
Publication


Featured research published by Fabio Massacci.


ACM Transactions on Autonomous and Adaptive Systems | 2006

A survey of autonomic communications

Simon Dobson; Spyros G. Denazis; Antonio Fernández; Dominique Gaïti; Erol Gelenbe; Fabio Massacci; Paddy Nixon; Fabrice Saffre; Nikita Schmidt; Franco Zambonelli

Autonomic communications seek to improve the ability of network and services to cope with unpredicted change, including changes in topology, load, task, the physical and logical characteristics of the networks that can be accessed, and so forth. Broad-ranging autonomic solutions require designers to account for a range of end-to-end issues affecting programming models, network and contextual modeling and reasoning, decentralised algorithms, trust acquisition and maintenance---issues whose solutions may draw on approaches and results from a surprisingly broad range of disciplines. We survey the current state of autonomic communications research and identify significant emerging trends and techniques.


international conference on requirements engineering | 2005

Modeling security requirements through ownership, permission and delegation

Paolo Giorgini; Fabio Massacci; John Mylopoulos; Nicola Zannone

Security requirements engineering is emerging as a branch of software engineering, spurred by the realization that security must be dealt with early on during the requirements phase. Methodologies in this field are challenging, as they must take into account subtle notions such as trust (or lack thereof), delegation, and permission; they must also model entire organizations and not only systems-to-be. In our previous work we introduced Secure Tropos, a formal framework for modeling and analyzing security requirements. Secure Tropos is founded on three main notions: ownership, trust, and delegation. In this paper, we refine Secure Tropos introducing the notions of at-least delegation and trust of execution; also, at-most delegation and trust of permission. We also propose monitoring as a security design pattern intended to overcome the problem of lack of trust between actors. The paper presents a semantics for these notions, and describes an implemented formal reasoning tool based on Datalog.


International Journal of Information Security | 2006

Requirements engineering for trust management: model, methodology, and reasoning

Paolo Giorgini; Fabio Massacci; John Mylopoulos; Nicola Zannone

A number of recent proposals aim to incorporate security engineering into mainstream software engineering. Yet, capturing trust and security requirements at an organizational level, as opposed to an IT system level, and mapping these into security and trust management policies is still an open problem. This paper proposes a set of concepts founded on the notions of ownership, permission, and trust and intended for requirements modeling. It also extends Tropos, an agent-oriented software engineering methodology, to support security requirements engineering. These concepts are formalized and are shown to support the automatic verification of security and trust requirements using Datalog. To make the discussion more concrete, we illustrate the proposal with a Health Care case study.


Artificial Intelligence | 2000

EXPTIME tableaux for ALC

Francesco M. Donini; Fabio Massacci

The last years have seen two major advances in Knowledge Representation and Reasoning. First, many interesting problems (ranging from Semi-structured Data to Linguistics) were shown to be expressible in logics whose main deductive problems are EXPtime-complete. Second, experiments in automated reasoning have substantially broadened the meaning of “practical tractability”. Instances of realistic size for Pspace-complete problems are now within reach for implemented systems. Still, there is a gap between the reasoning services needed by the expressive logics mentioned above and those provided by the current systems. Indeed, the algorithms based on tree-automata, which are used to prove EXPtime-completeness, require exponential time and space even in simple cases. On the other hand, current algorithms based on tableau methods can take advantage of such cases, but require double exponential time in the worst case. We propose a tableau calculus for the description logic ALC for checking the satisfiability of a concept with respect to a TBox with general axioms, and transform it into the first simple tableau-based decision procedure working in single exponential time. To guarantee the ease of implementation, we also discuss the effects that optimizations (propositional backjumping, simplification, semantic branching, etc.) might have on our complexity result, and introduce a few optimizations ourselves.


Information & Computation | 2000

Combining deduction and model checking into Tableaux and algorithms for converse-PDL

Giuseppe De Giacomo; Fabio Massacci

This paper presents a prefixed tableaux calculus for Propositional Dynamic Logic with Converse based on a combination of different techniques such as prefixed tableaux for modal logics and model checkers for μ-calculus. We prove the correctness and completeness of the calculus and illustrate its features. We also discuss the transformation of the tableaux method (naively NEXPTIME) into an EXPTIME algorithm.


conference on automated deduction | 1994

Strongly Analytic Tableaux for Normal Modal Logics

Fabio Massacci

A strong analytic tableau calculus is presented for the most common normal modal logics. The method combines the advantages of both sequent-like tableaux and prefixed tableaux. Proper rules are used, instead of complex closure operations for the accessibility relation, while non determinism and cut rules, used by sequent-like tableaux, are totally eliminated. A strong completeness theorem without cut is also given for symmetric and euclidean logics. The system gains the same modularity of Hilbert-style formulations, where the addition or deletion of rules is the way to change logic. Since each rule has to consider only adjacent possible worlds, the calculus also gains efficiency. Moreover, the rules satisfy the strong Church Rosser property and can thus be fully parallelized. Termination properties and a general algorithm are devised. The propositional modal logics thus treated are K, D, T, KB, K4, K5, K45, KDB, D4, KD5, KD45, B, S4, S5, OM, OB, OK4, OS4, OM+, OB+, OK4+, OS4+. Other logics can be constructed with different combinations of the proposed rules, but are not presented here.


Journal of Automated Reasoning | 2000

Logical Cryptanalysis as a SAT Problem

Fabio Massacci; Laura Marraro

Cryptographic algorithms play a key role in computer security and the formal analysis of their robustness is of utmost importance. Yet, logic and automated reasoning tools are seldom used in the analysis of a cipher, and thus one cannot often get the desired formal assurance that the cipher is free from unwanted properties that may weaken its strength. In this paper, we claim that one can feasibly encode the low-level properties of state-of-the-art cryptographic algorithms as SAT problems and then use efficient automated theorem-proving systems and SAT-solvers for reasoning about them. We call this approach logical cryptanalysis. In this framework, for instance, finding a model for a formula encoding an algorithm is equivalent to finding a key with a cryptanalytic attack. Other important properties, such as cipher integrity or algebraic closure, can also be captured as SAT problems or as quantified boolean formulae. SAT benchmarks based on the encoding of cryptographic algorithms can be used to effectively combine features of “real-world” problems and randomly generated problems. Here we present a case study on the U.S. Data Encryption Standard (DES) and show how to obtain a manageable encoding of its properties. We have also tested three SAT provers, TABLEAU by Crawford and Auton, SATO by Zhang, and rel-SAT by Bayardo and Schrag, on the encoding of DES, and we discuss the reasons behind their different performance. A discussion of open problems and future research concludes the paper.


Computer Standards & Interfaces | 2005

Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation

Fabio Massacci; Marco Prest; Nicola Zannone

Extending Requirements Engineering modelling and formal analysis methodologies to cope with Security Requirements has been a major effort in the past decade. Yet, only few works describe complex case studies that show the ability of the informal and formal approaches to cope with the level of complexity required by compliance with ISO-17799 security management requirements. In this paper we present a comprehensive case study of the application of the Secure Tropos RE methodology for compliance to the Italian legislation on Privacy and Data Protection by the University of Trento, leading to the definition and analysis of an ISO-17799-like security management scheme.


ACM Transactions on Computational Logic | 2001

Verifying security protocols as planning in logic programming

Luigia Carlucci Aiello; Fabio Massacci

We illustrate ALSP (Action Language for Security Protocol), a declarative executable specification language for planning attacks to security protocols. ALSP is based on logic programming with negation as failure, and with stable model semantics. In ALSP we can give a declarative specification of a protocol with the natural semantics of send and receive actions which can be performed in parallel. By viewing a protocol trace as a plan to achieve a goal, attacks are (possibly parallel) plans achieving goals that correspond to security violations. Building on results from logic programming and planning, we map the existence of an attack into the existence of a model for the protocol that satisfies the specification of an attack. We show that our liberal model of parallel actions can adequately represent the traditional Dolev-Yao trace-based model used in the formal analysis of security protocols. Specifications in ALSP are executable, as we can automatically search for attacks via an efficient model generator (smodels), implementing the stable model semantics of normal logic programs.


european public key infrastructure workshop | 2007

Security-by-contract: toward a semantics for digital signatures on mobile code

Fabio Massacci; Katsiaryna Naliuka; Ida Siahaan

In this paper we propose the notion of security-by-contract, a mobile contract that an application carries with itself. The key idea of the framework is that a digital signature should not just certify the origin of the code but rather bind together the code with a contract. We provide a description of the overall lifecycle of mobile code in the setting of security-by-contract, describe a tentative structure for a contractual language and propose a number of algorithms for one of the key steps in the process, the contract-policy matching issue. We argue that security-by-contract would provide a semantics for digital signatures on mobile code thus being a step in the transition from trusted code to trustworthy code.

Collaboration


Top Co-Authors

Nicola Zannone

Eindhoven University of Technology

Frank Piessens

Katholieke Universiteit Leuven