12 research outputs found
Security Policies as Membranes in Systems for Global Computing
We propose a simple global computing framework, whose main concern is code migration. Systems are structured in sites, and each site is divided into two parts: a computing body, and a membrane which regulates the interactions between the computing body and the external environment. More precisely, membranes are filters which control access to the associated site, and they also rely on the well-established notion of trust between sites. We develop a basic theory to express and enforce security policies via membranes. Initially, these only control the actions incoming agents intend to perform locally. We then adapt the basic theory to encompass more sophisticated policies, where the number of actions an agent wants to perform, and also their order, are considered.
Full abstraction for expressiveness: history, myths and facts
This publication is freely accessible with permission of the rights owner due to an Alliance licence and a national licence (funded by the DFG, German Research Foundation) respectively.
What does it mean that an encoding is fully abstract? What does it not mean? In this position paper, we want to help the reader to evaluate the real benefits of using such a notion when studying the expressiveness of programming languages. Several examples and counterexamples are given. In some cases, we work at a very abstract level; in other cases, we give concrete samples taken from the field of process calculi, where the theory of expressiveness has been mostly developed in recent years.
A Distributed π-Calculus with Local Areas of Communication
This paper introduces a process calculus designed to capture the phenomenon of names which are known universally but always refer to local information. Our system extends the π-calculus so that a channel name can have within its scope several disjoint local areas. Such a channel name may be used for communication within an area, it may be sent between areas, but it cannot itself be used to transmit information from one area to another. Areas are arranged in a hierarchy of levels, distinguishing for example between a single application, a machine, or a whole network. We give an operational semantics for the calculus, and develop a type system that guarantees the proper use of channels within their local areas. We illustrate with models of an internet service protocol and a pair of distributed agents.
Local area π-calculus
All computers on the Internet are connected, but not all connections are equal. Hosts are grouped into islands of local communication. It is the agreed conventions and shared knowledge that connect these islands, just as much as the switches and wires that run between them.
The power and limitation of these conventions and shared knowledge, and hence their effectiveness, can be investigated by an appropriate calculus. In this thesis I describe a development of the π-calculus that is particularly well suited to express such systems. The process calculus, which I call the local area π-calculus or laπ, extends the π-calculus so that a channel name can have within its scope several disjoint local areas. Such a channel name may be used for communication within an area or it may be sent between areas, but it cannot itself be used to transmit information from one area to another. Areas are arranged in a hierarchy of levels which distinguish, for example, between a single application, a machine, or a whole network. I present a semantics for this calculus that relies on several side-conditions which are essentially runtime level checks. I show that a suitable type system can provide enough static information to make most of these checks unnecessary.
I examine the descriptive power of the laπ-calculus by comparing it to the π-calculus. I find that, perhaps surprisingly, local area communication can be encoded into the π-calculus with conditional matching. The encoding works by replacing communication inside an area with communication on a new channel created just for that area. This is analogous to replacing direct communication between two points with a system that broadcasts packets over a background ether. I show a form of operational correspondence between the behaviour of a process in laπ and its π-calculus translation.
One of my aims in developing this calculus is to provide a convenient and expressive framework with which to examine convention-laden, distributed systems. I offer evidence that the calculus has achieved this by way of an extended case study. I present a model of Internet communication based on Sockets and TCP over IP and then extend this system with Network Address Translation. I then give a model of the File Transfer Protocol that uses TCP/IP to communicate between networks.
Traces of the model show that FTP, run in its normal mode, will fail when the client is using Network Address Translation, whereas an alternative mode of FTP will succeed. Moreover, a normal run of the model over NAT fails in the same way as the real-life system would, demonstrating that the model can pick up this failure and correctly highlight the reasons behind it.
On Depth-bounded Message Passing Systems
We explore the border between decidability and undecidability of verification problems related to message passing systems that admit unbounded creation of threads and name mobility. Inspired by use cases in real-life programs, we introduce the notion of depth-bounded message passing systems. A configuration of a message passing system can be represented as a graph. In a depth-bounded system the length of the longest acyclic path in each reachable configuration is bounded by a constant. While the general reachability problem for depth-bounded systems is undecidable, we prove that control reachability is decidable. In our decidability proof we show that depth-bounded systems are well-structured transition systems to which a forward algorithm for the covering problem can be applied.
Session-based concurrency: between operational and declarative views
Communication-based software is ubiquitous nowadays. From e-banking to e-shopping, online activities often involve message exchanges between software components. These interactions are often governed by protocols that explicitly describe the sequences of communication actions that should be executed by each component. Crucially, these protocols are not isolated from a program's context: external conditions such as timing constraints or exceptional events that occur during execution can affect message exchanges. As an additional difficulty, individual components are typically developed in different programming languages. In this setting, certifying that a program conforms to its intended protocols is challenging. A widely studied program verification technique uses behavioral type systems, which exploit abstract representations of these protocols to check that the program executes communication actions as intended. Unfortunately, the abstractions offered by behavioral type systems may neglect the influence that external conditions have on the program. This thesis addresses this issue by considering programming languages with declarative features, in which the governing conditions of the program can be adequately described. Our work develops correct translations between programming languages to show that languages with declarative features can indeed articulate a unified view of communication-based programs. Specifically, these translations demonstrate that the operational features of communication-based programs can be correctly represented by languages with declarative features. An additional contribution is a hybrid language that combines the best of both worlds, enabling the analysis of operational and declarative features in communication-based programs.
A Lexically Scoped Distributed π-Calculus
We define the syntax, the operational semantics, and a type system for lsd-pi, an asynchronous and distributed π-calculus with local communication and process migration. The calculus follows a simple model of distribution for mobile calculi, with a lexical scoping mechanism that provides both for remote communication and for process migration, making explicit migration primitives superfluous.
Formal verification of secure ad-hoc network routing protocols using deductive model-checking
Ad-hoc networks do not rely on a pre-installed infrastructure, but they are formed by end-user devices in a self-organized manner. A consequence of this principle is that end-user devices must also perform routing functions. However, end-user devices can easily be compromised, and they may not follow the routing protocol faithfully. Such compromised and misbehaving nodes can disrupt routing, and hence, disable the operation of the network. In order to cope with this problem, several secured routing protocols have been proposed for ad-hoc networks. However, many of them have design flaws that still make them vulnerable to attacks mounted by compromised nodes. In this paper, we propose a formal verification method for secure ad-hoc network routing protocols that helps increase the confidence in a protocol by providing an analysis framework that is more systematic, and hence, less error-prone than informal analysis. Our approach is based on a new process algebra that we specifically developed for secure ad-hoc network routing protocols and a deductive proof technique. The novelty of this approach is that, contrary to prior attempts at formal verification of secure ad-hoc network routing protocols, our verification method can be made fully automated, and provides expressiveness for explicitly modelling cryptographic primitives.