Eduardo Bonelli

Correspondence assertions for process synchronization in concurrent communications

High-level specification of patterns of communications such as protocols can be modeled elegantly by means of session types (Honda et al., 1998). However, a number of examples suggest that session types fall short when finer precision on protocol specification is required. In order to increase the expressiveness of session types we appeal to the theory of correspondence assertions (Clarke & Marrero, 1998; Gordon & Jeffrey, 2003b). The resulting type discipline augments the types of long-term channels with effects and thus yields types which may depend on messages read or written earlier within the same session. This new type system can be used to check: source of information, whether data is propagated as specified across multiple parties, if there are unspecified communications between parties, and if the data being exchanged has been modified by the code in an unspecified way. We prove that evaluation preserves typability and that well-typed processes are safe. Also, we illustrate how the resulting theory allows us to address shortcomings present in the pure theory of session types.

Multipoint session types for a distributed calculus

Session types are a means of statically encoding patterns of interaction between two communicating parties. This paper explores a distributed calculus with session types in which a number of fixed sites interact. The reduction schemes describing the operational semantics satisfy the locality principle: at most one site is involved. Both session engagement and data communication are local and asynchronous. Furthermore, our setting is a natural one in which the novel notion of multipoint session types, sessions in which more than two parties may be involved, can be introduced.

A typed assembly language for non-interference

Non-interference is a desirable property of systems in a multilevel security architecture, stating that confidential information is not disclosed in public output. The challenge of studying information flow for assembly languages is that the control flow constructs that guide the analysis in high-level languages are not present. To address this problem, we define a typed assembly language that uses pseudo-instructions to impose a stack discipline on the control flow of programs. We develop a type system for checking that assembly programs enjoy non-interference and its proof of soundness.

Typechecking Safe Process Synchronization

Session types describe the interactions between two parties within multi-party communications. They constitute a communication protocol in the sense that the order and type of interactions between two parties are specified. For their part, correspondence assertions provide a mechanism for synchronization. When session types and correspondence assertions are combined, they are able to describe synchronization across different communication sessions, yielding a rich language for imposing expressive interaction patterns in multi-party communications. This paper studies the typechecking problem for Iris, a typed @p-calculus that combines session types and correspondence assertions. We define a typechecking algorithm and prove that it is sound and complete with respect to the typing rules. Furthermore, we show that the typing system satisfies the minimum effects property. Although session types have been extensively studied in the past few years, to our knowledge this is the first proof of decidability of typechecking for a type system with session types.

BioScape: A Modeling and Simulation Language for Bacteria-Materials Interactions

We design BioScape, a concurrent language for the stochastic simulation of biological and bio-materials processes in a reactive environment in 3D space. BioScape is based on the Stochastic Pi-Calculus, and it is motivated by the need for individual-based, continuous motion, and continuous space simulation in modeling complex bacteria-materials interactions. Our driving example is a bio-triggered drug delivery system for infection-resistant medical implants. Our models in BioScape will help in identifying biological targets and materials strategies to treat biomaterials associated bacterial infections. The novel aspects of BioScape include syntactic primitives to declare the scope in space where species can move, diffusion rate, shape, and reaction distance, and an operational semantics that deals with the specifics of 3D locations, verifying reaction distance, and featuring random movement. We define a translation from BioScape to 3@p and prove its soundness with respect to the operational semantics.

Boxed Ambients with Communication Interfaces

We define BACI (Boxed Ambients with Communication Interfaces), an ambient calculus allowing a liberal communication policy. Each ambient carries its local view of the topic of conversation (the type of the information being exchanged) with parents and children that will condition where it is allowed to stay or migrate to and which ambients may be allowed to enter it. The topic of conversation view of ambients can dynamically change during migration. BACI is flexible enough to allow different topics of conversation between an ambient and different parents, without compromising type-safety: it uses port names for communication and ambient names for mobility. Capabilities and co-capabilities exchange port names and run-time typing information to control mobility. We show the type-soundness of BACI proving that it satisfies the subject reduction property. Moreover we study its behavioural semantics by means of a labelled transition system.

On-the-Fly inlining of dynamic dependency monitors for secure information flow

Information flow analysis (IFA) in the setting of programming languages is steadily veering towards the adoption of dynamic techniques. This is particularly attractive for scripting languages for web applications programming. A common manifestation of dynamic techniques is that of run-time monitors, which should block program execution in the presence of an insecure run. Significant efforts are still required before practical, scalable monitors for secure IFA of industrial scale languages such as JavaScript can be achieved. Such monitors ideally should compensate for the absence of the traces they do not track, should not require modifications of the VM and should provide a fair compromise between security and usability among other things. This paper discusses on-the-fly inlining of monitors that track dependencies as a prospective candidate.

Type-based information flow analysis for bytecode languages with variable object field policies

Static, type-based information flow analysis techniques targeted at Java and JVM-like code typically assume a global security policy on object fields: all fields are assigned a fixed security level. In essence they are treated as standard variables. However different objects may be created under varying security contexts, particularly for widely used classes such as wrapper or collection classes. This entails an important loss in precision of the analysis. We present a flow-sensitive type system for statically detecting illegal flows of information in a JVM-like language that allows the level of a field to vary at different object creation points. Also, we prove a noninterference result for this language.

Justification logic and audited computation

Justification Logic (JL) is a refinement of modal logic in which assertions of knowledge and belief are accompanied by justifications: the formula s A states that s is a ‘reason’ for knowing/believing A. We study the computational interpretation of JL via the Curry–Howard isomorphism in which the modality s A is interpreted as: s is a type derivation justifying the validity of A. The resulting lambda calculus is such that its terms are aware of the reduction sequence that gave rise to them. This serves as a basis for understanding systems, many of which belong to the security domain, in which computation is history-aware.

Information flow analysis for a typed assembly language with polymorphic stacks

We study secure information flow in a stack based Typed Assembly Language (TAL). We define a TAL with an execution stack and establish the soundness of its type system by proving non-interference. One of the problems of studying information flow for a low-level language is the absence of high-level control flow constructs that guide information flow analysis in high-level languages. Furthermore, in the presence of an execution stack, code that frees space on the stack must be constrained in order to avoid illegal flows. Finally, in the presence of stack polymorphism, we must ensure that type variables are instantiated without observable differences. These issues are addressed by introducing junction points into the type system, ensuring that they behave as ordered linear continuations, and that they interact safely with the execution stack. We also discuss several limitations of our approach and point out some remaining open issues.