Gian Luigi Ferrari

The Klaim Project: Theory and Practice

Klaim (Kernel Language for Agents Interaction and Mobility) is an experimental language specifically designed to program distributed systems consisting of several mobile components that interact through multiple distributed tuple spaces. Klaim primitives allow programmers to distribute and retrieve data and processes to and from the nodes of a net. Moreover, localities are first-class citizens that can be dynamically created and communicated over the network. Components, both stationary and mobile, can explicitly refer and control the spatial structures of the network. This paper reports the experiences in the design and development of Klaim. Its main purpose is to outline the theoretical foundations of the main features of Klaim and its programming model. We also present a modal logic that permits reasoning about behavioural properties of systems and various type systems that help in controlling agents movements and actions. Extensions of the language in the direction of object oriented programming are also discussed together with the description of the implementation efforts which have lead to the current prototypes.

Types for access control

KLAIM is an experimental programming language that supports a programming paradigm where both processes and data can be moved across dierent computing environments. This paper presents the mathematical foundations of the KLAIM type system; this system permits checking access rights violations of mobile agents. Types are used to describe the intentions (read, write, execute, :::) of processes relative to the dierent localities with which they are willing to interact, or to which they want to migrate. Type checking then determines whether processes comply with the declared intentions, and whether they have been assigned the necessary rights to perform the intended operations at the specied localities. The KLAIM type system encompasses both subtyping and recursively dened types. The former occurs naturally when considering hierarchies of access rights, while the latter is needed to model migration of recursive processes. c 2000 Elsevier Science B.V. All rights reserved.

A model-checking verification environment for mobile processes

This article presents a semantic-based environment for reasoning about the behavior of mobile systems. The verification environment, called HAL, exploits a novel automata-like model that allows finite-state verification of systems specified in the π-calculus. The HAL system is able to interface with several efficient toolkits (e.g. model-checkers) to determine whether or not certain properties hold for a given specification. We report experimental results on some case studies.

History-based access control with local policies

An extension of the λ-calculus is proposed, to study history-based access control. It allows for security policies with a possibly nested, local scope. We define a type and effect system that, given a program, extracts a history expression, i.e. a correct approximation to the set of histories obtainable at run-time. Validity of history expressions is non-regular, because the scope of policies can be nested. Nevertheless, a transformation of history expressions is presented, that makes verification possible through standard model checking techniques. A program will never fail at run-time if its history expression, extracted at compile-time, is valid.

Interactive mobile agents in X-KLAIM

Mobile agents are processes which can migrate and execute on new hosts. Mobility is a key concept for network programming; it has stimulated much research about new programming languages and paradigms. X-KLAIM is an experimental programming language, inspired by the Linda paradigm, where mobile agents and their interaction strategies can be naturally programmed. A prototype implementation of X-KLAIM is presented, together with a few examples introducing the new programming style.

Semantics-Based Design for Secure Web Services

We outline a methodology for designing and composing services in a secure manner. In particular, we are concerned with safety properties of service behavior. Services can enforce security policies locally and can invoke other services that respect given security contracts. This call-by-contract mechanism offers a significant set of opportunities, each driving secure ways to compose services. We discuss how we can correctly plan service compositions in several relevant classes of services and security properties. With this aim, we propose a graphical modeling framework based on a foundational calculus called lambda req [13]. Our formalism features dynamic and static semantics, thus allowing for formal reasoning about systems. Static analysis and model checking techniques provide the designer with useful information to assess and fix possible vulnerabilities.

A Language-Based Approach to Autonomic Computing

SCEL is a new language specifically designed to model autonomic components and their interaction. It brings together various programming abstractions that permit to directly represent knowledge, behaviors and aggregations according to specific policies. It also supports naturally programming self-awareness, context-awareness, and adaptation. In this paper, we first present design principles, syntax and operational semantics of SCEL. Then, we show how a dialect can be defined by appropriately instantiating the features of the language we left open to deal with different application domains and use this dialect to model a simple, yet illustrative, example application. Finally, we demonstrate that adaptation can be naturally expressed in SCEL.

Enforcing secure service composition

A static approach is proposed to study secure composition of software. We extend the /spl lambda/-calculus with primitives for invoking services that respect given security requirements. Security-critical code is enclosed in policy framings with a possibly nested, local scope. Policy framings enforce safety and liveness properties of execution histories. The actual histories that can occur at runtime are over-approximated by a type and effect system. These approximations are model-checked to verify policy framings within their scopes. This allows for removing any runtime execution monitor, and for selecting those services that match the security requirements.

Synchronised hyperedge replacement as a model for service oriented computing

This tutorial paper describes a framework for modelling several aspects of distributed computing based on Synchronised Hyperedge Replacement (SHR), a graph rewriting formalism. Components are represented as edges and they rewrite themselves by synchronising with neighbour components the productions that specify their behaviour. The SHR framework has been equipped with many formal devices for representing complex synchronisation mechanisms which can tackle mobility, heterogeneous synchronisations and non-functional aspects, key factors of Service Oriented Computing (SOC). We revise the SHR family as a suitable model for contributing to the formalisation of SOC systems.

A LTS Semantics of Ambients via Graph Synchronization with Mobility

We present a simple labelled transition system semantics of Cardelli and Gordons Ambient calculus. We exploit a general and flexible model based on (hyper)graphs, where graph transformation is obtained via (hyper)edge replacement and local synchronization with mobility. In addition to tree-like ambients, the calculus we define works just as well with graph-like ambients, which are a more realistic model of internetworks.