Damiano Macedonio

A Semantic Analysis of Wireless Network Security Protocols

Model Repair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 341 George Chatzieleftheriou, Borzoo Bonakdarpour, Scott A. Smolka, and Panagiotis Katsaros CLSE: Closed-Loop Symbolic Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356 Rupak Majumdar, Indranil Saha, K.C. Shashidhar, and Zilong Wang On the Development and Formalization of an Extensible Code Generator for Real Life Security Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . 371 Michael Backes, Alex Busenius, and Cătălin Hriţcu Incremental Verification with Mode Variable Invariants in State Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388 Temesghen Kahsai, Pierre-Löıc Garoche, Cesare Tinelli, and Mike Whalen A Semantic Analysis of Wireless Network Security Protocols . . . . . . . . . . 403 Damiano Macedonio and Massimo Merro XII Table of

Spatial logics for bigraphs

Bigraphs are emerging as an interesting model for concurrent calculi, like CCS, pi-calculus, and Petri nets. Bigraphs are built orthogonally on two structures: a hierarchical place graph for locations and a link (hyper-)graph for connections. With the aim of describing bigraphical structures, we introduce a general framework for logics whose terms represent arrows in monoidal categories. We then instantiate the framework to bigraphical structures and obtain a logic that is a natural composition of a place graph logic and a link graph logic. We explore the concepts of separation and sharing in these logics and we prove that they generalise some known spatial logics for trees, graphs and tree contexts.

A Hybrid Intuitionistic Logic: Semantics and Decidability

We study a hybrid intuitionistic modal logic suitable for reasoning about distribution of resources. The modalities of the logic allow validation of properties in a particular place, in some place and in all places. We provide a sound and complete Kripke semantics. We also define a sound and complete birelational semantics, and show that it enjoys the finite model property: if a judgement is not valid in the logic, then there is a finite birelational counter-model. Hence, we prove that the logic is decidable.

A semantic analysis of key management protocols for wireless sensor networks

Gorrieri and Martinellis timed Generalized Non-Deducibility on Compositions (tGNDC) schema is a well-known general framework for the formal verification of security protocols in a concurrent scenario. We generalise the tGNDC schema to verify wireless network security protocols. Our generalisation relies on a simple timed broadcasting process calculus whose operational semantics is given in terms of a labelled transition system which is used to derive a standard simulation theory. We apply our tGNDC framework to perform a security analysis of three well-known key management protocols for wireless sensor networks: @mTESLA, LEAP+ and LiSP.

Unwinding in Information Flow Security

We study information flow security properties which are persistent, in the sense that if a system is secure then all of its reachable states are secure too. We present a uniform characterization of these properties in terms of a general unwinding schema. This unwinding characterization allows us to prove several compositionality properties of the considered security classes. Moreover, we exploit the unwinding condition to dictate the form of the rules we can use to incrementally develop secure processes and to rectify insecure processes.

Compliance preorders for web services

Compliance is a basic property of web-service architectures that ensures the absence of deadlocks and livelocks during execution. Following recent attempts in the literature, we interpret compliance as an experiment, much like the experiments made by a test process in testing theories, and use it as the basis for a notion of compliance preserving substitution of components within a composition of web services. We review the different notions of compliance in the literature, analyze their relative strengths and weaknesses, and formalize their interrelationships by providing a uniform formal framework where we reconcile the different perspectives that characterize them.

A Theory of Adaptable Contract-Based Service Composition

Service oriented architectures draw heavily on techniques for reusing and assembling off-the-shelf software components. While powerful, this programming practice is not without a cost: the software architect must ensure that the off-the-shelf components interact safely and in ways that conform with the specification. We develop a new theory for adaptable service composition. The theory provides an effective framework for analyzing the conformance of contract-based service compositions, and for enforcing their compliance, in a uniform, formally elegant setting.

Information flow in secure contexts

Information flow Security in a multilevel system aims at guaranteeing that no high level information is revealed to low level user, even in the presence of any possible malicious process. This requirment could be stronger than necessary when some knowledge about the environment (context) in which the process is going to run is available. To relax this requirment we introduce the notion of secure contexts for a class of processes. This notion is parametric with respect to both the observation equivalance and the operation used to characterize the low level view of a process. As observation equivalance we consider the cases of weak bisimulation and trace equivalance. We describe how to build secure context in these cases and we show that two well-known security properties, named BNDC and NDC. are just special instances of our general notion.

A Thread-Safe Library for Binary Decision Diagrams

We describe the motivations, technical problems and solutions behind the implementation of BeeDeeDee, a new thread-safe Java library for Binary Decision Diagrams (BDDs) manipulation. BeeDeeDee allows clients to share a single factory of BDDs, in real parallelism, and reduce the memory footprint of their overall execution, at a very low synchronization cost. We prove through experiments on multi-core computers that BeeDeeDee is an effective thread-safe library for BDD manipulation. As test cases, we consider multiple instances of the n-queens problem, the construction of circuits and the parallel execution of information flow static analyses of Java programs, for distinct properties of variables. For sequential-only executions, BeeDeeDee is faster than other non-thread-safe Java libraries and as fast as non-thread-safe C libraries.

Locking discipline inference and checking

Concurrency is a requirement for much modern software, but the implementation of multithreaded algorithms comes at the risk of errors such as data races.Programmers can prevent data races by documenting and obeying a locking discipline, which indicates which locks must be held in order to access which data.This paper introduces a formal semantics for locking specifications that gives a guarantee of race freedom.A notable difference from most other semantics is that it is in terms of values (which is what the runtime system locks) rather than variables.The paper also shows how to express the formal semantics in two different styles of analysis:abstract interpretation and type theory.We have implemented both analyses, in tools that operate on Java.To the best of our knowledge, these are the first tools that can soundly infer and check a locking discipline for Java.Our experiments compare the implementations with one another and with annotations written by programmers, showing that the ambiguities and unsoundness of previous formulations are a problem in practice.