Model checking usage policies

We study usage automata, a formal model for specifying policies on the usage of resources. Usage automata extend finite state automata with some additional features, parameters and guards, that improve their expressivity. We show that usage automata are expressive enough to model policies of real-world applications. We discuss their expressive power, and we prove that the problem of telling whether a computation complies with a usage policy is decidable. The main contribution of this paper is a model checking technique for usage automata. The model is that of usages, i.e. basic processes that describe the possible patterns of resource access and creation. In spite of the model having infinite states, because of recursion and resource creation, we devise a polynomial-time model checking technique for deciding when a usage complies with a usage policy

Secure multi-party contracts for web-services

We consider two complementary formal approaches for describing services and their interactive behaviour. The first approach is based on the notion of contracts. Contracts are CCS-like processes that contain a description of the external observable behavior of a service. A notion of compliace has been introduced allowing to check whether the interaction between two parties terminate or gets stuck. The second proposal is based on λ-req, a core calculus for services, with primitives for expressing security policies and for composing services in a call-by-contract fashion. In the dissertation we express CCS contracts via λ-req expressions and we prove that the proposed transformation preserves compliance of contracts, by exploiting the security mechanism of λ-req. The transformation enjoys further properties. Multi-party and secure contracts are naturally handled. Moreover, the resulting notion of compliance is compositional: one can substitute a service with an equivalent one without breaking the security of the composition

Context-aware security: Linguistic mechanisms and static analysis

Adaptive systems improve their efficiency by modifying their behaviour to respond to changes in their operational environment. Also, security must adapt to these changes and policy enforcement becomes dependent on the dynamic contexts. We study these issues within MLCoDa, (the core of) an adaptive declarative language proposed recently. A main characteristic of MLCoDa is to have two components: a logical one for handling the context and a functional one for computing. We extend this language with security policies that are expressed in logical terms. They are of two different kinds: context and application policies. The first, unknown a priori to an application, protect the context from unwanted changes. The others protect the applications from malicious actions of the context, can be nested and can be activated and deactivated according to their scope. An execution step can only occur if all the policies in force hold, under the control of an execution monitor. Beneficial to this is a type and effect system, which safely approximates the behaviour of an application, and a further static analysis, based on the computed effect. The last analysis can only be carried on at load time, when the execution context is known, and it enables us to efficiently enforce the security policies on the code execution, by instrumenting applications. The monitor is thus implemented within MLCoDa, and it is only activated on those policies that may be infringed, and switched off otherwise

Security issues in adaptive programming

Adaptive systems improve their efficiency by modifying their behaviour to respond to changes of their operational environment. Also security must adapt to these changes and enforcing policies becomes dependent on the dynamic contexts. We address some issues of context-aware security from a language-based perspective, by extending a core adaptive functional language, with primitives to enforce security policies on the code execution. We then accordingly extend an existing static analysis in order to insert checks in a program so to guarantee that no violation of the required security policies occurs at runtime

Adaptivity: Linguistic Mechanisms and Static Analysis Techniques

Adaptive systems modify their behaviour in order to run always and everywhere. Their structure is therefore subject to continuous changes, which however could compromise the correct behaviour of applications and break the guarantees on their non-functional requirements. Effective mechanisms are thus required to adapt software to the new added functionalities and to changes of the operational environment, namely the context in which applications are plugged in. These mechanisms must also maintain the applications properties after adaptation occurs. Consequently, a shift in programming technologies and methodologies is needed to manage adaptivity successfully. Since every system, be it adaptive or not, has to be programmed, programming languages need to natively support adaptivity. Furthermore, having adaptivity as a linguistic construct enables us to design and to develop more adequate verification tools that can help to prevent system failures due to erroneous or unexpected changes. This thesis addresses adaptivity, adopting an approach firmly based on programming languages and formal methods. In particular, we have two main concerns. The first one consists of introducing appropriate linguistic primitives to describe the context and to express adaptation. The second one is about the design of verification tools, based on static analysis techniques, in order to ensure that the software maintains its consistency after adaptation

Specification and Verification of Contract-Based Applications

Nowadays emerging paradigms are being adopted by several companies, where applications are built by assembling loosely-coupled distributed components, called services. Services may belong to possibly mutual distrusted organizations and may have conflicting goals. New methodologies for designing and verifying these applications are necessary for coping with new scenarios in which a service does not adhere with its prescribed behaviour, namely its contract. The thesis tackles this problem by proposing techniques for specifying and verifying distributed applications. The first contribution is an automata-based model checking technique for ensuring both service compliance and security requirements in a composition of services. We further develop the automata-based approach by proposing a novel formal model of contracts based on tailored finite state automata, called contract automata. The proposed model features several notions of contract agreement described from a language-theoretic perspective, for characterising the modalities in which the duties and requirements of services are fulfilled. Contract automata are equipped with different composition operators, to uniformly model both single and composite services, and techniques for synthesising an orchestrator to enforce the properties of agreement. Algorithms for verifying these properties are introduced, based on control theory and linear programming techniques. The formalism assumes the existence of possible malicious components trying to break the overall agreement, and techniques for detecting and banning eventually liable services are described. We study the conditions for dismissing the central orchestrator in order to generate a distributed choreography of services, analysing both closed and open choreographed systems, with synchronous or asynchronous interactions. We relate contract automata with different intutionistic logics for contracts, introduced for solving mutual circular dependencies between the requirements and the obligations of the parties, with either linear or non-linear availability of resources. Finally, a prototypical tool implementing the theory developed in the thesis is presented

Graphs and Graph Transformations for Object-Oriented and Service-Oriented Systems

Theories of graphs and graph transformations form an important part of the mathematical foundations of computing, and have been applied in a wide range of areas from the design and analysis of algorithms to the formalization of various computer systems and programs. In this thesis, we study how graphs and graph transformations can be used to model the static structure and dynamic behavior of object-orientated and service-oriented systems. Our work is mainly motivated by the difficulty in understanding and reasoning about objectorientated and service-oriented programs, which have more sophisticated features compared with traditional procedural programs. We show that the use of graphs and graphs transformations provides both an intuitive visualization and a formal representation of object-orientated and serviceoriented programs with these features, improving people’s understanding of the execution states and behaviors of these programs. We provide a graph-based type system, operational semantics and refinement calculus for an object-oriented language. In this framework, we define class structures and execution states of oo programs as directed and labeled graphs, called class graphs and state graphs, respectively. The type system checks whether a program is well-typed based on its class graph, while the operational semantics defines each step of program execution as a simple graph transformations between state graphs. We show the operational semantics is type-safe in that the execution of a well-typed program does not “go wrong”. Based on the operational semantics, we study the notion of structure refinement of oo programs as graph transformations between their class graphs. We provide a few groups of refinement rules for various purposes such as class expansion and polymorphism elimination and prove their soundness and relative completeness. We also propose a graph-based representation of service-oriented systems specified in a serviceoriented process calculus. In this framework, we define states of service-oriented systems as hier- archical graphs that naturally capture the hierarchical nature of service structures. For this, we exploit a suitable graph algebra and set up a hierarchical graph model, in which graph transformations are studied following the well-known Double-Pushout approach. Based on this model, we provide a graph transformation system with a few sets of graph transformation rules for various purposes such as process copy and process reduction. We prove that the graph transformation system is sound and complete with respect to the reduction semantics of the calculus

Planning and verifying service composition

A static approach is proposed to study secure composition of services. We extend the λ-calculus with primitives for selecting and invoking services that respect given security requirements. Security-critical code is enclosed in policy framings with a possibly nested, local scope. Policy framings enforce safety and liveness properties. The actual run-time behaviour of services is over-approximated by a type and effect system. Types are standard, and effects include the actions with possible security concerns — as well as information about which services may be invoked at run-time. An approximation is model-checked to verify policy framings within their scopes. This allows for removing any run-time execution monitor, and for determining the plans driving the selection of those services that match the security requirements on demand.

Planning and verifying service composition

A static approach is proposed to study secure composition of services. We extend the λ-calculus with primitives for selecting and invoking ser- vices that respect given security requirements. Security-critical code is en- closed in policy framings with a possibly nested, local scope. Policy fram- ings enforce safety and liveness properties. The actual run-time behaviour of services is over-approximated by a type and effect system. Types are standard, and effects include the actions with possible security concerns — as well as information about which services may be invoked at run-time. An approximation is model-checked to verify policy framings within their scopes. This allows for removing any run-time execution monitor, and for determining the plans driving the selection of those services that match the security requirements on demand