Combining behavioural types with security analysis

Today's software systems are highly distributed and interconnected, and they increasingly rely on communication to achieve their goals; due to their societal importance, security and trustworthiness are crucial aspects for the correctness of these systems. Behavioural types, which extend data types by describing also the structured behaviour of programs, are a widely studied approach to the enforcement of correctness properties in communicating systems. This paper offers a unified overview of proposals based on behavioural types which are aimed at the analysis of security properties

Life of occam-Pi

This paper considers some questions prompted by a brief review of the history of computing. Why is programming so hard? Why is concurrency considered an “advanced” subject? What’s the matter with Objects? Where did all the Maths go? In searching for answers, the paper looks at some concerns over fundamental ideas within object orientation (as represented by modern programming languages), before focussing on the concurrency model of communicating processes and its particular expression in the occam family of languages. In that focus, it looks at the history of occam, its underlying philosophy (Ockham’s Razor), its semantic foundation on Hoare’s CSP, its principles of process oriented design and its development over almost three decades into occam-? (which blends in the concurrency dynamics of Milner’s ?-calculus). Also presented will be an urgent need for rationalisation – occam-? is an experiment that has demonstrated significant results, but now needs time to be spent on careful review and implementing the conclusions of that review. Finally, the future is considered. In particular, is there a future

CLASS: A Logical Foundation for Typeful Programming with Shared State

Software construction depends on imperative state sharing and concurrency, which are naturally present in several application domains and are also exploited to improve the structure and efficiency of computer programs. However, reasoning about concurrency and shared mutable state is hard, error-prone and the source of many programming bugs, such as memory leaks, data corruption, deadlocks and non-termination. In this thesis, we develop CLASS: a core session-based language with a lightweight substructural type system, that results from a principled extension of the propositions-astypes correspondence with second-order classical linear logic. More concretely, CLASS offers support for session-based communication, mutex-protected first-class reference cells, dynamic state sharing, generic polymorphic algorithms, data abstraction and primitive recursion. CLASS expresses and types significant realistic programs, that manipulate memoryefficient linked data structures (linked lists, binary search trees) with support for updates in-place, shareable concurrent ADTs (counters, stacks, functional and imperative queues), resource synchronisation methods (fork-joins, barriers, dining philosophers, generic corecursive protocols). All of these examples are guaranteed to be safe, a result that follows by the logical approach. The linear logical foundations guarantee that well-typed CLASS programs do not go wrong: they never deadlock on communication or reference cell acquisition, do not leak memory and always terminate, even if they share complex data structures protected by synchronisation primitives. Furthermore, since we follow a propositions-as-types approach, we can reason about the behaviour of concurrent stateful processes by algebraic program manipulation. The feasibility of our approach is witnessed by the implementation of a type checker and interpreter for CLASS, which validates and guides the development of many realistic programs. The implementation is available with an open-source license, together with several examples.A construção de software depende de estado partilhado imperativo e concorrência, que estão naturalmente presentes em vários domínios de aplicação e que também são explorados para melhorar o a estrutura e o desempenho dos programas. No entanto, raciocinar sobre concorrência e estado mutável partilhado é difícil e propenso à introdução de erros e muitos bugs de programação, tais como fugas de memória, corrupção de dados, programas bloqueados e programas que não terminam a sua execução. Nesta tese, desenvolvemos CLASS: uma linguagem baseada em sessões, com um sistema de tipos leve e subestrutural, que resulta de uma extensão metodológica da correspondência proposições-como-tipos com a lógica linear clássica de segunda ordem. Mais concretamente, a linguagem CLASS oferece suporte para comunicação baseada em sessões, células de memória protegidas com mutexes de primeira classe, partilha dinâmica de estado, algoritmos polimórficos genéricos, abstração de dados e recursão primitiva. A linguagem CLASS expressa e tipifica programas realistas significativos, que manipulam estruturas de dados ligadas eficientes (listas ligadas, árvores de pesquisa binária) suportando actualização imperativa local, TDAs partilhados e concorrentes (contadores, pilhas, filas funcionais e imperativas), métodos de sincronização e partilha de recursos (bifurcar-juntar, barreiras, jantar de filósofos, protocolos genéricos corecursivos). Todos estes exemplos são seguros, uma garantia que resulta da nossa abordagem lógica. Os fundamentos, baseados na lógica linear, garantem que programas em CLASS bem tipificados não incorrem em erros: nunca bloqueiam, quer na comunicação, quer na aquisição de células de memória, nunca causam fugas de memória e terminam sempre, mesmo que compartilhem estruturas de dados complexas protegidas por primitivas de sincronização. Além disso, uma vez que seguimos uma abordagem de proposições-comotipos, podemos raciocinar sobre o comportamento de processos concorrentes, que usam estado, através de manipulação algébrica. A viabilidade da nossa abordagem é evidenciada pela implementação de um verificador de tipos e interpretador para a linguagem CLASS, que valida e orienta o desenvolvimento de vários programs realistas. A implementação está disponível com uma licença de acesso livre, juntamente com inúmeros exemplos

Polymorphic Typestate for Session Types

Session types provide a principled approach to typed communication protocols that guarantee type safety and protocol fidelity. Formalizations of session-typed communication are typically based on process calculi, concurrent lambda calculi, or linear logic. An alternative model based on context-sensitive typing and typestate has not received much attention due to its apparent restrictions. However, this model is attractive because it does not force programmers into particular patterns like continuation-passing style or channel-passing style, but rather enables them to treat communication channels like mutable variables. Polymorphic typestate is the key that enables a full treatment of session-typed communication. Previous work in this direction was hampered by its setting in a simply-typed lambda calculus. We show that higher-order polymorphism and existential types enable us to lift the restrictions imposed by the previous work, thus bringing the expressivity of the typestate-based approach on par with the competition. On this basis, we define PolyVGR, the system of polymorphic typestate for session types, establish its basic metatheory, type preservation and progress, and present a prototype implementation.Comment: 29 pages. Short version appears in PPDP 202

Regulating Data Exchange in Service Oriented Applications

We define a type system for COWS, a formalism for specifying and combining services, while modelling their dynamic behaviour. Our types permit to express policies constraining data exchanges in terms of sets of service partner names attachable to each single datum. Service programmers explicitly write only the annotations necessary to specify the wanted policies for communicable data, while a type inference system (statically) derives the minimal additional annotations that ensure consistency of services initial configuration. Then, the language dynamic semantics only performs very simple checks to authorize or block communication. We prove that the type system and the operational semantics are sound. As a consequence, we have the following data protection property: services always comply with the policies regulating the exchange of data among interacting services. We illustrate our approach through a simplified but realistic scenario for a service-based electronic marketplace

Multi-modal meaning – An empirically-founded process algebra approach

Humans communicate with different modalities. We offer an account of multi-modal meaning coordination, taking speech-gesture meaning coordination as a prototypical case. We argue that temporal synchrony (plus prosody) does not determine how to coordinate speech meaning and gesture meaning. Challenging cases are asynchrony and broadcasting cases, which are illustrated with empirical data. We propose that a process algebra account satisfies the desiderata. It models gesture and speech as independent but concurrent processes that can communicate flexibly with each other and exchange the same information more than once. The account utilizes the psi-calculus, allowing for agents, input-output-channels, concurrent processes, and data transport of typed lambda-terms. A multi-modal meaning is produced integrating speech meaning and gesture meaning into one semantic package. Two cases of meaning coordination are handled in some detail: the asynchrony between gesture and speech, and the broadcasting of gesture meaning across several dialogue contributions. This account can be generalized to other cases of multi-modal meaning

CaSPiS: A Calculus of Sessions, Pipelines and Services

Service-oriented computing is calling for novel computational models and languages with well disciplined primitives for client-server interaction, structured orchestration and unexpected events handling. We present CaSPiS, a process calculus where the conceptual abstractions of sessioning and pipelining play a central role for modelling service-oriented systems. CaSPiS sessions are two-sided, uniquely named and can be nested. CaSPiS pipelines permit orchestrating the flow of data produced by different sessions. The calculus is also equipped with operators for handling (unexpected) termination of the partner’s side of a session. Several examples are presented to provide evidence of the flexibility of the chosen set of primitives. One key contribution is a fully abstract encoding of Misra et al.’s orchestration language Orc. Another main result shows that in CaSPiS it is possible to program a “graceful termination” of nested sessions, which guarantees that no session is forced to hang forever after the loss of its partner