6,126 research outputs found

    A unifying Petri net model of non-interference and non-deducibility information flow security

    In this paper we introduce FIFO Information Flow Nets (FIFN) as a model for describing information flow security properties. The FIFN is based on Petri nets and has been derived from the work described in [Var89], [Var90] and [Rou86]. Using this new model, we present the information flow security properties Non-Interference between Places (which corresponds to Non-Interference) and Non-Deducibility on Views (which corresponds to Non-Deducibility on Inputs). Then we consider a very general composition operation and show that neither Non-Interference on Places nor Non-Deducibility on Views is preserved under this composition operation. This leads us to a new definition of information flow security referred to as the Feedback Non-Deducibility on Views. We then show that this definition is preserved under the composition operation. We then show some similarities between this property and the notion of Non-Deducibility on Strategies.

    About Dynamical Systems Appearing in the Microscopic Traffic Modeling

    Motivated by microscopic traffic modeling, we analyze dynamical systems which have a piecewise linear concave dynamics not necessarily monotonic. We introduce a deterministic Petri net extension where edges may have negative weights. The dynamics of these Petri nets are well-defined and may be described by a generalized matrix with a submatrix in the standard algebra with possibly negative entries, and another submatrix in the minplus algebra. When the dynamics is additively homogeneous, a generalized additive eigenvalue may be introduced, and the ergodic theory may be used to define a growth rate under additional technical assumptions. In the traffic example of two roads with one junction, we compute explicitly the eigenvalue and we show, by numerical simulations, that these two quantities (the additive eigenvalue and the growth rate) are not equal, but are close to each other. With this result, we are able to extend the well-studied notion of fundamental traffic diagram (the average flow as a function of the car density on a road) to the case of two roads with one junction and give a very simple analytic approximation of this diagram where four phases appear with clear traffic interpretations. Simulations show that the fundamental diagram shape obtained is also valid for systems with many junctions. To simulate these systems, we have to compute their dynamics, which are not quite simple. For building them in a modular way, we introduce generalized parallel, series and feedback compositions of piecewise linear concave dynamics. Comment: PDF 38 pages

    A Taxonomy of Workflow Management Systems for Grid Computing

    With the advent of Grid and application technologies, scientists and engineers are building more and more complex applications to manage and process large data sets, and execute scientific experiments on distributed resources. Such application scenarios require means for composing and executing complex workflows. Therefore, many efforts have been made towards the development of workflow management systems for Grid computing. In this paper, we propose a taxonomy that characterizes and classifies various approaches for building and executing workflows on Grids. We also survey several representative Grid workflow systems developed by various projects world-wide to demonstrate the comprehensiveness of the taxonomy. The taxonomy not only highlights the design and engineering similarities and differences of state-of-the-art in Grid workflow systems, but also identifies the areas that need further research. Comment: 29 pages, 15 figures

    Petri Games: Synthesis of Distributed Systems with Causal Memory

    We present a new multiplayer game model for the interaction and the flow of information in a distributed system. The players are tokens on a Petri net. As long as the players move in independent parts of the net, they do not know of each other; when they synchronize at a joint transition, each player gets informed of the causal history of the other player. We show that for Petri games with a single environment player and an arbitrary bounded number of system players, deciding the existence of a safety strategy for the system players is EXPTIME-complete. Comment: In Proceedings GandALF 2014, arXiv:1408.556

    On Modelling and Analysis of Dynamic Reconfiguration of Dependable Real-Time Systems

    This paper motivates the need for a formalism for the modelling and analysis of dynamic reconfiguration of dependable real-time systems. We present requirements that the formalism must meet, and use these to evaluate well established formalisms and two process algebras that we have been developing, namely, Webpi and CCSdp. A simple case study is developed to illustrate the modelling power of these two formalisms. The paper shows how Webpi and CCSdp represent a significant step forward in modelling adaptive and dependable real-time systems. Comment: Presented and published at DEPEND 201

    On the Decidability of Non Interference over Unbounded Petri Nets

    Non-interference, in transitive or intransitive form, is defined here over unbounded (Place/Transition) Petri nets. The definitions are adaptations of similar, well-accepted definitions introduced earlier in the framework of labelled transition systems. The interpretation of intransitive non-interference which we propose for Petri nets is as follows. A Petri net represents the composition of a controlled and a controller systems, possibly sharing places and transitions. Low transitions represent local actions of the controlled system, high transitions represent local decisions of the controller, and downgrading transitions represent synchronized actions of both components. Intransitive non-interference means the impossibility for the controlled system to follow any local strategy that would force or dodge synchronized actions depending upon the decisions taken by the controller after the last synchronized action. The fact that both language equivalence and bisimulation equivalence are undecidable for unbounded labelled Petri nets might be seen as an indication that non-interference properties based on these equivalences cannot be decided. We prove the opposite, providing results of decidability of non-interference over a representative class of infinite state systems. Comment: In Proceedings SecCo 2010, arXiv:1102.516

    A phenomenal basis for hybrid modelling

    This work in progress extends the new mechanical philosophy from science to engineering. Engineering is the practice of organising the design and construction of artifices that satisfy needs in real-world contexts. This work shows how artifices can be described in terms of their mechanisms and composed through their observable phenomena. Typically, the engineering of real systems requires descriptions in many different languages: software components will be described in code; sensors and actuators in terms of their physical and electronic characteristics; plant in terms of differential equations, perhaps. Another aspect of this work, then, is to construct a formal framework so that diverse description languages can be used to characterise sub-mechanisms. The work is situated in Problem Oriented Engineering, a design theoretic framework engineering defined by the first two authors.