
Publication


Featured research published by Antonio Cau.


Journal of Computer and System Sciences | 2011

The Calculus of Context-aware Ambients

Francois Siewe; Hussein Zedan; Antonio Cau

We present the Calculus of Context-aware Ambients (CCA in short) for the modelling and verification of mobile systems that are context-aware. This process calculus is built upon the calculus of mobile ambients and introduces new constructs to enable ambients and processes to be aware of the environment in which they are being executed. This results in a powerful calculus where both mobility and context-awareness are first-class citizens. We present the syntax and a formal semantics of the calculus. We propose a new theory of equivalence of processes which allows the identification of systems that have the same context-aware behaviours. We prove that CCA encodes the π-calculus, which is known to be a universal model of computation. Finally, we illustrate the pragmatics of the calculus through many examples and a real-world case study of a context-aware hospital bed.


formal methods in security engineering | 2003

A compositional framework for access control policies enforcement

Francois Siewe; Antonio Cau; Hussein Zedan

Despite a considerable amount of work on authorization models, enforcing multiple policies is still a challenge in order to achieve the level of security required in many real-world systems. Moreover, current approaches address security settings independently, and their incorporation into the systems development lifecycle is not well understood. This paper presents a formal model for the specification of access control policies. The approach can handle the enforcement of multiple policies through policy composition. Temporal dependencies among authorizations can be formulated. Interval Temporal Logic (ITL) is our underlying formal framework, and policies are modelled as safety properties expressing how authorizations are granted over time. The approach is compositional, and can be used to specify other system properties such as functional and temporal requirements. The use of a common formalism eases the integration of security requirements into system requirements so that they can be reasoned about uniformly throughout the development lifecycle. Furthermore, specifications of policies are executable in Tempura, a simulation tool for ITL.


algebraic methodology and software technology | 1997

Refining Interval Temporal Logic Specifications

Antonio Cau; Hussein Zedan

Interval Temporal Logic (ITL) was designed as a tool for the specification and verification of systems. The development of an executable subset of ITL, namely Tempura, was an important step in the use of temporal logic as it enables the developer to check, debug and simulate the design. However, a design methodology is missing that transforms an abstract ITL specification to an executable (concrete) Tempura program. The paper describes a development technique for ITL based on refinement calculus. The technique allows the development to proceed from high level “abstract” system specification to low level “concrete” implementation via a series of correctness preserving refinement steps. It also permits a mixture of abstract specification and concrete implementation at any development step.


Acta Informatica | 1996

Parallel composition of assumption-commitment specifications

Antonio Cau; Pierre Collette

We unify the parallel composition rule of assumption-commitment specifications for respectively state-based and message-based concurrent processes. Without providing language-dependent definitions, we first assume that the model of a process can be given as a set of ‘sequences’ (e.g., traces, state sequences). Then we assume the existence of a merging operator that captures the compositionality of that model. On this basis, we formulate a semantic parallel composition rule for assumption-commitment specifications wherein the merging operator behaves as a parameter. Then, by providing suitable language-specific definitions for the model of a process and the merging operator, we transform the semantic rule into syntactic ones, both for the state-based and message-based approaches to concurrency.


international conference on concurrency theory | 1994

On Unifying Assumption-Commitment Style Proof Rules for Concurrency

Qiwen Xu; Antonio Cau; Pierre Collette

Assumption-Commitment paradigms for specification and verification of concurrent programs have been proposed in the past. We show that two typical parallel composition rules for shared variable and message passing programs [8, 12], which hitherto required different formulations, are instances of one general rule mainly inspired by Abadi & Lamport's composition theorem [1].


policies for distributed systems and networks | 2008

Concurrent Enforcement of Usage Control Policies

Helge Janicke; Antonio Cau; Francois Siewe; Hussein Zedan

Policy-based approaches to the management of systems distinguish between the specification of requirements, in the form of policies, and their enforcement on the system. In this work we focus on the latter aspect and investigate the enforcement of stateful policies in a concurrent environment. As a representative of stateful policies we use the UCON model and show how dependencies between policy rules affect their enforcement. We propose a technique for enforcing policies concurrently based on the static analysis of dependencies between policies. The potential of our technique for improving the efficacy of enforcement mechanisms is illustrated using a small, but representative example.


ieee international workshop on policies for distributed systems and networks | 2007

Deriving Enforcement Mechanisms from Policies

Helge Janicke; Antonio Cau; Francois Siewe; Hussein Zedan

Policies provide a flexible and scalable approach to the management of distributed systems by separating the specification of security requirements from their enforcement. Over the years the expressiveness of policy languages has increased considerably, making it possible to capture a variety of complex requirements that, for example, depend on the history of the system execution. The most important criterion for the successful operation of policy-managed systems is whether the deployed enforcement mechanisms can guarantee compliance with the policies. With the expressiveness of policy languages this assurance is increasingly difficult to achieve. In this paper we therefore address the development of enforcement mechanisms from a theoretical perspective and show how enforcement code can be formally derived for compositional, history-dependent policies that can change dynamically over time or on the occurrence of events.


international world wide web conferences | 2006

ASDL: a wide spectrum language for designing web services

Monika Solanki; Antonio Cau; Hussein Zedan

A service-oriented system emerges from the composition of services. Dynamically composed reactive Web services form a special class of service-oriented system, where the delays associated with communication, the unreliability and unavailability of services, and competition for resources from multiple service requesters are dominant concerns. As the complexity of services increases, an abstract design language for the specification of services and the interaction between them is desired. In this paper, we present ASDL (Abstract Service Design Language), a wide spectrum language for modelling Web services. We initially provide an informal description of our computational model for service-oriented systems. We then present ASDL along with its specification-oriented semantics defined in Interval Temporal Logic (ITL): a sound formalism for specifying and reasoning about temporal properties of systems. The objective of ASDL is to provide a notation for the design of service composition and interaction protocols at an abstract level.


euromicro workshop on parallel and distributed processing | 1996

Using ITL and Tempura for large-scale specification and simulation

Antonio Cau; Hussein Zedan; Nick Coleman; Ben C. Moszkowski

ITL and Tempura are used for respectively the formal specification and simulation of a large scale system, namely the general purpose multi threaded dataflow processor EP/3. The paper shows that this processor can be specified concisely within ITL and simulated with Tempura. But it also discusses some problems encountered during the specification and simulation, and indicates what should be added to solve those problems.


formal methods | 2013

Verification and enforcement of access control policies

Antonio Cau; Helge Janicke; Ben C. Moszkowski

Access control mechanisms protect critical resources of systems from unauthorized access. In a policy-based management approach, administrators define user privileges as rules that determine the conditions and the extent of users’ access rights. As rules become more complex, analytical skills are required to identify conflicts and interactions within the rules that comprise a system policy—especially when rules are stateful and depend on event histories. Without adequate tool support such an analysis is error-prone and expensive. In consequence, many policy specifications are inconsistent or conflicting, which renders the system insecure. The security of the system, however, does not only depend on the correct specification of the security policy, but in large part also on the correct interpretation of those rules by the system’s enforcement mechanism. In this paper, we show how policy rules can be formalized in Fusion Logic, a temporal logic for the specification of the behavior of systems. A symbolic decision procedure for Fusion Logic based on Binary Decision Diagrams (BDDs) is provided, and we introduce a novel technique for the construction of enforcement mechanisms for access control policy rules that uses a BDD-encoded enforcement automaton based on input traces which reflect state changes in the system. We provide examples of verification of policy rules, such as absence of conflicts and dynamic separation of duty, and of the enforcement of policies using our prototype implementation (FLCheck), for which we detail the underlying theory.

Collaboration


Antonio Cau's top co-authors.

Shikun Zhou

De Montfort University
