Francien Dechesne

Operational and epistemic approaches to protocol analysis: bridging the gap

Operational models of protocols, on one hand, are readable and conveniently match their implementation, at a certain abstraction level. Epistemic models, on the other hand, are appropriate for specifying knowledge-related properties such as anonymity. These two approaches to specification and analysis have so far developed in parallel and one has either to define ad hoc correctness criteria for the operational model or use complicated epistemic models to specify the operational behavior. We work towards bridging this gap by proposing a combined framework which allows modeling the behavior of a protocol in a process language with an operational semantics and supports reasoning about properties expressed in a rich logic with temporal and epistemic operators.

No smoking here: values, norms and culture in multi-agent systems

We use the example of the introduction of the anti-smoking legislation to model the relationship between the cultural make-up, in terms of values, of societies and the acceptance of and compliance with norms. We present two agent-based simulations and discuss the challenge of modeling sanctions and their relation to values and culture.

Advanced Agent Technology : Aamas Workshops 2011, Ample, Aose, Arms, Docmas, Itmas, Taipei, Taiwan, May 2-6, 2011. Revised Selected Papers

Advanced Agent Technology : Aamas Workshops 2011, Ample, Aose, Arms, Docmas, Itmas, Taipei, Taiwan, May 2-6, 2011. Revised Selected Papers

Ethical requirements for reconfigurable sensor technology: a challenge for value sensitive design

Information technology is widely used to fulfill societal goals such as safety and security. These application areas put ever changing demands on the functionality of the technology. Designing technological appliances to be reconfigurable, thereby keeping them open to functionalities yet to be determined, will possibly allow the technology to fulfill these changing demands in an efficient way. In this paper we present a first exploration of potential societal and moral issues of reconfigurable sensors developed for application in the safety and security domain, in the context of a large scale R&D-project in the Netherlands. We discuss the subtle distinction between the relevant notions of reconfigurability, function creep, and unrestricted or unforeseen technological affordances. We argue that the feature of reconfigurability makes context of use the central issue in the assessment of the societal and moral impact of the technology. It follows that the design of good policies for new application contexts has to be central in a value sensitive design approach to reconfigurable technology.

To know or not to know: epistemic approaches to security protocol verification

Security properties naturally combine temporal aspects of protocols with aspects of knowledge of the agents. Since BAN-logic, there have been several initiatives and attempts to incorporate epistemics into the analysis of security protocols. In this paper, we give an overview of work in the field and present it in a unified perspective, with comparisons on technical subtleties that have been employed in different approaches. Also, we study to which degree the use of epistemics is essential for the analysis of security protocols. We look for formal conditions under which knowledge modalities can bring extra expressive power to pure temporal languages. On the other hand, we discuss the cost of the epistemic operators in terms of model checking complexity.

Refinement of Kripke Models for Dynamics

We propose a property-preserving refinement/abstraction theory for Kripke Modal Labelled Transition Systems incorporating not only state mapping but also label and proposition lumping, in order to have a compact but informative abstraction. We develop a 3-valued version of Public Announcement Logic (PAL) which has a dynamic operator that changes the model in the spirit of public broadcasting. We prove that the refinement relation on staticmodels assures us to safely reason about any dynamicproperties in terms of PAL-formulas on the abstraction of a model. The theory is in particular interesting and applicable for an epistemic setting as the example of the Muddy Children puzzle shows, especially in the view of the growing interest for epistemic modelling and (automatic) verification of communication protocols.

Effectiveness of qualitative and quantitative security obligations

Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how these can be integrated in the operational processes of the organisation. This can result in policies that may be either too strong or too weak, leading to unnecessary productivity loss, or the possibility of becoming victim to attacks that exploit the weaknesses, respectively. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use logic-based and graph-based approaches to formalise and reason about such policies, and show how the framework can be used to verify correctness of the associated refinements. Finally, we extend the graph-based model with quantitative policies and associated quantitative analysis, based on the time an adversary needs for an attack. The framework can assist organisations in aligning security policies with their threat model.

Security-by-Experiment: Lessons from Responsible Deployment in Cyberspace

Conceiving new technologies as social experiments is a means to discuss responsible deployment of technologies that may have unknown and potentially harmful side-effects. Thus far, the uncertain outcomes addressed in the paradigm of new technologies as social experiments have been mostly safety-related, meaning that potential harm is caused by the design plus accidental events in the environment. In some domains, such as cyberspace, adversarial agents (attackers) may be at least as important when it comes to undesirable effects of deployed technologies. In such cases, conditions for responsible experimentation may need to be implemented differently, as attackers behave strategically rather than probabilistically. In this contribution, we outline how adversarial aspects are already taken into account in technology deployment in the field of cyber security, and what the paradigm of new technologies as social experiments can learn from this. In particular, we show the importance of adversarial roles in social experiments with new technologies.

Obligations to enforce prohibitions: on the adequacy of security policies

Security policies in organisations typically take the form of obligations for the employees. However, it is often unclear what the purpose of such obligations is, and how these can be integrated in the operational processes of the organisation. This can result in policies that may be either too strong or too weak, leading to unnecessary productivity loss, or the possibility of becoming victim to attacks that exploit the weaknesses, respectively. In this paper, we propose a framework in which the security obligations of employees are linked directly to prohibitions that prevent external agents (attackers) from reaching their goals. We use graph-based and logic-based approaches to formalise and reason about such policies, and show how the framework can be used to verify correctness of the associated refinements. The framework can assist organisations in aligning security policies with their threat model.

Thompson Transformations for If-Logic

In this paper we study connections between game theoretical concepts and results, and features of IF-predicate logic, extending observations from J. van Benthem (2001) for IF-propositional logic. We highlight how both characteristics of perfect recall can fail in the semantic games for IF-formulas, and we discuss the four Thompson transformations in relation with IF-logic. Many (strong) equivalence schemes for IF-logic correspond to one or more of the transformations. However, we also find one equivalence that does not fit in this picture, by the type of imperfect recall involved. We point out that the connection between the transformations and logical equivalence schemes is less direct in IF-first order logic than in the propositional case. The transformations do not generate a reduced normal form for IF-logic, because the IF-language is not flexible enough.