A theory of monitors

We develop a behavioural theory for monitors — software entities that passively analyse the runtime behaviour of systems so as to infer properties about them. First, we extend the monitor language and instrumentation relation of [17] to handle piCalculus process monitoring. We then identify contextual behavioural preorders that allow us to re-late monitors according to criteria defined over monitored executions of piCalculus processes. Subsequently, we develop alternative monitor pre-orders that are more tractable, and prove full-abstraction for the latter alternative preorders with respect to the contextual preorders.peer-reviewe

Secured Information Flow for Asynchronous Sequential Processes

We present in this article a precise security model for data confidentiality in the framework of ASP (Asynchronous Sequential Processes). ASP is based on active objects, asynchronous communications, and data-flow synchronizations. We extend it with security levels attached to activities (active objects) and transmitted data. We design a security model that guarantees data confidentiality within an application; this security model takes advantages of both mandatory and discretionary access models. We extend the semantics of ASP with predicate conditions that provide a formal security framework, dynamically checking for unauthorized information flows. As a final result, all authorized communication paths are secure: no disclosure of information can happen. This theoretically-founded contribution may have a strong impact on distributed object-based applications, that are more and more present and confidentiality-demanding on the Internet, it also arises a new issue in data confidentiality: authorization of secured information flow transiting (by the mean of futures) through an unsecured Component

FLACOS’08 Workshop proceedings

The 2nd Workshop on Formal Languages and Analysis of Contract-Oriented Software (FLACOS’08) is held in Malta. The aim of the workshop is to bring together researchers and practitioners working on language-based solutions to contract-oriented software development. The workshop is partially funded by the Nordunet3 project “COSoDIS” (Contract-Oriented Software Development for Internet Services) and it attracted 25 participants. The program consists of 4 regular papers and 10 invited participant presentations

DeepSec: Deciding Equivalence Properties for Security Protocols -- Improved theory and practice

Automated verification has become an essential part in the security evaluation of cryptographic protocols. In this context privacy-type properties are often modelled by indistinguishability statements, expressed as behavioural equivalences in a process calculus. In this paper we contribute both to the theory and practice of this verification problem. We establish new complexity results for static equivalence, trace equivalence and labelled bisimilarity and provide a decision procedure for these equivalences in the case of a bounded number of protocol sessions. Our procedure is the first to decide trace equivalence and labelled bisimilarity exactly for a large variety of cryptographic primitives -- those that can be represented by a subterm convergent destructor rewrite system. We also implemented the procedure in a new tool, DeepSec. We showed through extensive experiments that it is significantly more efficient than other similar tools, while at the same time raises the scope of the protocols that can be analysed.Comment: 104 page

On implicit program constructs

Session types are a well-established approach to ensuring protocol conformance and the absence of communication errors such as deadlocks in message passing systems. Implicit parameters, introduced by Haskell and popularised in Scala, are a mechanism to improve program readability and conciseness by allowing the programmer to omit function call arguments, and have the compiler insert them in a principled manner at compile-time. Scala recently gave implicit types first-class status (implicit functions), yielding an expressive tool for handling context dependency in a type-safe manner. DOT (Dependent Object Types) is an object calculus with path-dependent types and abstract type members, developed to serve as a theoretical foundation for the Scala programming language. As yet, DOT does not model all of Scala’s features, but a small subset. Among those features of Scala not yet modelled by DOT are implicit functions. We ask: can type-safe implicit functions be generalised from Scala’s sequential setting to message passing computation, to improve readability and conciseness of message passing programs? We answer this question in the affirmative by generalising the concept of an implicit function to an implicit message, its concurrent analogue, a programming language construct for session-typed concurrent computation. We explore new applications for implicit program constructs by integrating theminto four novel calculi, each demonstrating a new use case or theoretical result for implicits. Firstly, we integrate implicit functions and messages into the concurrent functional language LAST, Gay and Vasconcelos’s calculus of linear types for asynchronous sessions. We demonstrate their utility by example, and explore use cases for both implicit functions and implicit messages. We integrate implicit messages into two pi calculi, further demonstrating the robustness of our approach to extending calculi with implicits. We show that implicit messages are possible in the absence of lambda calculus, in languages with concurrency primitives only, and that they are sound not only in binary session-typed computation, but also in multi-party context. Finally we extend DOT to include implicit functions. We show type safety of the resulting calculus by translation to DOT, lending a higher degree of confidence to the correctness of implicit functions in Scala. We demonstrate that typical use cases for implicit functions in Scala are typably expressible in DOT when extended with implicit functions

Software Engineering with Incomplete Information

Information may be the common currency of the universe, the stuff of creation. As the physicist John Wheeler claimed, we get ``it from bit''. Measuring information, however, is a hard problem. Knowing the meaning of information is a hard problem. Directing the movement of information is a hard problem. This hardness comes when our information about information is incomplete. Yet we need to offer decision making guidance, to the computer or developer, when facing this incompleteness. This work addresses this insufficiency within the universe of software engineering. This thesis addresses the first problem by demonstrating that obtaining the relative magnitude of information flow is computationally less expensive than an exact measurement. We propose ranked information flow, or RIF, where different flows are ordered according to their FlowForward, a new measure designed for ease of ordering. To demonstrate the utility of FlowForward, we introduce information contour maps: heatmapped callgraphs of information flow within software. These maps serve multiple engineering uses, such as security and refactoring. By mixing a type system with RIF, we address the problem of meaning. Information security is a common concern in software engineering. We present OaST, the world's first gradual security type system that replaces dynamic monitoring with information theoretic risk assessment. OaST now contextualises FlowForward within a formally verified framework: secure program components communicate over insecure channels ranked by how much information flows through them. This context helps the developer interpret the flows and enables security policy discovery, adaptation and refactoring. Finally, we introduce safestrings, a type-based system for controlling how the information embedded within a string moves through a program. This takes a structural approach, whereby a string subtype is a more precise, information limited, subset of string, ie a string that contains an email address, rather than anything else

GAMES AND STRATEGIES IN ANALYSIS OF SECURITY PROPERTIES

Information security problems typically involve decision makers who choose and adjust their behaviors in the interaction with each other in order to achieve their goals. Consequently, game theoretic models can potentially be a suitable tool for better understanding the challenges that the interaction of participants in information security scenarios bring about. In this dissertation, we employ models and concepts of game theory to study a number of subjects in the field of information security. In the first part, we take a game-theoretic approach to the matter of preventing coercion in elections. Our game models for the election involve an honest election authority that chooses between various protection methods with different levels of resistance and different implementation costs. By analysing these games, it turns out that the society is better off if the security policy is publicly announced, and the authorities commit to it. Our focus in the second part is on the property of noninterference in information flow security. Noninterference is a property that captures confidentiality of actions executed by a given process. However, the property is hard to guarantee in realistic scenarios. We show that the security of a system can be seen as an interplay between functionality requirements and the strategies adopted by users, and based on this we propose a weaker notion of noninterference, which we call strategic noninterference. We also give a characterisation of strategic noninterference through unwinding relations for specific subclasses of goals and for the simplified setting where a strategy is given as a parameter. In the third part, we study the security of information flow based on the consequences of information leakage to the adversary. Models of information flow security commonly prevent any information leakage, regardless of how grave or harmless the consequences the leakage can be. Even in models where each piece of information is classified as either sensitive or insensitive, the classification is “hardwired” and given as a parameter of the analysis, rather than derived from more fundamental features of the system. We suggest that information security is not a goal in itself, but rather a means of preventing potential attackers from compromising the correct behavior of the system. To formalize this, we first show how two information flows can be compared by looking at the adversary’s ability to harm the system. Then, we propose that the information flow in a system is effectively secure if it is as good as its idealized variant based on the classical notion of noninterference. Finally, we shift our focus to the strategic aspect of information security in voting procedures. We argue that the notions of receipt-freeness and coercion resistance are underpinned by existence (or nonexistence) of a suitable strategy for some participants of the voting process. In order toback the argument formally, we provide logical “transcriptions” of the informal intuitions behind coercion-related properties that can be found in the existing literature. The transcriptions are formulatedin the modal game logic ATL*, well known in the area of multi-agent systems