Honesty by typing

We propose a type system for a calculus of contracting processes. Processes may stipulate contracts, and then either behave honestly, by keeping the promises made, or not. Type safety guarantees that a typeable process is honest - that is, the process abides by the contract it has stipulated in all possible contexts, even those containing dishonest adversaries

Composing Communicating Systems, Synchronously

Communicating systems are nowadays part of everyday life, yet programming and analysing them is difficult. One of the many reasons for this difficulty is their size, hence compositional approaches are a need. We discuss how to ensure relevant communication properties such as deadlock freedom in a compositional way. The idea is that communicating systems can be composed by taking two of their participants and transforming them into coupled forwarders connecting the two systems. It has been shown that, for asynchronous communications, if the participants are \u201ccompatible\u201d then composition satisfies relevant communication properties provided that the single systems satisfy them. We show that such a result changes considerably for synchronous communications. We also discuss a different form of composition, where a unique forwarder is used

Choreography automata

Automata models are well-established in many areas of computer science and are supported by a wealth of theoretical results including a wide range of algorithms and techniques to specify and analyse systems. We introduce choreography automata for the choreographic modelling of communicating systems. The projection of a choreography automaton yields a system of communicating finite-state machines. We consider both the standard asynchronous semantics of communicating systems and a synchronous variant of it. For both, the projections of well-formed automata are proved to be live as well as lock- and deadlock-free

Synthesis of graphical choreographies

Graphical choreographies, or global graphs, are general multiparty session specifications featuring expressive constructs such as forking, merging, and joining for representing application-level protocols. Global graphs can be directly translated into modelling notations such as BPMN and UML. This paper presents an algorithm whereby a global graph can be synthesised from asynchronous buffered behaviours represented by communicating finite state machines (CFSMs). Our results include: a sound and complete characterisation of a subset of safe CFSMs from which global graphs can be synthesised; a synthesis algorithm to translate CFSMs to global graphs; a time complexity analysis; and an implementation of our theory, as well as an experimental evaluation

On Composing Communicating Systems

Communication is an essential element of modern software, yet programming and analysing communicating systems are difficult tasks. A reason for this difficulty is the lack of compositional mechanisms that preserve relevant communication properties. This problem has been recently addressed for the well-known model of communicating systems, that is sets of components consisting of finite-state machines capable of exchanging messages. The main idea of this approach is to take two systems, select a participant from each of them, and derive from those participants a pair of coupled gateways connecting the two systems. More precisely, a message directed to one of the gateways is forwarded to the gateway in the other system, which sends it to the other system. It has been shown that, under some suitable compatibility conditions between gateways, this composition mechanism preserves deadlock freedom for asynchronous as well as symmetric synchronous communications (where sender and receiver play the same part in determining which message to exchange). This paper considers the case of asymmetric synchronous communications where senders decide independently which message should be exchanged. We show here that preservation of lock freedom requires sequentiality of gateways, while this is not needed for preservation of either deadlock freedom or strong lock freedom

Security Issues in Component-based Design

Abstract We propose a behavioural extension of the concept of interface of components. We aim to uniformly reason about correctness properties of both closed and open component-based systems. The characterizing feature of our approach is that we perform a local analysis over finite fragments of interactions naturally modeling mobility and coordination aspects. We present a semi-automatic technique that reduces the verification of security properties of protocols to the verification of correctness in component-based systems

Design-By-Contract for Flexible Multiparty Session Protocols

Choreographic models support a correctness-by-construction principle in distributed programming. Also, they enable the automatic generation of correct message-based communication patterns from a global specification of the desired system behaviour. In this paper we extend the theory of choreography automata, a choreographic model based on finite-state automata, with two key features. First, we allow participants to act only in some of the scenarios described by the choreography automaton. While this seems natural, many choreographic approaches in the literature, and choreography automata in particular, forbid this behaviour. Second, we equip communications with assertions constraining the values that can be communicated, enabling a design-by-contract approach. We provide a toolchain allowing to exploit the theory above to generate APIs for TypeScript web programming. Programs communicating via the generated APIs follow, by construction, the prescribed communication pattern and are free from communication errors such as deadlocks

MoCheQoS: Automated Analysis of Quality of Service Properties of Communicating Systems

We present MoCheQoS, a tool to analyse quality of service (QoS) properties of message-passing systems. Building on the logic and the choreographic model we defined in recently published work, MoCheQoS implements a bounded model checking algorithm. We discuss strengths and weaknesses of MoCheQoS through some case studies.Comment: 29 page

Contract-Oriented Computing in CO2

We present CO2, a parametric calculus for contract-based computing in distributed systems. By abstracting from the actual contract language, our calculus generalises both the contracts-as-processes and contracts-as-formulae paradigms. The calculus features primitives for advertising contracts, for reaching agreements, and for querying the fulfilment of contracts. Coordination among participants happens via multi-party sessions, which are created once agreements are reached. We present two instances of our calculus, by modelling contracts as processes in a variant of CCS, and as formulae in a logic. We formally relate the two paradigms, through an encoding from contracts-as-formulae to contracts-as-processes which ensures that the promises deducible in the logical system are exactly those reachable by its encoding as a process. Finally, we present a coarse-grained taxonomy of possible misbehaviours in contract-oriented systems, and we illustrate them with the help of a variety of examples

ERAP1 and ERAP2 Haplotypes Influence Suboptimal HLA-B*27:05-Restricted Anti-Viral CD8+ T Cell Responses Cross-Reactive to Self-Epitopes

The human leukocyte antigen (HLA)-B*27 family of alleles is strongly associated with ankylosing spondylitis (AS), a chronic inflammatory disorder affecting the axial and peripheral joints, yet some HLA-B*27 variants not associated with AS have been shown. Since no major differences in the ligandome of associated compared to not-associated alleles have emerged, a plausible hypothesis is that the quantity rather than the quality of the presented epitopes makes the difference. In addition, the Endoplasmic Reticulum AminoPeptidases (ERAPs) 1 and 2, playing a crucial role in shaping the HLA class I epitopes, act as strong AS susceptibility factors, suggesting that an altered peptidome might be responsible for the activation of pathogenic CD8+ T cells. In this context, we have previously singled out a B*27:05-restricted CD8+ T cell response against pEBNA3A (RPPIFIRRL), an EBV peptide lacking the B*27 classic binding motif. Here, we show that a specific ERAP1/2 haplotype negatively correlates with such response in B*27:05 subjects. Moreover, we prove that the B*27:05 allele successfully presents peptides with the same suboptimal N-terminal RP motif, including the self-peptide, pDYNEIN (RPPIFGDFL). Overall, this study underscores the cooperation between the HLA-B*27 and ERAP1/2 allelic variants in defining CD8+ T cell reactivity to suboptimal viral and self-B*27 peptides and prompts further investigation of the B*27:05 peptidome composition