Actor Network Procedures as Psi-calculi for Security Ceremonies

The actor network procedures of Pavlovic and Meadows are a recent graphical formalism developed for describing security ceremonies and for reasoning about their security properties. The present work studies the relations of the actor network procedures (ANP) to the recent psi-calculi framework. Psi-calculi is a parametric formalism where calculi like spi- or applied-pi are found as instances. Psi-calculi are operational and largely non-graphical, but have strong foundation based on the theory of nominal sets and process algebras. One purpose of the present work is to give a semantics to ANP through psi-calculi. Another aim was to give a graphical language for a psi-calculus instance for security ceremonies. At the same time, this work provides more insight into the details of the ANPs formalization and the graphical representation.Comment: In Proceedings GraMSec 2014, arXiv:1404.163

A coalgebraic semantics for causality in Petri nets

In this paper we revisit some pioneering efforts to equip Petri nets with compact operational models for expressing causality. The models we propose have a bisimilarity relation and a minimal representative for each equivalence class, and they can be fully explained as coalgebras on a presheaf category on an index category of partial orders. First, we provide a set-theoretic model in the form of a a causal case graph, that is a labeled transition system where states and transitions represent markings and firings of the net, respectively, and are equipped with causal information. Most importantly, each state has a poset representing causal dependencies among past events. Our first result shows the correspondence with behavior structure semantics as proposed by Trakhtenbrot and Rabinovich. Causal case graphs may be infinitely-branching and have infinitely many states, but we show how they can be refined to get an equivalent finitely-branching model. In it, states are equipped with symmetries, which are essential for the existence of a minimal, often finite-state, model. The next step is constructing a coalgebraic model. We exploit the fact that events can be represented as names, and event generation as name generation. Thus we can apply the Fiore-Turi framework: we model causal relations as a suitable category of posets with action labels, and generation of new events with causal dependencies as an endofunctor on this category. Then we define a well-behaved category of coalgebras. Our coalgebraic model is still infinite-state, but we exploit the equivalence between coalgebras over a class of presheaves and History Dependent automata to derive a compact representation, which is equivalent to our set-theoretical compact model. Remarkably, state reduction is automatically performed along the equivalence.Comment: Accepted by Journal of Logical and Algebraic Methods in Programmin

Choreography automata

Automata models are well-established in many areas of computer science and are supported by a wealth of theoretical results including a wide range of algorithms and techniques to specify and analyse systems. We introduce choreography automata for the choreographic modelling of communicating systems. The projection of a choreography automaton yields a system of communicating finite-state machines. We consider both the standard asynchronous semantics of communicating systems and a synchronous variant of it. For both, the projections of well-formed automata are proved to be live as well as lock- and deadlock-free

Protocol modelling : synchronous composition of data and behaviour

This thesis develops and explores a technique called Protocol Modelling, a mathematics for the description of orderings. Protocol Modelling can be viewed as a hybrid of object orientation, as it supports ideas of data encapsulation and object instantiation; and process algebra, as it supports a formally defined idea of process and process composition. The first half of the thesis focuses on describing and defining the Protocol Modelling technique. A formal denotational semantics for protocol machines is developed and used to establish various properties; in particular that composition is closed and preserves type safety. The formal semantics is extended to cover instantiation of objects. Comparison is made with other process algebras and an approach to unification of different formulations of the semantics of process composition is proposed. The second half of the thesis explores three applications of Protocol Modelling: Object Modelling. This explores the use of Protocol Modelling as a medium for object modelling, and the facility to execute protocol models is described. Protocol Modelling is compared with other object modelling techniques; in particular by contrasting its compositional style with traditional hierarchical inheritance. Protocol Contracts. This proposes the use of protocol models as a medium for expressing formal behavioural contracts. This is compared with more traditional forms of software contract in the generalization of the notion of contractual obligation as a mechanism for software specification. Choreographed Collaborations. In this application Protocol Modelling is used as a medium to describe choreographies for asynchronous multiparty collaborations. A compositional approach to choreography engineering, enabled by the synchronous semantics of Protocol Modelling, is explored and results established concerning sufficient conditions for choreography realizability. The results are extended to address choreographies that employ behavioural rules based on data

Behavioral types in programming languages

A recent trend in programming language research is to use behav- ioral type theory to ensure various correctness properties of large- scale, communication-intensive systems. Behavioral types encompass concepts such as interfaces, communication protocols, contracts, and choreography. The successful application of behavioral types requires a solid understanding of several practical aspects, from their represen- tation in a concrete programming language, to their integration with other programming constructs such as methods and functions, to de- sign and monitoring methodologies that take behaviors into account. This survey provides an overview of the state of the art of these aspects, which we summarize as the pragmatics of behavioral types

Composition and Declassification in Possibilistic Information Flow Security

Formal methods for security can rule out whole classes of security vulnerabilities, but applying them in practice remains challenging. This thesis develops formal verification techniques for information flow security that combine the expressivity and scalability strengths of existing frameworks. It builds upon Bounded Deducibility (BD) Security, which allows specifying and verifying fine-grained policies about what information may flow when to whom. Our main technical result is a compositionality theorem for BD Security, providing scalability by allowing us to verify security properties of a large system by verifying smaller components. Its practical utility is illustrated by a case study of verifying confidentiality properties of a distributed social media platform. Moreover, we discuss its use for the modular development of secure workflow systems, and for the security-preserving enforcement of safety and security properties other than information flow control

The Combinatorics of Causality

We introduce and explore the notion of "spaces of input histories", a broad family of combinatorial objects which can be used to model input-dependent, dynamical causal order. We motivate our definition with reference to traditional partial order- and preorder-based notions of causal order, adopted by the majority of previous literature on the subject, and we proceed to explore the novel landscape of combinatorial complexity made available by our generalisation of those notions. In the process, we discover that the fine-grained structure of causality is significantly more complex than we might have previously believed: in the simplest case of binary inputs, the number of available "causally complete" spaces grows from 7 on 2 events, to 2644 on 3 events, to an unknown number on 4 events (likely around a billion). For perspective, previous literature on non-locality and contextuality used a single one of the 2644 available spaces on 3 events, work on definite causality used 19 spaces, derived from partial orders, and work on indefinite causality used only 6 more, for a grand total of 25. This paper is the first instalment in a trilogy: the sheaf-theoretic treatment of causal distributions is detailed in Part 2, "The Topology of Causality" [arXiv:2303.07148], while the polytopes formed by the associated empirical models are studied in Part 3, "The Geometry of Causality" [arXiv:2303.09017]. An exhaustive classification of the 2644 causally complete spaces on 3 events with binary inputs is provided in the supplementary work "Classification of causally complete spaces on 3 events with binary inputs", together with the algorithm used for the classification and partial results from the ongoing search on 4 events.Comment: Originally Part 1 of "The Topology and Geometry of Causality" [arXiv:2206.08911v2], which it now replaces. Part 2 of the trilogy is now published as "The Topology of Causality" [arXiv:2303.07148] and Part 3 is now published as "The Geometry of Causality" [arXiv:2303.09017

Foundations of Session Types and Behavioural Contracts

International audienceBehavioural type systems, usually associated to concurrent or distributed computations, encompass concepts such as interfaces, communication protocols, and contracts, in addition to the traditional input/output operations. The behavioural type of a software component specifies its expected patterns of interaction using expressive type languages, so that types can be used to determine automatically whether the component interacts correctly with other components. Two related important notions of behavioural types are those of session types and behavioural contracts. This paper surveys the main accomplishments of the last twenty years within these two approaches