trace s1 –debit→ s2 –debit→ s3 –go_to_jail→ s4, with the atomic proposition p shown on one of the states.]
Figure 6.5: State/Event trace
Example. Let us come back to the bank example introduced in section 6.2.3. Consider the state/event trace illustrated by Figure 6.5 together with the policy consisting of rules (1), (2), and (3).
1. ¬p → P(debit)
2. ViolP(debit) ⇝ O(pay_charges)
3. ViolO(pay_charges) ⇝ Ô(go_to_jail)
The first event (debit) is performed without permission since P(debit) cannot be deduced from the rules in the context of state s1 (recall we only work with closed policies). Therefore, according to rule (2) there is an obligation in state s2 to perform event pay_charges as a sanction. During the second transition, event pay_charges is not performed, so the sanction is also violated. According to rule (3), there is then a strong obligation to perform go_to_jail as a second sanction, in state s3. It is effectively performed by the behaviour of the bank customer. Thus, according to our approach, this system is compliant with its security policy, even if the sanctions triggered by security rules (1) and (2) are violated.
Vocabulary. We say that an obligation O(ϕev) is fulfilled if ϕev holds in the current state, i.e., if the event formula ϕev is going to be performed during the next transition. In the example of Figure 6.5, the (strong) obligation to perform go_to_jail is fulfilled in state s3.
A violation may induce several obligations. In the example, ViolP(debit) holds in state s1 (because of the first transition). Then rule (2) triggers the obligation O(pay_charges). (Recall that an obligation which is triggered by a violation is also named a sanction.) Then, in s3, because of the violation ViolO(pay_charges), rule (3) triggers the sanction Ô(go_to_jail). We say that the initial transition labeled by debit triggers the sequence of sanctions [O(pay_charges), Ô(go_to_jail)].
A transition is called managed if every sequence of sanctions which is triggered by this transition ends with a fulfilled obligation. In the example, the first transition is then managed.
When a transition is not managed, i.e., when it triggers some sequence of sanctions which does not end with a fulfilled obligation, we can distinguish between three situations:
• Some triggered sequence of sanctions ends with a strong obligation which is not fulfilled; then the transition is called ultimately strong.
• Some triggered sequence of sanctions ends with a weak obligation which is not fulfilled, and no sanction is specified by the policy in case this weak obligation is violated; then the transition is called ultimately unexpected.
• There is an infinite triggered sequence of sanctions; then the transition is called never caught.
This last situation is illustrated by the system described in Figure 6.6, together with the following policy:
[Figure: a two-state system, s1 (labelled p) and s2, with a transition labelled e1 from s1 to s2 and a transition labelled e2 from s2 back to s1.]
Figure 6.6: Infinite sequence of weak sanctions
(1) p → O(e2)
(2) ViolO(e2) ⇝ O(e1)
(3) ViolO(e1) ⇝ O(e2)
In state s1, according to rule (1), it is obligatory to perform e2 since p is true. So, performing event e1 violates this obligation, and rule (2) triggers O(e1) in the destination state s2. Then, doing event e2 violates this obligation. The system is then back to state s1, where rule (3) triggers O(e2).
If we consider the infinite state/event trace generated by this automaton, then in every state of this trace, there is a violation which triggers some rule. Therefore, the initial transition triggers the infinite sequence of sanctions [O(e1), O(e2), O(e1), O(e2), . . .].
The specification of this situation is not straightforward. Indeed, the definition which first comes to mind is: a transition is never caught if, after this transition, all the successive states satisfy some violation. The following example shows that this does not correspond to a transition which is never caught. Let us consider the system described by Figure 6.7 and the following policy:
(1) (p ∨ q) → O(e1)
(2) ViolO(e1) ⇝ O(e2)
[Figure: a two-state system, s1 (labelled p) and s2 (labelled q), whose two transitions, from s1 to s2 and from s2 to s1, are both labelled e2.]
Figure 6.7: Violation in every state
In state s1, p is true, so, according to rule (1), it is obligatory to perform e1. The first transition violates this obligation. According to rule (2), it is then obligatory in s2 to perform e2, and this obligation is fulfilled by the next transition. Similarly, in state s2, q is true, so it is obligatory to perform e1. This obligation is violated by the next transition, but the associated sanction will be fulfilled by the transition from s1 to s2. So, considering the state/event trace of this system, there is a violation in every state, and yet each triggered sequence of sanctions is eventually fulfilled, i.e., each transition is managed. We now see the need to make the notion of triggered sequence of sanctions precise before clearly defining our diagnostic cases.
Triggered sequence of sanctions Each obligation of a triggered sequence can be related to the previous one in a complex way. Each obligation
can actually be divided into two parts: the part which is inherited from the
previous obligation of the sequence, and the part which is only due to the
current state. For instance, let us consider the following policy:
(1) p → O(e1 )
(2) V iolP (e2 ) O(e4 )
(3) V iolO (e1 ) O(e3 )
6.4. BEYOND COMPATIBILITY
117
(4) q → O(e5 )
(5) V iolO (e4 ∧ e5 ) Ô(e6 )
(5’) V iolO (e5 ) Ô(e7 )
s1
p
e2
s2
{e6, e7}
s3
q
Figure 6.8: State/Event sequence
Let us analyse the first transition of the state/event sequence illustrated by
Figure 6.8. This transition violates the obligation to perform e1 and the nonpermission to perform e2 . So, according to rules (3) and (2), this transition
triggers the sanction O (e3 ) ∧ O(e4 ), i.e., O (e3 ∧ e4 ). This obligation holds
in the second state s2 , and is violated by the next transition. Now, do we
consider that rules (5) and (5’) are triggered? In order to answer, let us
notice that in the current state (s2 ), q holds, so it is obligatory to perform e5
according to rule (4). This obligation, which is also violated, does not play
the same role in the sequence of sanctions as obligation O (e3 ∧ e4 ), which
is inherited from previous violations. Inherited obligations are important to
determine whether the current violation is unexpected (and the triggered
sequence of sanctions ends), or there is an ’enabled’ rule (and the triggered
sequence is continued). In order to distinguish between these two cases, we
consider separately the rules which can be triggered depending on the set of
obligations we assume to hold in the current state:
(a) current obligations are supposed to be only inherited sanctions
(b) current obligations are supposed to be both inherited and ’new’ sanctions
(c) current obligations are supposed to be only ’new’ sanctions
If there exists an enabled rule in case (a), then the triggered sequence of sanctions is continued. If there exists an enabled rule in case (b) which is not enabled in case (c), then the triggered sequence of sanctions is also continued. Otherwise, we consider that the current violation is unexpected, and the sequence of triggered obligations ends.

In the example, if we consider rule (5') instead of rule (5), then the violation of obligation O(e3 ∧ e4) is unexpected, and the sequence of sanctions triggered by the first transition ends (it has only one element). Indeed, if we only suppose that e3 ∧ e4 is obligatory (case (a)), then no rule is enabled. In case (b) ((e3 ∧ e4) ∧ e5 is obligatory), rule (5') is enabled, and in case (c) (only e5 is obligatory) it is also enabled, so our criterion is not satisfied. On the other hand, if we consider rule (5), then our criterion is satisfied: rule (5) is enabled in case (b) but not in case (c). The sequence of sanctions is then continued.
To sum up, given a state/event sequence, and a current transition, there
are five different diagnostic cases to consider:
1. no violation occurs
2. the transition is managed
3. the transition is ultimately strong
4. the transition is ultimately unexpected
5. the transition is never caught
It is clear that cases 1 and 2 correspond to a transition which is compliant
with its security policy and that the cases 3 and 5 correspond to a transition
which is not. Case 4 is less clear: one can consider that there is a lack in the
policy specification, and the transition is still compliant with the (specified
part of the) policy. On the other hand, we cannot consider that the sanction
is enforced (because no sanction is specified), so it is also reasonable to
conclude that the transition is not compliant with the security policy. We
will adopt the latter point of view.
Definition 62 (Compliance). A state/event trace is said to be compliant
with a policy iff for every transition
1. either there is no violation
2. or the transition is managed
A system is compliant iff all its traces are compliant.
Formal definitions
In this section, we formally define the notion of triggered sequence of obligations, which allows us to define the five diagnostic cases, and thus compliance. The definition of these concepts is out of the scope of the language of deontic and temporal logics. Indeed, we will reason about individual rules, and about sequences of sanctions in which a causal relation between their elements is involved. We therefore propose ad hoc definitions based on a syntactic point of view.
Auxiliary definitions. Given a state/event sequence σ and a policy pol, we need the following auxiliary definitions (σ is implicit in the following definitions for ease of reading). In the remainder, if $A$ is a set of formulas, then $\bigwedge A$ denotes the formula $\bigwedge_{\phi \in A} \phi$.

$WObl(i)$ (resp. $SObl(i)$) is the set of the formulas which are weakly (resp. strongly) obligatory in the $i$th state of σ, and which are not sanctions (they are not triggered by any sanctioning rule).

$$WObl(i) \stackrel{def}{=} \{\phi \mid \exists(\varphi_p \to O(\phi)) \in pol \text{ such that } \sigma, i \models \varphi_p\}$$
$$SObl(i) \stackrel{def}{=} \{\phi \mid \exists(\varphi_p \to \hat{O}(\phi)) \in pol \text{ such that } \sigma, i \models \varphi_p\}$$
$Perm(i)$ is the set of all the event sets which are permitted in state $i$. Notice that it may be the case that $\{e_1\}$ and $\{e_2\}$ are permitted whereas $\{e_1, e_2\}$, i.e., the simultaneous occurrence of $e_1$ and $e_2$, is not. Therefore, $Perm(i)$ is necessarily a set of event sets and not simply a set of events. We denote by $\widehat{Perm}(i)$ the event formula which characterizes the permitted event sets.

$$Perm(i) \stackrel{def}{=} \{E \subseteq \mathcal{E} \mid \exists(\varphi_p \to P(\varphi_{ev})) \in pol \text{ such that } \models \varphi_{ev} \Rightarrow (\textstyle\bigwedge E) \text{ and } \sigma, i \models \varphi_p\}$$
$$\widehat{Perm}(i) \stackrel{def}{=} \bigvee_{E \in Perm(i)} (\textstyle\bigwedge E)$$
$WSanc_P(i)$ (resp. $SSanc_P(i)$) is the set of the formulas which are weakly (resp. strongly) obligatory in state $i+1$ because of the occurrence of non-permitted events in the current transition (the events $\varphi_{ev}$ occur, and they are not permitted according to $\widehat{Perm}(i)$).

$$WSanc_P(i) \stackrel{def}{=} \{\phi \mid \exists(\varphi_p \wedge Viol_P(\varphi_{ev}) \leadsto O(\phi)) \in pol \text{ such that } \sigma, i \models \varphi_p \wedge \varphi_{ev} \text{ and } \varphi_{ev} \text{ is not permitted w.r.t. } \widehat{Perm}(i)\}$$
$$SSanc_P(i) \stackrel{def}{=} \{\phi \mid \exists(\varphi_p \wedge Viol_P(\varphi_{ev}) \leadsto \hat{O}(\phi)) \in pol \text{ such that } \sigma, i \models \varphi_p \wedge \varphi_{ev} \text{ and } \varphi_{ev} \text{ is not permitted w.r.t. } \widehat{Perm}(i)\}$$
The set $WSanc_O(i, \varphi)$ represents the formulas which are weakly obligatory in state $i+1$ of a state/event trace σ because of the violation $Viol_O(\varphi_{ev})$ (where $\varphi_{ev}$ is implied by $\varphi$), i.e., because obligation $O(\varphi_{ev})$ is not fulfilled by the current transition.

$$WSanc_O(i, \varphi) \stackrel{def}{=} \{\phi \mid \exists(\varphi_p \wedge Viol_O(\varphi_{ev}) \leadsto O(\phi)) \in pol \text{ such that } \varphi \Rightarrow \varphi_{ev} \text{ and } \sigma, i \models \varphi_p \wedge \neg\varphi_{ev}\}$$

Similarly, we define $SSanc_O(i, \varphi)$ as the set of the formulas which are strongly obligatory in state $i+1$ because of the violation $Viol_O(\varphi_{ev})$ (where $\varphi_{ev}$ is implied by $\varphi$):

$$SSanc_O(i, \varphi) \stackrel{def}{=} \{\phi \mid \exists(\varphi_p \wedge Viol_O(\varphi_{ev}) \leadsto \hat{O}(\phi)) \in pol \text{ such that } \varphi \Rightarrow \varphi_{ev} \text{ and } \sigma, i \models \varphi_p \wedge \neg\varphi_{ev}\}$$
During the informal discussion, we saw that the criterion which allows us to determine whether the violation of a given sanction is unexpected is quite complex. We explained the need to distinguish between an inherited part $O(\varphi^{inh}_{ev})$ and a 'new' part $O(\varphi^{new}_{ev})$ in the sanction.

$$\begin{array}{l}
ExistsSanc(i, O(\varphi^{inh}_{ev}), O(\varphi^{new}_{ev})) \stackrel{def}{=}\\
\quad \exists(\varphi_p \wedge Viol_O(\varphi_{ev}) \leadsto \_) \in pol \text{ such that } \varphi^{inh}_{ev} \Rightarrow \varphi_{ev} \text{ and } \sigma, i \models \varphi_p \wedge \neg\varphi_{ev}\\
\quad \text{or } \exists(\varphi_p \wedge Viol_O(\varphi_{ev}) \leadsto \_) \in pol \text{ such that } (\varphi^{inh}_{ev} \wedge \varphi^{new}_{ev}) \Rightarrow \varphi_{ev} \text{ and } \varphi^{new}_{ev} \not\Rightarrow \varphi_{ev} \text{ and } \sigma, i \models \varphi_p \wedge \neg\varphi_{ev}
\end{array}$$
Triggered sequence of sanctions. We consider finite and infinite sequences, indexed by $I$. In the former case, $I$ has the form $0..N$ for some non-negative integer $N \in \mathbb{N}$. In the latter case, $I = \mathbb{N}$. A sequence of sanctions is denoted by $(O(\varphi^{inh}_k), O(\varphi^{new}_k))_{k \in I}$, where $O(\varphi^{inh}_k)$ denotes the inherited part of the sanction, and $O(\varphi^{new}_k)$ denotes the 'new' part of the sanction. It can also be denoted by $(O^{inh}_k, O^{new}_k)_{k \in I}$. The last pair of obligations (in case the sequence is finite) can be either a pair of weak obligations or a pair of strong obligations, and all the other obligations of the sequence are weak.
Definition 63 (Triggered sequence of sanctions). A sequence $(O(\varphi^{inh}_k), O(\varphi^{new}_k))_{k \in I}$ of sanctions is said to be triggered in the $i$th state of a state/event trace σ if

• the first sanction is due to the violations which occur in $\sigma^i$:
$$\varphi^{inh}_0 \equiv \textstyle\bigwedge WSanc_O(i, \phi) \wedge \bigwedge WSanc_P(i)$$
or, if the first sanction is strong, $\varphi^{inh}_0 \equiv \bigwedge SSanc_O(i, \phi) \wedge \bigwedge SSanc_P(i)$ (and there is only one pair in the sequence), where $\phi \stackrel{def}{=} \bigwedge WObl(i)$;

• the inherited part of a sanction in the sequence is due to the violation of the previous sanction:
$$\forall k \in I \setminus \{0\} \quad \varphi^{inh}_k \equiv \textstyle\bigwedge WSanc_O(i+k, \varphi^{inh}_{k-1} \wedge \varphi^{new}_{k-1})$$
or $\varphi^{inh}_k \equiv \bigwedge SSanc_O(i+k, \varphi^{inh}_{k-1} \wedge \varphi^{new}_{k-1})$ (and $k$ is the last index);

• the new part of each sanction is due to the current state and the non-permitted events in the previous transition:
$$\forall k \in I \quad \varphi^{new}_k \equiv \textstyle\bigwedge WObl(i+k+1) \wedge \bigwedge WSanc_P(i+k)$$

• each sanction in the sequence (except the last sanction if the sequence is finite) is violated, and this violation is not unexpected (there exists a new sanction according to the policy):
$$\forall k \in I \text{ such that } k \text{ is not the last index} \quad \sigma, i+k+1 \models \neg\varphi^{inh}_k \text{ and } ExistsSanc(i+k+1, O(\varphi^{inh}_k), O(\varphi^{new}_k))$$

• if the sequence is finite ($I = 0..N$) and the last pair of sanctions is weak, then either the last sanction is fulfilled or the policy specifies no sanction:
$$\text{if } (O^{inh}_N, O^{new}_N) \text{ is of the form } (O(\varphi^{inh}_N), O(\varphi^{new}_N)) \text{ then } \sigma, i+N+1 \models \varphi^{inh}_N \text{ or } \neg ExistsSanc(i+N+1, O(\varphi^{inh}_N), O(\varphi^{new}_N))$$
Let us come back to the example of Figure 6.8. We consider all the rules (1)-(5) and (5'). Then, according to this definition, the first transition triggers the sequence of sanctions $[(O(e_3 \wedge e_4), O(e_5)), (\hat{O}(e_6 \wedge e_7), \cdot)]$. (Notice that there is no 'new' part in the last sanction.)
Diagnostic cases We can now define the semantics of the different kinds
of transitions in which a violation occurs: managed transition, ultimately
strong transition, ultimately unexpected transition, and never caught transition, through the predicates managed, strong, unexpected, and never_caught.
Definition 64 (Managed transition). Given a state/event sequence σ and a nonnegative integer $i$, the $i$th transition of σ is managed if every sequence of triggered sanctions is finite and ends with a fulfilled sanction.

$managed(\sigma, i)$ iff every sequence of sanctions triggered by $\sigma^i$ (there exists some) is finite, and for every triggered sequence of sanctions $(O^{inh}_k, O^{new}_k)_{k \in 0..N}$, $\sigma, i+N+1 \models \varphi^{inh}_N$, where $O^{inh}_N = O(\varphi^{inh}_N)$ or $O^{inh}_N = \hat{O}(\varphi^{inh}_N)$.
Definition 65 (Ultimately strong transition). A transition is ultimately strong if there is a sequence of triggered sanctions which ends with an unfulfilled strong obligation.

$strong(\sigma, i)$ iff $\exists (O^{inh}_k, O^{new}_k)_{k \in 0..N}$, a sequence of sanctions triggered by $\sigma^i$, such that $O^{inh}_N = \hat{O}(\varphi^{inh}_N)$ and $\sigma, i+N+1 \models \neg\varphi^{inh}_N$.
Definition 66 (Ultimately unexpected transition). A transition is ultimately unexpected if the policy specifies no sanction for the violations which occur during this transition, or for the violation of the last sanction of some triggered sequence of sanctions.

$unexpected(\sigma, i)$ iff $viol(\sigma, i)$ and $NoInitialSanc(i)$, or $\exists (O(\varphi^{inh}_k), O(\varphi^{new}_k))_{k \in 0..N}$, a finite sequence of sanctions triggered by $\sigma^i$, such that $\sigma, i+N+1 \models \neg\varphi^{inh}_N$ and $\neg ExistsSanc(i+N+1, O(\varphi^{inh}_N), O(\varphi^{new}_N))$,

where
$$viol(\sigma, i) \stackrel{def}{=} \sigma, i \not\models \textstyle\bigwedge WObl(i) \text{ or the event set } \sigma_i \text{ (i.e. } \bigwedge_{e \in \sigma_i} e \text{) is not permitted w.r.t. } \widehat{Perm}(i)$$
and
$$NoInitialSanc(i) \stackrel{def}{=} WSanc_P(i) = SSanc_P(i) = \emptyset \text{ and } WSanc_O(i, \textstyle\bigwedge WObl(i)) = SSanc_O(i, \bigwedge WObl(i)) = \emptyset$$
Definition 67 (Never caught transition). A transition is never caught if it triggers an infinite sequence of sanctions.

$never\_caught(\sigma, i)$ iff there is an infinite sequence of sanctions triggered by $\sigma^i$.
Property 29. A transition in which some violation occurs and which is not managed is either ultimately strong, or ultimately unexpected, or never caught. Given a policy pol, a state/event trace σ and a natural number $i$, the following property holds:
$$(viol(\sigma, i) \wedge \neg managed(\sigma, i)) \Leftrightarrow (strong(\sigma, i) \vee unexpected(\sigma, i) \vee never\_caught(\sigma, i))$$
Proof. Let σ a state/event sequence and i ∈ N a nonnegative integer.
’⇐’: If strong(σ, i) then there exists a triggered sequence of sanctions
which ends with an unfulfilled (strong) obligation. It directly follows that
¬managed(σ, i). Suppose that unexpected(σ, i). Then, either there is a violation and no triggered sequence, or there is a triggered sequence which ends
with an unfulfilled (weak) obligation. It follows that ¬managed(σ, i). Now,
suppose that never_caught(σ, i). Then, there exists an infinite sequence of
sanctions triggered by σ i . We deduce that ¬managed(σ, i).
In the three previous cases, the existence of a triggered sequence of sanctions implies viol(σ, i).
’⇒’: We suppose that viol(σ, i) ∧ ¬managed(σ, i). Then, considering the
definition of managed, we have that
• either there is an infinite sequence of triggered sanctions (then
never_caught(σ, i) holds)
• or there is no triggered sequence of sanctions (then unexpected(σ, i)
holds)
• or there is a triggered sequence of sanctions which ends with an unfulfilled obligation. If this obligation is strong, then strong(σ, i) holds. Otherwise, if there existed a sanction ($ExistsSanc(i+N+1, O^{inh}_N, O^{new}_N)$), then the sequence of sanctions would not end at $N$. So there is no such sanction, and unexpected(σ, i) holds.
Definition 68 (Compliance). A trace σ is compliant iff for every transition
in σ, either there is no violation, or the transition is managed.
$$compliant(\sigma) \text{ iff } \forall i \in \mathbb{N} \quad viol(\sigma, i) \Rightarrow managed(\sigma, i)$$
From property 29, we deduce that a trace σ is not compliant iff
∃i ∈ N (strong(σ, i) ∨ unexpected(σ, i) ∨ never_caught(σ, i)).
Compatibility vs compliance. In order to compare the notions of compatibility and compliance, we first have to consider the policy as an SED-LTL formula:
• → is interpreted as the usual implication ⇒,
• ⇝ is interpreted as 'implies next': ⇒ X,
• Ô(ϕev) is interpreted as ϕev,
• the other operators already belong to SED-LTL,
• a policy is interpreted as G ϕ, where ϕ is the conjunction of its rules.
Property 30 (Compatibility vs compliance). Let σ be a state/event sequence, pol a policy (set of $L_{rule}$-formulas) and $\varphi_{pol}$ its SED-LTL translation. σ is compatible with $\varphi_{pol}$ iff no transition in σ is ultimately strong with respect to pol.

Sketch of the proof. Let pol be a policy (set of $L_{rule}$-formulas) and $\varphi_{pol}$ its SED-LTL translation.

'⇒': Let σ be a state/event sequence and $i \in \mathbb{N}$ a non-negative integer such that strong(σ, i). There is a triggered sequence of sanctions $(O^{inh}_k, O^{new}_k)_{k \in 0..N}$ such that $O^{inh}_N = \hat{O}(\varphi^{inh}_N)$ and $\sigma, i+N+1 \models \neg\varphi^{inh}_N$. It can be shown that in $(\sigma, i+k+1)$, $\varphi^{inh}_k \wedge \varphi^{new}_k$ is obligatory in the 'combination' of the system and the policy (cf. definition 60, section 6.2.2) for every $k < N$. In other words, every 'deontic extension' of σ satisfies $O(\varphi^{inh}_k \wedge \varphi^{new}_k)$ in state $i+k+1$, i.e., $\sigma, i+k+1 \models_{pol} O^{exp}(\varphi^{inh}_k \wedge \varphi^{new}_k)$. Similarly, since $\hat{O}(\varphi)$ is interpreted as $\varphi$, every 'deontic extension' of σ which satisfies $\varphi_{pol}$ satisfies $\varphi^{inh}_N$ in state $i+N+1$. So there cannot be any 'deontic extension' of σ which satisfies $\varphi_{pol}$, and σ is not compatible with $\varphi_{pol}$.
'⇐': Let σ be a state/event sequence which is not compatible with the policy. There is no 'deontic extension' of σ which satisfies $\varphi_{pol}$. So a conflict prevents $\varphi_{pol}$ from being satisfied by a temporal deontic model 'based' on σ. Since there are no negative event formulas in the policy, there cannot be any obligation/prohibition conflict which would contradict axiom D, and there cannot be any contradiction with axiom K either. Since there is no negation of obligation and no negation of permission, there cannot be any permission/prohibition conflict. The only kind of rule which may cause a conflict is a rule whose consequent is a strong obligation of the form $\hat{O}(\varphi_{ev})$, interpreted as $\varphi_{ev}$ in SED-LTL. This is exactly the conflict which arises if an ultimately strong transition occurs.
In the next section, we provide an algorithm which checks the compliance of a transition of a given system with a policy. It also provides a diagnostic.
6.4.3
Diagnostic algorithm
We present an algorithm that analyses the system and the policy, to check
whether the five following properties hold, given the current transition t:
1. There is no violation in t
2. For every trace which starts from t, t is managed
3. There is some trace which starts from t, such that t is ultimately strong
4. There is some trace which starts from t, such that t is ultimately unexpected
5. There is some trace which starts from t, such that t is never caught
Preliminary definitions

We rely on propositional logic, and suppose we have access to a decision procedure for the validity of any propositional formula. Given an LKS $A = (S, S_0, \Delta, V)$ over the sets $P$ and $\mathcal{E}$ of propositions and events, we call $\tilde{s}$ the propositional formula that characterizes the atomic propositions that are true in $s \in S$, $succ(s, E)$ the set of the possible successors of $s$ after a transition labelled by $E$, and $Out(s)$ the set of all the event sets that label an outgoing transition from $s$:

$$\tilde{s} \stackrel{def}{=} \bigwedge_{p \in V(s)} p \wedge \bigwedge_{p \notin V(s)} \neg p$$
$$succ(s, E) \stackrel{def}{=} \{s' \in S \mid (s, E, s') \in \Delta\}$$
$$Out(s) \stackrel{def}{=} \{E \in 2^{\mathcal{E}} \mid \exists s' \in S \text{ such that } (s, E, s') \in \Delta\}$$
Since we analyse a whole system A, we have to adapt auxiliary definitions
given in section 6.4.2 to the branching time case. These definitions will make
algorithms more readable.
$WObl(i)$, $SObl(i)$ and $Perm(i)$ only concern the current state, so they can easily be re-defined as $WObl(s)$, $SObl(s)$ and $Perm(s)$, respectively. $WSanc_P(i)$ and $SSanc_P(i)$ concern the current transition, so they have to be re-defined as $WSanc_P(s, E)$ and $SSanc_P(s, E)$. $WSanc_O(i, \varphi)$ and $SSanc_O(i, \varphi)$ depend on the current transition and on a given event formula (supposed to be obligatory), so they are re-defined as $WSanc_O(s, E, \varphi_{ev})$ and $SSanc_O(s, E, \varphi_{ev})$ respectively. $ExistsSanc(i, O(\varphi^{inh}_{ev}), O(\varphi^{new}_{ev}))$ depends on the current transition and on two given formulas (supposed to be the inherited part and the 'new' part of the current obligation), so it is re-defined as $ExistsSanc(s, E, O(\varphi^{inh}_{ev}), O(\varphi^{new}_{ev}))$. These re-definitions are given in Figure 6.9.
We use some variables to 'diagnose' the situation. no_viol is true until some violation occurs, strong_violation is false until some strong sanction is not fulfilled, unexpected_violation is false until some violation occurs for which no sanction is specified, and never_caught is false until some never caught violation is detected. The detection uses a variable po which records the triples (current state, current transition, parsed obligation). In order to have more precise information, we could provide the trace of the different rules that are triggered, but we do not consider such a trace here for the sake of brevity.
Algorithms
Given a state s and an outgoing transition labelled by E, CheckTransition(s, E) (Algorithm 1) provides the above-mentioned diagnostic. It first initialises the four diagnostic variables. Then, if a violation occurs during the transition, it sets no_viol to false, computes the weak and strong sanctions, and calls CheckSanction (Algorithm 2) on the next possible transitions in order to recursively check that the sanctions are fulfilled. CheckTransition then returns the four variables that provide the diagnostic.
CheckSanction(s, E, inh, new, so) (algorithm 2) aims at checking that
the current transition complies with the sanctions which are triggered by
the initial transition (on which CheckT ransition was called). inh is the set
of the weakly obligatory formulas which are inherited from previous violations. It corresponds to the inherited part of the sanction in the triggered
sequence of sanctions. new is the set of the formulas which are weakly obligatory because of the current state, and because of the non-permitted events
which occurred during the previous transition. It corresponds to the ’new’
part of the sanction in the triggered sequence of sanctions. so is the set of
the strong obligations which are inherited from previous sanctions. Since a
$$WObl(s) \stackrel{def}{=} \{\phi \mid \exists(\varphi_p \to O(\phi)) \in pol \text{ such that } \models \tilde{s} \Rightarrow \varphi_p\}$$
$$SObl(s) \stackrel{def}{=} \{\phi \mid \exists(\varphi_p \to \hat{O}(\phi)) \in pol \text{ such that } \models \tilde{s} \Rightarrow \varphi_p\}$$
$$Perm(s) \stackrel{def}{=} \{E \subseteq \mathcal{E} \mid \exists(\varphi_p \to P(\varphi_{ev})) \in pol \text{ s.t. } \models \varphi_{ev} \Rightarrow (\textstyle\bigwedge E) \text{ and } \models \tilde{s} \Rightarrow \varphi_p\}$$
$$\widehat{Perm}(s) \stackrel{def}{=} \bigvee_{E \in Perm(s)} (\textstyle\bigwedge E)$$
$$WSanc_P(s, E) \stackrel{def}{=} \{\phi \mid \exists(\varphi_p \wedge Viol_P(\varphi_{ev}) \leadsto O(\phi)) \in pol \text{ such that } \tilde{s} \Rightarrow \varphi_p \text{ and } (\textstyle\bigwedge E) \Rightarrow \varphi_{ev} \text{ and } \varphi_{ev} \text{ is not permitted w.r.t. } \widehat{Perm}(s)\}$$
$$SSanc_P(s, E) \stackrel{def}{=} \{\phi \mid \exists(\varphi_p \wedge Viol_P(\varphi_{ev}) \leadsto \hat{O}(\phi)) \in pol \text{ such that } \tilde{s} \Rightarrow \varphi_p \text{ and } (\textstyle\bigwedge E) \Rightarrow \varphi_{ev} \text{ and } \varphi_{ev} \text{ is not permitted w.r.t. } \widehat{Perm}(s)\}$$
$$WSanc_O(s, E, \varphi_{ev}) \stackrel{def}{=} \{\phi \mid \exists(\varphi_p \wedge Viol_O(\varphi'_{ev}) \leadsto O(\phi)) \in pol \text{ such that } \varphi_{ev} \Rightarrow \varphi'_{ev} \text{ and } (\textstyle\bigwedge E) \not\Rightarrow \varphi'_{ev} \text{ and } \tilde{s} \Rightarrow \varphi_p\}$$
$$SSanc_O(s, E, \varphi_{ev}) \stackrel{def}{=} \{\phi \mid \exists(\varphi_p \wedge Viol_O(\varphi'_{ev}) \leadsto \hat{O}(\phi)) \in pol \text{ such that } \varphi_{ev} \Rightarrow \varphi'_{ev} \text{ and } (\textstyle\bigwedge E) \not\Rightarrow \varphi'_{ev} \text{ and } \tilde{s} \Rightarrow \varphi_p\}$$
$$\begin{array}{l}
ExistsSanc(s, E, O(\varphi^{inh}_{ev}), O(\varphi^{new}_{ev})) \stackrel{def}{=}\\
\quad \exists(\varphi_p \wedge Viol_O(\varphi_{ev}) \leadsto \_) \in pol \text{ such that } \varphi^{inh}_{ev} \Rightarrow \varphi_{ev} \text{ and } \tilde{s} \Rightarrow \varphi_p \text{ and } (\textstyle\bigwedge E) \not\Rightarrow \varphi_{ev}\\
\quad \text{or } \exists(\varphi_p \wedge Viol_O(\varphi_{ev}) \leadsto \_) \in pol \text{ such that } (\varphi^{inh}_{ev} \wedge \varphi^{new}_{ev}) \Rightarrow \varphi_{ev} \text{ and } \varphi^{new}_{ev} \not\Rightarrow \varphi_{ev} \text{ and } \tilde{s} \Rightarrow \varphi_p \text{ and } (\textstyle\bigwedge E) \not\Rightarrow \varphi_{ev}
\end{array}$$

Figure 6.9: Auxiliary definitions in the branching-time case
Algorithm 1: CheckTransition(s, E)
    /* initialization of diagnostic variables */
    no_viol := true; strong_violation := false; unexpected_violation := false; never_caught := false; po := ∅;
    if (⋀E) ⇏ ⋀WObl(s) or E is not permitted w.r.t. Perm̂(s) then
        no_viol := false;
        wo := WSancO(s, E, ⋀WObl(s)) ∪ WSancP(s, E);
        so := SSancO(s, E, ⋀WObl(s)) ∪ SSancP(s, E);
        if wo = ∅ and so = ∅ then
            unexpected_violation := true;
        else
            foreach s' ∈ succ(s, E) and E' ∈ Out(s') do
                CheckSanction(s', E', wo, ∅, so);
    return (no_viol, strong_violation, unexpected_violation, never_caught)
strong obligation can only appear at the last position in a triggered sequence
of sanctions, there is no need to consider ’new’ strong obligations which may
hold in the current state. Such a ’new’ strong obligation which may appear
during a transition (s , E ) is dealt with by the call CheckT ransition(s , E ).
If the current transition does not perform the strongly obligatory events, then the variable strong_violation is set to true. If the current transition performs the inherited part of the current obligation, then the algorithm terminates. If the set of inherited weak obligations inh has already been parsed in the current state/transition pair, then the variable never_caught is set to true and the algorithm terminates. If inh has not already been parsed, then the set po of the parsed obligations is extended with the triple (s, E, inh). If no sanction is specified, according to our criterion which depends on inh and new, then the variable unexpected_violation is set to true; otherwise, the algorithm checks whether the new sanctions are enforced in the next states by calling itself recursively on every possible successor.
Property 31 (Termination).
CheckT ransition terminates.
Sketch of the proof. There is no loop, and the only recursive call is in
CheckSanction. The termination of CheckSanction is straightforward, because the set of triples (state, transition, obligation) is finite (finiteness of
the set of rules implies finiteness of the set of possible obligations), and the
set of triples for which the obligation is not parsed (the complementary of
the set po) is strictly decreasing at each recursive call, which guarantees the
termination.
Algorithm 2: CheckSanction(s, E, inh, new, so)
    if (⋀E) ⇏ ⋀so then
        strong_violation := true;
    if (⋀E) ⇏ ⋀inh then
        if (s, E, inh) ∈ po then
            never_caught := true;
        else
            po := po ∪ {(s, E, inh)};
            new := new ∪ WObl(s);
            if ¬ExistsSanc(s, E, O(⋀inh), O(⋀new)) then
                unexpected_violation := true;
            else
                inh' := WSancO(s, E, ⋀(inh ∪ new));
                new' := WSancP(s, E);
                so' := SSancO(s, E, ⋀(inh ∪ new));
                foreach s' ∈ succ(s, E) and E' ∈ Out(s') do
                    CheckSanction(s', E', inh', new', so');
We now establish the soundness of CheckT ransition with respect to the
definition of the diagnostic cases provided in section 6.4.2.
Property 32 (Soundness). Given a system $A = (S, S_0, \Delta, V)$, a state $s \in S$, and an outgoing transition labelled by $E \in Out(s)$, after the call of CheckTransition(s, E) the following holds:
• no_viol = true iff for every state/event trace σ = (s, E, . . .) of A
starting with s, E, no violation occurs during the first transition.
• strong_violation, unexpected_violation, and never_caught all equal
false iff for every state/event trace σ = (s, E . . .) of A starting with
s, E, the first transition is managed: managed(σ, 0)
• strong_violation = true iff there is some state/event trace σ = (s, E . . .)
of A starting with s, E, such that strong(σ, 0)
• unexpected_violation = true iff there is some state/event trace σ =
(s, E, . . .) of A starting with s, E, such that unexpected(σ, 0)
• never_caught = true iff there is some state/event trace σ = (s, E . . .)
of A starting with s, E, such that never_caught(σ, 0)
The proof is straightforward because the algorithm deals with concepts
that are close to the semantics of the formal definitions. In particular, triggered sequences of sanctions are directly obtained from the successive values
of inh, new, and so.
6.4.4
Concluding example
In this section, we develop the aforementioned bank example and test the algorithm given in section 6.4.3. Figure 6.13 shows the output of this algorithm
for some instances of a bank model.
The bank system is modeled as an automaton that models the behaviour of a customer together with the state of his/her bank account. Recall that the sets P and E of atomic propositions and events are
P = {positive}
and E = {credit, debit, pay_charges, go_to_jail}

Figure 6.10: First example of a system (states s1, where positive holds, and s2; five transitions labelled debit, debit, credit, credit and credit)

Figure 6.11: Second example of a system (the same states and transitions as Figure 6.10, plus one more transition labelled debit)
We consider the following policy:
• credit, pay_charges, and go_to_jail operations are always permitted.
  $\to P(credit \wedge pay\_charges \wedge go\_to\_jail)$ (the antecedent is empty: the rule is always enabled)
• When the balance is positive, it is permitted to perform a debit operation.
  $positive \to P(debit)$
• If the balance is negative, then it is obligatory to credit the account.
  $\neg positive \to O(credit)$
• If a debit operation is performed without permission, then it is obligatory to pay charges.
  $Viol_P(debit) \leadsto O(pay\_charges)$
• If an obligation to credit the account is violated, then it is obligatory to pay charges.
  $Viol_O(credit) \leadsto O(pay\_charges)$
• If an obligation to pay the charges is violated, the customer has a strong obligation to go to jail.
  $Viol_O(pay\_charges) \leadsto \hat{O}(go\_to\_jail)$

Figure 6.12: Third example of a system (states s1, where positive holds, s2, s3 and s4; transitions labelled debit, debit, credit, credit, credit, {credit, pay_charges}, debit, {credit, pay_charges}, debit and go_to_jail)

Figure 6.13: Output of CheckTransition(s2, {debit})

    system      no_viol   strong   unexpected   never_caught
    example2    false     true     false        false
    example3    false     false    false        false
The first system (Figure 6.10) is compliant with the policy, and never violates any obligation or prohibition (every trace σ satisfies ¬viol(σ, i) for every i ∈ ℕ). The second one (Figure 6.11) may clearly violate the obligation to credit the account in state s2, if it performs event debit. Then, there is an obligation to pay charges, which can also be violated by performing again event debit. Then, there is a strong obligation to go to jail, which may be violated by performing debit, or also credit. So the second system is not compliant with the policy: for instance, a trace which starts with σ = (s1, {debit}, s2, {debit}, s2, {debit}, s2, {debit}) satisfies strong(σ, 1). The third one (Figure 6.12) is compliant but may violate some obligations: every trace satisfies viol(σ, i) ⇒ managed(σ, i) for every i ∈ ℕ. For instance, a trace which starts with σ = (s1, {debit}, s2, {debit}) satisfies ViolO(credit) in its second state (σ, 1), but also satisfies managed(σ, 1). Figure 6.13 shows the value of the diagnostic variables after the call of our algorithm on the transition starting from state s2 and labelled by {debit}.
7
Conclusion
7.1
Summary
The goal of this thesis was to propose a logical framework to deal with
security properties. We have focused on the combination of deontic and
temporal logics. The key interaction we have studied is the propagation
of unfulfilled obligations. We have studied this interaction in the case of
deadline obligations and for a more general form of obligations. We have
then presented how such a logical framework can be useful for specifying
and verifying security properties. Here are the main contributions of this
work.
• We have proposed semantic definitions for an operator dedicated to
obligations with deadline in a combination (product) of temporal and
deontic logics. This study showed that the semantic issues are more
complex than expected. The last definition we came up with was satisfying, but the corresponding operator was out of the scope of the
product language, and had a rather complex semantics.
• We have then expressed a generalisation of the propagation of deadline
obligations, which concerns a special temporal disjunction. To the best
of our knowledge, this is the first time this general property has been
studied. We have proposed a (semantically defined) logic which is a
conservative extension of LT L and SDL, such that the propagation
property is satisfied in every state where no ’immediate obligation’ is
true.
• We have exhibited a necessary and sufficient condition on an arbitrary
temporal deontic model (based on an accessibility relation for each
modality) to satisfy the propagation property. This condition showed
that any such temporal deontic model which validates both axiom D
and the propagation property has undesirable properties.
• We have developed a tableaux-like decision procedure and an axiomatization for a fragment of our logic. They are based on a decomposition
of the deontic operator into more primitive operators.
• Using our logic as a security policy specification language, and a Labeled Kripke Structure to model a system, we have defined the notion
of compatibility of a system with respect to a policy. We have proposed
a decision procedure for the compatibility problem where the policy is
specified in a fragment of our logic. A careful analysis showed that
there are more subtle notions involved in the intuition of compliance,
which is a strong version of compatibility. We have then restricted
again the policy language and provided a definition of compliance.
This definition has been refined into five diagnostic cases. We have
then provided an algorithm to establish this diagnostic and thus check
the compliance.
7.2
Future investigations
Many future investigations are envisaged. In section 4.1, we did not consider decidability issues for the product $LTL \times SDL$ enriched with deadline operators. Since decidability of the genuine product is complex to show, we have reasons to think that this open question is non-trivial and needs further study.
Several results are valid only for some restrictions of the temporal deontic
language. A natural path for further investigations is to extend these results
to a more powerful fragment, or even to the whole language. In chapter 5
we developed a decision procedure and an axiomatization for the until-free
fragment of our logic. We plan to further investigate a tableaux method and
an axiomatization for the whole logic.
Concerning the security issues, we have also considered in section 6.3 a fragment of the logic in order to decide the compatibility of a system with respect to a policy. We only allowed propositional formulas in the scope of deontic operators. This restriction made it possible to use traditional techniques of temporal model checking, enriched with a standard deontic decision procedure. We need to investigate how far this approach could be extended if we allow nesting temporal operators inside deontic ones. Another possibility would be to use a temporal deontic decision procedure in order to check the compatibility. Indeed, recall that checking the compatibility of a system with respect to a policy consists in checking, for each trace, the existence of a 'deontic extension' which satisfies the policy. Thus, checking compatibility is somewhere between the satisfiability problem (we need to build a temporal deontic model which satisfies the policy) and the model checking problem (we need to check whether a given model 'satisfies' a given formula, where 'satisfies' means 'is compatible with' in our case).
7.2. FUTURE INVESTIGATIONS
135
In section 6.4, we have restricted again the language in order to define the
notion of compliance, and to check whether a given system complies with
a policy. We have actually refined this concept into five diagnostic cases.
Their definition involved complex notions and was out of the scope of our
temporal deontic semantics. However, the comparison between compliance
and compatibility, studied in section 6.4.2 established a connection with the
semantic point of view adopted in sections 6.2 and 6.3.
A natural extension would be to consider deadline obligations. In fact, we could easily extend our definitions and algorithms so that deadline
obligations are propagated while they are not fulfilled. But then the connection with the semantic point of view would no longer be possible. Indeed,
recall that in our semantics the propagation property only holds in the
states which do not violate any immediate obligation. Moreover, section 4.2.3
showed that when immediate violations occur, problems are inevitable in a
model which interprets temporal and deontic modalities with an accessibility
relation. We thus come to the following question: is it possible to consider a
temporal deontic logic, with a non-classical deontic operator, such that the
propagation property does not conflict with situations of 'immediate violations'?
In this thesis, we have considered neither the entities which issue obligations,
nor those which are subject to them. In some works [128], deontic operators are indexed with the concerned agent: $O_a(\varphi)$ then means that agent
$a$ is obliged to satisfy $\varphi$. Another lead is to follow the idea of temporal logics
of agency [123], such as ATL [10, 11] and STIT logics [20, 71]. These logics
can handle some interactions between agents. In particular, it is possible
to express that a given group of agents can ensure a property. Horty developed in [71] a deontic logic in a STIT framework. It would be interesting to
integrate these aspects in our context of propagation of obligations.
CHAPTER 7. CONCLUSION
Conclusion
Summary
The aim of this thesis was to propose a logical framework for specifying
security policies. We focused on the combination of deontic and temporal
logics. The key interaction we studied is the propagation of unfulfilled
obligations. We studied this interaction for obligations with deadline, as well
as for a more general form of obligation. We then presented how such a
logical framework can be useful for the specification and verification of
security properties. The main contributions of this work are the following.
– We proposed several semantic definitions for an operator dedicated to
obligation with deadline in the context of a product of temporal and
deontic logics. This study showed us that, in order to have satisfactory
properties, the semantics of such an operator must be complex. Our
most satisfactory definition even falls outside the framework of product
logic.
– We then expressed a generalisation of the propagation property, which
concerns a particular temporal disjunction. To our knowledge, this is
the first time this general property has been studied. We proposed a
logic, defined semantically, which is a conservative extension of LTL
and SDL, such that the propagation property is satisfied in every state
in which no immediate obligation holds.
– We exhibited a necessary and sufficient condition on an arbitrary
temporal and deontic model for it to satisfy the propagation property.
This condition shows that any temporal and deontic model which
satisfies both axiom D and the propagation property has undesirable
consequences.
– We developed a decision procedure based on a tableaux method, and
an axiomatisation, for a fragment of our logic. They rely on the
decomposition of the deontic operator into more primitive operators.
– Using our logic to specify a security policy, and a labelled Kripke
structure to model a system, we defined the notion of compatibility
of a system with respect to a policy. We proposed a decision procedure
for the compatibility problem when the policy is specified in a fragment
of our logic. A careful analysis showed that subtle notions are at play
in the intuitive notion of compliance, which is a stronger version of
compatibility. We then restricted the policy specification language
again and proposed a definition of compliance. This definition was
refined into five diagnostic cases. We then provided an algorithm to
establish this diagnosis and thus to check compliance.
Perspectives
Many research directions are envisaged. In section 4.1, we did not study
the decidability of the product of LTL and SDL enriched with the
obligation-with-deadline operator. Given that the decidability of the
product is hard to prove (its complexity is non-elementary), we have
reason to believe that this open question is non-trivial and requires
an in-depth study.
Several of the results we established are only valid for restrictions of
the temporal deontic language. A natural line of research is therefore
to extend these results to a richer fragment, or possibly to the whole
language. In chapter 5, for instance, we developed a decision procedure
and an axiomatisation for the until-free fragment of our logic. We plan
to study both tableaux and an axiomatisation for the whole logic.
Concerning decidability questions, in section 6.3 we considered a
fragment of the logic so as to be able to decide the compatibility of a
system with respect to a policy. We only allowed propositional formulas
in the scope of deontic operators. This restriction made it possible to
use traditional model checking techniques. We need to study how far
this approach could be extended if we allow temporal formulas in the
scope of deontic operators. Another possibility would be to use a
temporal deontic decision procedure to check compatibility. Indeed,
recall that checking the compatibility of a system with respect to a
policy consists in checking that, for each trace, there exists a
'deontic extension' which satisfies the policy. Thus, checking compliance
lies between the satisfiability problem (one has to build a temporal deontic
model which satisfies the policy) and the model checking problem (one has
to check that a given model 'satisfies' a certain formula, where 'satisfies'
means 'is compatible with' in our case).
In section 6.4, we restricted the language again so as to define the notion
of compliance and to check that a system complies with a policy. We
actually refined this concept into five diagnostic cases. Their definition
involved complex notions which fall outside the scope of our temporal
deontic semantics. However, the comparison between compatibility and
compliance, studied in section 6.4.2, established links with the semantic
point of view adopted in sections 6.2 and 6.3.
A natural extension would be to consider obligations with deadline.
In fact, we could easily extend our definitions and algorithms so that
obligations with deadline are propagated as long as they are not fulfilled.
But the link with the semantic point of view would then no longer be
possible. Indeed, recall that in our semantics, propagation is only valid
in the states which do not violate any immediate obligation. Moreover,
section 4.2.3 showed that when an immediate violation occurs, undesirable
consequences are inevitable in a model which interprets temporal and
deontic modalities with accessibility relations. We then arrive at the
following question: is it possible to consider a temporal deontic logic,
equipped with a non-classical deontic operator, such that the propagation
property does not conflict with situations of 'immediate violations'?
In this thesis, we considered neither the entities which issue obligations,
nor those which are subject to them. In some works [128], deontic
operators are indexed by the agents concerned: $O_a(\varphi)$ then means that
agent $a$ is obliged to satisfy $\varphi$. Another lead is to follow the idea of
temporal logics with agents [123], such as ATL [10, 11] or STIT logics
[20, 71]. These logics make it possible to take into account certain
interactions between agents. In particular, it is possible to express that
a certain group of agents can guarantee a property. Horty developed in
[71] a deontic logic in a STIT framework. It would be interesting to
integrate these aspects in our context of propagation of obligations.
A
Proofs of section 4.1.4
A.1
Proofs of property 11
Recall the definition of $O_k$.
Definition 69 (Obligation with deadline).
$$O_k(\varphi) \stackrel{\mathrm{def}}{=} \begin{cases} O(\varphi) & \text{if } k = 0 \\ O(F_k\,\varphi) \wedge \big((\neg\varphi \vee O(\neg\varphi)) \Rightarrow X\,O_{k-1}(\varphi)\big) & \text{otherwise} \end{cases}$$
Property. The monotonicity property with respect to the obligatory formula
holds:
$$\models O_k(\varphi_1 \wedge \varphi_2) \Rightarrow O_k(\varphi_1)$$
Proof. Let $i \in \mathbb{N}$, $w \in W$. Since $O_0$ is $O$, which is monotonic, $i,w \models O_0(\varphi_1 \wedge \varphi_2) \Rightarrow O_0(\varphi_1)$.
Recursion hypothesis on $k$: $\models O_k(\varphi_1 \wedge \varphi_2) \Rightarrow O_k(\varphi_1)$.
Let $i \in \mathbb{N}$, $w \in W$. Suppose that $i,w \models O_{k+1}(\varphi_1 \wedge \varphi_2)$. Then
$$i,w \models O(F_{k+1}(\varphi_1 \wedge \varphi_2)) \wedge \big((\neg\varphi_1 \vee \neg\varphi_2 \vee O(\neg\varphi_1 \vee \neg\varphi_2)) \Rightarrow X\,O_k(\varphi_1 \wedge \varphi_2)\big).$$
Thus $i,w \models O(F_{k+1}\varphi_1)$. Moreover, suppose that $i,w \models \neg\varphi_1 \vee O(\neg\varphi_1)$. We can deduce $i,w \models \neg\varphi_1 \vee \neg\varphi_2 \vee O(\neg\varphi_1 \vee \neg\varphi_2)$, and thus
$i,w \models X\,O_k(\varphi_1 \wedge \varphi_2)$. From the recursion hypothesis we have $i+1,w \models O_k(\varphi_1)$, i.e., $i,w \models X\,O_k(\varphi_1)$. So $i,w \models O_{k+1}(\varphi_1)$.
Property. The 'perfect recall' property holds:
$$\models O_k(X\varphi) \Rightarrow X\,O_k(\varphi)$$
Proof. Let $i \in \mathbb{N}$, $w \in W$. Since the 'perfect recall' property holds for $O$,
$i,w \models O_0(X\varphi) \Rightarrow X\,O_0(\varphi)$.
Recursion hypothesis on $k$: $\models O_k(X\varphi) \Rightarrow X\,O_k(\varphi)$.
Let $i \in \mathbb{N}$, $w \in W$. Suppose that $i,w \models O_{k+1}(X\varphi)$. Since $X$ commutes
with $O$ and $F_k$, and distributes over $\wedge$ and $\vee$,
$$i,w \models X\big(O(F_{k+1}\varphi) \wedge ((\neg\varphi \vee O(\neg\varphi)) \Rightarrow O_k(X\varphi))\big).$$
From the recursion
hypothesis, we deduce that
$$i,w \models X\big(O(F_{k+1}\varphi) \wedge ((\neg\varphi \vee O(\neg\varphi)) \Rightarrow X\,O_k(\varphi))\big),$$
i.e., $i,w \models X\,O_{k+1}(\varphi)$.
A.2
Proofs of property 12
Let us first recall the definition of $O_k$.
$$(i,w) \models O_k(\varphi, k') \text{ iff } (i-k', w) \models O F_{k+k'}\varphi$$
$$\text{and } (i-k', w) \not\models O F_{k+k'-1}\varphi$$
$$\text{and } \forall j \in \mathbb{N},\ \text{if } i-k' \le j < i \text{ then } (j,w) \models \neg\varphi \vee O(\neg\varphi)$$
To prove the properties, we use a recursive definition of the operator $O_k$.
Definition 70 (Recursive definition).
$$(i,w) \models O^r_k(\varphi) \text{ iff } (i,w) \models O F_k\varphi \wedge \neg O F_{k-1}\varphi$$
$$\text{or } (i-1,w) \models O^r_{k+1}\varphi \wedge (O\neg\varphi \vee \neg\varphi)$$
Property. The two definitions $O_k$ and $O^r_k$ are equivalent.
Proof. Let $w \in W$.
Let $k \in \mathbb{N}$ and $\varphi$ a formula; then $(0,w) \models O_k\varphi$ iff $(0,w) \models O^r_k\varphi$, since both
are equivalent to $(0,w) \models O(F_k\varphi) \wedge \neg O(F_{k-1}\varphi)$.
Recursion hypothesis on $i$: for every $k \in \mathbb{N}$ and formula $\varphi$, $(i,w) \models O_k\varphi$
iff $(i,w) \models O^r_k\varphi$.
Suppose that the recursion hypothesis is true for $i$. Let $k \in \mathbb{N}$. Suppose
that $(i+1,w) \models O_k\varphi$. Then there exists $k_0 \in \mathbb{N}$ such that
(1) $(i+1-k_0, w) \models O F_{k+k_0}\varphi$
(2) $(i+1-k_0, w) \not\models O F_{k+k_0-1}\varphi$
(3) $\forall j$ with $i+1-k_0 \le j < i+1$, $(j,w) \models O(\neg\varphi) \vee \neg\varphi$
If $k_0 = 0$ then $(i+1,w) \models O F_k\varphi \wedge \neg O F_{k-1}\varphi$.
If $k_0 \neq 0$, then $(i,w) \models O^r_{k+1}\varphi \wedge (O(\neg\varphi) \vee \neg\varphi)$. Indeed, $(i,w) \models O(\neg\varphi) \vee \neg\varphi$ from (3). And $(i,w) \models O_{k+1}\varphi$, since if $k_0 > 0$ the definition of
$O_{k+1}\varphi$ holds at point $(i,w)$ with $k_0 - 1$ in the role of $k'$. From the recursion
hypothesis, we have $(i,w) \models O^r_{k+1}\varphi$.
Thus, $(i+1,w) \models O^r_k\varphi$.
Suppose now that $(i+1,w) \models O^r_k\varphi$. Then
(1) either $(i+1,w) \models O F_k\varphi \wedge \neg O F_{k-1}\varphi$
(2) or $(i,w) \models O^r_{k+1}\varphi \wedge (O(\neg\varphi) \vee \neg\varphi)$
If (1) then $(i+1,w) \models O_k\varphi$, since the definition of $O_k\varphi$ holds with
$0$ in the role of $k'$.
If (2) then we have $(i,w) \models O^r_{k+1}\varphi$. From the recursion hypothesis, we
deduce $(i,w) \models O_{k+1}\varphi$. (2) also implies $(i,w) \models O(\neg\varphi) \vee \neg\varphi$. So we have
$(i,w) \models O_{k+1}\varphi \wedge (O(\neg\varphi) \vee \neg\varphi)$. From the properties of $O_k$, we deduce
$(i+1,w) \models O_k\varphi$.
Property.
$$\models O_k(X\varphi) \Rightarrow X\,O_k(\varphi)$$
Proof. Let $w \in W$. For all $k \in \mathbb{N}$, $(0,w) \models O_k(X\varphi) \Rightarrow X\,O_k(\varphi)$. Indeed, $(0,w) \models O_k(X\varphi)$ iff $(0,w) \models O F_k X\varphi \wedge \neg O F_{k-1} X\varphi$. Since $X$ commutes with $O$,
with $F_k$ and with $\neg$, we have $(1,w) \models O F_k\varphi \wedge \neg O F_{k-1}\varphi$. It follows that
$(0,w) \models X\,O_k(\varphi)$.
Recursion hypothesis on $i$: for every $k \in \mathbb{N}$ and formula $\varphi$, $(i,w) \models O_k(X\varphi) \Rightarrow X\,O_k(\varphi)$.
Let $k \in \mathbb{N}$. Suppose $(i+1,w) \models O_k(X\varphi)$. Then
(1) either $(i+1,w) \models O F_k X\varphi \wedge \neg O F_{k-1} X\varphi$
(2) or $(i,w) \models O_{k+1}X\varphi \wedge (O(\neg X\varphi) \vee \neg X\varphi)$
If (1) then $(i+1,w) \models X\,O_k(\varphi)$, in the same way as for the case $i = 0$.
If (2), then the recursion hypothesis allows us to deduce $(i,w) \models X\,O_{k+1}(\varphi)$.
Moreover $(i,w) \models O(\neg X\varphi) \vee \neg X\varphi$, hence $(i+1,w) \models O(\neg\varphi) \vee \neg\varphi$. So
$(i+1,w) \models O_{k+1}(\varphi) \wedge (O(\neg\varphi) \vee \neg\varphi)$. From the definition of $O_k$, we have
$(i+2,w) \models O_k(\varphi)$, i.e., $(i+1,w) \models X\,O_k(\varphi)$.
Property.
$$X\,O_k(\varphi) \Rightarrow O_k(X\varphi)$$
Figure A.1 shows a counter-example that invalidates this property (the
first state satisfies $X\,O_1(p) \wedge \neg O_1(Xp)$).
Property (Propagation property).
$$\models O_k(\varphi) \wedge (O(\neg\varphi) \vee \neg\varphi) \Rightarrow X\,O_{k-1}(\varphi)$$
Proof. Let $w \in W$ and $k \in \mathbb{N}$. If $(0,w) \models O_k(\varphi) \wedge (O(\neg\varphi) \vee \neg\varphi)$,
then the definition of $O_{k-1}(\varphi)$ holds at state $(1,w)$. Therefore, $(0,w) \models O_k(\varphi) \wedge (O(\neg\varphi) \vee \neg\varphi) \Rightarrow X\,O_{k-1}(\varphi)$.
Recursion hypothesis on $i$: for every $k \in \mathbb{N}$ and formula $\varphi$, $(i,w) \models (O_k(\varphi) \wedge (O(\neg\varphi) \vee \neg\varphi)) \Rightarrow X\,O_{k-1}(\varphi)$.
Let $k \in \mathbb{N}$. Suppose that $(i+1,w) \models O_k(\varphi) \wedge (O(\neg\varphi) \vee \neg\varphi)$. The definition
of $O_{k-1}(\varphi)$ holds at point $(i+2,w)$. So $(i+1,w) \models X\,O_{k-1}(\varphi)$.
Figure A.1: Counter-example for the 'no learning' property (three states labelled $p$, $p$, $\neg p$, with the annotations $O_2(p)$, $\neg O_1(Xp)$ and $O_1(p)$; the drawing itself is not reproduced here).
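As an added worked example (not code from the thesis), the following Python checker implements the $k'$-based definition of $O_k$ from section A.2 and its recursive form $O^r_k$ (Definition 70) on a small constructed product model with lasso-shaped traces and a serial deontic relation, then checks the equivalence, perfect-recall and propagation properties proved above and exhibits a no-learning counter-example of the same shape as the one in Figure A.1 (the three-world model is constructed here and is not the figure's).

```python
"""Finite-model checker for the deadline obligation O_k of section A.2 (k'-based
definition) and its recursive form O^r_k (Definition 70). Added worked example,
not code from the thesis; the three-world model is constructed here and is not
the model drawn in Figure A.1."""

class Trace:
    """Lasso-shaped valuation sequence (prefix + loop): every instant i >= 0 is defined."""
    def __init__(self, prefix, loop):
        self.prefix, self.loop = prefix, loop
    def at(self, i):
        if i < len(self.prefix):
            return self.prefix[i]
        return self.loop[(i - len(self.prefix)) % len(self.loop)]

class Model:
    """Product model: one trace per world plus a time-independent deontic relation R."""
    def __init__(self, traces, R):
        self.traces, self.R = traces, R

# Formulas are tuples: ('p', a), ('not', f), ('and', f, g), ('or', f, g), ('X', f),
# ('F', k, f) for the bounded eventually F_k, ('O', f), ('Ok', k, f), ('Okr', k, f).
def sat(m, i, w, f):
    op = f[0]
    if op == 'p':
        return f[1] in m.traces[w].at(i)
    if op == 'not':
        return not sat(m, i, w, f[1])
    if op == 'and':
        return sat(m, i, w, f[1]) and sat(m, i, w, f[2])
    if op == 'or':
        return sat(m, i, w, f[1]) or sat(m, i, w, f[2])
    if op == 'X':
        return sat(m, i + 1, w, f[1])
    if op == 'F':  # F_k phi: phi within the next k instants; F_{-1} phi is false
        return any(sat(m, i + j, w, f[2]) for j in range(f[1] + 1))
    if op == 'O':  # SDL obligation: phi in every R-accessible world at the same instant
        return all(sat(m, i, v, f[1]) for v in m.R[w])
    if op == 'Ok':
        return sat_Ok(m, i, w, f[1], f[2])
    if op == 'Okr':
        return sat_Okr(m, i, w, f[1], f[2])
    raise ValueError(op)

def sat_Ok(m, i, w, k, phi):
    """A.2 definition: for some k' <= i the obligation was created at i - k'
    (O F_{k+k'} phi holds there but O F_{k+k'-1} phi does not) and phi was
    violated or still forbidden at every instant since then."""
    for kp in range(i + 1):
        start = i - kp
        created = (sat(m, start, w, ('O', ('F', k + kp, phi)))
                   and not sat(m, start, w, ('O', ('F', k + kp - 1, phi))))
        pending = all(sat(m, j, w, ('or', ('not', phi), ('O', ('not', phi))))
                      for j in range(start, i))
        if created and pending:
            return True
    return False

def sat_Okr(m, i, w, k, phi):
    """Definition 70: created at i, or inherited from O^r_{k+1} at i - 1 while unfulfilled."""
    created = sat(m, i, w, ('and', ('O', ('F', k, phi)), ('not', ('O', ('F', k - 1, phi)))))
    inherited = (i > 0 and sat(m, i - 1, w, ('Okr', k + 1, phi))
                 and sat(m, i - 1, w, ('or', ('O', ('not', phi)), ('not', phi))))
    return created or inherited

def example_model():
    """Constructed model: actual world w, ideal worlds w1 and w2; R is serial."""
    p = {'p'}
    traces = {'w': Trace([set()], [set()]),             # p never holds in w
              'w1': Trace([p, set(), set()], [set()]),  # p only at instant 0
              'w2': Trace([set(), set(), p], [set()])}  # p only at instant 2
    return Model(traces, {'w': {'w1', 'w2'}, 'w1': {'w1'}, 'w2': {'w2'}})

def violations(m, prop, ks=range(0, 4), horizon=6):
    """Points (i, w, k) at which the formula prop(k) fails; an empty list means it holds."""
    return [(i, w, k) for k in ks for w in m.traces for i in range(horizon)
            if not sat(m, i, w, prop(k))]

P = ('p', 'p')
implies = lambda f, g: ('or', ('not', f), g)

def definitions_equivalent(m):  # O_k and O^r_k coincide (property of section A.2)
    both = lambda k: ('and', implies(('Ok', k, P), ('Okr', k, P)),
                      implies(('Okr', k, P), ('Ok', k, P)))
    return violations(m, both) == []

def perfect_recall_holds(m):  # O_k(X p) => X O_k(p)
    return violations(m, lambda k: implies(('Ok', k, ('X', P)), ('X', ('Ok', k, P)))) == []

def propagation_holds(m):  # O_k(p) /\ (O(not p) \/ not p) => X O_{k-1}(p), for k >= 1
    prop = lambda k: implies(('and', ('Ok', k, P), ('or', ('O', ('not', P)), ('not', P))),
                             ('X', ('Ok', k - 1, P)))
    return violations(m, prop, ks=range(1, 4)) == []

def no_learning_counterexample(m):  # X O_1(p) /\ not O_1(X p) at the origin of w
    return sat(m, 0, 'w', ('and', ('X', ('Ok', 1, P)), ('not', ('Ok', 1, ('X', P)))))
```

In the constructed model the deadline obligation $O_2(p)$ is created at the origin of $w$ and is inherited as $O_1(p)$ one instant later, while $O_1(Xp)$ never holds at the origin, which is exactly the failure of 'no learning'.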
Bibliography
[1] M. Abadi and L. Lamport. The existence of refinement mappings.
Theoretical Computer Science, 82(2):253–284, 1991.
[2] A. Abou El Kalam, R. E. Baida, P. Balbiani, S. Benferhat, F. Cuppens,
Y. Deswarte, A. Miège, C. Saurel, and G. Trouessin. Organization
based access control. In IEEE 4th International Workshop on Policies
for Distributed Systems and Networks (Policy 2003), Lake Como, Italy,
June 2003.
[3] B. Alpern and F. B. Schneider. Recognizing safety and liveness. Distributed Computing, 2(3):117–126, 1987.
[4] R. Alur. Techniques for automatic verification of real-time systems.
PhD thesis, Stanford University, 1991.
[5] R. Alur, C. Courcoubetis, and D. Dill. Model-checking for real-time
systems. In Proceedings of the 5th Symposium on Logic in Computer
Science (LICS’90), pages 414–425. IEEE Computer Society Press,
1990.
[6] R. Alur and D. Dill. A theory of timed automata. Theoretical Computer
Science, 126(2):183–235, 1994.
[7] R. Alur, T. Feder, and T. Henzinger. The benefits of relaxing punctuality. Journal of the ACM, 43(1):116–146, 1996.
[8] R. Alur and T. Henzinger. Real-time logics: complexity and expressiveness. In Proceedings of the 5th Symposium on Logic in Computer Science (LICS’90), pages 390–401. IEEE Computer Society Press, 1990.
[9] R. Alur and T. A. Henzinger. A really temporal logic. Journal of the
ACM, 41:181–204, 1994.
[10] R. Alur, T. A. Henzinger, and O. Kupferman. Alternating-time temporal logic. In Proceedings of the 38th Annual Symposium on Foundations
of Computer Science, pages 100–109. IEEE Computer Society Press,
1997.
[11] R. Alur, T. A. Henzinger, and O. Kupferman. Alternating-time temporal logic. Journal of the ACM, 49:672–713, 2002.
[12] L. Aqvist. Some results on dyadic deontic logic and the logic of preference. Synthese, 66:95–110, 1986.
[13] L. Aqvist. Combinations of tense and deontic logic. Journal of Applied
Logic, 3:421–460, 2005.
[14] A. Arnold. Finite transition systems. Prentice-Hall, 1994.
[15] P. Bailhache. The deontic branching time: two related conceptions.
Logique et Analyse, 141-142:159–175, 1993.
[16] P. Bailhache. Canonical models for temporal deontic logic. Logique et
Analyse, pages 3–21, 1995.
[17] P. Balbiani, J. Broersen, and J. Brunel. Decision procedures for a
deontic logic modeling temporal inheritance of obligations. In Proc.
of 5th workshop Methods for Modalities (M4M5), Electronic Notes in
Theoretical Computer Science. Elsevier, November 2007.
[18] P. Balbiani and D. Vakarelov. Iteration-free pdl with intersection: a
complete axiomatization. Fundamenta Informaticae, 45(3):173–194,
2001.
[19] J. Büchi. On a decision method in restricted second-order arithmetic.
In Proc. 1960 Int. Congr. for Logic, Methodology, and Philosophy
of Science, pages 1–11. Stanford University Press, 1962.
[20] N. Belnap and M. Perloff. Seeing to it that: a canonical form for
agentives. Theoria, 54:175–199, 1988.
[21] E. Bertino, B. Catania, E. Ferrari, and P. Perlasca. A Logical Framework for Reasoning about Access Control Models. ACM Transactions
on Information and System Security, 6(1), February 2003.
[22] C. Bettini, S. Jajodia, X. S. Wang, and D. Wijesekera. Obligation
Monitoring in Policy Management. In International Workshop, Policies
for Distributed Systems and Networks (Policy 2002), Monterey CA,
June 5–7 2002.
[23] P. Blackburn, M. de Rijke, and Y. Venema. Modal Logic. Cambridge
University Press, 2001.
[24] P. Bouyer, F. Chevalier, and N. Markey. On the expressiveness of TPTL
and MTL. In R. Ramanujam and S. Sen, editors, 25th Conference on
Foundations of Software Technology and Theoretical Computer Science
(FSTTCS’05), volume 3821 of Lecture Notes in Computer Science,
pages 432–443, 2005.
[25] P. Bouyer and A. Petit. Decomposition and composition of timed automata. In J. Wiedermann, P. van Emde Boas, and M. Nielsen, editors,
Proceedings of the 26th International Colloquium on Automata, Languages and Programming (ICALP’99), volume 1644 of Lecture Notes
in Computer Science, pages 210–219, Prague, Czech Republic, July
1999. Springer.
[26] M. Bratman. Intention, plans, and practical reason. Harvard University Press, Cambridge, Massachusetts, 1987.
[27] J. Broersen. Strategic deontic temporal logic as a reduction to ATL,
with an application to Chisholm’s scenario. In L. Goble and J.-J. C.
Meyer, editors, Proc. of 8th International Workshop on Deontic Logic
in Computer Science (DEON’06), volume 4048 of Lecture Notes in
Computer Science, pages 53–68. Springer, 2006.
[28] J. Broersen and J. Brunel. Preservation of obligations in a temporal
and deontic framework. In E. H. Durfee and M. Yokoo, editors, Proc.
of 6th International Joint Conference on Autonomous Agents & Multi
Agent Systems (AAMAS-07), Honolulu, Hawaii, USA, pages 1108–
1110, http://www.acm.org/, 2007. ACM Press. short paper.
[29] J. Broersen and J. Brunel. ‘What I fail to do today, I have to do tomorrow’: a logical study of the propagation of obligations. In F. Sadri
and K. Satoh, editors, Proceedings of the 8th Workshop on Computational Logic in Multi-Agent Systems (CLIMA-VIII), Porto, Portugal,
September 2007.
[30] J. Broersen, F. Dignum, V. Dignum, and J.-J. C. Meyer. Designing a
deontic logic of deadlines. In 7th International Workshop on Deontic
Logic in Computer Science (DEON’04), Madeira, Portugal, 26-28 May
2004.
[31] J. Brunel. Deontic logic for the specification of availability policies. In
6th school on Modeling and Verifying Parallel Processes (MOVEP’04),
pages 40–45, 2004. students’ paper.
[32] J. Brunel, J.-P. Bodeveix, and M. Filali. A state/event temporal deontic logic. In L. Goble and J.-J. C. Meyer, editors, Proc. of 8th International Workshop on Deontic Logic in Computer Science (DEON’06),
volume 4048 of Lecture Notes in Computer Science, pages 85–100.
Springer, 2006.
[33] J. Brunel, F. Cuppens, N. Cuppens-Boulahia, T. Sans, and J.-P. Bodeveix. Security Policy Compliance with Violation Management. In Proc.
of the 5th ACM Workshop on Formal Methods in Security Engineering:
From Specifications to Code, Washington, USA, pages 31–40. ACM
Press, November 2007.
[34] A. Chagrov and M. Zakharyaschev. Modal Logic, volume 35 of Oxford
Logic Guides. Clarendon Press, 1997.
[35] S. Chaki, E. Clarke, O. Grumberg, J. Ouaknine, N. Sharygina,
T. Touili, and H. Veith. State/event software verification for branching-time specifications. In Fifth International Conference on Integrated
Formal Methods (IFM 05), volume 3771 of Lecture Notes in Computer
Science, pages 53–69, 2005.
[36] S. Chaki, E. M. Clarke, J. Ouaknine, N. Sharygina, and N. Sinha.
State/event-based software model checking. In E. A. Boiten, J. Derrick,
and G. Smith, editors, Proceedings of the 4th International Conference
on Integrated Formal Methods (IFM ’04), volume 2999 of Lecture Notes
in Computer Science, pages 128–147. Springer-Verlag, April 2004.
[37] R. M. Chisholm. Contrary-to-duty imperatives and deontic logic.
Analysis, 24(2):33–36, December 1963.
[38] E. Clarke and E. Emerson. Design and synthesis of synchronization
skeletons using branching-time temporal logic. In Proceedings of the
3rd Workshop of Logic of Programs (LOP’81), volume 131 of Lecture
Notes in Computer Science, pages 52–71, 1981.
[39] E. Clarke, O. Grumberg, and D. Peled. Model Checking. MIT Press,
1999.
[40] E. M. Clarke, E. A. Emerson, and A. P. Sistla. Automatic verification
of finite-state concurrent systems using temporal logic specifications.
ACM Transactions on Programming Languages and Systems, 8(2):244–
263, 1986.
[41] F. Cuppens, N. Cuppens-Boulahia, and T. Sans. Nomad: a security
model with non atomic actions and deadlines. In Proceedings of the
18th IEEE Computer Security Foundations Workshop, pages 186–196,
June 2005.
[42] F. Cuppens and A. Miège. Modelling Contexts in the Or-BAC Model.
In 19th Annual Computer Security Applications Conference (ACSAC
’03), 2003.
[43] R. Demolombe, P. Bretier, and V. Louis. Formalisation de l’obligation
de faire avec délais. In Proc. Journées Francophones sur la modélisation
Formelle de l’Interaction (MFI’05), Caen, 2005.
[44] S. Demri. Linear-time temporal logics with Presburger constraints:
An overview. Journal of Applied Non-Classical Logics, 16(3-4):311–
347, 2006.
[45] S. Demri, R. Lazić, and D. Nowak. On the freeze quantifier in constraint LTL: Decidability and complexity. Information and Computation, 205(1):2–24, 2007.
[46] F. Dignum and R. Kuiper. Obligations and dense time for specifying
deadlines. In Thirty-First Annual Hawaii International Conference on
System Sciences (HICSS)-Volume 5, pages 186–195, 1998.
[47] C. Dixon, M.-C. F. Gago, M. Fisher, and W. v. d. Hoek. Temporal
logics of knowledge and their applications in security. Electronic Notes
in Theoretical Computer Science, 186:27–42, 2007.
[48] J. A. V. Eck. A System of Temporally Relative Modal and Deontic
Predicate Logic and its Philosophical Applications. PhD thesis, Department of Philosophy, University Groningen, 1981.
[49] J. A. V. Eck. A system of temporally relative modal and deontic
predicate logic and its philosophical applications. Logique et Analyse,
99 and 100:249–290 and 339–381, 1982.
[50] E. Emerson and J. Halpern. "sometimes" and "not never" revisited:
On branching versus linear time temporal logic. Journal of the ACM,
33(1):151–178, January 1986.
[51] E. A. Emerson and J. Y. Halpern. Decision procedure and expressiveness in the temporal logic of branching time. Journal of Computer and
System Sciences, 30(1):1–24, 1985.
[52] E. A. Emerson and A. Sistla. Deciding full branching time logic. Information and Control, 61:175–201, 1984.
[53] R. Fagin, J. Halpern, Y. Moses, and M. Vardi. Reasoning about Knowledge. The MIT Press, 1995.
[54] L. Fariñas del Cerro and O. Gasquet. Tableaux based decision procedures for modal logics of confluence and density. Fundamenta Informaticae, 4:317–333, 1999.
[55] M. Fitting. Proof Methods for Modal and Intuitionistic Logics, volume
169 of Synthese library. D. Reidel Publishing Company, 1983.
[56] D. Gabbay. Theoretical foundations for non-monotonic reasoning in
expert systems. In K. Apt, editor, Logics and models of concurrent
systems, volume 13, pages 439–457. Springer-Verlag, 1989.
[57] D. Gabbay, A. Kurucz, F. Wolter, and M. Zakharyaschev. Many-Dimensional Modal Logics: Theory and Applications, volume 148 of
Studies in Logic and the Foundations of Mathematics. Elsevier, 2003.
[58] D. Gabbay, A. Pnueli, S. Shelah, and J. Stavi. On the temporal analysis
of fairness. In Conference record of the 7th ACM Symposium on Principles of Programming Languages (POPL’80), pages 163–173. ACM
Press, 1980.
[59] D. M. Gabbay, I. Hodkinson, and M. Reynolds. Temporal logic (vol.
1): mathematical foundations and computational aspects. Oxford University Press, Inc., New York, NY, USA, 1994.
[60] P. Gastin and D. Oddoux. Fast LTL to Büchi automata translation.
In G. Berry, H. Comon, and A. Finkel, editors, Proceedings of the 13th
Conference on Computer Aided Verification (CAV’01), number 2102
in Lecture Notes in Computer Science, pages 53–65. Springer Verlag,
2001.
[61] R. Gerth, D. Peled, M. Y. Vardi, and P. Wolper. Simple on-the-fly
automatic verification of linear temporal logic. In Protocol Specification
Testing and Verification, pages 3–18, Warsaw, Poland, 1995. Chapman
& Hall.
[62] B. Hansson. An analysis of some deontic logics. Deontic Logic: Introductory and Systematic Readings, pages 121–147, 1971.
[63] D. Harel, D. Kozen, and J. Tiuryn. Dynamic logic. In D. Gabbay
and F. Guenthner, editors, Handbook of Philosophical Logic Volume II
— Extensions of Classical Logic, pages 497–604. D. Reidel Publishing
Company: Dordrecht, The Netherlands, 1984.
[64] M. A. Harrison, W. L. Ruzzo, and J. D. Ullman. Protection in operating
systems. Communications of the ACM, 19(8):461–471,
1976.
[65] J. G. Henriksen and P. S. Thiagarajan. Dynamic linear time temporal
logic. Annals of Pure and Applied Logic, 96(1-3):187–207, 1999.
[66] T. A. Henzinger, Z. Manna, and A. Pnueli. What good are digital
clocks? In 9th International Colloquium on Automata, Languages and
Programming (ICALP’92), volume 623 of Lecture Notes in Computer
Science, pages 545–558, 1992.
[67] G. Huet, G. Kahn, and C. Paulin-Mohring. The Coq proof assistant,
a tutorial. Technical report, INRIA Rocquencourt and CNRS-ENS
Lyon, 1999.
[68] R. Hilpinen, editor. New Studies in Deontic Logic, volume 152 of
Synthese Library. D. Reidel publishing company, 1981.
[69] J. Hintikka. The modes of modality. Acta Philosophica Fennica, 16:65–
82, 1963.
[70] G. Holzmann. The model checker SPIN. IEEE Transactions on Software Engineering, 23(5):279–295, 1997.
[71] J. Horty. Agency and Deontic Logic. Oxford University Press, 2001.
[72] J. Horty. Nonmonotonic logic. In L. Goble, editor, The Blackwell
Guide to Philosophical Logic. Blackwell Publishing, 2001.
[73] S. Jajodia, P. Samarati, and V. S. Subrahmanian. A Logical Language
for Expressing Authorizations. In IEEE Symposium on Security and
Privacy, Oakland, CA, May 1997.
[74] H. W. Kamp. Tense Logic and the Theory of Linear Order. PhD thesis,
UCLA, Los Angeles, California, USA, 1968.
[75] R. Koymans. Specifying real-time properties with metric temporal
logic. Real-Time Systems, 2(4):255–299, 1990.
[76] M. Kracht and F. Wolter. Properties of independently axiomatizable
bimodal logics. Journal of Symbolic Logic, 56:1469–1485, 1991.
[77] S. Kripke. Semantical analysis of modal logic I: Normal modal propositional calculi. Zeitschrift für Mathematische Logik und Grundlagen
der Mathematik, 9:67–96, 1963.
[78] S. Kripke. Semantical considerations on modal logic. Acta Philosophica
Fennica, 16:83–94, 1963.
[79] O. Kupferman and A. Pnueli. Once and for all. In Proceedings of
the 10th Symposium on Logic in Computer Science (LICS’95), pages
25–35, San Diego, June 1995.
[80] A. Kurucz. Combining modal logics. In J. van Benthem, P. Blackburn,
and F. Wolter, editors, Handbook of Modal Logic, volume 3 of Studies
in Logic and Practical Reasoning, pages 869–924. Elsevier, 2006.
[81] R. E. Ladner. The computational complexity of provability in systems
of modal propositional logic. SIAM Journal on Computing, 6(3):467–
480, 1977.
[82] L. Lamport. Proving the correctness of multiprocess programs. IEEE
Transactions on Software Engineering, SE-3(2):125–143, 1977.
[83] F. Laroussinie, N. Markey, and P. Schnoebelen. Temporal logic with
forgettable past. In Proceedings of the 17th Symposium on Logic in
Computer Science (LICS’02), pages 383–392. IEEE Comp. Soc. Press,
2002.
[84] F. Laroussinie and P. Schnoebelen. Specification in CTL+past for
verification in CTL. Information and Computation, 156(1-2):236–263,
2000.
[85] O. Lichtenstein and A. Pnueli. Propositional temporal logics: decidability and completeness. Logic Journal of the IGPL, 8(1):55–85, 2000.
[86] O. Lichtenstein, A. Pnueli, and L. Zuck. The glory of the past. In
G. Goos and J. Hartmanis, editors, Lecture Notes in Computer Science,
volume 193, pages 196–218. Springer-Verlag, 1985. conf. Logics of
Programs.
[87] J. Ligatti, L. Bauer, and D. Walker. Edit automata: enforcement
mechanisms for run-time security policies. International Journal of
Information Security, 4(1):2–16, 2004.
[88] A. Lomuscio and M. Sergot. Deontic interpreted systems. Studia Logica,
75(1):63–92, 2003.
[89] A. Lomuscio and M. Sergot. A formalisation of violation, error recovery, and enforcement in the bit transmission problem. Journal of
Applied Logic, 2(93):93–116, 2004.
[90] E. Mally. Grundgesetze des sollens: Elemente der logik des willens.
Graz: Leuschner und Lubensky, Universitäts-Buchhandlung, 1926.
[91] Z. Manna and A. Pnueli. The anchored version of the temporal framework. In J. de Bakker, W. de Roever, and G. Rozenberg, editors, Logics
and Models for Concurrency, volume 354 of Lecture Notes in Computer
Science, pages 201–284. Springer-Verlag, 1989.
[92] F. Massacci. Single step tableaux for modal logics. Journal of Automated Reasoning, 24:319–364, 2000.
[93] L. McCarthy. Defeasible deontic reasoning. Fundamenta Informaticae,
21:125–148, 1994.
[94] P. McDaniel. On Context in Authorization Policy. In Proceedings of
the 8th ACM Symposium On Access Control Models and Technologies
(SACMAT 2003), Como, Italy, June 2003.
[95] J.-J. C. Meyer, R. Wieringa, and F. Dignum. The role of deontic logic
in the specification of information systems. In Logics for Databases
and Information Systems, pages 71–115, 1998.
[96] J.-F. Monin. Comprendre les Méthodes formelles, panorama et outils
logiques. CTST. Masson, 1996. Préface de G. Huet.
[97] J.-F. Monin. Introduction aux méthodes formelles. CTST. Hermès,
2000. Edition revue et augmentée de [96].
[98] J.-F. Monin. Understanding Formal Methods. Springer Verlag, 2002.
Translation of [97], updated. Translation editor M. Hinchey.
[99] J. Park and R. Sandhu. The UCON-ABC Usage Control Model. ACM
Transactions on Information and System Security, 7(1):128–174, 2004.
[100] C. Paulin-Mohring. Extraction de programmes dans le calcul des constructions. PhD thesis, Université de Paris VII, 1989.
[101] A. Pnueli. The temporal semantics of concurrent programs. Theoretical
Computer Science, 13:45–60, 1981.
[102] A. Pnueli and Y. Kesten. A deductive proof system for CTL*. In CONCUR 2002, volume 2421 of Lecture Notes in Computer Science, pages
24–40, 2002.
[103] H. Prakken and M. Sergot. Contrary-to-Duty Imperatives, Defeasibility and Violability. In A. J. I. Jones and M. Sergot, editors, Second International Workshop on Deontic Logic in Computer Science
(DEON’94), Oslo, Norway, 1994.
[104] H. Prakken and M. Sergot. Dyadic deontic logic and contrary-to-duty
obligations. In D. Nute, editor, Defeasible Deontic Logic, pages 223–
262. Kluwer, 1997.
[105] H. Prakken and G. Vreeswijk. Logics for defeasible argumentation.
In D. Gabbay and F. Guenthner, editors, Handbook of Philosophical
Logic, pages 218–319. Kluwer Academic Publishers, 2002.
[106] A. N. Prior. Time and Modality. Clarendon Press, 1957.
[107] A. N. Prior. Past, Present, and Future. Clarendon Press, 1967.
[108] J.-P. Queille and J. Sifakis. Specification and verification of concurrent
systems in CESAR. In Proceedings of the 5th International Symposium
on Programming (SOP’82), volume 137 of Lecture Notes in Computer
Science, pages 337–351, 1982.
[109] M. Reynolds. An axiomatization of full computation tree logic. Journal
of Symbolic Logic, 66(3):1011–1057, 2001.
[110] M. Reynolds. An axiomatization of PCTL*. Information and Computation, 201(1):72–119, 2005.
[111] A. Ross. Imperatives and logic. Theoria, 7:53–71, 1941.
[112] Y. Ryu and R. Lee. Defeasible deontic reasoning: a logic programming
model. In Proc. of the First International Workshop on Deontic Logic
in Computer Science, pages 347–363, 1991.
[113] S. Safra. On the complexity of ω-automata. In Proc. of 29th IEEE
Symposium on Foundations of Computer Science, pages 319–327, 1988.
[114] H. Sahlqvist. Completeness and correspondence in the first and second
order semantics for modal logic. In S. Kanger, editor, Proc. Third
Scand. Logic Symp, pages 110–143. North-Holland publishing company,
1975.
[115] R. Sandhu, E. J. Coyne, H. L. Feinstein, and C. Youma. Role-based
access control models. In IEEE Computer, volume 29, pages 38–47,
1996.
[116] F. B. Schneider. Enforceable security policies. Information and System
Security, 3(1):30–50, 2000.
[117] K. Segerberg. Two-dimensional modal logics. Journal of Philosophical
Logic, 2:77–96, 1973.
[118] A. P. Sistla and E. Clarke. The complexity of propositional linear
temporal logics. Journal of the Association for Computing Machinery,
pages 733–749, 1985.
[119] A. P. Sitla. Safety, liveness, and fairness in temporal logic. Formal
Aspects in Computing, 6:495–511, 1994.
[120] C. Stirling. Comparing linear and branching time temporal logics. In
B. Banieqbal, H. Barringer, and A. Pnueli, editors, Temporal Logic in
Specification, Altrincham, UK, April 8-10, 1987, Proceedings, volume
398 of Lecture Notes in Computer Science, pages 1–20. Springer, 1989.
BIBLIOGRAPHY
155
[121] M. Strembeck and G. Neumann. An Integrated Approach to Engineer and Enforce Context Constraints in RBAC Environements. ACM
Transactions on Information and System Security, 7(3):392–427, 2004.
[122] W. Thomas. Languages, automata, and logic. In G. Rozenberg and
A. Salomaa, editors, Handbook of Formal Languages, volume 3, pages
389–455. Springer, 1997.
[123] N. Troquard. Independent agents in branching time. PhD thesis, Université de Toulouse, Università degli studi di Trento„ 2007.
[124] D. Vakarelov. Modal rules for intersection. In Abstract of the 10th international congress of Logic, Methodology, and Philosophy of Science,
Florence, Italy, 1995.
[125] J. van Benthem. Correspondence theory. In D. Gabbay and F. Guenthner, editors, Handbook of Philosophical Logic, vol. II. reidel, 1984.
[126] J. van Benthem and P. Blackburn. Modal logic: A semantic perspective. In J. van Benthem, P. Blackburn, and F. Wolter, editors,
Handbook of Modal Logic, volume 3 of Studies in Logic and Practical
Reasoning. Elsevier, 2007.
[127] L. van der Torre. Contextual deontic logic: Normative agents, violations and independence. Annals of Mathematics and Artificial Intelligence, Special issue on Computational Logic in Multi-Agent Systems,
37:33–63, 2003.
[128] L. van der Torre, J. Hulstijn, M. Dastani, and J. Broersen. Specifying
multiagent organizations. In Seventh International Workshop on Deontic Logic in Computer Science (DEON’04), volume 3065 of Lecture
Notes in Computer Science, pages 243–257, 2004.
[129] L. van der Torre and Y. Tan. The temporal analysis of chisholm’s
paradox. In Proceedings of 15th National Conference on Artificial Intelligence (AAAI’98), pages 650–655, 1998.
[130] L. van der Torre and Y. Tan. Contrary-to-duty reasoning with
preference-based dyadic obligations. Annals of Mathematics and Artificial Intelligence, 27:49–78, 1999.
[131] H. van Ditmarsch, W. van der Hoek, and B. Kooi. Dynamic Epistemic
Logic, volume 337 of Synthese Library. Springer, 2007.
[132] M. Y. Vardi. The büchi complementation saga. In 24th Annual Symposium on Theoretical Aspects of Computer Science, volume 4393 of
Lecture Notes in Computer Science, pages 12–22, 2007.
156
BIBLIOGRAPHY
[133] M. Y. Vardi and P. Wolper. Reasoning about infinite computations.
Information and Computation, 115(1):1–37, 1994.
[134] F. Wolter. Fusions of modal logics revisited. In M. Kracht, M. de Rijke,
H. Wansing, and M. Zakharyaschev, editors, Advances in Modal Logic,
volume 1, pages 361–379. CSLI Publications, Stanford, CA, 1998.
[135] F. Wolter and M. Zakharyaschev. Satisifiability problem in description
logics with modal operators. In A. Cohn, L. Schubert, and S. Shapiro,
editors, 6th Conference on Principles of Knowledge Representation and
Reasoning (KR’98), pages 512–523, 1998.
[136] G. H. V. Wright. Deontic logic. Mind, 1951.
Combining temporal and deontic logics for the specification of security policies
Thesis defended on 12 December 2007 by Julien Brunel
KEYWORDS: temporal logic, deontic logic, security policy
SUMMARY:
To formally specify a security policy, it is natural to reason on the one hand about the notion of time, and on the other hand about the notions of obligation, permission, and prohibition. Indeed, one has to express, for instance, the right to access a resource for a certain duration, the obligation to release it before a given instant, or the obligation that a certain task not be executed for too long a period. Temporal and deontic logics appear to be suitable tools for specifying such notions. In this thesis, we study how to combine such logics.
We first study the product of linear temporal logic with standard deontic logic, and define an obligation with deadline in this context. The obligation with deadline must in particular satisfy a property that we call propagation: as long as it is not fulfilled and the deadline is not reached, it propagates to the next instant. We then propose a semantics that validates a more general propagation property, and define an axiomatics and a decision procedure for the fragment of the language that does not contain the temporal operator 'until'.
Finally, we turn to the notion of compliance of a system with respect to a security policy specified in such a language. The first definition we propose is a weak version of compliance that we call compatibility. We then restrict the language in order to define a stronger version of compliance, and propose an algorithm to check the compliance of a system with respect to a policy.
ABSTRACT:
In order to formally specify a security policy, it is natural to reason about time on the one hand, and about obligations, permissions, and prohibitions on the other. Indeed, we have to express, for instance, the permission to access a resource for a certain period, the obligation to release a resource before a deadline, or the prohibition to execute a task for too long a period. Temporal and deontic logics seem well suited to specifying such concepts. In this thesis, we study how to combine these logics.
Firstly, we study the product of linear temporal logic and standard deontic logic, and define obligation with deadline in this context. It has to satisfy a property called the propagation property: while it is not fulfilled, it is propagated to the next instant. We then propose a more general propagation property, and a semantics that validates it. For the until-free fragment of our logic, we define an axiomatics and a tableaux-like decision procedure.
Lastly, we investigate the notion of compliance of a system with respect to a policy specified in such a language. The first definition we come up with is a weak version of compliance called compatibility. For a new fragment of our logic, we adapt the Büchi-automaton approach of Vardi and Wolper to decide whether a system is compliant with a policy. We then restrict the language further so that we can define a stronger version of compliance. In fact, a careful analysis shows that the notion of compliance must be refined into 5 different diagnostic cases, which give 'levels of compliance'. We provide an algorithm to establish this diagnosis.
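As an added illustration of the propagation property and of violation detection described in both abstracts (this is example code written for this page, not the thesis's semantics, its axiomatics, or its Büchi-based compliance procedure), the following Python model runs a finite linear trace against a small policy of obligations with deadline. The names `Obligation`, `step`, `monitor`, the `(trigger, prop, deadline)` rule shape and the sample traces are all assumptions of this example; the reading of "deadline" as the number of instants left, including the current one, is likewise ours.

```python
"""Obligation with deadline over a finite linear trace (constructed example).

A trace is a list of instants; each instant is the set of atomic propositions
true there. An obligation O(p, d) issued at instant i is read here as "p must
hold at some instant in i..i+d". It is discharged as soon as p holds; while it
is unfulfilled and the deadline is not reached it is propagated to the next
instant with d-1 (the propagation property); it is violated if d reaches 0
without p holding.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obligation:
    prop: str       # proposition whose truth fulfils the obligation
    deadline: int   # instants left, including the current one (0 = now or never)


def step(active, state):
    """One instant of propagation.

    Returns (propagated, violated): obligations carried to the next instant
    with their deadline decremented, and obligations whose deadline expired
    while unfulfilled. Fulfilled obligations are simply dropped.
    """
    propagated, violated = [], []
    for ob in active:
        if ob.prop in state:
            continue                     # fulfilled at this instant
        if ob.deadline == 0:
            violated.append(ob)          # deadline reached, not fulfilled
        else:
            propagated.append(Obligation(ob.prop, ob.deadline - 1))
    return propagated, violated


def monitor(policy, trace):
    """Run a trace against a policy of (trigger, prop, deadline) rules.

    Whenever `trigger` holds at instant i, the rule issues Obligation(prop,
    deadline) at i. Returns (violations, pending): violations maps an instant
    to the obligations violated there; pending lists obligations still open
    when the finite trace ends (neither fulfilled nor violated, a case a
    finite-trace monitor must report separately rather than as a violation).
    """
    active, violations = [], {}
    for i, state in enumerate(trace):
        issued = [Obligation(prop, d) for trig, prop, d in policy if trig in state]
        active, violated = step(active + issued, state)
        if violated:
            violations[i] = violated
    return violations, active


# Constructed policy: an acquired resource must be released within 3 instants.
POLICY = [("acquire", "release", 3)]

TRACE_OK = [{"acquire"}, set(), set(), {"release"}]          # released exactly at the deadline
TRACE_LATE = [{"acquire"}, set(), set(), set(), {"release"}]  # released one instant too late
TRACE_OPEN = [set(), {"acquire"}]                             # trace ends, obligation still pending

if __name__ == "__main__":
    for name, trace in [("ok", TRACE_OK), ("late", TRACE_LATE), ("open", TRACE_OPEN)]:
        violations, pending = monitor(POLICY, trace)
        print(name, "violations:", violations, "pending:", pending)
```

The `pending` result is the practical caveat of monitoring over finite traces: an obligation whose deadline has not yet passed when the trace ends is neither fulfilled nor violated, and reporting it as a violation would produce false positives, which is why the thesis's compliance notion is defined over the infinite behaviours of a system rather than over a single finite prefix.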