Security Policies as Membranes in Systems for Global Computing

We propose a simple global computing framework, whose main concern is code migration. Systems are structured in sites, and each site is divided into two parts: a computing body, and a membrane which regulates the interactions between the computing body and the external environment. More precisely, membranes are filters which control access to the associated site, and they also rely on the well-established notion of trust between sites. We develop a basic theory to express and enforce security policies via membranes. Initially, these only control the actions incoming agents intend to perform locally. We then adapt the basic theory to encompass more sophisticated policies, where the number of actions an agent wants to perform, and also their order, are considered

Full abstraction for expressiveness: history, myths and facts

Dieser Beitrag ist mit Zustimmung des Rechteinhabers aufgrund einer (DFG geförderten) Allianz- bzw. Nationallizenz frei zugänglich.This publication is with permission of the rights owner freely accessible due to an Alliance licence and a national licence (funded by the DFG, German Research Foundation) respectively.What does it mean that an encoding is fully abstract? What does it not mean? In this position paper, we want to help the reader to evaluate the real benefits of using such a notion when studying the expressiveness of programming languages. Several examples and counterexamples are given. In some cases, we work at a very abstract level; in other cases, we give concrete samples taken from the field of process calculi, where the theory of expressiveness has been mostly developed in the last years

A Distributed π-Calculus with Local Areas of Communication

AbstractThis paper introduces a process calculus designed to capture the phenomenon of names which are known universally but always refer to local information. Our system extends the π-calculus so that a channel name can have within its scope several disjoint local areas. Such a channel name may be used for communication within an area, it may be sent between areas, but it cannot itself be used to transmit information from one area to another. Areas are arranged in a hierarchy of levels, distinguishing for example between a single application, a machine, or a whole network. We give an operational semantics for the calculus, and develop a type system that guarantees the proper use of channels within their local areas. We illustrate with models of an internet service protocol and a pair of distributed agents

Local area [pye]-calculus

All computers on the Internet are connected, but not all connections are equal. Hosts are grouped into islands of local communication. It is the agreed conventions and shared knowledge that connect these islands, just as much as the switches and wires that run between them. The power and limitation of these conventions and shared knowledge and hence their effectiveness can be investigated by an appropriate calculus. In this thesis I describe a development of the 7r-calculus that is particularly well suited to express such systems. The process calculus, which I call the local area n-calculus or Ian, extends the 7r-calculus so that a channel name can have within its scope several disjoint local areas. Such a channel name may be used for communication within an area or it may be sent between areas, but it cannot itself be used to transmit information from one area to another. Areas are arranged in a hierarchy of levels which distinguish, for example, between a single application, a machine, or a whole network. I present a semantics for this calculus that relies on several side-conditions which are essentially runtime level checks. I show that a suitable type system can provide enough static information to make most of these checks unnecessary. I examine the descriptive power of the /a7r-calculus by comparing it to the 7r-calculus. I find that, perhaps surprisingly, local area communication can be encoded into the 7T-calculus with conditional matching. The encoding works by replacing communication inside an area with communication on a new channel created just for that area. This is analogous to replacing direct communication between two points with a system that broadcasts packets over a background ether. I show a form of operational correspondence between the behaviour of a process in lan and its 7r-calculus translation. One of my aims in developing this calculus is to provide a convenient and ex¬ pressive framework with which to examine convention-laden, distributed systems. I offer evidence that the calculus has achieved this by way of an extended case study. I present a model of Internet communication based on Sockets and TCP over IP and then extend this system with Network Address Translation. I then 4 give a model of the File Transfer Protocol that uses TCP/IP to communicate between networks. Traces of the model show that FTP, run in its normal mode, will fail when the client is using Network Address Translation, whereas, an alternative mode of FTP will succeed. Moreover a normal run of the model over NAT fails in the same way as the real life system would, demonstrating that the model can pick up this failure and correctly highlight the reasons behind it

On Depth-bounded Message Passing Systems

We explore the border between decidability and undecidability of verification problems related to message passing systems that admit unbounded creation of threads and name mobility. Inspired by use cases in real-life programs we introduce the notion of depth-bounded message passing systems. A configuration of a message passing system can be represented as a graph. In a depth-bounded system the length of the longest acyclic path in each reachable configuration is bounded by a constant. While the general reachability problem for depth-bounded systems is undecidable, we prove that control reachability is decidable. In our decidability proof we show that depth-bounded systems are well-structured transition systems to which a forward algorithm for the covering problem can be applied

Session-based concurrency: between operational and declarative views

Communication-based software is ubiquitous nowadays. From e-banking to e-shopping, online activities often involve message exchanges between software components. These interactions are often governed by protocols that explicitly describe the sequences of communication actions that should be executed by each component. Crucially, these protocols are not isolated from a program’s context: external conditions such as timing constraints or exceptional events that occur during execution can affect message exchanges. As an additional difficulty, individual components are typically developed in different programming languages. In this setting, certifying that a program conforms to its intended protocols is challenging. A widely studied program verification technique uses behavioral type systems, which exploit abstract representations of these protocols to check that the program executes communication actions as intended. Unfortunately, the abstractions offered by behavioral type systems may neglect the influence that external conditions have on the program. This thesis addresses this issue by considering programming languages with declarative features, in which the governing conditions of the program can be adequately described. Our work develops correct translations between programming languages to show that languages with declarative features can indeed articulate a unified view of communication-based programs. Specifically, these translations demonstrate that the operational features of communication-based programs can be correctly represented by languages with declarative features. An additional contribution is a hybrid language that combines the best of both worlds, enabling the analysis of operational and declarative features in communication-based programs

A Lexically Scoped Distributed π\pi-Calculus

We define the syntax, the operational semantics, and a type system for lsd-pi, an asynchronous and distributed $\pi$-calculus with local communication and process migration. The calculus follows a simple model of distribution for mobile calculi, with a lexical scoping mechanism that provides both for remote communication and for process migration, making explicit migration primitives superfluou

Formal verication of secure ad-hoc network routing protocols using deductive model-checking

Ad-hoc networks do not rely on a pre-installed infrastructure, but they are formed by end-user devices in a self-organized manner. A consequence of this principle is that end-user devices must also perform routing functions. However, end-user devices can easily be compromised, and they may not follow the routing protocol faithfully. Such compromised and misbehaving nodes can disrupt routing, and hence, disable the operation of the network. In order to cope with this problem, several secured routing protocols have been proposed for ad-hoc networks. However, many of them have design aws that still make them vulnerable to attacks mounted by compromised nodes. In this paper, we propose a formal verication method for secure ad-hoc network routing protocols that helps increasing the condence in a protocol by providing an analysis framework that is more systematic, and hence, less error-prone than the informal analysis. Our approach is based on a new process algebra that we specically developed for secure ad-hoc network routing protocols and a deductive proof technique. The novelty of this approach is that contrary to prior attempts to formal verication of secure ad-hoc network routing protocols, our verication method can be made fully automated, and provides expressiveness for explicitly modelling cryptography privitive