11 research outputs found
Model checking usage policies
We study usage automata, a formal model for specifying policies on the usage of resources. Usage automata extend finite state automata with some additional features, parameters and guards, that improve their expressivity. We show that usage automata are expressive enough to model policies of real-world applications. We discuss their expressive power, and we prove that the problem of telling whether a computation complies with a usage policy is decidable. The main contribution of this paper is a model checking technique for usage automata. The model is that of usages, i.e. basic processes that describe the possible patterns of resource access and creation. In spite of the model having infinite states, because of recursion and resource creation, we devise a polynomial-time model checking technique for deciding when a usage complies with a usage policy
Secure multi-party contracts for web-services
We consider two complementary formal approaches for describing services and their interactive behaviour.
The first approach is based on the notion of contracts. Contracts are
CCS-like processes that contain a description of the external observable behavior of a service. A notion of compliace has been introduced allowing
to check whether the interaction between two parties terminate or gets stuck. The second proposal is based on λ-req, a core calculus for services, with primitives for expressing security policies and for composing services in a call-by-contract fashion.
In the dissertation we express CCS contracts via λ-req expressions and we prove that the proposed transformation preserves compliance of contracts, by exploiting the security mechanism of λ-req.
The transformation enjoys further properties.
Multi-party and secure contracts are naturally handled. Moreover, the resulting notion of compliance is compositional: one can substitute a service with an equivalent one without breaking the security of the composition
Context-aware security: Linguistic mechanisms and static analysis
Adaptive systems improve their efficiency by modifying their behaviour to respond to changes in their operational
environment. Also, security must adapt to these changes and policy enforcement becomes dependent on the dynamic contexts.
We study these issues within MLCoDa, (the core of) an adaptive declarative language proposed recently. A main characteristic
of MLCoDa is to have two components: a logical one for handling the context and a functional one for computing. We extend
this language with security policies that are expressed in logical terms. They are of two different kinds: context and application
policies. The first, unknown a priori to an application, protect the context from unwanted changes. The others protect the
applications from malicious actions of the context, can be nested and can be activated and deactivated according to their scope.
An execution step can only occur if all the policies in force hold, under the control of an execution monitor. Beneficial to this is
a type and effect system, which safely approximates the behaviour of an application, and a further static analysis, based on the
computed effect. The last analysis can only be carried on at load time, when the execution context is known, and it enables us to
efficiently enforce the security policies on the code execution, by instrumenting applications. The monitor is thus implemented
within MLCoDa, and it is only activated on those policies that may be infringed, and switched off otherwise
Security issues in adaptive programming
Adaptive systems improve their efficiency by modifying their behaviour to respond to changes of their operational environment. Also security must adapt to these changes and enforcing policies becomes dependent on the dynamic contexts.
We address some issues of context-aware security from a language-based perspective, by extending a core adaptive functional language, with primitives to enforce security policies on the code execution. We then accordingly extend an existing static analysis in order to insert checks in a program so to guarantee that no violation of the required security policies occurs at runtime
Adaptivity: Linguistic Mechanisms and Static Analysis Techniques
Adaptive systems modify their behaviour in order to run always and everywhere. Their
structure is therefore subject to continuous changes, which however could compromise
the correct behaviour of applications and break the guarantees on their non-functional
requirements. Effective mechanisms are thus required to adapt software to the new
added functionalities and to changes of the operational environment, namely the context in which applications are plugged in. These mechanisms must also maintain the
applications properties after adaptation occurs.
Consequently, a shift in programming technologies and methodologies is needed to manage adaptivity successfully. Since every system, be it adaptive or not, has to be programmed, programming languages need to natively support adaptivity. Furthermore, having adaptivity as a linguistic construct enables us to design and to develop more
adequate verification tools that can help to prevent system failures due to erroneous or
unexpected changes.
This thesis addresses adaptivity, adopting an approach firmly based on programming languages and formal methods. In particular, we have two main concerns. The first one consists of introducing appropriate linguistic primitives to describe the context and to express adaptation. The second one is about the design of verification tools, based on static analysis techniques, in order to ensure that the software maintains its consistency after adaptation
Specification and Verification of Contract-Based Applications
Nowadays emerging paradigms are being adopted by several companies, where applications
are built by assembling loosely-coupled distributed components, called services.
Services may belong to possibly mutual distrusted organizations and may have conflicting
goals. New methodologies for designing and verifying these applications are
necessary for coping with new scenarios in which a service does not adhere with its
prescribed behaviour, namely its contract.
The thesis tackles this problem by proposing techniques for specifying and verifying
distributed applications. The first contribution is an automata-based model checking technique
for ensuring both service compliance and security requirements in a composition of
services. We further develop the automata-based approach by proposing a novel formal
model of contracts based on tailored finite state automata, called contract automata.
The proposed model features several notions of contract agreement described from a
language-theoretic perspective, for characterising the modalities in which the duties and
requirements of services are fulfilled. Contract automata are equipped with different
composition operators, to uniformly model both single and composite services, and techniques
for synthesising an orchestrator to enforce the properties of agreement. Algorithms
for verifying these properties are introduced, based on control theory and linear programming
techniques. The formalism assumes the existence of possible malicious components
trying to break the overall agreement, and techniques for detecting and banning eventually
liable services are described. We study the conditions for dismissing the central
orchestrator in order to generate a distributed choreography of services, analysing both
closed and open choreographed systems, with synchronous or asynchronous interactions.
We relate contract automata with different intutionistic logics for contracts, introduced
for solving mutual circular dependencies between the requirements and the obligations of
the parties, with either linear or non-linear availability of resources. Finally, a prototypical tool implementing the theory developed in the thesis is presented
Graphs and Graph Transformations for Object-Oriented and Service-Oriented Systems
Theories of graphs and graph transformations form an important part of the mathematical foundations
of computing, and have been applied in a wide range of areas from the design and analysis
of algorithms to the formalization of various computer systems and programs. In this thesis, we
study how graphs and graph transformations can be used to model the static structure and dynamic
behavior of object-orientated and service-oriented systems.
Our work is mainly motivated by the difficulty in understanding and reasoning about objectorientated
and service-oriented programs, which have more sophisticated features compared with
traditional procedural programs. We show that the use of graphs and graphs transformations provides
both an intuitive visualization and a formal representation of object-orientated and serviceoriented
programs with these features, improving people’s understanding of the execution states
and behaviors of these programs.
We provide a graph-based type system, operational semantics and refinement calculus for an
object-oriented language. In this framework, we define class structures and execution states of oo
programs as directed and labeled graphs, called class graphs and state graphs, respectively. The
type system checks whether a program is well-typed based on its class graph, while the operational
semantics defines each step of program execution as a simple graph transformations between state
graphs. We show the operational semantics is type-safe in that the execution of a well-typed
program does not “go wrong”. Based on the operational semantics, we study the notion of structure
refinement of oo programs as graph transformations between their class graphs. We provide a
few groups of refinement rules for various purposes such as class expansion and polymorphism
elimination and prove their soundness and relative completeness.
We also propose a graph-based representation of service-oriented systems specified in a serviceoriented
process calculus. In this framework, we define states of service-oriented systems as hier-
archical graphs that naturally capture the hierarchical nature of service structures. For this, we
exploit a suitable graph algebra and set up a hierarchical graph model, in which graph transformations
are studied following the well-known Double-Pushout approach. Based on this model, we
provide a graph transformation system with a few sets of graph transformation rules for various
purposes such as process copy and process reduction. We prove that the graph transformation
system is sound and complete with respect to the reduction semantics of the calculus
Planning and verifying service composition
A static approach is proposed to study secure composition of services. We extend the λ-calculus with primitives for selecting and invoking services that respect given security requirements. Security-critical code is enclosed in policy framings with a possibly nested, local scope. Policy framings enforce safety and liveness properties. The actual run-time behaviour of services is over-approximated by a type and effect system. Types are standard, and effects include the actions with possible security concerns — as well as information about which services may be invoked at run-time. An approximation is model-checked to verify policy framings within their scopes. This allows for removing any run-time execution monitor, and for determining the plans driving the selection of those services that match the security requirements on demand.
Planning and verifying service composition
A static approach is proposed to study secure composition of services. We extend the λ-calculus with primitives for selecting and invoking ser- vices that respect given security requirements. Security-critical code is en- closed in policy framings with a possibly nested, local scope. Policy fram- ings enforce safety and liveness properties. The actual run-time behaviour of services is over-approximated by a type and effect system. Types are standard, and effects include the actions with possible security concerns — as well as information about which services may be invoked at run-time. An approximation is model-checked to verify policy framings within their scopes. This allows for removing any run-time execution monitor, and for determining the plans driving the selection of those services that match the security requirements on demand