
    Tracking CSP computations

    [EN] Tracing is one of the most important techniques for program understanding and debugging. A trace gives the user access to otherwise hidden information about a computation. In the context of concurrent languages, computations are particularly complex due to the non-deterministic execution order of processes and to the restrictions imposed on this order by synchronizations; hence, a tracer is a powerful tool to explore, understand and debug concurrent computations. In CSP, traces are sequences of events that define a particular execution. This notion of trace is completely different from the one used in other paradigms, where traces are formed by those source code expressions evaluated during a particular execution. We refer to this second notion of traces as tracks. In this work, we introduce the theoretical basis for tracking concurrent and explicitly synchronized computations in process algebras such as CSP. Tracking computations in this kind of system is a difficult task due to the subtleties of the underlying operational semantics, which combines concurrency, non-determinism and non-termination. We define an instrumented operational semantics that generates, as a side effect, an appropriate data structure (a track) which can be used to track computations. The formal definition of a tracking semantics improves the understanding of the tracking process, but it also allows us to formally prove the correctness of the computed tracks. (C) 2018 Elsevier Inc. All rights reserved.

    This work has been partially supported by the EU (FEDER) and the Spanish Ministerio de Ciencia, Innovacion y Universidades/AEI under grant TIN2016-76843-C4-1-R and by the Generalitat Valenciana under grant PROMETEO-II/2015/013 (SmartLogic). The authors acknowledge a partial support of European COST Action IC1405 on Reversible Computation - extending horizons of computing. Salvador Tamarit was partially supported by the Conselleria de Educacion, Investigacion, Cultura y Deporte de la Generalitat Valenciana under the grant APOSTD/2016/036.

    Llorens Agost, ML.; Oliver Villarroya, J.; Silva, J.; Tamarit Muñoz, S. (2019). Tracking CSP computations. Journal of Logical and Algebraic Methods in Programming. 102:138-175. https://doi.org/10.1016/j.jlamp.2018.10.002

    A Structured Approach to Network Security Protocol Implementation

    The implementation of network security protocols has not received the same level of attention in the literature as their analysis. Security protocol analysis has successfully used inference logics, like GNY and BAN, and attack analysis, employing state space examination techniques such as model checking and strand spaces, to verify security protocols. Tools, such as the multi-dimensional analysis environment SPEAR II, exist to help automate security protocol specification and verification; however, actual implementation of the specification in executable code is a task still largely left to human programmers. Many vulnerabilities have been found in implementations of security protocols such as SSL, PPTP and RADIUS that are incorporated into widely used operating system software, web servers and other network-aware applications. While some of these vulnerabilities may be a result of flawed or unclear specifications, many are the result of the failure of programmers to correctly interpret and implement them. The above indicates a gap between security protocol specifications and their concrete implementations, in that there are methodologies and tools that have been established for developing the former, but not the latter. This dissertation proposes an approach to bridging this gap, describes our implementation of that approach and attempts to evaluate its success. The approach is three-fold, providing different measures to improve current ad-hoc implementation approaches:

    1. From Informal to Formal Specifications: If a security protocol has been specified using informal standard notation, it can be converted, using automatic translation, to a formal specification language with well-defined semantics. The formal protocol specification can then be analysed using formal techniques, to verify that the desired security properties hold. The precise specification of the protocol behaviour further serves to facilitate the concrete implementation of the protocol in code.

    2. Separate Implementation Concerns: When implementing security protocols, the what and the when of protocol actions are abstracted from the how. That is, protocol logic implementation concerns, such as when and what actions should be performed on messages, should be clearly and cleanly separated from the cryptographic and network communication implementation details that implement how the actions are performed. Such high-level modularity allows code implementing protocol logic to be re-used with different cryptographic algorithm implementations and network communication protocols. It also allows errors in the implementation of the cryptography to be addressed by swapping cryptographic implementations without changing the protocol logic code. The abstraction of cryptographic and network implementation is analogous to the adoption of Dolev-Yao style models by many analysis techniques, where the cryptography itself is viewed as a black box and assumed perfect, allowing the analysis to focus on the protocol logic. Finally, this separation allows the correctness of the protocol logic implementation and the cryptographic primitives implementation to be addressed separately.

    3. Automated Implementation Using Code Generation: We use code generation to automate the security protocol implementation process, avoiding the risk of human error in interpreting the sometimes subtle semantics of security protocol specifications. The precise nature of formal specification languages provides a base from which to specify and implement an automatic code generation tool. Our approach follows requirements identified for high integrity code generation, where feasible, to give a high level of confidence in the correctness of the generated code.

    In implementing the approach, we adopt the Spi Calculus for the role of formal specification language. The Spi Calculus was developed by extending the π-calculus, a process algebra for describing concurrent communicating systems, to cater for the special case of network security protocols. Spi Calculus specifications can be analysed manually, by developing correctness proofs by hand, and automatically, by using model checkers such as MMC. As Spi Calculus specifications explicitly describe the actions of a security protocol, they are also particularly suitable for use as input for code generation. The implementation of the approach is split across three components that correspond to each of the parts of the approach:

    1. Sn2Spi is a translator that converts an informal standard notation specification to a Spi Calculus specification, thus implementing part 1 of our approach. The converted specification can be analysed using any of the formal techniques applicable to the Spi Calculus. Once verified, the specification can be used to generate a concrete implementation using Spi2Java.

    2. The Security Protocol Primitives (SPP) API abstracts cryptographic and network communication operations, decoupling code that implements protocol logic from code that implements cryptographic and network operations. It provides the basic cryptographic and network communications functionality required to implement a security protocol, including: symmetric and asymmetric encryption, message digest, nonce and timestamp generation, marshalling message component data, and sending and receiving messages over a network. A provider model, much like that used in the Java Cryptography Extensions API, is employed to allow different implementations to be swapped without changing the SPP client code.

    3. Spi2Java is a code generator, essentially implementing a compiler from the Spi Calculus to Java code. Spi2Java uses Prolog to implement a defined mapping from Spi Calculus constructs, i.e. terms and process actions, to Java code segments. These code segments call the SPP API to access cryptographic and network functionality where needed. The mapping was developed by refining Spi constructs to Java code segments that preserve the semantics of the Spi constructs. In addition, assertions are made in the code segments to ensure certain conditions are met before the implementation can continue running.

    Part of evaluating the effectiveness of this automated approach to security protocol implementation involved a case study in which manual implementations of the CCITT Three Message X.509 Protocol, developed by 4th year Computer Science students, and a Spi2Java generated implementation are compared. The outcome of the study favoured the automatically generated implementation, indicating the potential of the approach. Further to demonstrating the utility of code generation, we describe an SPP provider implementation developed to allow a security protocol run, including legitimate and attacker roles, to be simulated in a controlled environment. Spi2Java allows the protocol engineer to quickly and automatically generate code for protocol roles. The code can be executed using this implementation, allowing the protocol engineer to step through execution of all roles, both legitimate and attacker, to gain insight into the behaviour of the protocol. The approach is evaluated in terms of the class of attacks it prevents and how it meets the identified requirements for high integrity code generation. It is also compared to existing and current work in the field. Attack classes that exploit faulty protocol logic implementation, vulnerability to type flaws and buffer overflows are prevented. The Spi2Java code generator fully meets three of the five high integrity code generation requirements: formally defined source and target languages are used; the translation software is validated; and the generated code is well structured and documented and can be traced back to the specification. Spi2Java partially meets the requirement that the mapping from source to target language constructs be formally proven to preserve the specification semantics; however, the arguments given are not strictly formal. The requirement related to rigorous testing is not met due to practical resource constraints. However, Spi2Java has been used to generate real-world protocol implementations that have been verified by manual inspection. Sprite, incorporating the Sn2Spi translator and Spi2Java code generator, provides a structured approach to network security protocol implementation by implementing automated translation from informal to formal security protocol specifications, and by being able to automatically generate Java implementations of network security protocols in which the security protocol engineer can have a high degree of confidence.

    Constraint-based graphical layout of multimodal presentations

    When developing advanced multimodal interfaces, combining the characteristics of different modalities such as natural language, graphics, animation, virtual realities, etc., the question of automatically designing the graphical layout of such presentations in an appropriate format becomes increasingly important. To communicate information to the user in an expressive and effective way, a knowledge-based layout component has to be integrated into the architecture of an intelligent presentation system. In order to achieve a coherent output, it must be able to reflect certain semantic and pragmatic relations specified by a presentation planner to arrange the visual appearance of a mixture of textual and graphic fragments delivered by mode-specific generators. In this paper we illustrate, by the example of LayLab, the layout manager of the multimodal presentation system WIP, how the complex positioning problem for multimodal information can be treated as a constraint satisfaction problem. The design of an aesthetically pleasing layout is characterized as a combination of a general search problem in a finite discrete search space and an optimization problem. Therefore, we have integrated two dedicated constraint solvers, an incremental hierarchy solver and a finite domain solver, in a layered constraint solver model, CLAY, which is triggered from a common metalevel by rules and defaults. The underlying constraint language is able to encode graphical design knowledge expressed by semantic/pragmatic, geometrical/topological, and temporal relations. Furthermore, this mechanism allows one to prioritize the constraints as well as to handle constraint solving over finite domains. As graphical constraints frequently have only local effects, they are incrementally generated by the system on the fly. Finally, we illustrate the functionality of LayLab with some snapshots of an example run.

    Automata learning algorithms and processes for providing more complete systems requirements specification by scenario generation, CSP-based syntax-oriented model construction, and R2D2C system requirements transformation

    Systems, methods and apparatus are provided through which, in some embodiments, automata learning algorithms and techniques are implemented to generate a more complete set of scenarios for requirements-based programming. More specifically, a CSP-based, syntax-oriented model construction, which requires the support of a theorem prover, is complemented by model extrapolation via automata learning. This may support the systematic completion of the requirements, the nature of the requirement being partial, which provides focus on the most prominent scenarios. This may generalize requirement skeletons by extrapolation and may indicate, by way of automatically generated traces, where the requirement specification is too loose and additional information is required.

    Synthesis of hardware systems from very high level behavioural specifications


    Receptive process theory


    Type Inference in Flexible Model-Driven Engineering

    Model-driven Engineering (MDE) is an approach to software development that promises increased productivity and product quality. Domain models that conform to metamodels, both of which are the core artefacts in MDE approaches, are manipulated to perform different development processes using specific MDE tools. However, domain experts, who have detailed domain knowledge, typically lack the technical expertise to transfer this knowledge using MDE tools. Flexible or bottom-up Model-driven Engineering is an emerging approach to domain and systems modelling that tackles this challenge by promoting the use of simple drawing tools to increase the involvement of domain experts in MDE processes. In this approach, no metamodel is created upfront; instead, the process starts with the definition of example models that will be used to infer a draft metamodel. When complete knowledge of the domain is acquired, a final metamodel is devised and a transition to traditional MDE approaches is possible. However, the lack of a metamodel that encodes the semantics of conforming models, and of tools that impose these semantics, has some drawbacks, among others that of having models with nodes that are unintentionally left untyped. In this thesis we propose the use of approaches that draw on algorithms from three different research areas, namely classification algorithms, constraint programming and graph similarity, to help with the type inference of such untyped nodes. We evaluate the proposed approaches on a number of randomly generated example models from 10 different domains, with results suggesting that the approaches could be used for type inference in either an automatic or a semi-automatic style.