A Substructural Epistemic Resource Logic: Theory and Modelling Applications

We present a substructural epistemic logic, based on Boolean BI, in which the epistemic modalities are parametrized on agents' local resources. The new modalities can be seen as generalizations of the usual epistemic modalities. The logic combines Boolean BI's resource semantics --- we introduce BI and its resource semantics at some length --- with epistemic agency. We illustrate the use of the logic in systems modelling by discussing some examples about access control, including semaphores, using resource tokens. We also give a labelled tableaux calculus and establish soundness and completeness with respect to the resource semantics.


Introduction
The concept of resource is important in many fields including, among others, computer science, economics, and security. For example, in operating systems, processes access system resources such as memory, files, processor time, and bandwidth, with correct resource usage being essential for the robust functioning of the system. The internet can be regarded as a giant, dynamic net of resources, in which Uniform Resource Locators refer to located data and code.
In recent years, the concept of resource has been studied and analysed in computer science through the bunched logic, BI, [21,30,36] and its variants, such as Boolean BI (BBI) [25] and bunched modal logics [13,15], and applications, such as Separation Logic [25,37].
The truth-functional, Kripke semantics of these logics, based on preordered partial monoids, is sketched below. Before proceeding to describe this semantics, it is worth observing that this choice of structure for BI's models can be motivated directly in terms of natural requirements on a notion of resource. Assuming a set of resource elements, we expect to be able to
- combine two resource elements to give a new resource element, and
- compare two resource elements, to determine which is the greater.
It is also natural to expect that the combination of elements be partial, and this is indeed amply justified by leading examples. These simple assumptions, which are cleanly captured by preordered partial monoids, have led to a remarkably useful 'resource semantics'. The need for partiality arises in two ways. Conceptually, we observe that in our semantics of resources it is quite natural to expect that not all combinations of resource elements will exist (Separation Logic [25,37] provides an immediate and compelling example). Second, partiality is technically convenient for BI's metatheory [21].
These considerations lead to a semantics for BI based on partially ordered partial monoids of worlds, $\mathcal{R} = (R, \sqsubseteq, \bullet, e)$.
Here, composition of resources is captured by the partial monoidal operation, $\bullet$, with unit $e$, and comparison of resources is captured by the partial order $\sqsubseteq$. Where defined, this structure is required to satisfy the bifunctoriality condition that if $r_1 \sqsubseteq s_1$ and $r_2 \sqsubseteq s_2$, then $r_1 \bullet r_2 \sqsubseteq s_1 \bullet s_2$. We write $\downarrow$ to denote definedness of the composition. Given such structures, the logic BI of bunched implications (see, for example, [21,30,34,36]), which freely combines intuitionistic propositional additives with intuitionistic propositional multiplicatives, has its Kripke semantics given by the following satisfaction relation, where $V$ is an interpretation of propositional letters in $\wp(R)$, in the usual way:
This resource semantics for BI, that is, the interpretation of BI's semantics in terms of resources, underpins its applications to Separation Logic and its family of derivatives (see [18,19] for an extensive discussion) and is mainly concerned with sharing and separation.
Specifically, Separation Logic is usually given as a presentation (often using Hoare triples) of a specific theory of Boolean BI for a language of memory cells and pointers, with a model based on the stack and the heap [25]. Versions of Separation Logic that are based on (intuitionistic) BI, as given above, are also possible [25].
In Boolean BI (BBI) [25,37], the additives are classical, so that the order is collapsed to equality in the partial monoid. Thus we have
The semantics described above is otherwise unchanged. Thus sharing of resources is captured by additive connectives, such as $\wedge$, while separation of resources is captured by multiplicative connectives, such as $*$. These connectives are the logical kernels of the family of separation logics, with resources being interpreted in various ways, such as memory regions [25,37] or elements of other particular monoids of resources [9]. This semantic view of resource stands in stark contrast to the 'number-of-uses' reading of Linear Logic's proof theory [23]. We shall return to this point in the sequel, where we consider the evolution of a model of a system of resources.
This framework of resource semantics has also been extended to modal logic. Specifically, we can set up a conservative extension (a 'Logic of Separating Modalities', or LSM [15]) of the modal logic S4 which adds multiplicative modalities, that is, modalities that are parametrized on (local) resources. These modalities are defined relative to two-dimensional worlds, one dimension of which captures the S4 accessibility relation and one of which supports the resource parametrization.
Roughly speaking, an LSM model is a 4-tuple $(W, \mathcal{R}, R, V)$, where $W$ is a set of worlds, $\mathcal{R} = (Res, \bullet, e)$ is a partial monoid of 'resources', $R \subseteq (W \times Res) \times (W \times Res)$ is a reflexive and transitive relation, and $V$ is an interpretation of propositional letters in $\wp(W \times Res)$. Then, using both dimensions of 'worlds' to handle, respectively, classical modality and resource parametrization, we have
$w, r \models \Diamond_s \phi$ iff there exist $w' \in W$ and $r' \in Res$ such that $r \bullet s \downarrow$, $(w, r \bullet s)\,R\,(w', r')$ and $w', r' \models \phi$;
$w, r \models \Box_s \phi$ iff for all $w' \in W$ and all $r' \in Res$, if $r \bullet s \downarrow$ and $(w, r \bullet s)\,R\,(w', r')$, then $w', r' \models \phi$.
Here, s is the local resource, associated with the modality, and r, in the model, is the ambient resource.The modalities are read as asserting that φ is possibly (respectively, necessarily) true at the world (w, r) subject to the availability of additional resource s.
Note that two other pairs of modalities are derivable from these:
- The basic additive modalities: $w, r \models \Diamond\phi$ iff there exist $w' \in W$ and $r' \in Res$ such that $(w, r)\,R\,(w', r')$ and $w', r' \models \phi$; and $w, r \models \Box\phi$ iff for all $w' \in W$ and all $r' \in Res$, if $(w, r)\,R\,(w', r')$ then $w', r' \models \phi$.
- Multiplicative modalities with undetermined additional resource parameters: $w, r \models \Diamond_\bullet \phi$ iff there exist $w' \in W$ and $s, r' \in Res$ such that $r \bullet s \downarrow$, $(w, r \bullet s)\,R\,(w', r')$, and $w', r' \models \phi$; and $w, r \models \Box_\bullet \phi$ iff for all $w' \in W$ and all $s, r' \in Res$, if $r \bullet s \downarrow$ and $(w, r \bullet s)\,R\,(w', r')$, then $w', r' \models \phi$.
Full details of the derivations of these modalities may be found in [15] (Lemma 6), where the conservativity of LSM over S4 is also established (in Section 5). The key feature of BI as a modelling tool (and hence of its specific model, Separation Logic) is the control over the representation and handling of resources provided by the resource semantics and the associated proof systems. Notice that, in the semantics given above, the components of the additive conjunction, $\wedge$, share resources, whereas the truth condition for the multiplicative conjunction, $*$, requires separate resources for each component. Notice also that this interpretation extends to the multiplicative implication as follows: $-\!*$ can be seen as (the type of) a function that combines the resource required to support itself with the resource required to support its argument to give the resource required to support the application of the function to its argument (see [30,31]). Finally, notice also that we do not assume (in the manner of hybrid logic) the existence of an atomic proposition for each element $s$ of the set $Res$ with $r \models s$ iff $r = s$: from the perspective of resource semantics, such an assumption, the motivations for which would be somewhat technical and essentially syntactic, is not well supported. In particular, we would argue that such an assumption obscures the natural structure of the modalities that we wish to explore and, moreover, imposes a constraint on the relationship between worlds and their properties that we do not wish to adopt in general. We will return to this point briefly in Section 2.
BI's sequent proof systems employ bunches, with two context-building operations: one for the additives, characterized by $\wedge$, which admits Weakening and Contraction, and one for the multiplicatives, characterized by $*$, which admits neither. Bunches are not finite sequences of formulae but finite trees, with formulae at the leaves and the context-building operations at the internal vertices. For the details of the set-up, see [30,31,36].
In this set-up, we have the following right rules for the conjunctions and their corresponding implications, $\to$ and $-\!*$:
Again, details may be found in the references given above. In this setting, the structural rules of Weakening and Contraction arise as follows:
In the former rule, the leaf $\phi$ is replaced by the bunch $\phi\,;\,\psi$ and, in the latter rule, the sub-bunch (in the evident sense) $\phi\,;\,\phi$ is replaced by the formula $\phi$. In both cases, $;$ (rather than $,$) is used. The soundness and completeness of BI's proof systems for the semantics given above is established in [30,36] and elsewhere, and via labelled tableaux in [21]; the completeness of BBI for the partial monoid semantics described above is discussed comprehensively in [27].
The idea of resource semantics as it derives from BI and its models and its use as modelling tool is discussed extensively in [35], in an article that is intended to be widely accessible to logicians and computer scientists.
Girard's Linear Logic (LL) [23] also decomposes the logical connectives into additive and multiplicative forms (for classical and intuitionistic conjunction and disjunction, but not for intuitionistic implication). However, it does so in a very different way from BI. Instead of employing bunches to control the structural rules, LL introduces the so-called exponentials, the $!$- and $?$-modalities (similar to S4's $\Box$ and $\Diamond$), which have the following left and right rules:
Then the structural rules of Weakening and Contraction arise as
Restricting to a single-conclusioned calculus for intuitionistic LL, we have just the $!$.
At this point, we may ask what the relationship between BI and LL is. The short answer is that they are essentially incomparable. This is explained in detail in the references given above (e.g., [30,34,35]), but the essential point can be seen in terms of their differing treatments of intuitionistic implication. In BI, which can be considered to freely combine intuitionistic propositional logic and multiplicative propositional linear logic, intuitionistic implication is present directly. In LL, intuitionistic implication, $\phi \supset \psi$, is represented using Girard's translation
Such a representation does not exist in BI. This can be seen, as described in [30,34,35], using an argument based on category-theoretic models of BI's proofs. Specifically, BI's proofs are modelled by bi-cartesian doubly closed categories, and there is no endofunctor $!$ on such a category that satisfies (the interpretation of) Equation (1).
Returning briefly to truth-functional semantics and its resource interpretation, we remark that LL's recently developed Kripke semantics [12] does not, as it stands, admit a direct resource interpretation of the kind outlined above. The possibility of such interpretations is an interesting issue.
Modal extensions of BI, such as MBI [1,9], DBI, and DMBI [13], have been proposed to introduce dynamics into resource semantics. In recent work, the idea of introducing agents, together with their knowledge, into the resource semantics has led to an Epistemic Separation Logic, called ESL, in which epistemic possible worlds are considered as resources [14]. This logic corresponds to an extension of Boolean BI with a knowledge modality, $K_a$, such that $K_a\phi$ means that the agent $a$ knows that $\phi$ holds.
Various previous works on epistemic logics consider the concept of resource, using a variety of approaches; they include [3,24,29]. Here we aim to explore more deeply the idea of epistemic reasoning [16] in the context of resource semantics and its associated logic, by taking the basic epistemic modality $K_a$ and parametrizing it with a resource $s$, which introduces relations, according to an agent, not only between resources but also between resources composed in different ways. The parametrizing resource may be thought of as being associated with, or local to, the agent. This approach leads to the definition of two new modalities, $L^s_a$ and $M^s_a$, and consequently to a new logic in which, as a leading example, we can obtain an account of access to resources and its control, whether they be pieces of knowledge, locations, or other entities. We call this logic Epistemic Resource Logic, or ERL.
In Section 2, we set up the logic ERL by a semantic definition and, in Section 3, we give the key conservative extension properties of the logic and also introduce a useful sublogic, ERL*. In Section 4, we explain how to use the logic to model and reason about the relationship between a security policy, in the context of access control, and the system to which it is applied (cf. Schneier's Gate problem [38]). Our application to systems security policy stands in contrast to other work (e.g., [33]) in which epistemic logic has been applied to the analysis of cryptographic protocols. We complete that section with other examples, including joint access and semaphores, which illustrate the applicability of ERL from these perspectives. In Section 5, we set up a labelled tableaux calculus for ERL, and establish soundness with respect to ERL's semantic definition and also completeness via a countermodel extraction method. We apply the approach and techniques already used for designing such labelled tableaux for other modal extensions of BBI [13][14][15]. Details of the arguments are provided in the appendices. Our arguments also encompass the sublogic ERL*. Further work will be devoted to further study of the logic and its variants, including intuitionistic and dynamic systems, to local reasoning for resource-carrying agents [25,37], to connections with other approaches to modelling the relationship between policy and implementation in system management [39], and to approaches involving logics for layered graphs [1,10]. The work presented here builds upon and strongly develops early ideas presented in [20].

An epistemic resource logic
Epistemic logic is the logic of knowledge and belief. It is concerned with what agents know and believe. The knowledge and beliefs of agents are represented using modalities which assert the truth of propositions relative to agents' judgements of the relationship between worlds [16]. In the setting of resource semantics, worlds are interpreted as representing available resources, and agents make judgements about the equivalence of resources.
The language $\mathcal{L}$ of the epistemic resource logic, or ERL, is obtained by adding two new modal operators, $L$ and $M$, to the language of Boolean BI. In order to define the language of ERL, we introduce the following structures: a finite set of agents $A$; a finite set of resources $Res$, with a distinguished element $e$; an internal composition operator $\bullet$ on $Res$ ($\bullet : Res \times Res \rightharpoonup Res$); and a countable set of propositional symbols $Prop$. The language $\mathcal{L}$ of ERL is defined as follows:
where $p \in Prop$, $a \in A$ and $s \in Res$.
In this context we call $s$ the agent's local resource. We also define the dual operators $\overline{M}{}^s_a\phi \equiv \neg M^s_a\neg\phi$ and $\overline{L}{}^s_a\phi \equiv \neg L^s_a\neg\phi$. The meanings of these connectives are given by the sequence of definitions that follows. For simplicity, we write $rs$ instead of $r \bullet s$, and so write $L^{rs}_a\phi$ instead of $L^{r \bullet s}_a\phi$. Note that we introduce modalities that depend on both agents and resources, and compare them with previous work on an epistemic extension of Boolean BI [14]. With a slight abuse of notation, we have explicit resources in the language syntax: just as in [15], we must assume that the resource elements present in the syntax of the modalities have counterparts in the partial resource monoid of the semantics. This design choice has consequences both for the expressivity of the logic and for the formulation of the tableaux calculus. In the sequel, $\downarrow$ denotes definedness and $\uparrow$ undefinedness.
Definition 1 (Partial resource monoid). A partial resource monoid (PRM) is a structure $\mathcal{R} = (R, \bullet)$ such that
- $R$ is a set of resources such that $Res \subseteq R$ (which notably means that $e \in R$), and
- $\bullet : R \times R \rightharpoonup R$ is an operator on $R$ such that, for all $r_1, r_2$,
We call $e$ the unit resource and $\bullet$ the resource composition. Henceforth, $\wp(R)$ denotes the powerset of $R$.
Note that we implicitly consider that the resource composition $\bullet$ is compatible with equality between resources. That is, if $r_1 = r_2$ and $r_1 \bullet r_3 \downarrow$, then $r_2 \bullet r_3 \downarrow$ and $r_2 \bullet r_3 = r_1 \bullet r_3$ (right-composition property of $\bullet$). We also have the left-composition property, since $\bullet$ is commutative.
for all $a \in A$, $\sim_a \subseteq R \times R$ is an equivalence relation, and
We can place this logic in the context of our previous work on modal [9,10] and epistemic extensions of (Boolean) BI [13,14]. In [14], an epistemic extension of Boolean BI, called ESL, is introduced. In this logic, there is just one epistemic modality, $K_a$, which expresses the knowledge of an agent $a$. The modalities employed in that system and those employed in the system presented herein stand in contrast to the modalities of the system LSM described in Section 1 in that they make essential use of the notion of agent in their definition.
More formally, the semantics of this modality is defined by $r \models_{\mathcal{M}} K_a\phi$ if and only if, for all $r'$ such that $r \sim_a r'$, $r' \models_{\mathcal{M}} \phi$, where $r$ and $r'$ are semantic worlds (or resources) and $\sim_a$ is a relation between worlds expressing that they are equivalent from the point of view of the agent $a$. The parametrization of modalities on resources derives from ideas that are conveniently expressed in, for example, [9,10].
In this paper, we aim to develop this idea by considering a modality like $K_a$ and parametrizing it on a resource $s$, requiring the world relation to be of the form $r \bullet s \sim_a r'$, or $r \sim_a r' \bullet s$, or even $r \bullet s \sim_a r' \bullet s$. Then, in the spirit of ESL, we define a new logic from Boolean BI that allows us to model not only relations between resources according to an agent, but also how those relations are restricted by resources. We can also consider the resources upon which the agent's relations are parametrized to be local to the agent.
In this spirit, we define two new modalities, $L^s_a\phi$ and $M^s_a\phi$, with notation building on the usual one in epistemic logic, for which we have the following semantics expressing two forms of the agent's contingency for truth in the presence of composable resources:
1. $L^s_a\phi$ expresses that the agent $a$ can establish the truth of $\phi$ using a given resource whenever the ambient resource, $r$, can be combined with the agent's local resource, $s$, to yield a resource that $a$ judges to be equivalent to that given resource.
In other words, $L^s_a\phi$ is true relative to the ambient resource $r$ iff, for $a$'s views of the combination of the ambient resource $r$ and its local resource $s$, $\phi$ is true. More formally, we have
$r \models_{\mathcal{M}} L^s_a\phi$ iff $r \bullet s \downarrow$ and, for all $r' \in R$, if $r \bullet s \sim_a r'$ then $r' \models_{\mathcal{M}} \phi$.
2. $M^s_a\phi$ expresses that the agent $a$ can establish the truth of $\phi$ if there exists a resource that can be combined with its local resource, $s$, such that $a$ judges the combined resource to be equivalent to the ambient resource, $r$.
In other words, $M^s_a\phi$ is true relative to the ambient resource $r$ iff, in $a$'s view, the ambient resource is the combination of the local resource $s$ with another resource, and that combination makes $\phi$ true. More formally, we have
$r \models_{\mathcal{M}} M^s_a\phi$ iff there exists $r' \in R$ such that $r' \bullet s \downarrow$, $r \sim_a r' \bullet s$ and $r' \bullet s \models_{\mathcal{M}} \phi$.
ERL can thus be seen as a particular epistemic logic that provides new modalities which model access to resources, whether they are interpreted as pieces of knowledge, locations, or otherwise.
Note that we could obtain operators with similar semantics by taking the epistemic separation logic ESL [14] and adding to it the hybrid operators of the hybrid logic HyBBI [4]. Such a framework would allow us to use symbols, called nominals, that force a formula to hold at a specific resource. Namely, if we consider a nominal $n_s$ forcing the resource $s$, we could define the modality $L^s_a\phi$ by $L^s_a\phi \equiv n_s \mathrel{-\!*} K_a\phi$ and recover the semantics given in this section for this modality. Moreover, we could define the modality $M^s_a\phi$ by $M^s_a\phi \equiv \overline{K}_a((\top * n_s) \wedge \phi)$, where $\overline{K}_a$ is the dual of $K_a$. Observations like this are quite common for logics of the kinds considered here, but our view is that conceptual clarity, rather than syntactic ingenuity, should drive the design choices.
This hybrid approach based on nominals represents a significant technical addition to our semantic assumptions that is not justified by the motivations of resource semantics, introducing a confusion between resources and propositions that we consider inconvenient for our intended modelling applications. Moreover, we would argue that the identities between the modalities that are induced obscure rather than elucidate their meaning (although we concede that the identities may be of use in mechanical implementations) and lead to a less elegant analysis. Furthermore, working with the hybrid semantics requires additional work in setting up the tableaux-based metatheory for the logic, as discussed in Section 5.
It therefore seems appropriate to add the epistemic operators systematically in a clean semantic setting.

Definition 3 (Satisfaction and validity)
A formula $\phi$ is valid, denoted $\models \phi$, if and only if, for any model $\mathcal{M}$ and any resource $r$, we have $r \models_{\mathcal{M}} \phi$.
Proposition 1 (Satisfaction for the secondary modalities). Let $\mathcal{M} = (\mathcal{R}, \{\sim_a\}_{a \in A}, V)$ be a model, and let $r \in R$. The following statements hold:
Proof. Consider the first part, 1.
More intuitively, we can see that $\overline{L}{}^s_a\phi$ expresses that the agent $a$ can establish the truth of $\phi$ if there exists a resource such that the combination of the ambient resource, $r$, and the local resource, $s$, is judged by $a$ to be equivalent to that resource. Similarly, $\overline{M}{}^s_a\phi$ expresses that the agent $a$ can establish the truth of $\phi$ using any resource that is the combination of its local resource, $s$, with a resource such that $a$ judges the combined resource to be equivalent to the ambient resource, $r$. We shall see later that these dual modalities can also be useful for modelling systems.
Returning to the possible representation of the modalities in a hybrid version of ESL, we could define these dual modalities as follows: $\overline{L}{}^s_a\phi \equiv (\top * n_s) \wedge \overline{K}_a\phi$ and $\overline{M}{}^s_a\phi \equiv K_a((\top * n_s) \to \phi)$, with $n_s$ a nominal forcing the resource $s$. As we have previously explained, here we aim to avoid the confusion between resources (which are part of the model) and propositions (which are part of the language) that we consider inconvenient for our intended modelling applications.
Note that the first point of the definition of $\bullet$ in Definition 1 implies that the three other properties (neutral element, commutativity, and associativity) extend to $\bullet$, so that the following are semantically equivalent (i.e., every formula valid in the one is valid in the other) for any agent $a$ and any resources $r$, $s$, and $t$: $L^{re}_a\phi \equiv L^r_a\phi$, $L^{rs}_a\phi \equiv L^{sr}_a\phi$, and $L^{r(st)}_a\phi \equiv L^{(rs)t}_a\phi$. Of course, such equivalences also hold for $M^s_a\phi$, $\overline{L}{}^s_a\phi$, and $\overline{M}{}^s_a\phi$.

Some properties of ERL
We show that ERL is a conservative extension of Boolean BI (BBI) and Epistemic Logic (EL) and that, in the presence of additional properties of the partial resource monoid (Definition 1), there are some noteworthy relationships between modalities.
We consider two fragments of ERL. First, $\mathrm{ERL}_{BBI}$, corresponding to BBI [25], with $A = \emptyset$, on the language $\mathcal{L}_{|BBI}$ defined as $\mathcal{L}$ excluding the $L^s_a$ and $M^s_a$ operators. Second, $\mathrm{ERL}_{EL}$, corresponding to the epistemic logic EL consisting of the classical propositional additives and the basic epistemic operator $K_a$ [16], with $Res = \{e\}$, on the language $\mathcal{L}_{|EL}$ defined as $\mathcal{L}$ excluding $I$, $*$, and $-\!*$, and with $L^s_a$ and $M^s_a$ replaced by the operator $K_a$, which is defined, for all agents $a$, by $K_a\phi \equiv L^e_a\phi$.
Proposition 2 (ERL is a conservative extension of BBI and EL). If, in every model of BBI, the neutral element of the composition is the element $e$ of $Res$, then $\mathrm{ERL}_{BBI}$ is semantically equivalent to Boolean BI (BBI). If the agent sets are the same for the two languages, $\mathrm{ERL}_{EL}$ is semantically equivalent to the epistemic logic EL.
We now consider some properties of ERL; specifically, the way in which the different operators behave when used together in formulae. One interesting property we might require of our semantics, which is based on monoidal structure, is the compatibility of $\sim_a$ and $\bullet$. More precisely, we might require that if two resources are equivalent for an agent $a$, then composition with a third resource is transferred through this equivalence.
Although such a property can be very useful, it has, from the modelling perspective, some quite strong consequences: the transmission of properties of resources through agent-dependent equivalence is a strong assertion regarding agents' private accesses, and should be avoided when modelling some security properties.
Considering these concerns, we take this extra property to be optional, and identify it in a sublogic of ERL which we call ERL*.
Definition 4. The logic ERL* is defined as ERL with the addition of the following property to the partial resource monoid (Definition 1): for any agent $a$ and any resources $r, r', s \in R$, if $r \bullet s \downarrow$ and $r \sim_a r'$, then $r' \bullet s \downarrow$ and $r \bullet s \sim_a r' \bullet s$.
Note that we use the logic ERL* in the security modelling examples that we develop in the next section.
Lemma 1. Let $a \in A$ be an agent, $s, t \in Res$ be resources and $\phi$ be a formula of ERL*. We have the following properties:
Proof. First consider 1, the equivalence of $L^s_a(L^t_a\phi)$ and $L^{st}_a\phi$. Let $\mathcal{M}$ be a model and $r$ be a resource. Suppose that $r \models_{\mathcal{M}} L^s_a(L^t_a\phi)$. Then we have $r \bullet s \downarrow$ and, for any $r'$ such that $r \bullet s \sim_a r'$, $r' \models_{\mathcal{M}} L^t_a\phi$; that is, $r' \bullet t \downarrow$ and, for any $r''$ such that $r' \bullet t \sim_a r''$, $r'' \models_{\mathcal{M}} \phi$. Since $r \bullet s \sim_a r \bullet s$ by reflexivity, we may take $r' = r \bullet s$: then $r \bullet s \bullet t \downarrow$ and, for any $r''$ such that $r \bullet s \bullet t \sim_a r''$, we have $r'' \models_{\mathcal{M}} \phi$, which is $r \models_{\mathcal{M}} L^{st}_a\phi$. Conversely, suppose that $r \models_{\mathcal{M}} L^{st}_a\phi$, so that $r \bullet s \bullet t \downarrow$ (hence $r \bullet s \downarrow$) and, for any $r''$ such that $r \bullet s \bullet t \sim_a r''$, $r'' \models_{\mathcal{M}} \phi$. Let $r'$ be such that $r \bullet s \sim_a r'$. By the compatibility property of Definition 4, $r' \bullet t \downarrow$ and $r \bullet s \bullet t \sim_a r' \bullet t$. Let $r''$ be such that $r' \bullet t \sim_a r''$. Then, by transitivity, we have $r \bullet s \bullet t \sim_a r''$, and so $r'' \models_{\mathcal{M}} \phi$. We obtain $r \bullet s \downarrow$ and, for any $r' \in R$ such that $r \bullet s \sim_a r'$, $r' \bullet t \downarrow$ and, for any $r'' \in R$ such that $r' \bullet t \sim_a r''$, $r'' \models_{\mathcal{M}} \phi$. Then we have $r \models_{\mathcal{M}} L^s_a(L^t_a\phi)$, and the equivalence follows.
Now consider 6, the implication $\overline{M}{}^s_a\phi \to \overline{M}{}^t_a(\overline{M}{}^s_a\phi)$. Let $\mathcal{M}$ be a model and $r$ be a resource. Suppose that $r \models_{\mathcal{M}} \overline{M}{}^s_a\phi$. Then, for any $r'$ such that $r' \bullet s \downarrow$ and $r \sim_a r' \bullet s$, we have $r' \bullet s \models_{\mathcal{M}} \phi$. Let $r'$ be such that $r' \bullet t \downarrow$ and $r \sim_a r' \bullet t$, and let $r''$ be such that $r'' \bullet s \downarrow$ and $r' \bullet t \sim_a r'' \bullet s$. By transitivity we deduce that $r \sim_a r'' \bullet s$, and so $r'' \bullet s \models_{\mathcal{M}} \phi$. As this holds for any $r''$ such that $r'' \bullet s \downarrow$ and $r' \bullet t \sim_a r'' \bullet s$, we have $r' \bullet t \models_{\mathcal{M}} \overline{M}{}^s_a\phi$. As this in turn holds for any $r'$ such that $r' \bullet t \downarrow$ and $r \sim_a r' \bullet t$, we have $r \models_{\mathcal{M}} \overline{M}{}^t_a(\overline{M}{}^s_a\phi)$, which gives the implication for every resource $r$.
Note that the reverse implication, $\overline{M}{}^t_a(\overline{M}{}^s_a\phi) \to \overline{M}{}^s_a\phi$, is not valid. In fact, if $r \models_{\mathcal{M}} \overline{M}{}^t_a(\overline{M}{}^s_a\phi)$, then $\phi$ is satisfied by all $r'' \bullet s$ such that $r \sim_a r' \bullet t$ and $r' \bullet t \sim_a r'' \bullet s$ for some $r'$. But to have $r \models_{\mathcal{M}} \overline{M}{}^s_a\phi$, we must have $r' \bullet s \models_{\mathcal{M}} \phi$ for all $r'$ such that $r \sim_a r' \bullet s$, and not only for those for which the $\sim_a$-equivalence is built from $t$. So there is no equivalence between $\overline{M}{}^s_a\phi$ and $\overline{M}{}^t_a(\overline{M}{}^s_a\phi)$. All of the other cases are proved in similar ways.
We can extend our language with another modality, $N^s_a\phi$, that is also helpful from our modelling perspective. From this modality, which is a variant of $L^s_a\phi$, we can also derive $\overline{N}{}^s_a\phi$ such that $\overline{N}{}^s_a\phi \equiv \neg N^s_a\neg\phi$. $N^s_a\phi$ expresses that the agent $a$ can establish the truth of $\phi$ using any resource combined with its local resource, $s$, provided $a$ judges that combination to be equivalent to the combination of the local resource $s$ with the ambient resource $r$. In other words, $N^s_a\phi$ is true relative to the ambient resource $r$ iff, for those of $a$'s views of the combination of the ambient resource $r$ and its local resource $s$ that are themselves combinations with $s$, $\phi$ is true. More formally, we have:
$r \models_{\mathcal{M}} N^s_a\phi$ iff $r \bullet s \downarrow$ and, for all $r' \in R$, if $r' \bullet s \downarrow$ and $r \bullet s \sim_a r' \bullet s$, then $r' \bullet s \models_{\mathcal{M}} \phi$.
We can build $N^s_a\phi$ from the main modalities as follows.
Proposition 3. We have $N^s_a\phi \equiv L^s_a(\overline{M}{}^s_a\phi)$.
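To make the satisfaction clauses for $L^s_a$, $M^s_a$, their duals and $N^s_a$ concrete, and to check Proposition 3 and the two parts of Lemma 1 discussed above on a small finite model, here is an added worked example: a finite-model checker written for this page, not code from the paper or its authors. It assumes a constructed token monoid (resources are subsets of three tokens; composition is disjoint union, or plain union for a total monoid, which together with the observation-based agent equivalences below satisfies the compatibility condition of Definition 4), two constructed agents, and a single constructed valuation; every name in the block is this example's own.

```python
"""Finite-model checker for ERL: an added, constructed example (not code from the paper).

Resources are finite token sets. Two constructed monoids: disjoint union (partial, an ERL
model) and union (total; with the observation equivalences it meets the ERL* condition).
Formulas are nested tuples, e.g. ('L', 'a', frozenset({'k'}), ('p', 'p')) is L^{k}_a p.
"""
from itertools import combinations
from typing import Callable, Dict, FrozenSet, List, Optional, Set, Tuple

Res = FrozenSet[str]
Formula = tuple


def powerset(tokens: Tuple[str, ...]) -> List[Res]:
    """All subsets of the token universe, smallest first (the unit e = {} comes first)."""
    return [frozenset(c) for n in range(len(tokens) + 1) for c in combinations(tokens, n)]


def disjoint_union(r1: Res, r2: Res) -> Optional[Res]:
    """Partial composition r1.r2: defined only when the token sets are disjoint."""
    return None if r1 & r2 else r1 | r2


def union(r1: Res, r2: Res) -> Optional[Res]:
    """Total composition: never undefined, so the definedness clause of Definition 4 is trivial."""
    return r1 | r2


def observes(obs: FrozenSet[str]) -> Callable[[Res, Res], bool]:
    """~a: the agent cannot tell apart two resources that agree on the tokens it observes."""
    return lambda r1, r2: (r1 & obs) == (r2 & obs)


class Model:
    """An ERL model M = (R, {~a}, V); comp returns None where the composition is undefined."""

    def __init__(self, R: List[Res], comp, equiv: Dict[str, Callable], V: Dict[str, Set[Res]]):
        self.R, self.comp, self.equiv, self.V, self.e = R, comp, equiv, V, frozenset()

    def sat(self, r: Res, f: Formula) -> bool:
        op = f[0]
        if op == 'p':   return r in self.V[f[1]]
        if op == 'top': return True
        if op == 'I':   return r == self.e                      # multiplicative unit holds at e
        if op == 'not': return not self.sat(r, f[1])
        if op == 'and': return self.sat(r, f[1]) and self.sat(r, f[2])
        if op == 'imp': return (not self.sat(r, f[1])) or self.sat(r, f[2])
        if op == 'star':  # separation: r splits as r1.r2 with f[1] at r1 and f[2] at r2
            return any(self.comp(r1, r2) == r and self.sat(r1, f[1]) and self.sat(r2, f[2])
                       for r1 in self.R for r2 in self.R)
        if op == 'wand':  # r.r1 supports f[2] whenever it is defined and r1 supports f[1]
            return all(self.sat(self.comp(r, r1), f[2]) for r1 in self.R
                       if self.comp(r, r1) is not None and self.sat(r1, f[1]))
        a, sim = f[1], self.equiv[f[1]]
        if op == 'K':     # ESL's K_a: phi at every resource a cannot tell from r
            return all(self.sat(r1, f[2]) for r1 in self.R if sim(r, r1))
        s, g = f[2], f[3]
        if op in ('Lbar', 'Mbar', 'Nbar'):  # duals: Xbar phi == not X not phi
            return not self.sat(r, (op[0], a, s, ('not', g)))
        rs = self.comp(r, s)
        if op == 'L':     # r.s defined, and phi at every resource a cannot tell from r.s
            return rs is not None and all(self.sat(r1, g) for r1 in self.R if sim(rs, r1))
        if op == 'M':     # some r1.s that a cannot tell from r satisfies phi
            return any(self.sat(self.comp(r1, s), g) for r1 in self.R
                       if self.comp(r1, s) is not None and sim(r, self.comp(r1, s)))
        if op == 'N':     # r.s defined, and phi at every r1.s that a cannot tell from r.s
            return rs is not None and all(self.sat(self.comp(r1, s), g) for r1 in self.R
                                          if self.comp(r1, s) is not None and sim(rs, self.comp(r1, s)))
        raise ValueError(f"unknown connective {op}")

    def counterexample(self, f: Formula, g: Formula) -> Optional[Res]:
        """First resource where f and g disagree, or None when they are equivalent in this model."""
        return next((r for r in self.R if self.sat(r, f) != self.sat(r, g)), None)


# Constructed instance: a key token 'k', a document token 'd', a filler token 'x'.
# Agent a observes only whether the key is present; agent b sees every token.
TOKENS = ('k', 'd', 'x')
R = powerset(TOKENS)
EQUIV = {'a': observes(frozenset({'k'})), 'b': observes(frozenset(TOKENS))}
V = {'p': {r for r in R if 'd' in r}}                   # p: 'the document is present'
ERL_MODEL = Model(R, disjoint_union, EQUIV, V)          # partial monoid: an ERL model
ERL_STAR_MODEL = Model(R, union, EQUIV, V)              # total monoid: meets the ERL* condition

S, T, P, TOP = frozenset({'k'}), frozenset({'d'}), ('p', 'p'), ('top',)


def prop3_holds(model: Model) -> bool:
    """Proposition 3, N^s_a phi == L^s_a(Mbar^s_a phi), for both agents and several s and phi."""
    return all(model.counterexample(('N', a, s, g), ('L', a, s, ('Mbar', a, s, g))) is None
               for a in model.equiv for s in (model.e, S, T)
               for g in (P, TOP, ('not', P), ('star', P, TOP)))


def lemma1_part1_counterexample(model: Model, a: str = 'a', s: Res = S, t: Res = T,
                                g: Formula = TOP) -> Optional[Res]:
    """L^s_a(L^t_a phi) versus L^{st}_a phi: equivalent under the ERL* condition, not in general."""
    return model.counterexample(('L', a, s, ('L', a, t, g)), ('L', a, model.comp(s, t), g))


def lemma1_part6_valid(model: Model, a: str = 'a', s: Res = S, t: Res = T, g: Formula = P) -> bool:
    """Mbar^s_a phi -> Mbar^t_a(Mbar^s_a phi) at every resource; needs only that ~a is an equivalence."""
    return all(model.sat(r, ('imp', ('Mbar', a, s, g), ('Mbar', a, t, ('Mbar', a, s, g))))
               for r in model.R)


def lemma1_part6_converse_counterexample(model: Model, a: str = 'b', s: Res = S, t: Res = T,
                                         g: Formula = P) -> Optional[Res]:
    """A resource where Mbar^t_a(Mbar^s_a phi) holds but Mbar^s_a phi fails: the converse is not valid."""
    return next((r for r in model.R
                 if model.sat(r, ('Mbar', a, t, ('Mbar', a, s, g)))
                 and not model.sat(r, ('Mbar', a, s, g))), None)


if __name__ == "__main__":
    print("Prop 3 in ERL / ERL* model:", prop3_holds(ERL_MODEL), prop3_holds(ERL_STAR_MODEL))
    print("Lemma 1.1 counterexample, ERL / ERL*:", lemma1_part1_counterexample(ERL_MODEL),
          lemma1_part1_counterexample(ERL_STAR_MODEL))
    print("Lemma 1.6 converse counterexample:", lemma1_part6_converse_counterexample(ERL_MODEL))
```

Running it shows Proposition 3 holding in both models (its proof uses only that $\sim_a$ is an equivalence), the equivalence $L^s_a(L^t_a\phi) \equiv L^{st}_a\phi$ holding in the total model but failing at the unit resource of the partial one (there $r \bullet s \sim_a r'$ does not give $r' \bullet t \downarrow$, which is exactly what Definition 4 adds), and the resource $\{k\}$ witnessing, for the agent $b$ that sees every token, that the converse of part 6 of Lemma 1 is not valid.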
Modelling access control with the logic ERL*
In this section, we illustrate how to use ERL, and its special sublogic ERL*, to model access control situations. Security policies, such as those for access control, are often formulated separately from the architectural context in which they are intended to be applied. This can lead to the existence of vulnerabilities. Specifically, when a particular security policy is applied to a particular system, the security properties of the resulting system may not be as intended.
We aim to illustrate that the new operators $L^s_a$ and $M^s_a$ are appropriate for modelling situations in which access to resources (whether they are locations or pieces of data) is central. Indeed, both operators can be used to specify (in slightly different flavours) whether a resource satisfies a property from agent $a$'s perspective, granted that the local resource $s$ is present.
Before developing our examples, we recall that there exists a body of work based on Linear Logic (LL) and multiset rewriting for modelling some access control problems in specific situations. For example, multiset rewriting has been used to characterize security protocols [7]. Our aim here, however, is to provide a more general framework that can serve as a modelling tool in many situations rather than an ad hoc creation specific to a context. Even if such a framework, based on Linear Logic with modalities for authorization and knowledge, exists [22], we consider that the differences between LL and BBI make the latter a more convenient tool for modelling. Both are able to model aspects of the properties of resources, but in LL propositions represent resources, while in BBI (and, indeed, in BI) propositions represent properties of resources that can be expressed within the Kripke structures supporting resource semantics. LL focuses on the production and consumption (essentially, counting) of resources, while BBI focuses on separation and sharing of properties of resources. Modal extensions of BBI extend this view to incorporate the production and consumption of resources via the effects of actions in action modalities [13,15].
Because, as explained in the introduction and in a substantial body of literature [34], the semantics of BBI can be interpreted as a theory of resources and their properties, we can directly use resources as tokens in our modelling of systems [8]. Of particular note in this paper is the use of local resources. For example, $s$ in $r \models L^s_a\phi$ is of the same nature as the ambient resource $r$, but does not play the same role. This allows a simple integration of new actors of a system into a model using ERL and avoids the creation of new formal elements of a more ad hoc nature.

Modelling distributed systems
The construction of mathematical models always involves design choices.Our approach is guided the approach to modelling distributed systems articulated in [1,9].This approach builds upon the observation that, from a slightly abstract yet convenient point of view, the key structural components of a distributed systems are the following: -Locations.The basic architecture of the system is considered to be described by a collection of connected places.Mathematically, we need some topological structure, with directed graphs be perhaps the most commonly useful set-up.-Resources.Resources are situated at the locations identified in the system's architecture.They are the components of the system that are manipulated -that is, consumed, created, moved, and so on -as the system evolves in order to the deliver the services that it is intended to provide.Mathematically, we take the 'resource monoids' adopted in, for example, the semantics of BI, in Separation Logic and, indeed, in ERL.In the intuitionistic versions of these logics, we take a partially ordered (or sometimes preordered) partial monoid of resources.As we have seen in Section 1, the monoidal composition then captures the combination of resource elements and the ordering captures the comparison of resource elements.In the classical versions, we drop the ordering and work just with combination.-Processes.The services that a system provides are delivered by the execution of processes, during which resources are manipulated.Mathematically, in formal generality, we can describe processes using an algebraic calculus of processes.In [8], we have employed a variation of Milner's basic system, SCCS [28], adapted to capture the interaction with resources and locations.
In addition, we require the following concept:
- Environment. When a system is modelled, it is necessary to decide what its boundary is. Things that are outside the boundary are not represented in detail within the model. Nevertheless, the model must interact with its environment. Mathematically, this can be represented stochastically, using specified probability distributions to capture events at the boundary.
The structural components collectively represent the state of a system and can be used to define a process algebra with an operational semantics that defines their coevolution as actions occur [1,8,9]. When building models in this style, it is necessary to set up a notion of signature for a model. For basic actions a and locations L, we define an evolution that specifies the effect of a on the resource R at this L. We call µ a modification function.
In this setting, there is an associated modal logic with a satisfaction relation of the form L, R, E |= φ, which includes both additive and multiplicative action modalities [1,8,9]. Additive action modalities yield formulae of the form [a]φ, with a truth condition along the following lines: where we need the condition, part of the signature of the model, to the effect that the occurrence of the action a causes the evolution of L to L' and R to R' [1,8,9]. The multiplicative modalities allow actions to carry around local resources that can be combined with the ambient resource (so we consider L, R, E |= [a]_S φ and form R • S in the definiens of the satisfaction clause) to enable the evolution [1,8,9]. The logic is used both to constrain the model, through situation-specific logical properties, and to express desired or undesired properties of the system that are to be checked.
In the setting of modelling access control using ERL, locations, resources, and processes can all be represented, although we can make some simplifications.
- Locations. The examples we consider implicitly employ location architectures, but they are sufficiently simple that they can also be handled implicitly in the formalization, often through the treatment of resources.
- Resources. The resource elements considered carry the structure of resource monoids, and we make essential use of this in the models.
- Processes. Our examples only deal with the actions that are required to instantiate the epistemic modalities. Nevertheless, we provide discussions of how our examples can be understood in the location-resource-process context.
In this setting, we elide the modelling of the environment: since we are not seeking to build executable models, this simplification is of little or no consequence for our present purposes. In these senses, we are making use of a fairly pure version of resource semantics.
We employ a range of examples of security modelling using this approach. We begin, in Section 4.2, with 'Schneier's Gate', which illustrates the policy-architecture gap, and then consider two core systems-security situations: joint access control, in Section 4.3, and semaphores, in Section 4.4.

The 'Schneier's Gate' problem
Consider the example of 'Schneier's gate' [38], wherein a security system is ineffective because of the existence of a side-channel that allows a control to be circumvented. Here a facility that is intended to be secured is protected by a barrier that prevents cars from entering the facility. The barrier may be controlled by a token (such as a card, a remote, or a code) the holding of which distinguishes authorized personnel from intruders. If, however, the barrier itself is surrounded by ground that can be traversed by a vehicle, without any kind of fence or wall, then any car can drive around it (whether with malicious intent or simply to avoid the security procedure), and the access control policy, as implemented by the barrier and the tokens, is undermined. So, the access control policy (that only authorized personnel, in possession of a token, may take vehicles into the facility) is undermined by the architecture of the system to which it is applied.
We show how ERL* can be used to model, and so reason about, the situation described above (following [38]), illustrating how such situations can be identified by logical analysis. Related analyses, employing logical models of layered graphs, can be found in [11].
We follow the approach to distributed systems modelling sketched in Section 4.1 and elaborated in [1,8,9]. We start with a simple model, depicted in Figure 2, and gradually refine it. We model just a facility protected by an access barrier. We will need the following key components:
- Locations. We assume, for what is an architecturally simple model, just three locations: outside and inside of the area guarded by the barrier, and the barrier itself. In this simple setting, there is no need to incorporate an explicit representation of locations into our model's worlds.
- Resources. There are just three types of resource: vehicles (cars), access tokens, which are required to operate the barrier, and a marker for the presence of the barrier.
- Processes. In this simple setting, we do not need to employ the full, quite complex, structure of a process algebra; rather, the actions of a logic with action modalities (in particular, the action modalities of ERL*, with their epistemic semantics) will suffice.
In fact, our treatment of resource in this epistemic-logic setting is a little more subtle.
From the modelling perspective, the resources we have exposed here are diverse in nature: there is a material token (a key or card, for instance), there are cars, and there is just a marker for the presence and well-functioning of the barrier. This diversity raises the question of the meaning and value of the unit resource, e. We finesse this problem by accepting that resources encompass a variety of different objects, but we can also employ the epistemic nature of our logic and consider that resources represent not objects as such but rather the knowledge that a given object is in our system. A vehicle having the appropriate access token should be able to get inside. We consider the following sets of resources, agents, and logical properties of resources/system. Here we have the following: the atomic propositions O and J, respectively, express the state of being outside and inside the facility (we use J instead of I to avoid confusion with I, the unit operator); a resource element b is taken as a marker for the presence and well-functioning of the barrier; a token, required to operate the barrier, is denoted by a resource element t, and vehicles (cars) are denoted by resource elements c, c', etc.; for simplicity we are assuming that all resource elements are of the same sort, that is, are elements of the same resource monoid (this will cause no formal difficulty in this simple setting, though richer examples might require more care in this respect); u |=_M O means that u is outside the facility, and v |=_M J means that v is inside.
The agent α is a generic one that represents a user of the system; that is, say, the vehicle/driver that approaches the access control point. The resources b and t represent tokens that stand respectively for the barrier and the access token of the users.
So, c can be viewed as an abstract token marking the presence of a car, and t the presence of the required access device in this car. Thus resources act as an abstraction layer of our system. In this view, it is natural to see e as the absence of information (nothing is known of the system).
We have the following property: O → L^{bt}_α J. According to the semantics, based on a resource monoid R, c Thus the combination of the two tokens grants access to the inside. The use of the token b for the presence of the barrier helps in modelling a situation in which the barrier is completely shut or is broken (in which case entering would not be possible). Note that the formulae O → L^t_α J, O → L^b_α J, and O → L^e_α J are not valid, because we cannot enter if the barrier is shut, if we have no access token, or both.
The use of the operator L^s_α in this situation is illustrative. First, consider what differences the use of other operators would make. If we were to state O → M^{bt}_α J, then it would mean that anyone outside can get inside (without condition) and acquire the two access tokens. This is of course not what we expect. On the other hand, using N^s_α has an interesting effect. O → N^{bt}_α J requires not only that an entering agent have the expected tokens, but also that those tokens remain active once the agent is inside. This is slightly different from our first approach, in which we do not know whether the tokens are still active once the agent is inside.
We can also consider which of the additive implication, →, and the multiplicative, −*, would be the better modelling choice in this example. For a first approach, → seems quite sufficient. Indeed, if we assert O → L^{bt}_α J as valid, then any resource satisfies it. So, if we have a car c such that c |=_M O, we also have c |=_M O → L^{bt}_α J, and then we get the expected c |=_M L^{bt}_α J. However, if we consider more complex properties, the situation is different. Imagine, for example, an environment that is composed not only of the car c, but also of another entity, or piece of information, o. So, the use of −* instead of → is much more useful in more complex systems, as it allows us to set aside, as with Separation Logic's Frame Rule, some of the entities of our system and still apply the property.
Now we introduce agents to the model (see Figure 3). The first model may seem crude, because a single resource is used to model the access of any agent. So, we seek to benefit from the logic's ability to take agents into account.
We change the model by defining a detailed set of agents, A = {α, β, γ}, and now take three agents or users, α, β, and γ. Each user should have its own access token, and the resource set is modified accordingly: Res = {e, b, t_α, t_β, t_γ, c}. Now the slightly different formula O → L^{bt_a}_a J is valid for any agent a ∈ A. So, for example, O → L^{bt_α}_α J is valid, which means that α can get inside with its own token, but O → L^{bt_β}_α J is not, which means that α cannot use β's token.
Now consider the case in which access is controlled and the agents are supposed to cross the barrier only if they have the appropriate access device. We want to capture the fact that the system can actually be flawed (as mentioned in the problem presentation). This is actually quite easy to do, because being able to circumvent the barrier just means being able to get inside the complex without any token. We could be a little more specific by imagining that some agents know the shortcut (or dare to use it) and others do not (see Figure 4). In the previous setting, suppose that the agent β is aware of the shortcut and is disposed to use it. Our new set of properties should now be the following: The unit resource e expresses direct access (with no resource needed). Note how the use of agents can help us to express different security policies in the same model.
We can reasonably suppose that such a flawed system would be quickly dealt with; for example, by installing a fence that would prevent going around the barrier (see Figure 5). We could, of course, just model that by removing our last addition and getting back to the intended policy, but it is more interesting to encode it by a formula. For example, we might then also describe a fault in the fence (or its removal). To do so, we can simply add a propositional formula F that is valid for any resource provided there is a fence preventing the passage of 'rogue' agents. Our system then becomes Having established a system of formulae that describes our modelling situation quite clearly, we can seek to establish some properties of the model. The idea is to establish a property of the system that goes beyond its basic definition. For example, we may want to check that every agent inside the facility has passed the barrier and has its access token in its possession. This means that we must prove that, for every agent a ∈ A, J → M^{bt_a}_a J. Indeed, if c |=_M J → M^{bt_a}_a J, this means that if c |=_M J, then there exists c' ∈ R such that c ∼_a c' • b • t_a and c' • b • t_a |=_M J, which expresses that every resource representing a car that is inside must in fact be equivalent, for an agent a ∈ A, to a resource that is inside and is composed with both the appropriate token t_a and the barrier token b. This is exactly what we wanted to capture.
Notice that this particular property is not verified by the system we described in our set-up. Indeed, as noted previously, specifying entrance with r |=_M O → L^{bt_a}_a J makes J satisfied by any resource r' such that r • b • t_a ∼_a r'. We can see that r' need not contain b and t_a. The use of N^{bt_a}_a instead solves this problem: we then have r
So far, we have considered only simple situations, mainly one car crossing the barrier in various situations. Of course, we may wish to consider more complex models and establish similar properties. For example, we may want to see what happens if several cars are modelled together in the system.
We have the sets of properties in the form of implications stated before. To state that there is a car in the system, we just assert that the formula O is valid. Then, by looking at the semantics of our formulae, we create a resource c which satisfies that formula. In order to have several cars, we might at first be tempted to assert something like O ∧ O ∧ O (for three cars). However, given our semantics, we have trivially that O ∧ O ∧ O ≡ O, which is inconvenient for our modelling purpose. It is better to state O * O * O, using the multiplicative conjunction, instead. Then, to satisfy this formula, we need indeed three resources c_1, c_2, c_3, and we have that, for each car to gain access, a token is required for that car. Then, using −* as described above, we can see the system evolve as cars are allowed inside. Thus, the use of * is particularly relevant to model several instances of the same object.
Of course, we could easily enrich this model to make more distinctions between different cars and their different properties, but the essentials of the model would remain the same.
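As an added example (not code from the paper), the following Python model checker evaluates the connectives discussed in this section over a constructed finite partial resource monoid: the satisfaction clauses for L^s_a and M^s_a are transcribed from the text, while the clause for N^s_a, the bounded token multisets, the agents' equivalence relations and the valuation of O and J are assumptions of the example. It reproduces the checks discussed above (O → L^{bt}_α J valid but O → L^t_α J, O → L^b_α J and O → L^e_α J not; the contrast between L and M; the frame-like use of −*; and O ∧ O ∧ O versus O * O * O).

```python
"""Constructed finite model checker for ERL-style formulae (example code, not the
paper's own). Resources are multisets of tokens forming a partial monoid; each
agent has an equivalence ~_a on resources that is compatible with composition.
The clauses for L and M follow the text; the clause for N and the valuation are
assumptions made for this example."""
from collections import Counter
from itertools import combinations, product

TOKENS = ("b", "t", "c", "o")             # barrier marker, access token, car, other entity
BOUND = {"b": 1, "t": 1, "c": 3, "o": 1}  # bounds keep the monoid finite (assumption)
E = ()                                    # the unit resource e (empty multiset)

def res(*toks):
    """A resource element as a sorted tuple, i.e. a multiset of token constants."""
    return tuple(sorted(toks))

def compose(r, s):
    """Partial composition r • s: multiset union, undefined (None) beyond BOUND."""
    joined = res(*(r + s))
    return None if any(Counter(joined)[k] > BOUND[k] for k in TOKENS) else joined

DOMAIN = [res(*(k for k, n in zip(TOKENS, ns) for _ in range(n)))
          for ns in product(*(range(BOUND[k] + 1) for k in TOKENS))]

def splits(r):
    """All pairs (r1, r2) with r1 • r2 = r."""
    cnt = Counter(r)
    for r1 in DOMAIN:
        c1 = Counter(r1)
        if all(c1[k] <= cnt[k] for k in TOKENS):
            yield r1, res(*(cnt - c1).elements())

def congruence(generators):
    """Least equivalence on DOMAIN containing the generating pairs and compatible
    with composition (cf. the r_a, s_a, t_a and k_a closure rules of Section 5)."""
    parent = {r: r for r in DOMAIN}
    def find(r):
        while parent[r] != r:
            r = parent[r]
        return r
    def union(x, y):
        rx, ry = find(x), find(y)
        if rx == ry:
            return False
        parent[rx] = ry
        return True
    for x, y in generators:
        union(x, y)
    changed = True
    while changed:                 # propagate x ~ y  ==>  x•s ~ y•s (when both defined)
        changed = False
        classes = {}
        for r in DOMAIN:
            classes.setdefault(find(r), []).append(r)
        for members in classes.values():
            for x, y in combinations(members, 2):
                for s in DOMAIN:
                    xs, ys = compose(x, s), compose(y, s)
                    if xs is not None and ys is not None and union(xs, ys):
                        changed = True
    return lambda x, y: find(x) == find(y)

# Constructed valuation: O = a car that has not passed the barrier; J = car, barrier
# marker and token together, which is what asserting O -> L^{bt}_alpha J forces J to cover.
VAL = {"O": lambda r: "c" in r and "b" not in r,
       "J": lambda r: all(k in r for k in ("c", "b", "t"))}
# alpha has only the identity congruence; beta (a constructed contrast) can acquire b and t.
SIM = {"alpha": congruence([]),
       "beta": congruence([(res("c"), res("b", "c", "t"))])}

def sat(r, f):
    """r |= f, formulae being tuples such as ("L", "alpha", res("b", "t"), ("atom", "J"))."""
    op = f[0]
    if op == "atom": return VAL[f[1]](r)
    if op == "not": return not sat(r, f[1])
    if op == "and": return sat(r, f[1]) and sat(r, f[2])
    if op == "imp": return (not sat(r, f[1])) or sat(r, f[2])
    if op == "star":   # r = r1 • r2 with r1 |= f1 and r2 |= f2
        return any(sat(r1, f[1]) and sat(r2, f[2]) for r1, r2 in splits(r))
    if op == "wand":   # every r' |= f1 with r • r' defined gives r • r' |= f2
        return all(sat(compose(r, r2), f[2]) for r2 in DOMAIN
                   if compose(r, r2) is not None and sat(r2, f[1]))
    _, agent, s, g = f
    sim = SIM[agent]
    if op == "L":      # every r' with r • s ~_a r' satisfies g (clause from the text)
        rs = compose(r, s)
        return rs is None or all(sat(r2, g) for r2 in DOMAIN if sim(rs, r2))
    targets = [compose(r2, s) for r2 in DOMAIN if compose(r2, s) is not None]
    if op == "M":      # some r' with r ~_a r' • s and r' • s |= g (clause from the text)
        return any(sim(r, x) and sat(x, g) for x in targets)
    if op == "N":      # every r' with r ~_a r' • s has r' • s |= g (assumed dual of M)
        return all(sat(x, g) for x in targets if sim(r, x))
    raise ValueError(op)

def valid(f):
    """A formula is valid in the model when every resource element satisfies it."""
    return all(sat(r, f) for r in DOMAIN)
```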

Joint access
One of the most common problems of access control is joint access, and we propose to model a very simple example with our logic. The background for this example can be found in many films about the cold war era: the situation is that a critical system, such as one that controls the release of nuclear weapons, as in 'Crimson Tide' [5], is secured by two different keys, each one held by a different operator. For the system to unlock, it is necessary that both operators activate their keys simultaneously. We provide a logical analysis of this situation.
From our systems modelling perspective, we can set this up quite simply, as depicted in Figure 6.
Fig. 6. Joint access
Some of the modelling choices made here are quite obvious: we need two agents, and two associated resources representing their keys. So, we take A = {α, β} and Res = {k_1, k_2, e}. Implicitly, the formulae will express that α is associated with k_1 and β with k_2. Also implicitly, we are employing four locations, l_1 to l_4, so that we can sketch a system model as where l_3 • l_3 =def l_3, and where the modification function of the model, which describes how the keys move from location to location, is given by Focussing on our logical modelling, and suppressing for now the location architecture, we must express the fact that each agent (representing here a simplified notion of process) must use its key. Of course, as the whole point of the example is to illustrate how two separate accesses unlock the system, each use of a key must be modelled with a different formula. We propose the following formulae for this purpose: We use the atomic formula since we do not need to access any property; rather, we need only to update α's and β's accessible worlds to express that k_1 and k_2 are now activated. If we consider M^{k_1}_α for instance, then if r |=_M M^{k_1}_α , there exists a resource r' such that r ∼_α r' • k_1 and r' • k_1 |=_M . Given this last statement, we have that there exists r' such that r ∼_α r' • k_1. Thus, with this formula we have stated that α can reach a state in which k_1 is activated. The second formula states the same for β and k_2.
We must express that whenever both keys are present, the system can be unlocked. We could consider using a formula such as M^{k_1 k_2}_α U, where U is an atomic formula expressing that the system is unlocked. However, we can see at once that this choice is problematic. Indeed, this formula depends on α, but the point of joint access is that none of the agents involved is responsible on its own for the activation of the device. Moreover, should we decide to proceed with such a formula, it would fail to do the required job: k_2 is brought into the system by β, and only α is present in the formula. Obviously, using β instead of α raises the same problems (symmetrically).
It seems, therefore, that our model lacks (at least) an agent. We introduce an omnipotent agent o (and thus A = {α, β, o}). The idea is to have an agent that can see and use whatever α and β can, without the two sharing knowledge or potential action. This agent can be interpreted either as a global authority or just as a modelling of the device itself (the computer that accepts the keys and executes the order). Now, with this extra agent, M^{k_1 k_2}_o U seems to be an acceptable candidate for modelling the unlocking of the system. This states that any state reachable for o that contains k_1 and k_2 triggers the unlocking. However, we still need to express o's capability. To do that, we introduce the following set of formulae: This expresses that any access to a resource by an agent through the modality M can be transferred to o. Of course, in a more general setting, we could state similar things for the other operators, but, in this very particular example, only M will be useful.
Finally, for the system to work, we need to activate both keys simultaneously. A first approach could be to conjoin the two key-activation formulae with ∧: This does not produce the desired result. Indeed, if r β , then we get r ∼_α r' • k_1 and r ∼_β r'' • k_2, whereas we intended to have the combination of k_1 and k_2, which is here not obvious. Thus, the best way is in fact to use β . Beyond the simple correctness of our modelling, this use of * is quite convincing, as we aimed to model the separated use of two keys.
Thus we have modelled our situation as follows: We can check that this has the desired effect; that is, that whenever both keys are present, the system can be unlocked. Consider a resource r that forces (2) and (3). The forcing of (3), unpacked, means that for all r' such that r On the other side, unpacking (2) gives We can then instantiate (1) twice, with ag = α, s = k_1, and φ = , and then with ag = β, s = k_2, and φ = , to get that there exist r_1, r_2 such that r = r_1 • r_2 and Unpacking this, we get that there exist r_1, r_2, r_1', r_2' such that r = r_1 • r_2 and By the compatibility of • and ∼, we obtain that r

Semaphores
Another important example of modelling in access control concerns concurrency in parallel programming. We have described in the introduction how Separation Logic, built on BI, is a powerful and efficient tool for modelling memory management. We propose, in this section, a similar exercise with ERL*, in which we use it to model programs accessing memory, and the particular example of simple concurrency with semaphores. First, we establish the general basis of our modelling approach. We consider a multiprocessor (or a set of different systems) which is seeking to run multiple programs or tasks with a limited amount of memory space.
- The set R of resources will represent the memory of the system, Res being a subset of the memory specified for each problem. e always denotes an empty set of information in the memory. Thus, in this example, we again suppress location, conflating it with resource.
- The set of agents A represents all the different threads or processes which are running the tasks.
- Two parts, m and m', of the memory are linked by the relation ∼_α if access to m is equivalent to access to m' for the process α.
- Finally, we use propositions of ERL* to model programs run by the threads. Thus, when we write m |=_M P, we mean that the memory stored in m is used to run the program P.
Just as in the example of joint access, we can set up our modelling of semaphores in the context of our general approach to systems modelling. We suppress the details here, preferring to use the simplified approach afforded by the logical tools introduced in this paper, but see [15] for examples of similar models that follow the systems modelling approach more closely. So, consider how to model semaphores in this context. Recall that semaphores are simple pieces of program which use flags or tokens to ensure that a specific portion of a program, called the critical section, is always accessed by at most one process. We use an arbitrary set of agents A, and the set of resources Res = {e, t}, where t is a token marking the entrance into the critical section. We also have two propositions C and NC, the former being the critical section of code, the latter being all the non-critical part of the code. Note that, here, the agents correspond to processes.
We consider the following formulae, which constrain the model, for any arbitrary process α ∈ A: ). The Guard formulae, true for any two different processes α and α', ensure that two processes cannot enter a critical section together. Indeed, if, for any Guard formula, we have that m |=_M Guard, then, if there is m' such that m • t ∼_α m', there is no m'' such that m • t ∼_{α'} m''. That is, for any process p which has the token t in memory, no other process p' can get the token.
The In formula specifies that the process α enters the critical section. If we have that m |=_M In, then, if m |=_M NC, then, for any m' such that m • t ∼_α m', we have that m' |=_M C. That is, if a process is running the non-critical section, the addition of the token t gives it access to a memory state sufficient to run the critical section.
Symmetrically, the Out formula expresses the exit of p from a critical section. If This allows us to delete t from the memory accessible by α. The second part of the formula, M^e_α NC, states that there is a state m' such that m ∼_α m' and m' |=_M NC; that is, α gets back into the non-critical section.
No memory state that satisfies NC after C has been executed can have t in it. So, once this formula is taken into account, either p can continue to execute C or go into NC and release the token t. We can now see whether the guard we proposed is sufficient to ensure that no two processes can enter the critical section together. We do that in a simple way, by introducing the (new) formula NC * NC. If we have m |=_M NC * NC, then we have m = m_1 • m_2, with m_1 |=_M NC and m_2 |=_M NC. This is a fair representation of two processes running the non-critical section in parallel, each one using a different part of the memory (cf. the treatment of concurrent composition in [1,9] and in Concurrent Separation Logic [32]). Now consider a process α_1 and suppose it has access to the token; that is, there exists m_1' such that m_1 • t ∼_{α_1} m_1'. If In is valid, then we have in particular that m_1 |=_M In and thus we have m_1' |=_M C. Now, α_1 is executing the critical section with m_1'. Could another process α_2 access the critical section with m_2? The guard should prevent it. Indeed, if Guard is valid, then we have m |=_M Guard. Yet, we have established that m_1 • t ∼_{α_1} m_1'. We also have that m = m_1 • m_2 and, by right composition, we have By applying m |=_M Guard with α = α_1 and α' = α_2, we have that there is no m' such that m • t ∼_{α_2} m'. Now, if α_2 were to access the critical section with m_2, then we should have Then we should have that m • t ∼_{α_2} m_2' • m_1, which would contradict what we stated before. Thus α_2 cannot enter the critical section.
However, once in this situation, as we have m_1' |=_M C, we can use Out to let α_1 out of the critical section. As The first tells us that there is no m' such that m_1' ∼_{α_1} m' • t. But, in our premiss, we have that m_1' ∼_{α_1} m_1 • t. Those two facts are contradictory. Thus, if we want to use this formula, we have to delete the relation; once it is deleted, the guard ceases to be applicable, and nothing prevents α_2 from entering the critical section this time.

Evolution in LL, BI, and ERL
It is perhaps worthwhile pausing at this point to compare the representation of system evolution that is available here with that which is available in Linear Logic (LL). First, we should note that the nature of the system model employed here is quite different from that which would derive from a representation based on LL. Second, in our setting, as we have explained, we employ a truth-functional instantiation of the general distributed systems modelling approach based on concepts of location, resource, and process. In the examples of this paper, the account of process is very limited, being restricted to the actions of epistemic agents (with no rich process-theoretic structure). Third, as a result of these design choices, the readily available account of evolution requires unpacking the truth-functional semantics, which can be seen in terms of tableaux proofs (as presented in Section 5). Experience from, for example, Separation Logic [37] suggests that the presence (as in Boolean BI, ERL, and ERL*) of a negation with the standard classical semantics is a very useful modelling tool.
In contrast, representations using LL's sequent calculus, such as the logic programming approach described in [2,26], employ a less rich modelling perspective, restricted to proofs of sequences of resource manipulations, but then give a very direct operational reading of evolution in this restricted setting. A proof-theoretic treatment of some underlying ideas in LL may be found in [6]. Note, however, that BI includes MILL as a fragment (as we have seen) and that the basic propositional systems for BI can be presented as sequent calculi with well-understood relationships to LL. Within the multiplicative fragment of BI, the same readings of resource evolution can, of course, be obtained; we do not consider it worthwhile to rehearse these readings in the context of our examples, which are intended to illustrate resource semantics. We conjecture, therefore, that it is possible to give (perhaps labelled) sequent calculi for ERL and ERL* that would provide an operational reading of evolution (see the remarks at the beginning of Section 5) similar to that which is available in LL or the multiplicative fragment of BI.
To set up a precise correspondence between these evolutions and the semantic representation of resource is an interesting issue.
A brief comparison with 'epistemic linear logic' [22], which is about modelling access control in LL, is perhaps also worthwhile. Again, this work benefits from the syntactic structures of LL as a basis for representing evolution in the setting of the restricted model of systems that is naturally treated syntactically by LL. Again, in contrast, we begin from a more comprehensive systems semantics, which accommodates a very general notion of resource, including ambient system resources and resources that are local to agents, and treat similar examples in this restricted instance. Again, we might expect sequent calculi for ERL and ERL* to capture a treatment of evolution similar to that provided by LL.

A tableaux calculus for ERL
In this section, we provide a labelled calculus for ERL in the spirit of the calculi previously developed for BI [21] and BBI [27] that are based on labels and label constraints allowing the capture of the semantics of these logics inside the corresponding calculus.In the case of BBI, a specific completeness proof, based on an oracle, has been developed in [27].
Similar labelled calculi have been proposed also for some modal and epistemic extensions of BI and BBI [13][14][15].In these cases, the calculus design, used for BBI, is applied with specific labels and constraints issued from a semantic analysis of the considered logic.In the case of the labelled calculus for ESL [14], which is an epistemic extension of BBI, we deal with constraints that are parametrized by agents, but do not handle the presence of resources in the scope of the modal operators (the local resources).
While we here provide a tableaux calculus in continuation of previous work on modal bunched logics, we note also that we could design a labelled sequent calculus for ERL and ERL* that could also be used to provide an operational reading of evolution through proof construction, as in some LL fragments. However, our aim in this section is only to provide, by applying an approach and some proof methods already developed for other modal bunched logics, a labelled tableaux calculus for our logic, both in order to establish its metatheory and as a general reasoning tool.
For the present work, we must introduce labels that correspond to the local resources embedded in operators. As we shall see, we do that through a subset Λ_r of labels that is in bijection with the set of local resources Res. Similar techniques have been used with the logic LSM [15], which extends BBI with resource-parametrized S4 modalities. Likewise, the proofs of soundness and completeness of the calculus with respect to the semantics introduced in Section 2 are similar to the ones for ESL, mainly addressing the need to take the set Λ_r into account. Revisiting the remarks in Section 2 about the possibility of working with a hybrid semantics and then relating ERL to a hybrid version of ESL, we remark that the development of a hybrid tableau calculus would require some specific work on using nominals and formulas to replace labels and constraints, and this replacement introduces more complexity and undermines the strong links with the resource semantics that are central in our approach.
First, we introduce labels and constraints that correspond, respectively, to resources and to the equality and equivalence relations on resources and agents.Next, we develop labelled tableaux for ERL.Then, we establish soundness with respect to the resource semantics, giving the details of the proof in the appendix.Finally, we consider countermodel extraction and completeness, again giving the details of the proof in the appendix.

Labels and constraints
We consider a finite set of constants Λ_r such that |Λ_r| = |Res| − 1. On it we build an infinite countable set of (resource) constants γ_r such that Λ_r ⊂ γ_r, namely γ_r = Λ_r ∪ {c_1, c_2, ...}. Concatenation of lists is denoted by ⊕; denotes the empty list. A resource label is a word built on γ_r, where the order of letters is not taken into account; that is, a finite multiset over γ_r; we denote by ε the empty word. For example, xy is the composition of the resource labels x and y. We say that x is a resource sublabel of y if and only if there exists z such that xz = y. The set of resource sublabels of x is denoted E(x).
Note that λ is trivially a bijection between Res and Λ r ∪ {ε}.

Definition 5 (Constraints).
A resource constraint is an expression of the form x y, where x and y are resource labels.An agent constraint is an expression of the form x u y, where x and y are resource labels and u belongs to the set of agents A.
A set of constraints is any set C that contains resource constraints and agent constraints. Let C be a set of constraints. The (resource) domain of C is the set of all resource sublabels that appear in C; that is, Let C be a set of constraints. The (resource) alphabet A_r(C) of C is the set of resource constants that appear in C. In particular, A_r(C) = γ_r ∩ D_r(C). Now we introduce, Rules for resource constraints: There are six rules (ε, s_r, d_r, t_r, c_r, and k_r) that produce resource constraints and four rules (r_a, s_a, t_a, and k_a) that produce agent constraints. We note that v, introduced in the rule r_a, must belong to the set of agents A.
Lemma 2 (Compactness). Let C be a (possibly infinite) set of constraints.
1.If x y ∈ C , then there is a finite set C f such that C f ⊆ C and x y ∈ C f .2. If x u y ∈ C , then there is a finite set C f such that C f ⊆ C and x u y ∈ C f .

Labelled tableaux for ERL
We now define a labelled tableaux calculus for ERL in the spirit of previous works [14,17,21,27], using similar definitions and results but based on the specific label and constraint definitions above.
Proof. By induction on the number of labelled formulae of F f and by Lemma 2.
Figure 8 presents the rules of the tableaux calculus for ERL. Note that 'c i and c j are new label constants' means

Definition 8 (Tableau for ERL). Let F 0 , C 0 be a finite CSS. A tableau for F 0 , C 0 is a list of CSSs, called branches, inductively built according to the following rules:

A tableau for the formula φ is a tableau for {(Fφ : c 1 )}, {c 1 c 1 } .
We remark that a tableau for a formula φ verifies the property (P css ) of Definition 7 (by the rule r a ), and any application of a rule of Figure 8 also provides a tableau that verifies the property (P css ) (in particular, by Corollary 1).
In this calculus, we have two particular sets of rules. The first set is composed of the rules TI , T * , F− * , FL , F M , FN , T L , TM , and T N , which introduce new label constants (c i and c j ) and new constraints, except for TI , which only introduces a new constraint. The second set is composed of the rules F * , T− * , TL , T M , TN , F L , FM , and F N , which have a condition on the closure of constraints. To apply one of these rules, we choose a label that satisfies the condition and then apply the corresponding rule; otherwise, the rule cannot be applied.

Definition 9 (Closure conditions). A CSS F , C is closed if one of the following conditions holds, where φ ∈ L:

A CSS is open if it is not closed. A tableau for φ is closed if all its branches (that is, all of its CSSs) are closed, and a tableaux proof for φ is a closed tableau for φ.
Closed branches are marked with × and open branches are marked with •.
Example. Let us consider the formula M s a φ → M r a ( M s a φ). To build the corresponding tableau, we start with the CSS {(F M s a φ → M r a ( M s a φ) : c 1 )}, {c 1 c 1 } and with the following representation of the formula set F and the constraints set C :

We then apply the rules of our tableaux method, respecting the priority order, and obtain the tableau of Figure 9. We omit λ and write r for λ(r), for any resource. Note that we mark with √ the steps of the tableau construction. The main steps are the following. First, apply the rule F → ( √ 1 ) and obtain two formulae, both with M as operator. According to the priority rules, first apply the F M rule ( √ 2 ), which generates a new formula, a new resource label c 2 , and the constraint c 1 a c 2 r. Then apply the F M rule again ( √ 3 ), which generates a new formula, a new resource label c 3 , and the constraint c 2 r a c 3 s. We must now apply the T M rule ( √ 4 ), for which we need a resource label z such that c 1 a zs ∈ C . Now, having closure by rule t a with agent a, we generate the constraint c 1 a c 3 s, and thus apply the rule with z = c 1 and generate (Tφ : c 3 s). As we also have (Fφ : c 3 s), we have a closed branch and thus a closed tableau.

Soundness of the calculus
We start by proving the soundness property of the tableaux calculus. The proof is similar to the soundness proof developed for BI tableaux and some recent extensions [13,14,17,21]. We recall the key notions here; more detailed proofs are given in Appendix A.
The main point is the notion of realizability of a CSS F , C , meaning that there exists a model M and an embedding |.| from the resource labels to the resource set of M such that, if (Tφ : x) ∈ F , then |x| M φ, and, if (Fφ : x) ∈ F , then |x| M φ.
We say that a CSS is realizable if there exists a realization of it. We say that a tableau is realizable if at least one of its branches is realizable.

Proposition 7. Let F , C be a CSS and R = (M , |.|) be a realization of it. R is also a realization of F , C , and then

Countermodel generation and Completeness of the calculus
Before proceeding to establish completeness, we consider a countermodel extraction method for our calculus that is adapted from a method proposed in [27].
Countermodel generation. The method transforms the sets of resource and agent constraints of a branch F , C into a model M such that, if (Tφ : x) ∈ F , then ρ x M φ and, if (Fφ : x) ∈ F , then ρ x M φ, where ρ x is the representative of the equivalence class of x.
The method is based mainly on the definition of a particular CSS F , C , called a Hintikka CSS. For more details, see Appendix B. This approach to countermodel extraction has been proposed and illustrated for other bunched logics in [13,14,15,17,21] and is adapted here to our ERL logic.
Example. We give an example of countermodel extraction by considering A = {a} and Res = {e, r} and the formula L s a φ → L r a L s a φ, which is not valid. By applications of the tableaux rules, we obtain the tableau of Fig. 10.
We see that, in step 4, we can only find c 2 as a suitable label for c 1 s a x, and thus the tableau is not closed. The only branch of this tableau is a Hintikka CSS, and we extract the countermodel using Definition 13.
We have M = (R , {∼ a } a∈A , V ), where

We can easily verify that we have a countermodel of L s a φ → L s a (L r a φ).
1. As ρ c 2 ∈ V (φ), we have ρ c 2 |= φ.
a (L r a φ).
6. By (2) and (5), we conclude that ρ c 1 |= M L s a φ → L s a (L r a φ).

Completeness. The proof of completeness is an extension of the corresponding proof proposed for BBI [27] to the epistemic connectives of our logic. It consists in building a Hintikka CSS from a formula for which there is no tableaux proof, using a fair strategy, that is, a sequence of labelled formulae in which all labelled formulae occur infinitely many times, and an oracle, that is, a set of non-closed CSSs with some specific properties. Then, assuming there is no tableaux proof for φ, we build a Hintikka CSS and deduce from it that φ is not valid.
Theorem 2 (Completeness). Let φ be an ERL formula. If φ is valid, then there exists a tableaux proof for φ.
Proof. The proof is an extension of the corresponding proof proposed for BBI [27] to the epistemic connectives of our logic. More details are given in Appendix C.
To complete this section, we show how we can define a tableaux calculus for the sublogic ERL * .

Definition 11 (Tableaux for ERL * ). The tableaux calculus for ERL * is defined exactly as the tableaux calculus for ERL, with the addition of the following rule to Definition 6:

  x u y    yk yk
  --------------- c a
     xk u yk

Proposition 8. The tableaux calculus for ERL * is sound and complete with respect to the semantics given in Sections 2 and 3.
Proof. The proof is the same as the one for ERL, except that the new rule c a must be considered each time the closure of constraints is concerned. This addition does not cause any difficulties in the proofs, since this rule is a direct translation of the specific property of ERL * described in Definition 4.

Conclusions
We have presented a substructural epistemic logic, based on Boolean BI, in which the epistemic modalities, which extend the usual epistemic modalities, are parametrized on the agent's local resource. The logic represents a first step in developing an epistemic resource semantics. This step is illustrated through examples that explore the gap between policy and implementation in access control. We have also provided a system of labelled tableaux for the logic, and established soundness and completeness.
Much further work is suggested. First, the theory, pragmatics, and interpretation of the epistemic modalities with resource semantics, including aspects of local reasoning for resource-carrying agents [25,37] and concurrency [32]. Second, logical theory, including proof systems, model-theoretic properties, and complexity. Connections with other approaches to modelling the relationship between policy and implementation in system management, such as those discussed in [39] and approaches involving logics for layered graphs [1,10], should be explored.
Conditions 1 to 4 ensure that a Hintikka CSS is not closed and conditions 5 to 29 ensure that it is saturated (no new tableaux rule can be applied).
To extract countermodels, we must manipulate equivalence classes.

Lemma 8. Let F , C be a Hintikka CSS such that (Fφ : x) ∈ F . The formula φ is not valid and Ω( F , C ) is a countermodel of φ.
Proof. Let F , C be a Hintikka CSS such that (Fφ : x) ∈ F . Let K = Ω( F , C ). By Lemma 6, K is a model. As F , C is a CSS, by (P css ) and Corollary 2, x ∈ D r (C ). Thus, by Lemma 7, we have ρ x |= M φ. Therefore, K is a countermodel of the formula φ, and we can conclude that φ is not valid.

C Proof of completeness
This proof is an extension of the proof for BBI [27] to the epistemic connectives of our logic. It consists in identifying two things. First, a Hintikka CSS, built using a fair strategy from a formula for which there is no tableaux proof; that is, a sequence of labelled formulae in which all labelled formulae occur infinitely many times. Second, an oracle; that is, a set of non-closed CSSs with some specific properties.

Definition 14 (Fair strategy). A fair strategy is a sequence of labelled formulae and agent constraints (S i ) i∈N in ({T, F} × L × Λ r ) ∪ (Λ r × A × Λ r ) such that all labelled formulae and all agent constraints occur infinitely many times in this sequence; that is, {i ∈ N | S i ≡ (SF : x)} and {i ∈ N | S i ≡ xλ(r) u y} are infinite, for any (SF : x) ∈ {T, F} × L × Λ r and any xλ(r) u y ∈ Λ r × A × Λ r .

Proposition 9. There exists a fair strategy.
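Proposition 9 is stated without proof. As an added example (not from the paper), the following Python gives the usual constructive witness: enumerate the countably many labelled formulae and agent constraints once each, then replay items 0..n in round n, so every item recurs in every later round. The toy formula syntax (atoms p, q, a unary modality M(.) and implication), the label set and the single agent are constructed assumptions.

```python
from itertools import count, islice, product

# Added example (not from the paper): a constructive witness for Proposition 9.
# Items are enumerated once each; the strategy replays items 0..n in round n,
# so every item recurs in every later round, hence infinitely often.
# The syntax of formulas and the finite sets below are constructed for illustration.

ATOMS = ["p", "q"]                 # propositional atoms
LABELS = ["", "r", "s"]            # Lambda_r plus the empty word ("" stands for epsilon)
AGENTS = ["a"]
SIGNS = ["T", "F"]

def formulas():
    """Enumerate the formulas of a toy language by size, each exactly once:
    atoms, a unary modality M(.), and implication (.) -> (.)."""
    by_size = {1: list(ATOMS)}
    yield from by_size[1]
    for n in count(2):
        new = [f"M({phi})" for phi in by_size[n - 1]]
        for k in range(1, n - 1):                     # binary: sizes add up to n-1
            for left in by_size[k]:
                for right in by_size[n - 1 - k]:
                    new.append(f"({left} -> {right})")
        by_size[n] = new
        yield from new

def all_items():
    """Enumerate the finitely many agent constraints x lambda(r) ~u y first,
    then the labelled formulae (S phi : x), each item exactly once."""
    for x, lr, u, y in product(LABELS, LABELS, AGENTS, LABELS):
        yield ("constraint", x + lr, u, y)
    for phi in formulas():
        for s in SIGNS:
            for x in LABELS:
                yield (s, phi, x)

def fair_strategy(enumerate_items):
    """Yield S_0, S_1, ...: round n emits items 0..n of the enumeration, so the
    item with index j occurs in every round n >= j."""
    seen = []
    source = enumerate_items()
    for _ in count():
        seen.append(next(source))
        yield from seen

def count_in_prefix(item, n):
    """Occurrences of item among S_0 ... S_{n-1}; grows without bound in n."""
    return sum(1 for s in islice(fair_strategy(all_items), n) if s == item)
```

The prefix of length 2000 covers rounds 0 to 61 completely (1953 items) and the first 47 items of round 62, so the item with index j occurs 63 − j times in it for j ≤ 46.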

Fig. 4. Barrier problem with a shortcut
Fig. 5.

Our epistemic context is thus o • c. If we have c |= M O and if O → L bt α J is valid, then we get c |= M L bt α J. As we do not have o • c |= M O, we cannot deduce that o • c |= M L bt α J. If instead we assume that the property O − * L bt α J is valid, then we have, in particular, o |= M O − * L bt α J and, together with c |= M O, we can deduce o • c |= M L bt α J, as desired.
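The contrast between → and − * in this reasoning can be checked mechanically. The Python below is an added example (not code from the paper): a small Boolean BI model checker over a constructed finite partial monoid with resources e, o, c and o • c, using the standard BBI clauses for * and − *. The epistemic formula L bt α J is treated as an atomic proposition LJ, which is an assumption (its modal semantics is not modelled here), and the valuations are constructed.

```python
from itertools import product

# Added example (not from the paper): Boolean BI satisfaction over a constructed
# finite partial commutative monoid, used to replay the reasoning about Fig. 4.
# L_bt^alpha J is modelled as the atom "LJ" (assumption); valuations are constructed.

RES = ["e", "o", "c", "oc"]                        # unit, o, c, and o . c
COMPOSE = {("e", r): r for r in RES}               # e is the unit ...
COMPOSE.update({(r, "e"): r for r in RES})
COMPOSE[("o", "c")] = COMPOSE[("c", "o")] = "oc"   # o . c is defined; o . o, c . c, oc . x (x != e) are not

def dot(r1, r2):
    """Partial composition r1 . r2; None when undefined."""
    return COMPOSE.get((r1, r2))

def holds(V, r, phi):
    """r |= phi under valuation V (atom -> set of resources), BBI semantics."""
    op = phi[0]
    if op == "atom": return r in V[phi[1]]
    if op == "I":    return r == "e"
    if op == "not":  return not holds(V, r, phi[1])
    if op == "and":  return holds(V, r, phi[1]) and holds(V, r, phi[2])
    if op == "imp":  return (not holds(V, r, phi[1])) or holds(V, r, phi[2])
    if op == "star":  # some split r1 . r2 = r with r1 |= phi1 and r2 |= phi2
        return any(dot(r1, r2) == r and holds(V, r1, phi[1]) and holds(V, r2, phi[2])
                   for r1, r2 in product(RES, RES))
    if op == "wand":  # every r2 with r . r2 defined and r2 |= phi1 gives r . r2 |= phi2
        return all(dot(r, r2) is None or not holds(V, r2, phi[1]) or holds(V, dot(r, r2), phi[2])
                   for r2 in RES)
    raise ValueError(op)

def valid(V, phi):
    """phi holds at every resource of the model."""
    return all(holds(V, r, phi) for r in RES)

O, LJ = ("atom", "O"), ("atom", "LJ")

def shortcut_fails():
    """O -> LJ valid and c |= O, yet o . c does not satisfy LJ: the shortcut is unsound."""
    V = {"O": {"c"}, "LJ": {"c"}}
    return (valid(V, ("imp", O, LJ)), holds(V, "c", O), holds(V, dot("o", "c"), LJ))

def wand_succeeds():
    """O -* LJ valid, hence o |= O -* LJ; with c |= O this yields o . c |= LJ."""
    V = {"O": {"c"}, "LJ": {"c", "oc"}}
    w = ("wand", O, LJ)
    return (valid(V, w), holds(V, "o", w), holds(V, "c", O), holds(V, dot("o", "c"), LJ))
```

In the first valuation O → LJ is valid (it holds at every resource) and c |= O, but o • c is not in V(LJ), which is exactly why the implication cannot be transported from c to o • c. Under − *, validity at o quantifies over every c' with o • c' defined, so o |= O − * LJ together with c |= O forces o • c |= LJ.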

Proposition 4. The following rules can be derived from the rules of constraint closure:

Corollary 1. Let C be a set of constraints and u ∈ A be an agent.
1. x ∈ D r (C ) iff x x ∈ C iff x u x ∈ C .
2. If xy ∈ D r (C ), x x ∈ C , and y y ∈ C , then xy x y ∈ C .

Proposition 5. Let C be a set of constraints. We have A r (C ) = A r (C ).

Definition 10 (Realization). Let F , C be a CSS. A realization of it is a pair (M , |.|) where M = (R , {∼ a } a∈A , V ) is a model and |.| : D r (C ) → R such that:
- for any r ∈ Res, we have |λ(r)| = r,
- |ε| = e,
- |.| is a total function (for all x ∈

Definition 15. Let ℘ be a set of CSS.
1. ℘ is -closed if F , C ∈ ℘ holds whenever F , C F , C and F , C ∈ ℘ holds.
2. ℘ is of finite character if F , C ∈ ℘ holds whenever F f , C f ∈ ℘ holds for every F f , C f f F , C .
3. ℘ is saturated if, for any F , C ∈ ℘ and any instance cond(F , C ) F 1 , C 1 | . . . | F k , C k

Definition 7. A labelled formula is a 3-tuple of the form (Sφ : x) such that S ∈ {T, F}, φ ∈ L is a formula and x ∈ Λ r is a resource label. A constrained set of statements (CSS) is a pair F , C , where F is a set of labelled formulae and C is a set of constraints, satisfying the following property, denoted (P css ): if (Sφ : x) ∈ F , then x x ∈ C . A CSS F , C is finite if F and C are finite. The relation is defined by