Annalisa Bossi

The s-semantics approach: theory and applications.

Abstract This paper is a general overview of an approach to the semantics of logic programs whose aim is to find notions of models which really capture the operational semantics, and are, therefore, useful for defining program equivalences and for semantics-based program analysis. The approach leads to the introduction of extended interpretations which are more expressive than Herbrand interpretations. The semantics in terms of extended interpretations can be obtained as a result of both an operational (top-down) and a fixpoint (bottom-up) construction. It can also be characterized from the model-theoretic viewpoint, by defining a set of extended models which contains standard Herbrand models. We discuss the original construction modeling computed answer substitutions, its compositional version, and various semantics modeling more concrete observables. We then show how the approach can be applied to several extensions of positive logic programs. We finally consider some applications, mainly in the area of semantics-based program transformation and analysis.

A compositional semantics for logic programs

Bossi, A., M. Gabbrielli, G. Levi and M.C. Meo, A compositional semantics for logic programs, Theoretical Computer Science 122 (1994) 3-47. This paper considers open logic programs originally introduced as a tool to build an OR-compositional semantics of logic programs. We extend the original semantic definitions in the framework of the general approach to the semantics,of logic programs described by Gabbrielli and Levi (1991). We first define an operational semantic

Norms on terms and their use in proving universal termination of a logic program

Lno6P) which models computed answer substitutions and which is compositional w.r.t. the union 6f programs. Next, we consider the semantic domain of Q-denotations, which are sets of clauses with a suitable equivalence relation. The fixpoint semantics F;(P) given by Bossi and Menegus (1991) is proved equivalent to the operational semantics. From the model-theoretic viewpoint, an Q-denotation is mapped onto a set of Herbrand interpretations, thus leading to a definition of an R-model based on the classical notion of truth. Moreower, we consider a particular kind of Q-models (compositional modelsL and we show that I”,(P) is a (nonminimal) compositional Q-model. A suitable abstraction oq0,( P) is compositional and fully

Basic Transformation Operations which preserve Computed Answer Substitutions of Logic Programs

Abstract In this paper semi-linear norms , a class of functions to weight the terms occurring in a program, are defined and studied. All the functions in this class have the nice property of allowing a syntactical characterization of rigid terms , i.e. terms whose weight does not change under substitution. Based on these norms, a general proof method for universal termination of pure Prolog programs can be adapted to deal with a large class of programs in a simple way. The proof method requires pre/post specifications well-behaved with respect to substitutions to be associated with each predicate symbol in the program, and ordering functions not increasing with respect to substitutions to be associated with cycles in the program. The specification collects information on term properties which are useful to prove that the ordering functions actually decrease at each traversal of each cycle. Some examples of termination proof are also given.

Modelling downgrading in information flow security

Abstract Some transformation operations for logic programs, basic for partial deduction, program specialization, and transformation, and for program synthesis from specifications, are studied with respect to the minimal S-model semantics defined in [31, 15–17]. Such a semantics is, in our opinion, more interesting than the usual least Herbrand model one since it captures the programs behavior with respect to computed answers. The S-semantics is also the strongest semantics which is maintained by unrestricted unfolding [31]. For such operations, we single out general applicability conditions, and prove that they guarantee that the minimal S-model semantics of a program is not modified by the transformation. Some sufficient conditions, which are very common in practice and easy to verify, since they are mostly syntactical, are also supplied with simple exemplifications.

Preserving Universal Termination through Unfold/Fold

Information flow security properties such as noninterference ensure the protection of confidential data by strongly limiting the flow of sensitive information. However, to deal with real applications, it is often necessary to admit mechanisms for downgrading or declassifying information. In this paper, we propose a general unwinding framework for formalizing different noninterference properties permitting downgrading, i.e., allowing information to flow from a higher to a lower security level through a downgrader. The framework is parametric with respect to the observation equivalence used to discriminate between different process behaviours. We prove general compositionality properties and provide conditions under which both horizontal and vertical refinements are preserved under all the security properties obtained as instances of the unwinding framework. Finally, we present a decision procedure to check our security properties and prove some complexity results.

Termination of Well-Moded Programs

We study how to preserve universal termination besides computed answer substitutions while transforming definite programs. We consider the unfold operation both alone and combined with the introduction of a new definition and fold operations. We prove that unfold always preserves universal termination. Moreover we define a restricted version of the Tamaki-Satos transformation sequence and show that it preserves universal termination as well.

Refinement operators and information flow security

We study the termination properties of well-moded programs, and we show that, under suitable conditions, for these programs there exists an algebraic characterization-in the style of Apt and Pedreschi, Studies in pure prolog: termination, in: J.W. Lloyd (Ed.), Proceedings of the Simposium in Computational Logic, Springer, Berlin, 1990, pp. 150?176-of the property of being terminating. This characterization enjoys the properties of being compositional and, to some extent, of being easy to check.

Verifying persistent security properties

The systematic development of complex systems usually relies on a stepwise refinement procedure from an abstract specification to a more concrete one that can finally be implemented. The use of refinement operators preserving system properties is clearly essential since it avoids properties to be re-investigated at each development step. In this paper, we formalize the notion of refinement for processes described as terms of the security process algebra (SPA). We consider several information flow security properties and provide sufficient conditions under which our refinement operators preserve such security properties. Finally, we study how refinements can be composed still preserving the security of the system.

Transforming Normal Programs by Replacement

We study bisimulation-based information flow security properties which are persistent, in the sense that if a system is secure then all of its reachable states are secure too. We show that such properties can be characterized in terms of bisimulation-like equivalence relations, between the full system and the system prevented from performing confidential actions. Moreover, we provide a characterization of such properties in terms of unwinding conditions which demand properties of individual actions. These two different characterizations naturally lead to efficient methods for the verification and construction of secure systems. We also prove several compositionality results, that allow us to check the security of a system by only verifying the security of its subcomponents.