154 research outputs found
Timed Automata Semantics for Analyzing Creol
We give a real-time semantics for the concurrent, object-oriented modeling
language Creol, by mapping Creol processes to a network of timed automata. We
can use our semantics to verify real time properties of Creol objects, in
particular to see whether processes can be scheduled correctly and meet their
end-to-end deadlines. Real-time Creol can be useful for analyzing, for
instance, abstract models of multi-core embedded systems. We show how analysis
can be done in Uppaal.Comment: In Proceedings FOCLASA 2010, arXiv:1007.499
Types for Location and Data Security in Cloud Environments
Cloud service providers are often trusted to be genuine, the damage caused by
being discovered to be attacking their own customers outweighs any benefits
such attacks could reap. On the other hand, it is expected that some cloud
service users may be actively malicious. In such an open system, each location
may run code which has been developed independently of other locations (and
which may be secret). In this paper, we present a typed language which ensures
that the access restrictions put on data on a particular device will be
observed by all other devices running typed code. Untyped, compromised devices
can still interact with typed devices without being able to violate the
policies, except in the case when a policy directly places trust in untyped
locations. Importantly, our type system does not need a middleware layer or all
users to register with a preexisting PKI, and it allows for devices to
dynamically create new identities. The confidentiality property guaranteed by
the language is defined for any kind of intruder: we consider labeled
bisimilarity i.e. an attacker cannot distinguish two scenarios that differ by
the change of a protected value. This shows our main result that, for a device
that runs well typed code and only places trust in other well typed devices,
programming errors cannot cause a data leakage.Comment: Short version to appear in Computer Security Foundations Symposium
(CSF'17), August 201
Local area [pye]-calculus
All computers on the Internet are connected, but not all connections are
equal. Hosts are grouped into islands of local communication. It is the agreed
conventions and shared knowledge that connect these islands, just as much as the
switches and wires that run between them.
The power and limitation of these conventions and shared knowledge and
hence their effectiveness can be investigated by an appropriate calculus. In this
thesis I describe a development of the 7r-calculus that is particularly well suited to
express such systems. The process calculus, which I call the local area n-calculus
or Ian, extends the 7r-calculus so that a channel name can have within its scope
several disjoint local areas. Such a channel name may be used for communication
within an area or it may be sent between areas, but it cannot itself be used to
transmit information from one area to another. Areas are arranged in a hierarchy
of levels which distinguish, for example, between a single application, a machine,
or a whole network. I present a semantics for this calculus that relies on several
side-conditions which are essentially runtime level checks. I show that a suitable
type system can provide enough static information to make most of these checks
unnecessary.
I examine the descriptive power of the /a7r-calculus by comparing it to the
7r-calculus. I find that, perhaps surprisingly, local area communication can be
encoded into the 7T-calculus with conditional matching. The encoding works by
replacing communication inside an area with communication on a new channel
created just for that area. This is analogous to replacing direct communication
between two points with a system that broadcasts packets over a background
ether. I show a form of operational correspondence between the behaviour of a
process in lan and its 7r-calculus translation.
One of my aims in developing this calculus is to provide a convenient and ex¬
pressive framework with which to examine convention-laden, distributed systems.
I offer evidence that the calculus has achieved this by way of an extended case
study. I present a model of Internet communication based on Sockets and TCP
over IP and then extend this system with Network Address Translation. I then
4
give a model of the File Transfer Protocol that uses TCP/IP to communicate
between networks.
Traces of the model show that FTP, run in its normal mode, will fail when
the client is using Network Address Translation, whereas, an alternative mode of
FTP will succeed. Moreover a normal run of the model over NAT fails in the
same way as the real life system would, demonstrating that the model can pick
up this failure and correctly highlight the reasons behind it
Short paper:making contactless EMV robust against rogue readers colluding with relay attackers
It is possible to relay signals between a contactless EMV card and a shop’s EMV reader and so make a fraudulent payment without the card-owner’s knowledge. Existing countermeasures rely on proximity checking: the reader will measure round trip times in message-exchanges, and rejects replies that take longer than expected (which suggests they have been relayed). However, it is the reader that would receive the illicit payment from any relayed transaction, so a rogue reader has little incentive to enforce the required checks. Furthermore, cases of malware targeting point-of-sales systems are common.We propose three novel proximity-checking protocols that use a trusted platform module (TPM) to ensure that the reader performs the time measurements correctly. After running one of our proposed protocols, the bank can be sure that the card and reader were in close proximity, even if the reader tries to subvert the protocol. Our first protocol makes changes to the cards and readers, our second protocol modifies the readers and the banking backend, and our third protocol allows the detection of relay attacks, after they have happened, with only changes to the readers
- …