Separability in the Ambient Logic

The \it{Ambient Logic} (AL) has been proposed for expressing properties of process mobility in the calculus of Mobile Ambients (MA), and as a basis for query languages on semistructured data. We study some basic questions concerning the discriminating power of AL, focusing on the equivalence on processes induced by the logic $(=_L>)$. As underlying calculi besides MA we consider a subcalculus in which an image-finiteness condition holds and that we prove to be Turing complete. Synchronous variants of these calculi are studied as well. In these calculi, we provide two operational characterisations of $_=L$: a coinductive one (as a form of bisimilarity) and an inductive one (based on structual properties of processes). After showing $_=L$ to be stricly finer than barbed congruence, we establish axiomatisations of $_=L$ on the subcalculus of MA (both the asynchronous and the synchronous version), enabling us to relate $_=L$ to structural congruence. We also present some (un)decidability results that are related to the above separation properties for AL: the undecidability of $_=L$ on MA and its decidability on the subcalculus.Comment: logical methods in computer science, 44 page

LFTOP: An LF based approach to domain specific reasoning

Specialized vocabulary, notations and inference rules tailored for the description, analysis and reasoning of a domain is very important for the domain. For domain-specific issues researchers focus mainly on the design and implementation of domain-specific languages (DSL) and pay little attention to the reasoning aspects. We believe that domain-specific reasoning is very important to help the proofs of some properties of the domains and should be more concise, more reusable and more believable. It deserves to be investigated in an engineering way. Type theory provides good support for generic reasoning and verification. Many type theorists want to extend uses of type theory to more domains, and believe that the methods, ideas, and technology of type theory can have a beneficial effect for computer assisted reasoning in many domains. Proof assistants based on type theory are well known as effective tools to support reasoning. But these proof assistants have focused primarily on generic notations for representation of problems and are oriented towards helping expert type theorists build proofs efficiently. They are successful in this goal, but they are less suitable for use by non-specialists. In other words, one of the big barriers to limit the use of type theory and proof assistant in domain-specific areas is that it requires significant expertise to use it effectively. We present LFTOP ― a new approach to domain-specific reasoning that is based on a type-theoretic logical framework (LP) but does not require the user to be an expert in type theory. In this approach, users work on a domain-specific interface that is familiar to them. The interface presents a reasoning system of the domain through a user-oriented syntax. A middle layer provides translation between the user syntax and LF， and allows additional support for reasoning (e.g. model checking). Thus, the complexity of the logical framework is hidden but we also retain the benefits of using type theory and its related tools, such as precision and machine-checkable proofs. The approach is being investigated through a number of case studies. In each case study, the relevant domain-specific specification languages and logic are formalized in Plastic. The relevant reasoning system is designed and customized for the users of the corresponding specific domain. The corresponding lemmas are proved in Plastic. We analyze the advantages and shortcomings of this approach, define some new concepts related to the approach, especially discuss issues arising from the translation between the different levels. A prototype implementation is developed. We illustrate the approach through many concrete examples in the prototype implementation. The study of this thesis shows that the approach is feasible and promising, the relevant methods and technologies are useful and effective

Action Refinement in End-Based Choice Settings

The choice operator is essential for the description of action-based reactive systems. If the atomicity of actions is dropped (e.g. by action refinement), one has to decide when the choice is triggered. The standard approach is to trigger the choice when actions start. This thesis examine the alternative approach that the choice is triggered when actions terminate. This end-based choice is motivated and a process algebra, which contains an end-based choice and an action refinement operator, is established. Consistent semantics (operational, denotational, axiomatical) are given. Furthermore, the difference between the start-based and the end-based choice are examined, in particular with respect to equivalence notions. New equivalence are established, since the standard equivalences are not preserved by the end-based action refinement operator

Verification of LOTOS Specifications Using Term Rewriting Techniques

Recently the use of formal methods in describing and analysing the behaviour of (computer) systems has become more common. This has resulted in the proliferation of a wide variety of different specification formalisms, together with analytical techniques and methodologies for specification development. The particular specification formalism adopted for this study is LOTOS, an ISO standard formal description technique. Although there are many works dealing with how to write LOTOS specifications and how to develop a LOTOS specification from the initial abstract requirements specification to concrete implementation, relatively few works are concerned with the problems of expressing and proving the correctness of LOTOS specifications, i.e. verification. The main objective of this thesis is to address this shortfall by investigating the meaning of verification as it relates to concurrent systems in general, and in particular to those systems described using LOTUS. Further goals are to automate the verification process using equational reasoning and term rewriting, and also to attempt to make the results of this work, both theoretical and practical, as accessible to LOTOS practitioners as possible. After introducing the LOTUS language and related formalisms, the thesis continues with a survey of approaches to verification of concurrent systems with a view to identifying those approaches suitable for use in verification of properties of systems specified using LOTOS. Both general methodology and specific implementation techniques are considered. As a result of this survey, two useful approaches are identified. Both are based on the technique of expressing the correctness of a LOTUS specification by comparison with another, typically more abstract, specification. The second approach, covered later in the thesis, uses logic for the more abstract specification. The main part of the thesis is concerned with the first approach, in which both specifications are described in LOTUS, and the comparison is expressed by a behavioural equivalence or preorder relation. This approach is further explored by means of proofs based on the paradigm of equational reasoning, implemented by term rewriting. Initially, only Basic LOTUS (i.e. the process algebra) is considered. A complete (i.e. confluent and terminating) rule set for weak bisimulation congruence over a subset of Basic LOTOS is developed using RRL (Rewrite Rule Laboratory). Although fully automatic, this proof technique is found to be insufficient for anything other than finite toy examples. In order to give more power, the rule set is supplemented by an incomplete set of rules expressing the expansion law. The incompleteness of the rule set necessitates the use of a strategy in applying the rules, as indiscriminate application of the rules may lead to non-termination of the rewriting. A case study illustrates the use of these rules, and also the effect of different interpretations of the verification requirement on the outcome of the proof. This proof technique, as a result of the deficiencies of the tool on which it is based, has two major failings: an inability to handle recursion, and no opportunity for user control in the proof. Moving to a different tool, PAM (Process Algebra Manipulator), allows correction of these faults, but at the cost of automation. The new implementation acts merely as computerised pencil and paper, although tactics can be defined which allow some degree of automation. Equations may be applied in either direction, therefore completion is no longer as important. (Note that the tactic language could be used to describe a a complete set of rules which would give an automatic proof technique, therefore some effort towards completion is still desirable. However, since LOTOS weak bisimulation congruence is undecidable, there can never be a complete rule set for deciding equivalence of terms from the full LOTUS language.) The composition of the rule set is re-considered, with a. view to using alternative axiomatisations of weak bisimulation congruence: two main axiomatisations are described and their relative merits compared. The axiomatisation of other LOTUS relations is also considered. In particular, we consider the pitfalls of axiomatising the cred preorder relation. In order to demonstrate the use of the PAM proof system developed, the case study, modified to use recursion, is re-examined. Four other examples taken from the literature, one substantial, the others fairly small, are also investigated to further demonstrate the applicability of the PAM proof system to a variety of examples. The above approach considers Basic LOTUS only; to be more generally applicable the verification of properties of full LOTOS specifications (i.e. including abstract data types) must also be studied. Methods for proving the equivalence of full LOTUS specifications are examined, including a modification of the technique used successfully above. The application of this technique is illustrated via proofs of the equivalence of three variants of the well-known stack example

A Language-based Approach to Distributed Resources

Modern computing paradigms for distributed applications advocate a strong control on shared resources available on demand in order to guarantee their correct usages. An illustrative example of such paradigms is Cloud Computing. In this dissertation, we study formal models for distributed applications, paying particular attention to resource usage analysis. Formal methods for specifying and analysing different aspects of resource management could play an important role for the widespread usages of distributed resources. They provide not only the theoretical framework to understand the stages underlying the design and implementation issues, but also the mathematically-based techniques for the specification and verifications of properties of such systems. In this dissertation, we introduce two models, called lambda clouds and G-Local pi calculus, which are extensions of the lambda calculus and pi calculus respectively. The lambda clouds is an extension of concurrent lambda calculus enriched with suitable mechanisms to express and enforce application-level security policies governing usages of resources available on demand in the clouds. We focus on the server side of cloud systems, by adopting a pro-active approach, where explicit security policies, which are expressed as a set of execution traces, regulate server's behaviour. By providing an abstract cloud semantics, we ensure that enforcing security policies embedded in cloud applications is sound. The G-Local pi calculus is built on top of the standard pi calculus by introducing new primitives to manage resources. Unlike the previous model, where resources are highly abstract, resources in this approach are modelled as stateful entities with local states and global policies. A high degree of loose coupling among applications and resources is achieved through the publish/subscribe model. Furthermore, we develop two static, language-based techniques, namely Control Flow Analysis (CFA) and Type and Effect Systems, to reason about resource usages and therefore able to predict \textit{bad} usages of resources. The CFA mainly focuses on reachability properties related to resource usages. It computes an over-approximation of resource usages of applications. As a result, if the approximation does not contain bad usages, then it guarantees that applications correctly use resources. The type and effect system provides a closer view of resource behaviour. Resource behaviour is extracted in the form of side effect of the type system. We exploit side effect to verify regular linear time properties, expressed by Linear Time Logic formulas, of resource usages

Programming Languages and Systems

This open access book constitutes the proceedings of the 28th European Symposium on Programming, ESOP 2019, which took place in Prague, Czech Republic, in April 2019, held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2019

Session-based concurrency: between operational and declarative views

Communication-based software is ubiquitous nowadays. From e-banking to e-shopping, online activities often involve message exchanges between software components. These interactions are often governed by protocols that explicitly describe the sequences of communication actions that should be executed by each component. Crucially, these protocols are not isolated from a program’s context: external conditions such as timing constraints or exceptional events that occur during execution can affect message exchanges. As an additional difficulty, individual components are typically developed in different programming languages. In this setting, certifying that a program conforms to its intended protocols is challenging. A widely studied program verification technique uses behavioral type systems, which exploit abstract representations of these protocols to check that the program executes communication actions as intended. Unfortunately, the abstractions offered by behavioral type systems may neglect the influence that external conditions have on the program. This thesis addresses this issue by considering programming languages with declarative features, in which the governing conditions of the program can be adequately described. Our work develops correct translations between programming languages to show that languages with declarative features can indeed articulate a unified view of communication-based programs. Specifically, these translations demonstrate that the operational features of communication-based programs can be correctly represented by languages with declarative features. An additional contribution is a hybrid language that combines the best of both worlds, enabling the analysis of operational and declarative features in communication-based programs