Secrecy in Untrusted Networks

We investigate the protection of migrating agents against the untrusted sites they traverse. The resulting calculus provides a formal framework to reason about protection policies and security protocols over distributed, mobile infrastructures, and aims to stand to ambients as the spi calculus stands to ?. We present a type system that separates trusted and untrusted data and code, while allowing safe interactions with untrusted sites. We prove that the type system enforces a privacy property, and show the expressiveness of the calculus via examples and an encoding of the spi calculus

CODEWEAVE: exploring fine-grained mobility of code

This paper is concerned with an abstract exploration of code mobility constructs designed for use in settings where the level of granularity associated with the mobile units exhibits significant variability. Units of mobility that are both finer and coarser grained than the unit of execution are examined. To accomplish this, we take the extreme view that every line of code and every variable declaration are potentially mobile, i.e., it may be duplicated or moved from one program context to another on the same host or across the network. We also assume that complex code assemblies may move with equal ease. The result is CODEWEAVE, a model that shows how to develop new forms of code mobility, assign them precise meaning, and facilitate formal verification of programs employing them. The design of CODEWEAVE relies greatly on Mobile UNITY, a notation and proof logic for mobile computing. Mobile UNITY offers a computational milieu for examining a wide range of constructs and semantic alternatives in a clean abstract setting, i.e., unconstrained by compilation and performance considerations traditionally associated with programming language design. Ultimately, the notation offered by CODEWEAVE is given exact semantic definition by means of a direct mapping to the underlying Mobile UNITY model. The abstract and formal treatment of code mobility offered by CODEWEAVE establishes a technical foundation for examining competing proposals and for subsequent integration of some of the mobility constructs both at the language level and within middleware for mobility

Efficient compensation handling via subjective updates

Programming abstractions for compensation handling and dynamic update are crucial in specifying reliable interacting systems, such as Collective Adaptive Systems (CAS). Compensations and updates both specify how a system reacts in response to exceptional events. Prior work showed that different semantics for compensation handling can be encoded into a calculus of adaptable processes with objective updates, in which a process is reconfigured by its context. This paper goes further by considering subjective updates, in which, intuitively, a process reconfigures itself. A calculus of adaptable processes with subjective update its introduced, and its expressivity is assessed by encoding two semantics for compensation handling. The resulting encodings are more efficient than those using objective updates: they require less computational steps

Adaptable processes

We propose the concept of adaptable processes as a way of overcoming the limitations that process calculi have for describing patterns of dynamic process evolution. Such patterns rely on direct ways of controlling the behavior and location of running processes, and so they are at the heart of the adaptation capabilities present in many modern concurrent systems. Adaptable processes have a location and are sensible to actions of dynamic update at runtime; this allows to express a wide range of evolvability patterns for concurrent processes. We introduce a core calculus of adaptable processes and propose two verification problems for them: bounded and eventual adaptation. While the former ensures that the number of consecutive erroneous states that can be traversed during a computation is bound by some given number k, the latter ensures that if the system enters into a state with errors then a state without errors will be eventually reached. We study the (un)decidability of these two problems in several variants of the calculus, which result from considering dynamic and static topologies of adaptable processes as well as different evolvability patterns. Rather than a specification language, our calculus intends to be a basis for investigating the fundamental properties of evolvable processes and for developing richer languages with evolvability capabilities

Local area [pye]-calculus

All computers on the Internet are connected, but not all connections are equal. Hosts are grouped into islands of local communication. It is the agreed conventions and shared knowledge that connect these islands, just as much as the switches and wires that run between them. The power and limitation of these conventions and shared knowledge and hence their effectiveness can be investigated by an appropriate calculus. In this thesis I describe a development of the 7r-calculus that is particularly well suited to express such systems. The process calculus, which I call the local area n-calculus or Ian, extends the 7r-calculus so that a channel name can have within its scope several disjoint local areas. Such a channel name may be used for communication within an area or it may be sent between areas, but it cannot itself be used to transmit information from one area to another. Areas are arranged in a hierarchy of levels which distinguish, for example, between a single application, a machine, or a whole network. I present a semantics for this calculus that relies on several side-conditions which are essentially runtime level checks. I show that a suitable type system can provide enough static information to make most of these checks unnecessary. I examine the descriptive power of the /a7r-calculus by comparing it to the 7r-calculus. I find that, perhaps surprisingly, local area communication can be encoded into the 7T-calculus with conditional matching. The encoding works by replacing communication inside an area with communication on a new channel created just for that area. This is analogous to replacing direct communication between two points with a system that broadcasts packets over a background ether. I show a form of operational correspondence between the behaviour of a process in lan and its 7r-calculus translation. One of my aims in developing this calculus is to provide a convenient and ex¬ pressive framework with which to examine convention-laden, distributed systems. I offer evidence that the calculus has achieved this by way of an extended case study. I present a model of Internet communication based on Sockets and TCP over IP and then extend this system with Network Address Translation. I then 4 give a model of the File Transfer Protocol that uses TCP/IP to communicate between networks. Traces of the model show that FTP, run in its normal mode, will fail when the client is using Network Address Translation, whereas, an alternative mode of FTP will succeed. Moreover a normal run of the model over NAT fails in the same way as the real life system would, demonstrating that the model can pick up this failure and correctly highlight the reasons behind it

Multi labelled transition systems: a semantic framework for nominal calculi

Action Labelled transition systems (LTS) have proved to be a fundamental model for describing and proving properties of concurrent systems. In this paper, Multiple Labelled Transition Systems (MLTS) are introduced as generalizations of LTS that permit dealing also with systems features that are becoming more and more important when considering languages and models for network aware programming. MLTS permit describing not only the actions systems can perform but also system's resources usage and their handling (creation, revelation ...) of names. To show adeguacy of our proposal we show how MLTS can be used to describe the operational semantics of one of the most studied calculus for mobility: the asynchronous [pi]-calculus

Generativity and dynamic opacity for abstract types (extended version)

The standard formalism for explaining abstract types is existential quantification. While it provides a sufficient model for type abstraction in entirely statically typed languages, it proves to be too weak for languages enriched with forms of dynamic typing, where parametricity is violated. As an alternative approach to type abstraction that addresses this shortcoming we present a calculus for dynamic type generation. It features an explicit construct for generating new type names and relies on coercions for managing abstraction boundaries between generated types and their designated representation. Sealing is represented as a generalized form of these coercions. The calculus maintains abstractions dynamically without restricting type analysis

Dynamic opacity for abstract types

Existential types are the standard formalisation of abstract types. While this formulation is sufficient in entirely statically typed languages, it proves to be too weak for languages enriched with forms of dynamic typing: in the presence of operations performing type analysis, the abstraction barrier erected by the static typing rules for existential types is no longer impassable, because parametricity is violated. We present a light-weight calculus for polymorphic languages with abstract types that addresses this shortcoming. It features a variation of existential types that retains most of the simplicity of standard existentials. It relies on modified scoping rules and explicit coercions between the quantified variable and its witness type