Combinaison des logiques temporelle et déontique pour la spécification de politiques de sécurité

École doctorale Mathématiques, Informatique, et Télécomunications de Toulouse

Institut de Recherche en Informatique de Toulouse

THÈSE

en vue de l’obtention du

DOCTORAT DE L’UNIVERSITÉ DE TOULOUSE délivré par l’université Toulouse III - Paul Sabatier

Discipline : Informatique

Combinaison des logiques temporelle et

déontique pour la spécification de

politiques de sécurité

Julien Brunel

soutenue le 12 décembre 2007 devant le jury composé de Philippe Balbiani examinateur Jean-Paul Bodeveix directeur de thèse Jan Broersen examinateur Frédéric Cuppens examinateur Stéphane Demri rapporteur

Mamoun Filali Amine co-directeur de thèse Sergei Soloviev examinateur

Combining temporal and deontic logics for the specification of security policies

Julien Brunel

supervisors: Jean-Paul Bodeveix, Mamoun Filali Amine Abstract

In order to formally specify a security policy, it is natural to reason about time on the one hand, and obligations, permissions, and prohibitions on the other hand. Indeed, we have to express for instance the permission to access a resource for a certain period, the obligation to release a resource before a deadline, or the prohibition to execute a task for a too long period. Temporal and deontic logics seem well suited to specify such concepts. In this thesis, we study how to combine these logics.

Firstly, we study the product of linear temporal logic and standard de-ontic logic, and define obligation with deadline in this context. It has to satisfy a property called propagation property: while it is not fulfilled, it is propagated to the next instant. We then propose a more general propagation property, and propose a semantics to validate it. For the until-free fragment of our logic, we define an axiomatics and a tableaux-like decision procedure. Lastly, we investigate the notion of compliance of a system with respect to a policy specified in such a language. The first definition we come up with is a weak version of compliance called compatibility. For a new fragment of our logic, we adapt the Büchi approach of Vardi and Wolper to decide whether a system is compliant with a policy. We then restrict again the language so that we can define a stronger version of compliance. Actually, a careful analysis shows the necessity to refine the notion of compliance into five different diagnostic cases which give ’levels of compliance’. We provide an algorithm to establish this diagnostic.

Combinaison des logiques temporelle et déontique pour la spécification de politiques de sécurité

Julien Brunel

directeurs de thèse : Jean-Paul Bodeveix, Mamoun Filali Amine Résumé

Pour spécifier formellement une politique de sécurité, il est naturel de rai-sonner d’une part sur la notion de temps, et d’autre part sur les notions d’obligation, de permission, et d’interdiction. En effet, il s’agit d’exprimer par exemple le droit d’accès à une ressource pendant une certaine durée, l’obligation de la libérer avant un instant donné, ou encore l’obligation qu’une certaine tâche ne soit pas exécutée pendant un temps trop important. Les logiques temporelle et déontique apparaissent comme des outils adéquats pour spécifier de telles notions. Dans cette thèse, nous étudions comment combiner de telles logiques.

Nous étudions dans un premier temps le produit de la logique temporelle linéaire avec la logique déontique standard, et définissons une obligation avec délai dans ce contexte. L’obligation avec délai doit notamment satisfaire une propriété que l’on nomme propagation : tant qu’elle n’est pas remplie et que le délai n’est pas atteint, elle se propage à l’instant suivant. Nous proposons ensuite une sémantique qui valide une propriété de propagation plus générale, puis définissons une axiomatique et une procédure de décision pour fragment du langage qui ne contient pas l’opérateur temporel ’until’.

Nous nous intéressons enfin à la notion de conformité d’un système vis à vis d’une politique de sécurité spécifiée dans un tel langage. La première définition que nous proposons est une version faible de la conformité que l’on nomme compatibilité. Nous restreignons ensuite le langage afin définir une version plus forte de la conformité, et proposons un algorithme pour vérifier la conformité d’un système vis à vis d’une politique.

Remerciements

Une première étape se termine aujourd’hui. Je saisis l’occasion de remer-cier ceux qui ont contribué, d’une manière ou d’une autre, à mon travail durant ces trois années et demie. Tout d’abord, je tiens à remercier très chaleureusement mes directeurs de thèse Jean-Paul Bodeveix et Mamoun Filali Amine, qui m’ont donné l’opportunité de faire cette thèse, pour leur soutien permanent et leurs conseils. Je me souviens du stage, durant l’été 2002, pendant lequel ils m’ont initié à la recherche et transmis leur passion pour les méthodes formelles. Leur enthousiasme et leur complémentarité ont constitué un grand atout pour ma thèse, et travailler avec eux a été un grand plaisir.

Je voudrais ensuite remercier Stéphane Demri et Wiebe van der Hoek, pour l’intérêt qu’ils ont apporté à mon travail en acceptant d’être rappor-teurs de cette thèse. Leurs corrections, remarques, et questions, m’ont permis d’améliorer ce mémoire et m’ont donné des perspectives très intéressantes.

Merci à Jan Broersen qui a accepté de m’accueillir à Utrecht, en février 2006, avant même de me connaître ! L’accueil fut très chaleureux, et le sé-jour très agréable. J’y ai appris beaucoup sur les logiques déontiques, et les logiques d’action. La collaboration qui a suivi a été un excellent stimulant jusqu’à la fin de ma thèse, et la logique proposée en est le fruit.

Merci à Philippe Balbiani, pour les nombreuses discussions, pour ses conseils aussi bien sur des aspects scientifiques pointus que sur le déroulement de ma thèse. J’ai beaucoup apprécié sa disponibilité. Sa connaissance des logiques modales m’a apporté beaucoup.

Merci également à Frédéric Cuppens et Nora Cuppens-Boulahia. Grâce à leur enthousiasme, la collaboration entamée dans le cadre du projet DISPO a pu se poursuivre lors de plusieurs séjours à Rennes, où nous avons pu discuter

longuement des obligations et des violations dans une politique de sécurité. Je voudrais également remercier Sergei Soloviev pour le regard extérieur qu’il a porté sur mon travail, et pour avoir accepté de présider le jury. Je remer-cie Philippe Balbiani, Jan Broersen, Frédéric Cuppens, Stéphane Demri, et Wiebe van der Hoek, pour leurs questions et commentaires stimulants lors de la soutenance.

Je remercie toutes les personnes que j’ai côtoyées à l’IRIT (chercheurs, secrétaires, enseignants, et techniciens) qui ont contribué à un environnement agréable. Merci en particulier à ceux qui ont partagé mon bureau (Abbassia, Jean-François, Lei, et Marjorie) avec qui j’ai passé de bons moments.

Je pense aussi à ma famille, que j’étais très heureux de retrouver pendant la semaine de ma soutenance. À mon père, qui a traversé l’océan Indien pour y assister ! À ma mère, qui a fait preuve d’un sang froid à toute épreuve pour la gestion de mon pot de thèse ! Je leur dois beaucoup.

À ma grand-mère, Mamette, qui a apporté un peu de notre île de beauté avec elle. À Vanina et Yann, sans qui j’aurais sûrement renoncé à la par-tie4.2.3 (quel dommage ça aurait été !). Et bien sûr à Benjamin, mon petit frère, qui est malheureusement déjà plus grand que moi.

À tous les toulousains qui ont contribué aux conditions agréables dans lesquelles j’ai effectué cette thèse, à travers les soirées, repas, discussions, élaborations de théories-minute, etc. : Mehdi, Camille, Jérôme, Matthieu, Simon, Thierry, Chloé, Raphaël, Serge, Élodie, Vincent, Juliette, Nicolas, Arnaud, Marie, David et Marie. Je pense aussi à ceux qui me supportent depuis bien plus longtemps : Thierry, Rémi, Viviane, Rémy, Nico, Gilles, Sonia, Candice, Ben, . . .

À Anne-Laure, qui m’a subi pendant la période d’autisme/rédaction, et qui a su m’apporter toute sa douceur. Je lui dédie cette thèse.

Acknowledgments

I would like to use this page as an opportunity to thank the people who have played a role, in a way or another, in my work during these three years and a half.

First of all, I would like to thank my supervisors Jean-Paul Bodeveix and Mamoun Filali Amine for their support and advice. I remember in particular this training period in 2002, during which they introduce me to research, and impart their passion for formal methods to me. Their enthusiasm and their complementarity were a great asset for my thesis, and I have really enjoyed working with them.

My acknowledgment also goes to Stéphane Demri and Wiebe van der Hoek, for having reviewed this thesis. Their corrections, remarks, and ques-tions, allowed me to improve this dissertation, and gave me some interesting leads for future work.

I also thank Jan Broersen, who accepted to welcome me in February 2006 in Utrecht, before even knowing me! The welcome was warm, and the stay very pleasant. I learnt a lot about deontic logics and action logics. The collaboration that followed was really stimulating until the end of my PhD, and the logic proposed in this dissertation is its fruit.

My acknowledgment then goes to Philippe Balbiani, for all the discus-sions we had, about scientific aspects as much as about the progress of my PhD. I have really appreciated his availability. His knowledge of modal logics was very helpful.

I also owe thanks to Frédéric Cuppens and Nora Cuppens-Boulahia. Thanks to their enthusiasm, the collaboration we started in the DISPO project went on with some stays in Rennes, during which we were able to talk a lot about obligations and violations in a security policy.

I would also like to thank Sergei Soloviev, for the interesting look he gave to my work, and for having accepted to be president of the jury. I thank Philippe Balbiani, Jan Broersen, Frédéric Cuppens, Stéphane Demri, and Wiebe van der Hoek for being part of the jury, and for their stimulating questions and comments during the defense.

I thank all the IRIT staff members who played a part in making the environment pleasant, in particular those who shared my office: Abbassia, Jean-François, Lei, and Marjorie.

My thoughts go to my family, that I was so happy to see the week after the defense. To my father, who crossed Indian ocean to attend it! To my mother, who handled the organisation of the drinks party with a lot of self-control! I owe them much.

To my grand-mother, who brought a little of our “île de beauté” with her. To Vanina and Yann, without who I would have given section 4.2.3 up (what a pity it would have been!). To Benjamin, my little brother, who is unfortunately already taller than me.

To people from Toulouse, who made my after work enjoyable thanks to parties, meals, discussions, etc.: Mehdi, Camille, Jérôme, Matthieu, Simon, Thierry, Chloé, Raphaël, Serge, Élodie, Vincent, Juliette, Nicolas, Arnaud, Marie, David and Marie. I also think about those I have known for much more time: Thierry, Rémi, Viviane, Rémy, Nico, Gilles, Sonia, Candice, Ben, . . .

To Anne-Laure, who endured me during the autism/writing period, and who gave me all her sweetness. This thesis is dedicated to her.

1 Introduction 7

1.1 Security . . . 7

1.2 Formal methods and logics. . . 8

1.3 Outline . . . 10

1.4 Bibliographic notes . . . 11

2 Basic logical concepts 13 2.1 Modal logic . . . 13

2.1.1 Axiomatics . . . 14

2.1.2 Semantics . . . 15

2.2 Deontic logic . . . 19

2.2.1 Standard Deontic Logic SDL . . . 19

2.2.2 Some theorems and paradoxes. . . 19

2.2.3 Dyadic deontic logic based on a preference relation . . 21

2.3 Temporal logic . . . 22

2.3.1 Linear temporal logic. . . 23

2.3.2 LT L semantics . . . 24

2.3.3 Characterization of properties . . . 25

2.3.4 LT L axiomatization . . . 27

2.3.5 Branching-time temporal logic . . . 29

2.3.6 Timed logic . . . 33

2.4 Model checking . . . 37

3 Combining temporal and deontic logics 39 3.1 Fusion of modal logics . . . 40

3.1.1 Fusion of LT L and SDL. . . 41

3.1.2 Fusion of CT L and SDL . . . 43

3.2 Interaction properties . . . 44 xi

3.2.1 ’Perfect recall’ property . . . 44

3.2.2 ’No learning’ property . . . 46

3.2.3 ’Confluence’ property . . . 46

3.2.4 Obligation and branching time . . . 47

3.3 Product . . . 48

3.3.1 Product of modal logics . . . 48

3.3.2 Product LT L SDL . . . 50

4 Propagation property 53 4.1 Deadline obligation . . . 53

4.1.1 Studied properties . . . 54

4.1.2 A first attempt for defining deadline obligation . . . . 56

4.1.3 Validation of the propagation property . . . 57

4.1.4 New operator Ok . . . 58

4.2 General propagation property . . . 63

4.2.1 Propagation property and product . . . 63

4.2.2 Semantics based on the restriction of the ideal states . 65 4.2.3 Model correspondence for the propagation . . . 69

4.2.4 Semantics with levels of deontic ideality . . . 74

4.2.5 Branching time structures . . . 79

5 Decision procedure and axiomatization 81 5.1 Tableaux decision procedure for satisfiability . . . 82

5.1.1 Tableau data structure and update operations . . . 83

5.1.2 Tableaux rules . . . 84

5.1.3 Soundness and completeness. . . 86

5.1.4 Termination . . . 88

5.2 Axiomatization . . . 90

5.2.1 Admissible forms . . . 91

5.2.2 Axiomatization . . . 91

5.2.3 Soundness and completeness. . . 92

5.2.4 Theories . . . 93

5.2.5 Canonical model construction . . . 96

6 Computer security application 99 6.1 Specification of the system . . . 100

6.1.1 Events or actions? . . . 100

6.1.2 Labeled Kripke Structures . . . 101

6.2 Deontic extension and compatibility . . . 102

6.2.1 Deontic extension . . . 103

6.2.2 Compatibility . . . 103

6.2.3 Illustration . . . 105

6.3 Decidable fragment . . . 106

6.3.2 Checking internal consistency and compatibility . . . . 108 6.4 Beyond compatibility . . . 111 6.4.1 Policy language . . . 111 6.4.2 Compliance of a system with its security policy . . . . 113 6.4.3 Diagnostic algorithm . . . 124 6.4.4 Concluding example . . . 129 7 Conclusion 133 7.1 Summary . . . 133 7.2 Future investigations . . . 134 A Proofs of section 4.1.4 141

A.1 Proofs of property 11 . . . 141 A.2 Proofs of property 12 . . . 142

Cette thèse propose un cadre logique qui permet de traiter des notions de temps et d’obligation, dans le but de spécifier des politiques de sécurité. Le point de départ de ce travail est la nécessité de méthodes formelles pour spécifier et vérifier des propriétés de sécurités spécifiques. Cette introduction présente la sécurité informatique, et introduit le point de vue logique que nous allons adopter.

Sécurité

Les systèmes informatiques sont présents dans de plus en plus de do-maines faisant intervenir des aspects de coopération, de distribution, et de réseau. L’augmentation de la complexité des systèmes a permis de nom-breuses innovations, mais a aussi soulevé de nouvelles questions. En particu-lier, garantir des exigences de sécurité est devenu de plus en plus complexe. Ces exigences sont habituellement classifiées comme suit :

– confidentialité : assurance que l’information est partagée seulement par des personnes ou organisations autorisées ;

– intégrité : assurance que l’information est authentique et complète ; – disponibilité : assurance que les systèmes chargés de délivrer, stocker,

ou traiter des informations sont accessibles en cas de besoin.

De manière à garantir ces exigences, une politique de sécurité est tradi-tionnellement spécifiée. Il s’agit d’un ensemble de normes et de procédures à mettre en oeuvre pour assurer au mieux les exigences. Cela consiste par exemple à décrire comment les utilisateurs peuvent accéder au système ou aux informations.

La modélisation de politiques de contrôle d’accès a été beaucoup étu-diée dans la littérature [64,115,21,73,2]. Une politique de contrôle d’accès consiste en un ensemble de règles qui spécifient quelles actions les sujets sont autorisés à effectuer. Une permission peut ne s’appliquer que lorsque certaines conditions sont satisfaites [94, 42, 121]. Par exemple, dans une banque, la politique de contrôle d’accès peut spécifier qu’un employé a l’au-torisation d’accorder un prêt à un client seulement si le montant du prêt est inférieur à 50 000 euros. La politique de contrôle d’accès peut aussi inclure des interdictions qui sont en particulier utiles pour spécifier des exceptions à des permissions.

Plus récemment, il a aussi été suggéré de considérer d’autres exigences dans une politique de sécurité qui correspondent à des obligations [22,41]. Par exemple, la politique peut spécifier que n’importe quel utilisateur dans le système informatique de la banque a l’obligation de changer son mot de passe s’il n’a pas été changé depuis trente jours. Les modèles qui considèrent les obligations vont au-delà du contrôle d’accès et sont utilisés pour spécifier des exigence de contrôle d’usage [99]. Comme exemple d’exigence de contrôle d’usage, la banque peut spécifier dans sa politique qu’il est obligatoire d’in-terrompre la transaction d’un client sur Internet si celui-ci est resté inactif pendant plus d’une minute.

Comme dans de nombreux autres domaines scientifiques, les méthodes formelles sont utiles pour lever certaines ambiguïtés et améliorer la qualité de compréhension et d’analyse. Dans le contexte de la sécurité, l’application de méthodes formelles permet de vérifier que la politique est cohérente, ou qu’un système est conforme à une politique.

Méthodes formelles et logiques

Les méthodes formelles [98] font références à des techniques et des outils mathématiques pour raisonner de manière rigoureuse. Elles permettent de spécifier, concevoir, et valider des systèmes logiciels et matériels. Les spéci-fications utilisées dans les méthodes formelles sont des énoncées bien formés dans un langage mathématique, et les validations (ou vérifications) sont des preuves de ces énoncés. La définition d’un tel langage de spécification, assor-tie d’un moyen de déterminer si un énoncé est vrai, est appelée une logique. Un énoncé dans le langage est une formule. Le moyen de déterminer la «va-leur de vérité» d’une formule peut être soit syntaxique soit sémantique. Une déduction syntaxique est une séquence finie de formules, qui commence par un axiome (formule arbitrairement vraie) et telle que chaque formule dans la séquence est obtenue à partir des formules précédentes par l’application d’une règle d’inférence. Le moyen sémantique consiste à donner un cadre in-tuitif à la définition de la vérité d’une formule. Plusieurs familles de logiques ont été étudiées, selon le domaine d’application. Les logiques constructives

sont utilisées en informatique, en particulier avec le but de généré du code à partir de la spécification d’un programme [67, 100]. Chaque formule est associée à une preuve qui démontre cette formule, plutôt qu’à une valeur de vérité (vrai ou faux). Une preuve peut aussi être vue comme un algo-rithme. Une autre famille de logiques a été développée à l’origine par les philosophes : les logiques modales. Elles étudient au départ les raisonne-ments qui utilisent les notions de nécessité («il est nécessaire que . . . ») et de possibilité («il est possible que . . . »). Les logiques modales sont main-tenant plus largement utilisées pour des concepts comme les croyances [53], les intentions [26], les exécutions de programmes [63], les obligations [136], et les aspects temporels [106]. Les formules modales sont construites à par-tir d’énoncés atomiques, appelés propositions, et d’opérateurs modaux, qui expriment les notions mentionnées ci-dessus. Dans cette thèse, nous nous fo-caliserons sur les obligations et les aspects temporels, habituellement étudiés à l’aide des logiques temporelles et déontiques.

La logique temporelle a été introduite par Prior [106, 107], pour expri-mer des phrases comme «il sera toujours le cas que . . . », «il sera un jour le cas que . . . », qui correspondent respectivement aux opérateurs modaux G et F . Kamp [74] a proposé une extension avec l’opérateur binaire U (until ) : A U B signifie que A est vrai, et reste vrai jusqu’à ce que B le devienne. Pnueli a proposé en 1977 d’utiliser la logique temporelle pour la spécifica-tion et la vérificaspécifica-tion des systèmes réactifs [101]. Cette idée a donné lieu, peu après, à une technique de vérification appelée vérification de modèle (model checking en anglais) [38, 108]. La première étape consiste à fournir un modèle du système à vérifier - en général, un automate fini - dans un formalisme accepté par l’outil de vérification de modèle. La seconde étape consiste à spécifier le propriété exigée par une formule logique. L’outil ap-plique ensuite une procédure de parcours pour déterminer si la formule est vraie dans l’abstraction du système. Dans les années 80, lors des débuts de la vérification de modèle, il n’était possible que de gérer des systèmes avec quelques milliers d’états. Aujourd’hui, de grands progrès dans les techniques permettent une bien meilleure efficacité, mais l’explosion de l’espace d’états reste un défi important.

Le premier système de logique déontique a été introduit par Mally en 1926 [90] ! Malheureusement, ce système a de nombreuses propriétés indé-sirables, et la logique déontique est seulement devenue un domaine de re-cherche actif après le premier système de von Wright [136], dont la version avec modèle de Kripke est connue sous le nom de Logique Déontique Stan-dard (StanStan-dard Deontic Logic, ou SDL, en anglais). Depuis lors, les logiciens ont soulevé des paradoxes dans SDL, et proposé différentes variantes de SDL pour les éliminer. Cet aspect sera discuté dans le chapitre suivant. Nous pen-sons que la logique déontique peut être utile à la sécurité informatique dans un contexte où les normes peuvent être violées, et où on voudrait raisonner explicitement sur ces violations. Ça concerne typiquement une politique de

sécurité qui spécifie des contraintes faibles. Considérons, par exemple, les règles suivantes dans un contexte d’allocation de ressource :

(1) useri a l’obligation de libérer la ressource r après 5 unités de temps

d’utilisation ;

(2) Si useri utilise la ressource sans la permission, alors il doit ne plus

la demander pendant 10 unités de temps.

La règle (1) spécifie que useri a l’obligation de libérer la ressource r

lorsqu’une certaine condition est vraie. Cette obligation peut être violée, et la règle (2) raisonne explicitement sur cette violation. La logique déontique semble appropriée pour spécifier et raisonner sur ces notions. Par ailleurs, ces deux règles contiennent clairement un aspect temporel.

Notre travail consiste à combiner les logiques temporelles et déontiques de manière à pouvoir

– exprimer de telles politiques de sécurité ; – vérifier qu’une politique est cohérente ;

– vérifier qu’un système est conforme à une politique.

Plan du document

Cette thèse est organisée de la manière suivante.

Le chapitre 2 présente des concepts logiques basiques. Nous y développons les aspects syntaxiques et sémantiques des logiques modales. Nous étudions d’abord les logiques déontiques, qui traitent des obligations, permissions, et interdictions, puis nous nous intéressons aux logiques temporelles. Nous détaillons particulièrement le cas du temps discret et linéaire, dans lequel nous nous situerons dans la suite de la thèse, puis présentons plus brièvement les principales logiques du temps arborescent, et du temps continu.

Le chapitre 3 introduit la combinaison des logiques temporelle et dé-ontique. Tout d’abord, nous présentons rapidement les autres propositions pour combiner ces notions, et les mettons en relation avec notre approche. Ensuite, nous appliquons la plus simple des combinaisons logiques, appelée fusion, aux logiques temporelle et déontique, et discutons les variantes déon-tiques des propriétés d’interaction temporelles-épistémiques connues. Enfin, nous présentons le produit de logiques modales, une manière générique de combiner des logiques en garantissant certaines propriétés d’interaction.

Dans le chapitre 4, nous considérons le produit des logiques temporelle et déontiques comme un point de départ. Nous nous intéressons à une nouvelle propriété d’interaction, que nous appelons propriété de propagation, parti-culièrement intuitive dans le contexte temporel et déontique. Nous étudions dans un premier temps la propagation des obligations avec délai. Nous propo-sons alors deux sémantiques possibles pour un opérateur dédié à l’obligation

avec délai, et discutons certaines propriétés caractéristiques pour chacune. Dans un deuxième temps, nous présentons une formulation plus générale de la propriété de propagation, qui concerne une disjonction de formules temporelles particulières. Nous proposons ensuite une sémantique intuitive qui valide la propagation, mais perd l’axiome D (garant de la cohérence des obligations entre elles). De plus, si nous considérons seulement la classe des modèles qui satisfait l’axiome D, alors aucune violation n’est satisfiable. Nous prenons alors le problème sous un angle différent, et recherchons une condi-tion nécessaire et suffisante, sur un modèle temporel et déontique arbitraire, pour valider la propriété de propagation. La conclusion est que lorsque une obligation est violée à un certain instant, alors des propriétés indésirables surviennent à partir de cet instant. Nous raffinons alors notre sémantique à l’aide d’une relation de préférence, de manière à ce que l’axiome D soit valide, et que la propriété de propagation ne soit satisfaite que dans les états qui ne violent pas d’obligations immédiates.

Le chapitre 5 présente une procédure de décision basée sur une méthode des tableaux, ainsi qu’une axiomatisation, pour le fragment de notre logique sans l’opérateur «until». La sémantique de l’obligation semble trop complexe pour développer des directement de tels outils pour notre logique. En ef-fet, deux quantificateurs différents sont cachés dans la définition sémantique de l’opérateur d’obligation. Nous proposons de décomposer cet opérateur à l’aide de nouveaux opérateurs plus simples. Nous développons alors un système de tableaux, et une axiomatisation pour cette logique. L’axiomati-sation comporte deux règles d’inférence non classiques qui correspondent à deux particularités de la logique : d’une part, une des relations d’accessibilité dépend des valuations, et d’autre part, un des opérateurs est interprété par l’intersection de deux relations d’accessibilité.

Le chapitre 6 propose une application à la sécurité de l’étude logique présentée dans les chapitres précédents. Nous considérons un modèle d’un système, et une formule temporelle déontique qui spécifie la politique. Le but est de déterminer d’une part si la politique est cohérente, et d’autre part si le système est conforme à la politique. La cohérence d’une politique est réduite à la satisfiabilité de la formule correspondante. La première définition de conformité à laquelle nous parvenons est une version faible appelée com-patibilité. Dans le cas général, nous n’avons pas de résultat de décidabilité, ni pour la vérification de cohérence, ni pour la vérification de conformité. Nous exhibons alors un fragment de notre logique temporelle déontique tel que les deux problèmes sont décidables pour une politique exprimée dans ce fragment. Nous réduisons de nouveau le langage pour pouvoir définir une version plus forte de la conformité. En fait, une analyse approfondie montre la nécessité de raffiner la notion de conformité en cinq différents cas de diag-nostic qui donnent des «niveaux de conformité». Nous fournissons enfin un algorithme qui permet d’établir ce diagnostic (la correction et la terminaison sont établies).

Dans le chapitre 7, nous concluons la thèse et discutons quelques pers-pectives.

Indications bibliographiques

Le contenu de cette thèse a été partiellement publié dans différentes com-munications. La partie3.2du chapitre3est extraite de [31]. L’étude de l’obli-gation avec délai dans un produit de logiques (chapitre 4, partie 4.1) vient de [32]. La sémantique qui garantit la propriété de propagation (chapitre 4, partie4.2) a été publiée dans un travail commun avec Jan Broersen [28,29]. La procédure de décision et l’axiomatisation pour cette sémantique (cha-pitre 5) sont extraites d’un travail commun avec Philippe Balbiani et Jan Broersen [17]. Le chapitre 6 est une version enrichie d’un article écrit avec Frédéric Cuppens, Nora Boulahia-Cuppens, et Thierry Sans [33]. Bien en-tendu, mes directeurs de thèse, Jean-Paul Bodeveix et Mamoun Filali-Amine, ont contribué à toutes les parties ce travail, qu’ils apparaissent ou non en tant que co-auteurs.

1

Introduction

This thesis deals with providing a logical framework which handles the no-tions of time and obligation, with the aim of being useful to computer se-curity. The starting point of this work is a need for formal tools to specify and verify some specific security properties. This introduction presents the security context in which the thesis takes place, and introduces the logical point of view we will adopt.

1.1

Security

Electronic systems are present in more and more areas which involve co-operation, distribution, and networking aspects. This growth of systems’ complexity has brought many innovations, but has also raised several new concerns. In particular, ensuring security requirements have become more and more complex. These requirements are usually classified as follows:

• confidentiality: assurance that information is shared only among au-thorised persons or organisations. Breaches of confidentiality can occur when data is not handled in a manner adequate to safeguard the con-fidentiality of information;

• integrity: assurance that information is authentic and complete, i.e., that information can be relied upon to be sufficiently accurate for its purpose;

• availability: assurance that the systems responsible for delivering, stor-ing and processstor-ing information are accessible when needed, by those who need them.

In order to ensure these requirements, a security policy is traditionally specified. A security policy is a set of regulations and laws that describes

how users may access the system or information. It regulates how entities access objects in a system.

Modelling such access control policies has been extensively investigated in the literature [64,115,21,73,2]. An access control policy corresponds to a set of permission rules which specifies which actions subjects are authorized to perform in the information system controlled by this policy. A permission may only apply when some contextual conditions are satisfied [94,42,121]. For instance, in a bank, the access control policy may specify that a clerk is permitted to grant a loan to a customer, only if the amount of the loan is less than 50,000 euros. The access control policy can also include prohibitions that are especially useful to specify exceptions to permissions.

More recently, it has also been suggested to consider other requirements in the security policy that correspond to obligations [22,41]. For instance, the policy may specify that any user in the bank information system is obliged to change his or her password if this password has not been changed for more than 30 days. Models that consider obligations go beyond access control and are used to specify usage control requirements [99]. As an exam-ple of usage control requirement, the bank can specify in its policy that it is obligatory to stop the internet transaction of a bank customer if this user has been idle for more than one minute.

As in many other scientific areas, formal methods are useful in order to avoid ambiguities and improve quality of understanding and model analysis. In the context of security, applying formal methods allows to verify that a policy is coherent, or that a system complies with a policy.

1.2

Formal methods and logics

’Formal Methods’ [98] refers to mathematically rigorous techniques and tools for the specification, design, and verification of software and hardware sys-tems. The phrase ’mathematically rigorous’ means that the specifications used in formal methods are well-formed statements in a mathematical lan-guage and that the formal verifications are rigorous proofs of these state-ments. The definition of such a language with a way to determine whether a statement is true, is called a logic. A statement in the language is called a formula. The way to determine the truth of a formula can be can be either syntactic or semantic. A syntactic deduction is a finite sequence of formulas, which starts from an axiom (arbitrary true formula), such that each formula in the sequence is obtained from earlier formulas by applying some inference rule. The semantic way aims at giving an intuitive framework to the defini-tion of truth for a formula. Several families of logics have been investigated, depending on the application area. Constructive logics are used in computer science, in particular with the aim of generating code from the specifica-tion of a program [67, 100]. Each formula is associated with a proof which

demonstrates this formula, instead of a value (true or false). A proof of a formula can also be seen as an algorithm. Another family of logics, origi-nating from philosophy, is called modal logic. It originally studies reasoning that involves the use of the expressions “necessarily” and “possibly”. Modal logics are now used more broadly for concepts such as belief [53], intention [26], program execution [63], obligation [136], and temporal ordering [106]. Modal formulas are built from atomic statements, called propositions, and modal operators, which handle the above-mentioned notions. Here, we focus on obligation and temporal ordering, usually addressed through deontic and temporal logics.

Temporal logic was introduced by Prior [106, 107], in order to express sentences as ’henceforth, it will be the case that . . . ’, and ‘it will eventually be the case that . . . ’ corresponding to modal operators G and F respec-tively. Kamp proposed an extension with binary modal operator U (read until ): A U B means that A is true, and remains true until B becomes true. Pnueli proposed in 1977 to use temporal logic for the specification and the verification of reactive systems [101]. This idea gave rise, shortly after, to the verification technique called temporal logic model checking [38,108]. The first step is to provide a model of the system to verify - usually, a finite state transition graph - in a formalism accepted by a model checking tool. The second step consists in specifying the required property as a logic formula. The model checker then applies a search procedure to determine whether the formula is true in the abstraction of the system. In the 1980s, when temporal model checking was first developed, it was only possible to handle systems with a few thousands states. Even if today, sophisticated procedures have a better efficiency, state space explosion problem remains an important challenge.

The first logical system of deontic logic was introduced by Mally in 1926 [90]! Unfortunately, this system had a lot of undesirable theorems, and deontic logic has only become an ongoing active academic area after the first system of von Wright [136], of which the first Kripke-style version is known as Standard Deontic Logic (SDL). Since then, logicians have raised some paradoxes in SDL, and proposed different variants of SDL to avoid them. This we will be discussed in the first chapter. According to us, deontic logic can be useful in computer security in a context where norms can be violated, and where we want to reason explicitly about these violations. This typically concerns a security policy which specifies some soft (violable) con-straints. Consider for instance, the following rules in a resource monitoring context:

(1) useri has to release resource r after 5 time units of utilization;

(2) if useriuses the resource without the permission, then he must not ask

Rule (1) specifies that useri is obliged to release resource r when some

con-dition is true. This obligation can be violated, and rule (2) explicitly reasons about this violation. Deontic logic seems appropriate to express and reason about these notions. Besides, both rules clearly capture temporal aspects.

Our work consists in combining temporal and deontic logics so that we can easily

• express such security policies; • check that a policy is coherent;

• check that a system is compliant with a policy.

1.3

Outline

This dissertation is organized as follows.

Chapter 2 deals with basic logical concepts. We review syntactic and se-mantic aspects of modal logic. Firstly, we present the family of modal logics which model deontic concepts. Secondly, we focus on temporal logics. We especially develop the linear and discrete time case, in which we are particu-larly interested. We also present the main temporal logics of branching-time and of continuous time.

Chapter 3 introduces the combination of temporal and deontic logics. Firstly, we give a brief presentation of other attempts to combine these no-tions, and express how we are in relation with them. Secondly, we apply the simplest logical combination, called fusion, to temporal and deontic log-ics, and discuss deontic variants of temporal-epistemic interaction properties. Then, we present the product of modal logics, a natural and generic logic combination, which ensures these interaction properties.

In chapter 4, we take the product of temporal and deontic logics as a starting point. We investigate another interaction property, called propa-gation property, which is particularly intuitive in a temporal and deontic context. We first discuss the propagation of deadline obligations. We pro-pose two possible semantics for an operator dedicated to obligation with deadline, and discuss some characteristic properties for each one. Secondly, we provide a more general formulation of the propagation property, which concerns a special temporal disjunction. We propose an intuitive semantics which validates the propagation, but loses axiom D (which guarantees the coherence of obligations). Moreover, if we only consider the class of models which satisfy axiom D, then no violation is satisfiable. We then consider the problem from a different point of view, and look for a necessary and sufficient condition on an arbitrary temporal deontic model to validate the propagation property. The conclusion is that when an obligation is violated at some moment, undesirable properties necessarily occur from that instant

on. We then refine our semantics with a preference-based deontic relation, so that the propagation property is only satisfied in the states that do no violate any immediate obligations.

Chapter 5 deals with a tableaux-like decision procedure and an axioma-tization for the until-free fragment of this logic. The semantics of obligation seems too complicated to develop logical tools. Two different quantifiers are hidden in the semantic definition of the obligation operator. We propose to decompose this operator into more simple ones. We then develop a tableau system with explicit accessibility relations, and an axiomatization with non-classical rules which handle the two following semantic particularities of our logic: one of the accessibility relations depends on valuations, one operator corresponds to the intersection of two accessibility relations.

Chapter 6 provides a security application of the logical study. We con-sider a model of a system, and a temporal deontic formula which specifies the policy. The goal is to determine whether the policy is coherent on the one hand, and whether the system complies with the policy on the other hand. The coherence of a policy is reduced to the satisfiability of the cor-responding formula. The first definition of compliance we come up with is a weak version called compatibility. In the general framework, we have no decidability result, neither for coherence checking, nor for compliance check-ing. We then exhibit a fragment of our temporal deontic logic such that for a policy expressed in this fragment, both problems are decidable. We then constrain again the policy language in order to define a stronger version of compliance. Actually, a careful analysis shows the necessity to refine the notion of compliance into five different diagnostic cases which give ’levels of compliance’. A terminating and correct algorithm is provided to establish the diagnostic.

In chapter 7 we conclude the thesis and discuss some perspectives.

1.4

Bibliographic notes

The content of this thesis has been partially published in several communica-tions. Section 3.2of chapter 3is extracted from [31]. The study of deadline obligations in a product settings (chapter4, section4.1) comes from [32]. The semantics which ensures the propagation property (chapter 4, section 4.2) has been published in a joint work with Jan Broersen [28, 29]. Decision procedure and axiomatization for this semantics (chapter 5) are extracted from a joint work with Philippe Balbiani and Jan Broersen [17]. Chapter 6 is the sequel of a paper with Frédéric Cuppens, Nora Boulahia-Cuppens, and Thierry Sans [33]. Of course, my supervisors Jean-Paul Bodeveix and Mamoun Filali-Amine have played an important role in all parts of this work, whether they appear or not as co-authors.

2

Basic logical concepts

In this chapter, we introduce the basic concepts of logics which are needed in the remainder of the Ph.D. thesis. Section 2.1 deals with some gen-eral points of modal logic: we present Hilbert-style axiomatization, possible worlds semantics, and some basics about correspondence between axioms and semantic conditions. Section 2.2 focuses on deontic logic. Section 2.3 introduces temporal logic, and section 2.4 presents model-checking results for temporal logics.

2.1

Modal logic

In this section, we present some basics of modal logic. We stay in the frame-work of unimodal logic because it is simpler to write and sufficient for the remainder of the thesis, although every definition can easily be extended to multimodal logic.

Definition 1 (Modal language). Given a set P of atomic propositions, the propositional modal language ML is defined as

ϕ ::= p | ⊥ | ϕ ⇒ ϕ | ϕ

where⊥ is a constant (’false’) and p ∈ P is an atomic proposition. The usual boolean operators are defined in terms of the constant⊥ and the operator ⇒:

¬ϕdef= ϕ⇒ ⊥ def= ¬⊥

ϕ₁∨ ϕ₂def= (¬ϕ₁)⇒ ϕ₂ ϕ₁∧ ϕ₂ def= ¬(¬ϕ₁∨ ¬ϕ₂)  is called the necessity modal operator and ♦ def= ¬¬, defined as its dual, is called the possibility operator.

We can define similarly the propositional n-modal language MLn with n

necessity and n possibility operators ₁, . . . ,n and♦1, . . . ,♦n.

A logical system in general, and a modal system in particular, consists in singling out and describing a subset of formulas considered as true, no matter what values are assigned to their variables. There are two ways of defining logics: semantic and syntactic. Both complement each other. Usually, the semantic way introduces a semantic domain and explains the meaning of the logical constants and connectives as operators of the semantic domain, while the syntactic way reasons about the structure of a formula.

2.1.1 Axiomatics

As a syntactic way, we consider in this thesis Hilbert-style inference systems. They consist in indicating which formulas are chosen as axioms, and defining inference rules. A derivation of a formula ϕ in such a system is a finite sequence ending with ϕ and such that each formula in the sequence is either an axiom or obtained from earlier formulas in the sequence by applying some inference rule. The logic of the inference system is then defined as the set of all derivable formulas.

A set of ML-formulas which contains • all axioms of propositional logic • the modal axiom scheme (K)

(ϕ1 ⇒ ϕ2)⇒ (ϕ1 ⇒ ϕ2) (K)

and which is closed under the following inference rules • ϕ1 ϕ1⇒ϕ2

ϕ₂ Modus Ponens (MP)

• ϕ(x1,...,xn)

ϕ(ψ₁/x₁,...,ψ_n/x_n) Uniform Substitution (US)

where ϕ(ψ₁/x₁, . . . , ψn/xn) is obtained from ϕ(x1, . . . , xn) by

substi-tuting formulas ψ₁, . . . , ψn for the atomic propositions x1, . . . , xn in

ϕ.

• _ϕϕ Necessitation

is called a normal modal logic.

The minimal normal modal logic is denoted by K (its only axioms and inference rules are the ones listed above). It is too weak to provide an adequate account of necessity. For instance, axiom ϕ ⇒ ϕ, called T , is not provable in K , but it is clearly desirable. It claims that whatever is necessary is the case. On the other hand, axiom T is not correct if we read  as it is obligatory that, or some agent believes that. Thus, depending on the concept to be modeled, several modal systems have been introduced.

Actually, every modal logic L can be obtained be extending system K with a set Γ of extra axioms. In this case, we note

L =K ⊕ Γ

Here are some modal systems obtained by enriching K with extra axioms. • KDdef= K ⊕ ϕ ⇒ ♦ϕ

• KTdef= K ⊕ ϕ ⇒ ϕ • S4def= KT ⊕ ϕ ⇒ ϕ • S5def= S4 ⊕ ϕ ⇒ ♦ϕ

2.1.2 Semantics

The semantic way aims at giving an intuitive framework to the definition of truth for a modal formula. It has been developed by Hintikka [69] and Kripke [78,77]. Necessity is then understood as truth in all possible worlds. Thus, structures in which formulas are interpreted contain different worlds which can have some alternatives. Every world ’lives’ under the laws of classical logic: an atomic proposition is either true or false in it, and the truth-values of a boolean combination of atoms (propositional formulas) is determined by boolean truth-tables.

Definition 2 (Possible worlds semantics). The semantics of ML-formulas is given through relational structures F = (W, R) called Kripke frames, or simply frames.

• W is non empty a set of worlds

• R ⊆ W × W is an accessibility relation on W which associates each world with a set of alternative worlds

A valuation V : W → 2P for a structure F = (W, R) is a function which associates each world with a set of atomic propositions. The pair (F, V ) is called a Kripke model, or simply a model.

Figure2.1shows an illustration of a model, where the states are the cir-cles, the accessibility relation is represented by the arrows, and the valuation by the sets of atomic propositions associated with each state.

We can now define the conditions under which a world of a model satisfies a formula.

{p}

{q}

{p,q}

Figure 2.1: Kripke model

Definition 3 (Satisfaction). Given a frame F = (W, R), a valuation V for F , and a formula ϕ, we can define the satisfaction relation |= by induction on ϕ, where F, V, w|= ϕ is read as ’ϕ is satisfied by the world w of the model (F, V )’ or ’ϕ is true in the world w of the model (F, V )’:

F, V, w|= p iff p∈ V (w) where p∈ P

F, V, w ⊥

F, V, w|= ϕ₁ ⇒ ϕ₂ iff if F, V, w|= ϕ₁ then F, V, w|= ϕ₂ F, V, w|= ϕ iff ∀w ∈ W if wRw then F, V, w |= ϕ When there is no ambiguity, we write w|= ϕ instead of F, V, w |= ϕ for the sake of brevity.

The semantics of MLn-formulas is then given through structures F =

(W, R₁, . . . , Rn) with n accessibility relations, called n-frames.

A model (F, V ) satisfies ϕ if every world in W satisfies it. F, V |= ϕ iff ∀w ∈ W F, V, w |= ϕ A frame F validates ϕ if every model based on F satisfies it.

F |= ϕ iff for every valuation V F, V |= ϕ A formula ϕ is valid if every frame validates it.

|= ϕ iff for every frame F F |= ϕ

A formula ϕ is satisfiable if there exists a model and a world which sat-isfies it, or equivalently, if its negation is not valid.

Definition 4 (Logic: a semantic definition).

• Given a class C of frames, we can define the set Log(C) of the formulas that every frame of C validates:

Log(C)def= {ϕ / ∀F ∈ C F |= ϕ}

It is easy to check that Log(C) is a normal modal logic, and we call it the logic of C.

• A normal logic L is said to be sound with respect to C if ∀ϕ ∈ L ∀F ∈ C F |= ϕ, i.e., L ⊆ Log(C). L is complete with respect to C if every formula which is valid in every frame of C is in L, i.e., Log(C)⊆ L. L is determined, or characterized by C if L = Log(C).

• A logic L is Kripke-complete if there exists a class C of frames such that L = Log(C).

• Then F r(L) denotes the class of all the frames which validate every formula of L. For L Kripke complete, it can be proved that L = Log(F r(L)) [23, 57].

An attractive feature of the possible worlds semantics is that many log-ics are characterized by classes of frames satisfying simple conditions. For instance, we have the following completeness results concerning the modal logics introduced in section 2.1.1.

Theorem 1 (Completeness [78]).

The logicsK, KD, KT, S4, and S5, are Kripke-complete. Besides, we have: • F r(KD) is the class of all frames (W, R) such that R is serial1_.

• F r(KT) is the class of all frames (W, R) such that R is reflexive. • F r(S4) is the class of all frames (W, R) such that R is reflexive and

transitive.

• F r(S5) is the class of all all frames (W, R) such that R is an equiva-lence relation, i.e., R is reflexive, transitive, and symmetric.

Another related issue is the direct translation of a modal axiom schema into a condition on Kripke frames: Correspondence theory [125,126] studies the class of frames which is ’defined’ by a given formula. We say that a formula ϕ defines the class C of frames if F ∈ C iff F validates ϕ, for every frame F . Actually, every axiom schema we have considered to enrich the logic K defines a simple class of frame, independently of a deduction in modal logic.

Theorem 2 (Correspondence). Here are the class of frames which are de-fined by each of the previously considered axiom schemas.

(axiom T) Axiom schema ϕ ⇒ ϕ defines the frames (W, R) such that R is reflexive.

(axiom D) Axiom schema ϕ ⇒ ♦ϕ defines the frames (W, R) such that R is serial.

(axiom 4) Axiom schema ϕ ⇒ ϕ defines the frames (W, R) such that R is transitive.

(axiom B) Axiom schema ϕ⇒ ♦ϕ defines the frames (W, R) such that R is symmetric.

Automatic translations of modal formulas into such conditions on frames have been widely studied. In particular, Sahlqvist [114] exhibited a class of formulas, called Sahlqvist formulas, which have nice correspondence prop-erties. Indeed, although in general, every modal formula is equivalent to a second-order condition on frames, a Sahlqvist formula ϕ have a first-order equivalent F O(ϕ) (this first-order equivalent can be obtained in an effective way). Moreover the logic K⊕ ϕ is characterized by the frames which satisfy F O(ϕ).

Definition 5 (Sahlqvist formulas). Let a positive (resp. negative) formula of modal logic be one where all atomic propositions occur in the scope of an even (resp. odd) number of negation signs only.

Let a Sahlqvist antecedent be a formula that is built up from atomic propo-sition prefixed by any finite number of necessity operators and negative for-mulas, using only ∧ and ∨, and the possibility operator ♦. For example, ♦p is a Sahlqvist antecedent, whereas ♦p and (p ∨ q) are not.

Then, a Sahlqvist formula is any formula that may be obtained by applying conjunctions and necessity operators to implications of the form ϕ₁ ⇒ ϕ₂, where ϕ₁ is a Sahlqvist antecedent, and ϕ₂ is a positive formula.

Theorem 3 (Sahlqvist theorem [114]). Let ϕ be a Sahlqvist formula. There is a computable first order condition on frames F O(ϕ) such that

(1) ϕ defines the frames (W, R) which satisfy F O(ϕ),

(2) the logic K⊕ ϕ is characterized by the frames which satisfy F O(ϕ). Actually, item (2) is more general: it applies not only to K but also to any canonical logic. The notion of canonicity of a logic will not be defined here.

Remark 1. Axioms T, D, 4, and B are Sahlqvist formulas.

We now provide the results of decidability and complexity for the previ-ously introduced logics. A logic L is said to be decidable if the satisfiability problem for L is decidable. For proofs consult [81,34].

Theorem 4 (Decidability). All the logics K, KD, KT, S4, and S5, are decidable. The satisfiability problem for K, KD, KT, and S4 is PSPACE-complete. The satisfiability problem for S5 is NP-complete.

2.2

Deontic logic

Instead of presenting an exhaustive state of the art in deontic logic, we discuss Standard Deontic Logic (SDL) introduced by Von Wright [136], and some direct extension. We will not deal with non-monotonic/defeasible logics [56, 105,72], which are useful to model argumentation or legal reasoning. 2.2.1 Standard Deontic Logic SDL

One of the first logical systems which attempted to capture obligation was published in 1951 by Von Wright [136], of which the modal Kripke-style version is known as Standard Deontic Logic (SDL).

Definition 6 (SDL). Standard Deontic Logic SDL is the modal logic KD, where the necessity operator, which expresses obligation, is denoted O instead of , and the possibility operator, which expresses permission, is denoted by P instead of ♦.

Axiom D expresses that every obligatory formula is permitted, i.e., not forbidden. Another formulation of axiom D is that a formula cannot be both obligatory and forbidden.

Definition 7 (SDL semantics). As stated in theorem1, SDL can be defined as the logic which is characterized by the class of all the serial frames: SDL = Log({F / F is serial}).

A SDL-frame is then a Kripke frame F = (W, R) such that R is serial, a SDL-model is a triple M = (W, R, V ) such that (W, R) is an SDL-frame and V is a valuation on W .

Since the modal operators express obligation and permission instead of necessity and possibility, we now consider that the accessibility relation R gives ideal alternative worlds, i.e., worlds in which what is obligatory effec-tively occurs. The fact that R is serial means that in every world, there exists at least one ideal alternative. If there were a world from which no ideal world is accessible, then everything would be obligatory in this world. 2.2.2 Some theorems and paradoxes

Here are some theorems in SDL (see e.g. [95] for a more detailed discussion): • O(ϕ1∧ ϕ2)⇔ O(ϕ₁)∧ O(ϕ₂) (distributivity of O over ∧)

• P(ϕ1∨ ϕ2)⇔ P(ϕ₁)∨ P(ϕ₂) (distributivity of P over∨) • P(ϕ1∧ ϕ2)⇒ P(ϕ₁)∧ P(ϕ₂)

• O(ϕ1∨ ϕ2)∧ O(¬ϕ₁) ⇒ O(ϕ₂)

• O(ϕ1)⇒ O(ϕ1∨ ϕ2) (Ross’s paradox)

Ross claims [111] that this theorem is not intuitive under a common-sense reading: being obliged to post a letter does not imply being obliged to post it or to burn it. According to many deontic logi-cians, the paradox is due to an incorrect reading [68]. First, SDL reasons about state propositions, and obligation to satisfy state for-mulas, whereas the letter example reasons about obligation to perform some action. In order to distinguish these two kinds of obligations, the denominations ’obligation to be’ and ’obligation to do’ are often used. An obvious difference is that the latter implicitly refers to an agent, whereas the former does not. If we read O(ϕ₁) as ’it is obligatory to satisfy the condition ϕ₁’, then it makes perfect sense to say that it entails that ’it is obligatory to satisfy the condition ϕ₁∨ ϕ₂’, because this latter condition is a logical consequence of the former condition. • O(¬ϕ1)⇒ O¬(ϕ1∧ ϕ2) (Penitent’s paradox)

This theorem is obtained by substituting ¬ϕ₁ and ¬ϕ₂ for ϕ₁ and ϕ₂ respectively in the latter theorem. It is considered as Penitent’s paradox. If it is forbidden to do a crime, then it is forbidden to do a crime and do a penitence. Again, if O(ϕ) is correctly interpreted as ’it is forbidden to satisfy the condition ϕ’, then this theorem poses no problem.

One of the most serious paradoxes in SDL involves the notion of contrary-to-duty (CTD) obligations. These have to do with the specification of norms which apply in case some other norms have already been violated. The best known example is given by Chisholm [37]. Although the four following statements are consistent, their formulation in SDL is not.

1. it is obligatory that John goes to the assistance of his neighbors 2. if John does go then it is obligatory that he tells them he is coming 3. if John doesn’t go, then it is obligatory that he does not tell them he

is coming 4. John doesn’t go

Let ϕ₁ express ’John goes to the assistance of his neighbors and ϕ₂ express ’John tells them his coming’. The formalisation of (1) and (4) as O (ϕ₁) and ¬ϕ1 respectively is straightforward. On the other hand, the formalisation of

conditional obligations (2) and (3) is unclear. Indeed, do we have to model (2) as ϕ₁ ⇒ O(ϕ₂) or as O(ϕ₁ ⇒ ϕ₂)? Both formulations seem reasonable, but ϕ₁ ⇒ O(ϕ₂) is derivable from (4) (¬ϕ₁), whereas all of (1)-(4) are intuitively independent from each other. Similarly, among both formulations of (3)¬ϕ₁ ⇒ O(¬ϕ₂) and O(¬ϕ₁ ⇒ ¬ϕ₂), the latter is derivable from (1) (O(ϕ₁)). So, the four sentences are traditionally expressed as follows:

1. O(ϕ₁) 2. O(ϕ₁ ⇒ ϕ₂) 3. ¬ϕ₁ ⇒ O(¬ϕ₂) 4. ¬ϕ₁

In SDL, this set (1)-(4) is inconsistent, contrary to the intuition behind the four initial sentences. In conclusion, SDL cannot handle this situation: either the considered statements are logically dependent, or they are incon-sistent.

Several analyses and solutions have been proposed to solve CTD para-doxes. Some solutions are based on a temporal reading of paradoxes [49, 129,15,27]. Temporal deontic logics will be dealt with in the next chapter. Another direction is to handle defeasible reasoning with nonmonotonic logics [112,93]. Statement 1 is then considered as a defeasible rule, and rule 3 applies in exceptional circumstances (John does not go to the assistance of his neighbours). If these exceptional circumstances hold, then rule 3 ’defeats’ rule 1. There is no conflict because rule 1 and rule 3 does not apply in the circumstances.

Many arguments have been developed against the defeasible view of CTD obligations (see, e.g., [104, 127]). Indeed, it fails to model that when the secondary obligation applies (’it is obligatory that John does not tell he is coming’), the primary obligation (’it is obligatory that John goes to the assistance of his neighbours’) is violated. Some works [103, 104, 130, 127] have followed another direction, based a on a dyadic obligation operator, with a preference semantics.

2.2.3 Dyadic deontic logic based on a preference relation In this section, we present Hansson’s Dyadic Standard Deontic Logic 3 (DSDL3) [62], the first logic to propose a semantics based on a preference relation (denoted by) for a dyadic obligation operator. This idea gave rise to extensions of DSDL3 [104, 127] and other deontic systems [12, 71]. An obligation to satisfy ϕ₁ given ϕ₂ is true, denoted by O(ϕ₁/ϕ₂), holds either if there is no world which satisfies ϕ₂, or if ϕ₁ is satisfied by the best worlds (maximal for ) among those which satisfy ϕ₂.

Definition 8 (Preference semantics). A model is a tuple M = (W,, V ) where

• W is a set of worlds

• ⊆ W × W is a transitive and complete (or total) binary relation, viewed as a preference relation. w  w is read as w is at least as good as w.

– (transitivity) ∀w, w, w ∈ W if w  w and w  w then w w

– (completeness, or totality) ∀w, w ∈ W w  w or w  w

• V : W → 2P_{is a valuation function on W}

The formal semantics of a conditional obligation O(ϕ₁/ϕ₂) is given as fol-lows:

w|= O(ϕ₁/ϕ₂) iff ∀w ∈ W w |= ¬ϕ₂

or ∃w ∈ W such that w |= ϕ₂ and ∀w _{∈ W if w} _{ w} _{then w} _{|= ϕ}

2 ⇒ ϕ1

Notice that O(ϕ₁/ϕ₂) is true in a world w iff it is true in every world. The Chisholm scenario, now formulated as follows, is consistent. 1. O (ϕ₁)

2. O (ϕ₂/ϕ₁) 3. O (¬ϕ2/¬ϕ1) 4. ¬ϕ₁

Notice, however, that from O(¬ϕ₂/¬ϕ₁) and ¬ϕ₁, we cannot deduce O(¬ϕ₂), i.e., the derivation usually called ’deontic detachment’ does not hold. This problem has been taken care of in some above-mentioned exten-sions, which are out of the scope of this thesis.

2.3

Temporal logic

Temporal logic corresponds to one of the most usual modal logics, and has become essential in computer science for the specification of reactive systems. Its modal operators may concern the future (it is always true that . . . , it will eventually be true that . . . ) or the past (it has always been true that . . . , ϕ₁ is true since ϕ₂ was true). Because of two dyadic operators (until and since), the language and the semantics does not fit exactly with the generic

framework described in section 2.1. Another difference between temporal logic and other modal logics is the presence of initial worlds.

Temporal logics are often classified according to whether time is assumed to have a linear or a branching structure. Another classification is made be-tween discrete and continuous models of time. We will introduce temporal logic trough linear temporal logic with discrete time, known as Linear Tem-poral Logic (LT L). In section 2.3.2, we will present LT L semantics more in details, and in section 2.3.4 we will introduce an axiomatization of LT L. In section2.3.5, we will present more shortly branching-time temporal logic, and in section 2.3.6 we will be interested in timed logic.

2.3.1 Linear temporal logic

Linear Temporal Logic (LT L) studies temporal properties in the framework of a linear and discrete time. Here are the main temporal operators of LT L.

Future operators Past operators

Xϕ next ϕ X−1ϕ previous ϕ

ϕ₁ U ϕ₂ ϕ₁ until ϕ₂ ϕ₁ S ϕ₂ ϕ₁ since ϕ₂

Xϕ means that ϕ will hold in the next state, and X−1ϕ means that there is a previous state, and it satisfies ϕ. The same symmetry stands between U and S: ϕ₁U ϕ₂ means that ϕ₂ will be true, eventually, at some moment i, and ϕ₁ is true from now until the moment before i, whereas ϕ₁Sϕ₂ means that ϕ₂ was true, in the past, at some moment i, and ϕ₁ has been true from the moment after i until now.

The usual temporal operators G (always), G−1 (always in the past ), F (eventually), and F−1 (eventually in the past ) are defined as the following abbreviations:

Future operators Past operators F ϕ def= Uϕ F−1ϕ def= Sϕ Gϕ def= ¬F ¬ϕ G−1ϕ def= ¬F−1¬ϕ

We also define the weak previous operator as X−1 def= ¬X−1¬. X−1ϕ means that there is no previous state (the current instant is 0), or ϕ was true in the previous state.

To reason about deadlines, we will often index future operator F with  k, to express that a formula will be satisfied before k time steps:

F_k ϕdef= 

ϕ if k = 0

Definition 9 (LT L-language). The language L(X, U, X−1, S) of LT L with all future and past operators is defined by the following syntax:

ϕ ::= P | ⊥ | ϕ ⇒ ϕ | X ϕ | ϕ U ϕ | X−1 ϕ | ϕ S ϕ The language LLT L(E), where E ⊆ {X, U, X−1, S}, corresponds to the

fragment ofL(X, U, X−1, S) which only contains the modal operators in E. For instance, L(X, U) corresponds to the pure future fragment of the lan-guage.

The logic LT L(E), where E ⊆ {X, U, X−1, S}, is defined as the set of valid formulas (in the semantic point of view) or theorems (in the syntactic point of view) of L(E). The definitions of valid formulas and theorems of L(X, U, X−1_{, S) are given in sections2.3.2 and 2.3.4respectively.}

Many variants and extensions of LT L, which are out of the scope of this thesis, have been investigated (consult, e.g., [83,44,45]).

2.3.2 LT L semantics

Let us see more in detail the semantics of LT L, i.e., the structures needed to define the truth of temporal formulas.

Definition 10 (LT L-model).

An LT L-model is a tuple M = (N, <, V ) where

• the set N of the natural numbers represents the set of the moments • <⊆ N × N is the usual strict order on N; the immediate <-successor of

i∈ N is denoted i + 1 as usual

• V : N → 2P _{is a valuation function which associates each instant with}

a set of atomic propositions

In the remainder, we use all the usual orders , >,  on N which can all be defined from <.

Definition 11 (LT L satisfaction relation).

Given an LT L-model M = (N, <, V ), an instant i ∈ N, and a formula ϕ, we define |= by induction on ϕ (we write V, i |= ϕ or i |= ϕ for short):

i|= p iff p∈ V (i) where p∈ P

i ⊥

i|= ϕ₁ ⇒ ϕ₂ iff if i|= ϕ₁ then i|= ϕ₂

i|= Xϕ iff i + 1|= ϕ

i|= ϕ₁ U ϕ₂ iff ∃i  i such that i |= ϕ₂ and ∀ i_{∈ N if i  i}_{< i} _{then i}_{|= ϕ}

1

i|= X−1ϕ iff i > 0 and i− 1 |= ϕ

i|= ϕ₁ S ϕ₂ iff ∃i  i such that i |= ϕ₂ and ∀ i_{∈ N if i} _{< i}_{ i then i}_{|= ϕ}