Relational Reasoning - Constraint Solving, Deduction, and Program Verification

This dissertation exploits the formal methods paradigm in which the software system and its specification are transformed to a logical formula, such that the formula is valid iff the specification is correct. The thesis provides a reasoning framework for the verification of software systems against relational specifications written in a first-order relational logic. The system description can be given either at the abstract relational level or at the detailed implementation level

A Dual-Engine for Early Analysis of Critical Systems

This paper presents a framework for modeling, simulating, and checking properties of critical systems based on the Alloy language -- a declarative, first-order, relational logic with a built-in transitive closure operator. The paper introduces a new dual-analysis engine that is capable of providing both counterexamples and proofs. Counterexamples are found fully automatically using an SMT solver, which provides a better support for numerical expressions than the existing Alloy Analyzer. Proofs, however, cannot always be found automatically since the Alloy language is undecidable. Our engine offers an economical approach by first trying to prove properties using a fully-automatic, SMT-based analysis, and switches to an interactive theorem prover only if the first attempt fails. This paper also reports on applying our framework to Microsoft's COM standard and the mark-and-sweep garbage collection algorithm.Comment: Workshop on Dependable Software for Critical Infrastructures (DSCI), Berlin 201

On Preserving Secrecy in Mobile Social Networks

Location-based services are one of the most important services offered by mobile social networks. Offering this kind of services requires accessing the physical position of users together with the access authorizations, i.e., who is authorized to access what information. However, these physical positions and authorizations are sensitive information which have to be kept secret from any adversary, including the service providers. As far as we know, the problem of offering location-based services in mobile social networks with a revocation feature under collusion assumption, i.e., an adversary colludes with the service provider, has not been studied. In this paper, we show how to solve this problem in the example of range queries. Specifically, we guarantee any adversary, including the service provider, is not able to learn (1) the physical position of the users, (2) the distance between his position and that of the users, and (3) whether two users are allowed to learn the distance between them. We propose two approaches namely two-layer symmetric encryption and two-layer attribute-based encryption. The main difference between the first and the second approach is that they use, among other encryption schemes, symmetric and attribute-based encryption, respectively. Next, we prove the secrecy guarantees of both approaches, analyze their complexity and provide experiments to evaluate their performance in practice

On Mutual Authorizations: Semantics, Integration Issues, and Performance

reciprocity is a powerful determinant of human behavior. None of the existing access control models however captures this reciprocity phenomenon. In this paper, we introduce a new kind of grant, which we call mutual, to express authorizations that actually do this, i.e., users grant access to their resources only to users who allow them access to theirs. We define the syntax and semantics of mutual authorizations and show how this new grant can be included in the Role-Based Access Control model, i.e., extend RBAC with it. We use location-based services as an example to deploy mutual authorizations, and we propose two approaches to integrate them into these services. Next, we prove the soundness and analyze the complexity of both approaches. We also study how the ratio of mutual to allow and to deny authorizations affects the number of persons whose position a given person may read. These ratios may help in predicting whether users are willing to use mutual authorizations instead of deny or allow. Experiments confirm our complexity analysis and shed light on the performance of our approaches

On Preserving Secrecy in Mobile Social Networks

Location-based services are one of the most important services offered by mobile social networks. Offering this kind of services requires accessing the physical position of users together with the access authorizations, i.e., who is authorized to access what information. However, these physical positions and authorizations are sensitive information which have to be kept secret from any adversary, including the service providers. As far as we know, the problem of offering location-based services in mobile social networks with a revocation feature under collusion assumption, i.e., an adversary colludes with the service provider, has not been studied. In this paper, we show how to solve this problem in the example of range queries. Specifically, we guarantee any adversary, including the service provider, is not able to learn (1) the physical position of the users, (2) the distance between his position and that of the users, and (3) whether two users are allowed to learn the distance between them. We propose two approaches namely two-layer symmetric encryption and two-layer attribute-based encryption. The main difference between the first and the second approach is that they use, among other encryption schemes, symmetric and attribute-based encryption, respectively. Next, we prove the secrecy guarantees of both approaches, analyze their complexity and provide experiments to evaluate their performance in practice

On Secrecy and Performance Models for Query Processing on Outsourced Graph Data

Database outsourcing is a challenging task concerning data secrecy. Even if an adversary, including the service provider, accesses the data, she should not be able to learn any information from the accessed data. In this paper we address this problem for graph-structured data. First, we define a secrecy notion for graph-structured data based on the concept of indistinguishability. The notion ensures that an adversary can learn the edges existing between the nodes only with negligible probability. To address this problem, we propose an approach based on bucketization. Next to bucketization, it makes use of obfuscated indexes and encryption. We show that finding an optimal bucketization tailored to graph-structured data is NP-hard; therefore we come up with a heuristic. We prove that the proposed bucketization approach fulfills our secrecy notion. In addition, we present a performance model which consists of (1) a number of buckets model that estimates the number of buckets obtained after applying our bucketization approach and (2) a query-cost model. Finally, we demonstrate with a set of experiments (1) the accuracy of our number of buckets model for scale-free networks and (2) the efficiency of our approach with respect to query processing