C. R. Ramakrishnan

Efficient Model Checking Using Tabled Resolution

We demonstrate the feasibility of using the XSB tabled logic programming system as a programmable fixed-point engine for implementing efficient local model checkers. In particular, we present XMC, an XSB-based local model checker for a CCS-like value-passing language and the alternation-free fragment of the modal mu-calculus. XMC is written in under 200 lines of XSB code, which constitute a declarative specification of CCS and the modal mu-calculus at the level of semantic equations.

Policy analysis for administrative role based access control

Role-based access control (RBAC) is a widely used model for expressing access control policies. In large organizations, the RBAC policy may be collectively managed by many administrators. Administrative RBAC (ARBAC) is a model for expressing the authority of administrators, thereby specifying how an organizations RBAC policy may change. Changes by one administrator may interact in unintended ways with changes by other administrators. Consequently, the effect of an ARBAC policy is hard to understand by simple inspection. In this paper, we consider the problem of analyzing ARBAC policies, in particular to determine reachability properties (e.g., whether a user can eventually be assigned to a role by a group of administrators) and availability properties (e.g., whether a user cannot be removed from a role by a group of administrators) implied by a policy. We first establish the connection between security policy analysis and planning in artificial intelligence. Based partly on this connection, we show that reachability analysis for ARBAC is PSPACE-complete. We also give algorithms and complexity results for reachability and related analysis problems for several categories of ARBAC policies, defined by simple restrictions on the policy language.

Efficient policy analysis for administrative role based access control

Administrative RBAC (ARBAC) policies specify how Role-Based Access Control (RBAC) policies may be changed by each administrator. It is often difficult to fully understand the effect of an ARBAC policy by simple inspection, because sequences of changes by different administrators may interact in unexpected ways. ARBAC policy analysis algorithms can help by answering questions, such a suser-role reachability, which asks whether a given user can be assigned to given roles by given administrators. This problem is intractable in general. This paper identifies classes of policies of practical interest, develops analysis algorithms for them, and analyzes their parameterized complexity, showing that the algorithms may have high complexity with respect to some parameter k characterizing the hardness of the input (such that k is often small in practice) but have polynomial complexity in terms of the overall input size when the value of k is fixed.

Practical program analysis using general purpose logic programming systems—a case study

Many analysis problems can be cast in the form of evaluating minimal models of a logic program. Although such formulations are appealing due to their simplicity and declarativeness, they have not been widely used in practice because, either existing logic programming systems do not guarantee completeness, or those that do have been viewed as too inefficient for integration into a compiler. The objective of this paper is to re-examine this issue in the context of recent advances in implementation technologies of logic programming systems.We find that such declarative formulations can indeed be used in practical systems, when combined with the appropriate tool for evaluation. We use existing formulations of analysis problems --- groundness analysis of logic programs, and strictness analysis of functional programs --- in this case study, and the XSB system, a table-based logic programming system, as the evaluation tool of choice. We give experimental evidence that the resultant groundness and strictness analysis systems are practical in terms of both time and space. In terms of implementation effort, the analyzers took less than 2 man-weeks (in total), to develop, optimize and evaluate. The analyzer itself consists of about 100 lines of tabled Prolog code and the entire system, including the components to read and preprocess input programs and to collect the analysis results, consists of about 500 lines of code.

Model repair for probabilistic systems

We introduce the problem of Model Repair for Probabilistic Systems as follows. Given a probabilistic system M and a probabilistic temporal logic formula φ such that M fails to satisfy φ, the Model Repair problem is to find an M′ that satisfies v and differs from M only in the transition flows of those states in M that are deemed controllable. Moreover, the cost associated with modifying Ms transition flows to obtain M′ should be minimized. Using a new version of parametric probabilistic model checking, we show how the Model Repair problem can be reduced to a nonlinear optimization problem with a minimal-cost objective function, thereby yielding a solution technique. We demonstrate the practical utility of our approach by applying it to a number of significant case studies, including a DTMC reward model of the Zeroconf protocol for assigning IP addresses, and a CTMC model of the highly publicized Kaminsky DNS cache-poisoning attack.

A process calculus for mobile ad hoc networks

We present the ω-calculus, a process calculus for formally modeling and reasoning about Mobile Ad Hoc Wireless Networks (MANETs) and their protocols. The ω-calculus naturally captures essential characteristics of MANETs, including the ability of a MANET node to broadcast a message to any other node within its physical transmission range (and no others), and to move in and out of the transmission range of other nodes in the network. A key feature of the ω-calculus is the separation of a nodes communication and computational behavior, described by an ω-process, from the description of its physical transmission range, referred to as an ω-process interface. Our main technical results are as follows. We give a formal operational semantics of the ω-calculus in terms of labeled transition systems and show that the state reachability problem is decidable for finite-control ω-processes. We also prove that the ω-calculus is a conservative extension of the π-calculus, and that late bisimulation (appropriately lifted from the π-calculus to the ω-calculus) is a congruence. Congruence results are also established for a weak version of late bisimulation, which abstracts away from two types of internal actions: τ -actions, as in the π-calculus, and µ-actions, signaling node movement. Finally, we illustrate the practical utility of the calculus by developing and analyzing a formal model of a leader-election protocol for MANETs.

Modeling and analysis of interactions in virtual enterprises

Advances in computer networking technology and open system standards are making the creation and management of virtual enterprises feasible. A virtual enterprise is a temporary consortium of autonomous, diverse, and possibly geographically dispersed organizations that pool their resources to meet short-term objectives and exploit fast-changing market trends. For a virtual enterprise to succeed, its business processes must be automated, and its startup costs must be minimized. We describe a formal framework for modeling and reasoning about interactions in a virtual enterprise. Such a framework will form the basis for tools that provide automated support for creation and operation of virtual enterprises.

A process calculus for Mobile Ad Hoc Networks

We present the @w-calculus, a process calculus for formally modeling and reasoning about Mobile Ad Hoc Wireless Networks (MANETs) and their protocols. The @w-calculus naturally captures essential characteristics of MANETs, including the ability of a MANET node to broadcast a message to any other node within its physical transmission range (and no others), and to move in and out of the transmission range of other nodes in the network. A key feature of the @w-calculus is the separation of a nodes communication and computational behavior, described by an @w-process, from the description of its physical transmission range, referred to as an @w-process interface. Our main technical results are as follows. We give a formal operational semantics of the @w-calculus in terms of labeled transition systems and show that the state reachability problem is decidable for finite-control @w-processes. We also prove that the @w-calculus is a conservative extension of the @p-calculus, and that late bisimulation equivalence (appropriately lifted from the @p-calculus to the @w-calculus) is a congruence. Congruence results are also established for a weak version of late bisimulation equivalence, which abstracts away from two types of internal actions: @t-actions, as in the @p-calculus, and @m-actions, signaling node movement. We additionally define a symbolic semantics for the @w-calculus extended with the mismatch operator, along with a corresponding notion of symbolic bisimulation equivalence, and establish congruence results for this extension as well. Finally, we illustrate the practical utility of the calculus by developing and analyzing formal models of a leader election protocol for MANETs and the AODV routing protocol.

XMC: A Logic-Programming-Based Verification Toolset

XMC is a toolset for specifying and verifying concurrent systems. Its main mode of verification is temporal-logic model checking [CES86], although equivalence checkers have also been implemented. In its current form, temporal properties are specified in the alternation-free fragment of the modal mu-calculus [Koz83], and system models are specified in XL, a value-passing language based on CCS [Mil89]. The core computational components of the XMC system, such as those for compiling the specification language, model checking, etc., are built on top of the XSB tabled logic-programming system [XSB99].

Fully local and efficient evaluation of alternating fixed points

A key holder which includes a body and a key pivotably mounted on the body and movable between an operating position in which the key is disposed outside of the body and a non-operating position in which the key is housed within the body. The key holder may also include a biasing member for maintaining the key at the operating position thereof or the non-operating position thereof and the key may include a stopper member disposed thereon which is engageable with the body to maintain the key at the non-operating position thereof.