Julian Rathke

Java JR: fully abstract trace semantics for a core java language

We introduce an expressive yet semantically clean core Java-like language, Java JR, and provide it with a formal operational semantics based on traces of observable actions which represent interaction across package boundaries. A detailed example based on the Observer Pattern is used to demonstrate the intuitive character of the semantic model. We also show that our semantic trace equivalence is fully-abstract with respect to a natural notion of testing equivalence for object systems. This is the first such result for a full class-based OO-language with inheritance.

Typed behavioural equivalences for processes in the presence of subtyping

We study typed behavioural equivalences for the

Towards a theory of bisimulation for local names

\pi

Contextual equivalence for higher-order pi-calculus revisited

-calculus in which the type system allows a form of subtyping. This enables processes to distribute different capabilities selectively on communication channels. The equivalences considered include typed versions of testing equivalences and barbed bisimulation equivalences.We show that each of these equivalences can be characterised via standard techniques applied to a novel labelled transition system of configurations. These consist of a process term together with two related type environments; one constraining the process and the other its computing environment.

Towards a behavioural theory of access and mobility control in distributed systems

A.M. Pitts and I.D.B. Stark (1998) have proposed the v-calculus as a language for investigating the interaction of unique name generation and higher-order functions. They developed a sound model based on logical relations, but left completeness as an open problem. In this paper, we develop a complete model based on bisimulation for a labelled transition system semantics. We show that bisimulation is complete, but not sound, for the v-calculus. We also show that by adding assignment to the v-calculus, bisimulation becomes sound and complete. The analysis used to obtain this result illuminates the difficulties involved in finding fully abstract models for v-calculus proper.

Local Memory via Layout Randomization

The higher-order pi-calculus is an extension of the pi-calculus to allow communication of abstractions of processes rather than names alone. It has been studied intensively by Sangiorgi in his thesis where a characterisation of a contextual equivalence for higher-order pi-calculus is provided using labelled transition systems and normal bisimulations. Unfortunately the proof technique used there requires a restriction of the language to only allow finite types. We revisit this calculus and offer an alternative presentation of the labelled transition system and a novel proof technique which allows us to provide a fully abstract characterisation of contextual equivalence using labelled transitions and bisimulations for higher-order pi-calculus with recursive types also.

Deriving Structural Labelled Transitions for Mobile Ambients

We define a typed bisimulation equivalence for the language DPI, a distributed version of the π-calculus in which processes may migrate between dynamically created locations. It takes into account resource access policies, which can be implemented in DPI using a novel form of dynamic capability types. The equivalence, based on typed actions between configurations, is justified by showing that it is fully abstract with respect to a natural distributed version of a contextual equivalence.In the second part of the paper we study the effect of controlling the migration of processes. This affects the ability to perform observations at specific locations, as the observer may be denied access. We show how the typed actions can be modified to take this into account, and generalise the full-abstraction result to this more delicate scenario.

A theory of bisimulation for a fragment of concurrent ML with local names

Randomization is used in computer security as a tool to introduce unpredictability into the software infrastructure. In this paper, we study the use of randomization to achieve the secrecy and integrity guarantees for local memory. We follow the approach set out by Abadi and Plot kin. We consider the execution of an idealized language in two environments. In the strict environment, opponents cannot access local variables of the user program. In the lax environment, opponents may attempt to guess allocated memory locations and thus, with small probability, gain access the local memory of the user program. We model these environments using two novel calculi: lambda-mu-hashref and lambda-mu-proberef. Our contribution to the Abadi-Plot kin program is to enrich the programming language with dynamic memory allocation, first class and higher order references and call/cc-style control. On the one hand, these enhancements allow us to directly model a larger class of system hardening principles. On the other hand, the class of opponents is also enhanced since our enriched language permits natural and direct encoding of attacks that alter the control flow of programs. Our main technical result is a fully abstract translation (up to probability) of lambda-mu-hashref into lambda-mu-proberef. Thus, in the presence of randomized layouts, the opponent gains no new power from being able to guess local references of the user program. Our numerical bounds are similar to those of Abadi and Plot kin, thus, the extra programming language features do not cause a concomitant increase in the resources required for protection via randomization.

Semantic barbs and biorthogonality

We present a new labelled transition system ( lts ) for the ambient calculus on which ordinary bisimilarity coincides with contextual equivalence. The key feature of this lts is that it is the fruit of ongoing work on developing a systematic procedure for deriving lts s in the structural style from the underlying reduction semantics and observability. Notably, even though we have derived our lts for ambients systematically it compares very favourably with existing transition systems for the same calculus.

A fully abstract may testing semantics for concurrent objects

Concurrent ML is an extension of Standard ML with π-calculus-like primitives for multithreaded programming. CML has a reduction semantics, but to date there has been no labelled transition system semantics provided for the entire language. In this paper, we present a labelled transition semantics for a fragment of CML called µvCML which includes features not covered before: dynamically generated local channels and thread identifiers. We show that weak bisimilarity for µvCML is a congruence, and coincides with barbed bisimulation congruence. We also provide a variant of Sangiorgis normal bisimulation for µvCML, and show that this too coincides with bisimilarity.