Quantitative testing semantics for non-interleaving

This paper presents a non-interleaving denotational semantics for the ?-calculus. The basic idea is to define a notion of test where the outcome is not only whether a given process passes a given test, but also in how many different ways it can pass it. More abstractly, the set of possible outcomes for tests forms a semiring, and the set of process interpretations appears as a module over this semiring, in which basic syntactic constructs are affine operators. This notion of test leads to a trace semantics in which traces are partial orders, in the style of Mazurkiewicz traces, extended with readiness information. Our construction has standard may- and must-testing as special cases

Safe Session-Based Concurrency with Shared Linear State

Publisher Copyright: © 2023, The Author(s).We introduce CLASS, a session-typed, higher-order, core language that supports concurrent computation with shared linear state.publishersversionpublishe

Order algebras: a quantitative model of interaction

International audienceA quantitative model of concurrent interaction is introduced. The basic objects are linear combinations of partial order relations, acted upon by a group of permutations that represents potential non-determinism in synchronisation. This algebraic structure is shown to provide faithful interpretations of finitary process algebras, for an extension of the standard notion of testing semantics, leading to a model that is both denotational (in the sense that the internal workings of processes are ignored) and non-interleaving. Constructions on algebras and their subspaces enjoy a good structure that make them (nearly) a model of differential linear logic, showing that the underlying approach to the representation of non-determinism as linear combinations is the same

A Calculus of Mobile Processes, I

AbstractWe present the π-calculus, a calculus of communicating systems in which one can naturally express processes which have changing structure. Not only may the component agents of a system be arbitrarily linked, but a communication between neighbours may carry information which changes that linkage. The calculus is an extension of the process algebra CCS, following work by Engberg and Nielsen, who added mobility to CCS while preserving its algebraic properties. The π-calculus gains simplicity by removing all distinction between variables and constants; communication links are identified by names, and computation is represented purely as the communication of names across links. After an illustrated description of how the π-calculus generalises conventional process algebras in treating mobility, several examples exploiting mobility are given in some detail. The important examples are the encoding into the π-calculus of higher-order functions (the λ-calculus and combinatory algebra), the transmission of processes as values, and the representation of data structures as processes. The paper continues by presenting the algebraic theory of strong bisimilarity and strong equivalence, including a new notion of equivalence indexed by distinctions—i.e., assumptions of inequality among names. These theories are based upon a semantics in terms of a labeled transition system and a notion of strong bisimulation, both of which are expounded in detail in a companion paper. We also report briefly on work-in-progress based upon the corresponding notion of weak bisimulation, in which internal actions cannot be observed

Modelling Socio-Technical Aspects of Organisational Security

Identification of threats to organisations and risk assessment often take into consideration the pure technical aspects, overlooking the vulnerabilities originating from attacks on a social level, for example social engineering, and abstracting away the physical infrastructure. However, attacks on organisations are far from being purely technical. After all, organisations consist of employees. Often the human factor appears to be the weakest point in the security of organisations. It may be easier to break through a system using a social engineering attack rather than a pure technological one. The StuxNet attack is only one of the many examples showing that vulnerabilities of organisations are increasingly exploited on different levels including the human factor. There is an urgent need for integration between the technical and social aspects of systems in assessing their security. Such an integration would close this gap, however, it would also result in complicating the formal treatment and automatic identification of attacks. This dissertation shows that applying a system modelling approach to sociotechnical systems can be used for identifying attacks on organisations, which exploit various levels of the vulnerabilities of the systems. In support of this claim we present a modelling framework, which combines many features. Based on a graph, the framework presents the physical infrastructure of an organisation, where actors and data are modelled as nodes in this graph. Based on the semantics of the underlying process calculus, we develop a formal analytical approach that generates attack trees from the model. The overall goal of the framework is to predict, prioritise and minimise the vulnerabilities in organisations by prohibiting the overall attack or at least increasing the difficulty and cost of fulfilling it. We validate our approach using scenarios from IPTV and Cloud Infrastructure case studies

Dynamic UNITY

Dynamic distributed systems, where a changing set of communicating processes must interoperate to accomplish particular computational tasks, are becoming extremely important. Designing and implementing these systems, and verifying the correctness of the designs and implementations, are difficult tasks. The goal of this thesis is to make these tasks easier. This thesis presents a specification language for dynamic distributed systems, based on Chandy and Misra's UNITY language. It extends the UNITY language to enable process creation, process deletion, and dynamic communication patterns. The thesis defines an execution model for systems specified in this language, which leads to a proof logic similar to that of UNITY. While extending UNITY logic to correctly handle systems with dynamic behavior, this logic retains the familiar UNITY operators and most of the proof rules associated with them. The thesis presents specifications for three example dynamic distributed systems to demonstrate the use of the specification language, and full correctness proofs for two of these systems and a partial correctness proof for the third to demonstrate the use of the proof logic. The thesis details a method for determining whether a system in the specification language can be transformed into an implementation in a standard programming language, as well as a method for performing this transformation on those specifications that can. This guarantees a correct implementation for any specification that can be so transformed

CLASS: A Logical Foundation for Typeful Programming with Shared State

Software construction depends on imperative state sharing and concurrency, which are naturally present in several application domains and are also exploited to improve the structure and efficiency of computer programs. However, reasoning about concurrency and shared mutable state is hard, error-prone and the source of many programming bugs, such as memory leaks, data corruption, deadlocks and non-termination. In this thesis, we develop CLASS: a core session-based language with a lightweight substructural type system, that results from a principled extension of the propositions-astypes correspondence with second-order classical linear logic. More concretely, CLASS offers support for session-based communication, mutex-protected first-class reference cells, dynamic state sharing, generic polymorphic algorithms, data abstraction and primitive recursion. CLASS expresses and types significant realistic programs, that manipulate memoryefficient linked data structures (linked lists, binary search trees) with support for updates in-place, shareable concurrent ADTs (counters, stacks, functional and imperative queues), resource synchronisation methods (fork-joins, barriers, dining philosophers, generic corecursive protocols). All of these examples are guaranteed to be safe, a result that follows by the logical approach. The linear logical foundations guarantee that well-typed CLASS programs do not go wrong: they never deadlock on communication or reference cell acquisition, do not leak memory and always terminate, even if they share complex data structures protected by synchronisation primitives. Furthermore, since we follow a propositions-as-types approach, we can reason about the behaviour of concurrent stateful processes by algebraic program manipulation. The feasibility of our approach is witnessed by the implementation of a type checker and interpreter for CLASS, which validates and guides the development of many realistic programs. The implementation is available with an open-source license, together with several examples.A construção de software depende de estado partilhado imperativo e concorrência, que estão naturalmente presentes em vários domínios de aplicação e que também são explorados para melhorar o a estrutura e o desempenho dos programas. No entanto, raciocinar sobre concorrência e estado mutável partilhado é difícil e propenso à introdução de erros e muitos bugs de programação, tais como fugas de memória, corrupção de dados, programas bloqueados e programas que não terminam a sua execução. Nesta tese, desenvolvemos CLASS: uma linguagem baseada em sessões, com um sistema de tipos leve e subestrutural, que resulta de uma extensão metodológica da correspondência proposições-como-tipos com a lógica linear clássica de segunda ordem. Mais concretamente, a linguagem CLASS oferece suporte para comunicação baseada em sessões, células de memória protegidas com mutexes de primeira classe, partilha dinâmica de estado, algoritmos polimórficos genéricos, abstração de dados e recursão primitiva. A linguagem CLASS expressa e tipifica programas realistas significativos, que manipulam estruturas de dados ligadas eficientes (listas ligadas, árvores de pesquisa binária) suportando actualização imperativa local, TDAs partilhados e concorrentes (contadores, pilhas, filas funcionais e imperativas), métodos de sincronização e partilha de recursos (bifurcar-juntar, barreiras, jantar de filósofos, protocolos genéricos corecursivos). Todos estes exemplos são seguros, uma garantia que resulta da nossa abordagem lógica. Os fundamentos, baseados na lógica linear, garantem que programas em CLASS bem tipificados não incorrem em erros: nunca bloqueiam, quer na comunicação, quer na aquisição de células de memória, nunca causam fugas de memória e terminam sempre, mesmo que compartilhem estruturas de dados complexas protegidas por primitivas de sincronização. Além disso, uma vez que seguimos uma abordagem de proposições-comotipos, podemos raciocinar sobre o comportamento de processos concorrentes, que usam estado, através de manipulação algébrica. A viabilidade da nossa abordagem é evidenciada pela implementação de um verificador de tipos e interpretador para a linguagem CLASS, que valida e orienta o desenvolvimento de vários programs realistas. A implementação está disponível com uma licença de acesso livre, juntamente com inúmeros exemplos

DynamiTE:A 21st-Century Framework for Concurrent Component-Based Design

The free ride for software developers is over. In the past, computer programs have increased in performance simply by running on new hardware with ever increasing clock speeds. Now, however, this line of development has reached its end and chip designers are producing new processors, not with faster clocks, but with more cores. To take advantage of the speed increases offered by these new products, applications need to be redesigned with parallel processing firmly in mind. The problem is that mainstream designs are still inherently sequential. Concurrency tends to be an afterthought that may be useful to gain a performance boost, not an essential part of the design process. The current vogue for object-oriented designs tends to also have the side-effect of making them heavily data-oriented which doesn't scale well; each shared element of data has to be protected from simultaneous access, resulting in operations becoming sequential again. In addition, the usual methods for protecting data tend to be very low-level and error-prone. In this thesis, we introduce a new design method whereby applications are constructed from small sequential tasks connected by intercommunication primitives. Our approach is based on a two-stage process; first, the individual tasks are created as independent entities and tested with appropriate inputs, then secondly, the communication infrastructure between them is developed. We provide support for the latter via the DynamiTE framework, which allows the interactions to be defined using the terms of a process calculus. Depending on the developer's background, they can treat this as just another API, as a design pattern or as an algebraic expression which can be property checked for issues such as deadlocks. Either way, the communication layer can be developed, tested and evaluated separately from the tasks once it is known how the tasks will interface with one another. To supplement DynamiTE, we define our own process calculus, Nomadic Time, using a carefully chosen novel selection of constructs. Among the features of the calculus are the ability to perform communication both locally (one-to-one) and globally (one-to-many), and the flexibility to change the location of tasks during execution. Security is paramount to the design of Nomadic Time and migratory operations can be limited in two ways; by simple enumeration of possibilities or by the optional typing of constructs to allow restriction on a task-by-task basis. While it can't eradicate all the problems inherent in designing concurrent applications, DynamiTE can make things easier by reducing the dependency on shared resources and enhancing the reusability of concurrent components

An algebraic process calculus

International audienceWe present an extension of the πI-calculus with formal sums of terms. A study of the properties of this sum reveals that its neutral element 0 can be used to make assumptions about the behaviour of the environment of a process. From this observation we derive an enriched calculus that enjoys a confluent reduction which preserves the testing semantics of processes. This system is shown to be strongly normalising for terms without replication, and the study of its normal forms provides fully abstract trace semantics for testing of πI processes