
    A template-based approach for the generation of abstractable and reducible models of featured networks

    We investigate the relationship between symmetry reduction and inductive reasoning when applied to model checking networks of featured components. Popular reduction techniques for combatting state space explosion in model checking, like abstraction and symmetry reduction, can only be applied effectively when the natural symmetry of a system is not destroyed during specification. We introduce a property which ensures this is preserved, open symmetry. We describe a template-based approach for the construction of open symmetric Promela specifications of featured systems. For certain systems (safely featured parameterised systems) our generated specifications are suitable for conversion to abstract specifications representing any size of network. This enables feature interaction analysis to be carried out, via model checking and induction, for systems of any number of featured components. In addition, we show how, for any balanced network of components, by using a graphical representation of the features and the process communication structure, a group of permutations of the underlying state space of the generated specification can be determined easily. Due to the open symmetry of our Promela specifications, this group of permutations can be used directly for symmetry reduced model checking. The main contributions of this paper are an automatic method for developing open symmetric specifications which can be used for generic feature interaction analysis, and the novel application of symmetry detection and reduction in the context of model checking featured networks. We apply our techniques to a well known example of a featured network: an email system.

    Data Minimisation in Communication Protocols: A Formal Analysis Framework and Application to Identity Management

    With the growing amount of personal information exchanged over the Internet, privacy is becoming more and more a concern for users. One of the key principles in protecting privacy is data minimisation. This principle requires that only the minimum amount of information necessary to accomplish a certain goal is collected and processed. "Privacy-enhancing" communication protocols have been proposed to guarantee data minimisation in a wide range of applications. However, currently there is no satisfactory way to assess and compare the privacy they offer in a precise way: existing analyses are either too informal and high-level, or specific for one particular system. In this work, we propose a general formal framework to analyse and compare communication protocols with respect to privacy by data minimisation. Privacy requirements are formalised independent of a particular protocol in terms of the knowledge of (coalitions of) actors in a three-layer model of personal information. These requirements are then verified automatically for particular protocols by computing this knowledge from a description of their communication. We validate our framework in an identity management (IdM) case study. As IdM systems are used more and more to satisfy the increasing need for reliable on-line identification and authentication, privacy is becoming an increasingly critical issue. We use our framework to analyse and compare four identity management systems. Finally, we discuss the completeness and (re)usability of the proposed framework

    On Termination for Faulty Channel Machines

    A channel machine consists of a finite controller together with several fifo channels; the controller can read messages from the head of a channel and write messages to the tail of a channel. In this paper, we focus on channel machines with insertion errors, i.e., machines in whose channels messages can spontaneously appear. Such devices have been previously introduced in the study of Metric Temporal Logic. We consider the termination problem: are all the computations of a given insertion channel machine finite? We show that this problem has non-elementary, yet primitive recursive complexity

    Applying Formal Methods to Networking: Theory, Techniques and Applications

    Despite its great importance, modern network infrastructure is remarkable for the lack of rigor in its engineering. The Internet, which began as a research experiment, was never designed to handle the users and applications it hosts today. The lack of formalization of the Internet architecture meant limited abstractions and modularity, especially for the control and management planes, thus requiring for every new need a new protocol built from scratch. This led to an unwieldy, ossified Internet architecture resistant to any attempts at formal verification, and an Internet culture where expediency and pragmatism are favored over formal correctness. Fortunately, recent work in the space of clean-slate Internet design, especially the software defined networking (SDN) paradigm, offers the Internet community another chance to develop the right kind of architecture and abstractions. This has also led to a great resurgence of interest in applying formal methods to the specification, verification, and synthesis of networking protocols and applications. In this paper, we present a self-contained tutorial of the formidable amount of work that has been done in formal methods, and present a survey of its applications to networking. Comment: 30 pages, submitted to IEEE Communications Surveys and Tutorials

    Information Security as Strategic (In)effectivity

    Security of information flow is commonly understood as preventing any information leakage, regardless of how grave or harmless consequences the leakage can have. In this work, we suggest that information security is not a goal in itself, but rather a means of preventing potential attackers from compromising the correct behavior of the system. To formalize this, we first show how two information flows can be compared by looking at the adversary's ability to harm the system. Then, we propose that the information flow in a system is effectively information-secure if it does not allow for more harm than its idealized variant based on the classical notion of noninterference

    A generic approach for the automatic verification of featured, parameterised systems

    A general technique is presented that allows property based feature analysis of systems consisting of an arbitrary number of components. Each component may have an arbitrary set of safe features. The components are defined in a guarded command form and the technique combines model checking and abstraction. Features must fulfill certain criteria in order to be safe, the criteria express constraints on the variables which occur in feature guards. The main result is a generalisation theorem which we apply to a well known example: the ubiquitous, featured telephone system

    The natural algorithmic approach of mixed trigonometric-polynomial problems

    The aim of this paper is to present a new algorithm for proving mixed trigonometric-polynomial inequalities by reducing them to polynomial inequalities. Finally, we show the great applicability of this algorithm and, as examples, we use it to analyze some new rational (Padé) approximations of the function \cos^2(x), and to improve a class of inequalities by Z.-H. Yang. The results of our analysis could be implemented by means of an automated proof assistant, so our work is a contribution to the library of automatic support tools for proving various analytic inequalities.

    The WTO Comes to Dinner: U.S. Implementation of Trade Rules Bypasses Food Safety Requirements

    A Special Report By Public Citizen's Global Trade Watch and Critical Mass Energy and Environment Program. A review of U.S. government "system" audits of five nations (Brazil, Mexico, Argentina, Australia and Canada) reveals that the U.S. Department of Agriculture (USDA)'s Food Safety and Inspection Service (FSIS) deemed "equivalent" systems with sanitary measures that differ from FSIS policy, and in some cases, violate the express language of U.S. laws and regulations. Because FSIS has refused to respond to Public Citizen Freedom of Information Act requests for correspondence and other documentation regarding these equivalency decisions, it is impossible to determine the current status of these issues and whether they have been resolved by regulators.
    - The U.S. law requiring meat to be inspected by independent government officials was violated by Brazil and Mexico, yet they retained their eligibility to export to the United States.
    - The USDA's zero-tolerance policy for contamination by feces was repeatedly violated by Australia, Canada and Mexico.
    - U.S. regulations requiring that monthly supervisory reviews of plants eligible to export be conducted on behalf of USDA by foreign government officials were violated by Argentina, Brazil, Canada and Mexico, several of which are seeking to avoid this core requirement of U.S. regulation. Monthly reviews are vitally important to remind the meat industry that the meat inspector who works the line in the plant is backed by the weight of the government, and to double-check the work of meat inspectors on a regular basis.
    - Even though U.S. regulations require that a government official, not a company employee, sample meat for salmonella microbial contamination, the USDA approved company employees performing this task as part of an equivalency determination with Brazil and Canada.
    - Even though U.S. regulations require certain microbial testing to be performed at government labs, the U.S. approved testing by private labs as part of the equivalency determination with Brazil, Canada and Mexico.
    - Unapproved and/or improper testing procedures and sanitation violations have been re-identified by FSIS year after year for Australia, Brazil, Canada and Mexico, but the countries have retained their eligibility to export to the United States.
    - After its regulatory system was designated "equivalent," Mexico began using alternative procedures for salmonella and E. coli that had never been evaluated by FSIS, yet the country retained its eligibility to export to the United States.
    - Australia and Canada were allowed to export to the United States while using their own methods and procedures for such matters as E. coli testing, postmortem inspection, monthly supervisory reviews and pre-shipment reviews while awaiting an equivalency determination from FSIS.
    - FSIS auditors and Canadian food safety officials continue to disagree about whether particular measures have already been found "equivalent" by FSIS, yet Canadian imports remained uninterrupted.
    - The regulatory systems of Brazil and Mexico have been rated equivalent even though the countries plead insufficient personnel and monetary resources to explain their inability to carry out all required functions.