Shin-ya Nishizaki

A Polymorphic Environment Calculus and its Type-Inference Algorithm

The polymorphic environment calculus is a polymorphic lambda calculus which enables us to treat environments as first-class citizens. In the calculus, environments are formalized as explicit substitutions, and the substitutions are included in the set of terms of the calculus. First, we introduce an untyped environment calculus, and we present a semantics of the calculus as a translation into the lambda calculus. Second, we propose a polymorphic type system for the environment calculus based on Damas-Milners ML-polymorphic type system. In ML, polymorphism is allowed only in let-expressions; in the polymorphic environment calculus, polymorphism is provided with environment compositions. We prove a subject-reduction theorem for the type system. Third, a type-inference algorithm is given to the polymorphic environment calculus, and we establish its soundness, termination, and principal-typing theorem.

Formalization of Graph Search Algorithms and Its Applications

This paper describes a formalization of a class of fixed-point problems on graphs and its applications. This class captures several well-known graph theoretical problems such as those of shortest path type and for data flow analysis. An abstract solution algorithm of the fixed-point problem is formalized and its correctness is proved using a theorem proving system. Moreover, the validity of the A* algorithm, considered as a specialized version of the abstract algorithm, is proved by extending the proof of the latter. The insights we obtained through these formalizations are described. We also discuss the extension of this approach to the verification of model checking algorithms.

A cost estimation calculus for analyzing the resistance to denial-of-service attack

In order to describe and analyze cryptographic protocols, several researchers have proposed formal frameworks and have studied the security properties of communication protocols, such as authenticity. Abadi and Gordon used Milner’s pi-calculus for their research into security properties. The resistance to denial-of-service (DoS) attacks is one of the most important properties of communication protocols. This paper proposes a new calculus for analyzing the resistance to DoS. One crucial point that the analysis considers is the estimation of the resource consumption in each CPU. In the proposed calculus, the time and space costs for each CPU are determined by referring to its type and application data.

Cooperation of Model Checking and Network Simulation for Cost Analyses of Distributed Systems

Abstract Several studies have made formal analyses of denial-of-service (DoS) attacks to distributed systems. A primary factor in the attack is the imbalance between the victim server and the attackers. That is, the victim server incurs a heavy load compared to participants on the attacker side. The existing formal frameworks on DoS attacks mainly analyze and reason qualitative assertions on computational costs because generalized quantitative assertions are more difficult to formalize. The results of quantitative analysis, however, are easier to understand. Therefore, we propose a new cooperative approach to qualitative and quantitative analyses of DoS attacks. For qualitative analysis, we use Spice calculus to formulate the cost estimation in each process, which is a variation of Milner’s π-calculus. A system to be analyzed in Spice is translated into the modelling language process meta-language, to be analysed using a SPIN model checker. For quantitative analysis, the description in Spice is translated into a scenario script to be analyzed using the network simulator NS2. In the qualitative analysis, an assertion to be testified is described in linear temporal logic for SPIN model checker, whereas we can directly comprehend the result of the quantitative analysis.

AnZenMail: a secure and certified e-mail system

We are developing a secure and certified e-mail system AnZenMail that provides an experimental testbed for our cutting-edge security enhancement technologies. In addition to a provably secure message transfer protocol, we have designed and implemented a server (MTU) and a client (MUA) in order that they could survive recent malicious attacks such as server-cracking and e-mail viruses. The AnZenMail server is implemented in Java, a memory-safe language, and so it is free from stack smashing. Some of its safety properties have been formally verified in Coq mostly at the source code level by manually translating Java methods into Coq functions. The AnZenMail client is designed to provide a support for secure execution of mobile code arriving as email attachments. It has plug-in interfaces for code inspection and execution modules such as static analysis tools, runtime/inline reference monitors, and an anti-virus engine, which are currently being developed by members of our research project.

A Parallel Abstract Machine for the RPC Calculus

Cooper and Wadler introduced the RPC calculus, which is obtained by incorporating a mechanism for remote procedure calls (RPC) into the lambda calculus. The location where a caller’s code is executed is designated in a lambda abstraction in the RPC calculus. Nishizaki et al. proposed a simplified abstract machine for the lambda calculus, known as a Simple Abstract Machine (SAM). The configuration of an SECD machine is a quadruple of data sequences: Stack, Environment, Code, and Dump. In contrast, the SAM configuration is a double of data sequences: Stack and Code. In this paper, we introduce a SAM-based abstract machine for the RPC calculus, called a Location-aware Simple Abstract Machine (LSAM). This machine makes it possible to model parallelism more clearly. We provide a translation of the RPC calculus into LSAM, and prove a correctness theorem for the translation. We then show that the translation can be extended to allow parallel execution in LSAM.

KNOWLEDGE-BASED SIMULATION OF REGULATORY ACTION IN LAMBDA PHAGE

We have developed a knowledge-based but partially analytic simulation system. This system simulates regulatory action in lambda phage, a virus which infects E. coli. Specifically, we simulated the decision between its two developmental pathways, lytic and lysogenic growth. Our model is composed of two levels: roughly abstracted level and precisely abstracted level. The former level is discrete-event and knowledge-based. It covers overall regulations inside lambda phage in qualitative representation. On the other hand, the latter is based on quantitative chemical equations describing the sensitive bifurcation within pathways. In this way, qualitatively clear overview of regulatory action is efficiently simulated using knowledge base, and only the unpredictable part is analytically simulated in detail. This system can output not only input knowledge but also precise prediction by computational analysis, data which help molecular biologists find new theories of regulatory actions.

Real-Time Model Checking for Regulatory Compliance

Nowadays, regulatory compliance is one of the most important issues in Japan. Due to the increasing number of regulations, it will not be easy to ensure that all governance requirements are fulfilled by the business processes of an information system. In this paper, we propose a new method of strengthening the compliance controls in information systems using model checking. We formulate an information system as a timed automaton and compliance requirements as CTL formulas. We employ the model checker UPPAAL to check whether the automaton satisfies the requirements. We apply our method to an example taken from Japanese banking regulations.

Destructive testing of software systems by model checking

Recently, software verification using model checkers has achieved widespread success. It can locate hard-to-find bugs in software by exhaustively searching executing paths. In this paper, we propose a new software design method that enables the evaluation of the fault tolerance of software behavior at the specification level: we can check software behavior, not only when the hardware and network are in good order, but also when they are out of order; we can then improve fault tolerance of the target software using the model checker. We can test software under environments in which we destroy hardware and/or networks intentionally, not in situ, but in silico (in computer simulation).

A simple abstract machine for functional first-class continuations

Many kinds of abstract machine have been proposed for executing byte codes of functional languages, such as Landins SECD machine and Curiens Categorical Abstract Machine, which have been studied for decades from a theoretical viewpoint and applied in the implementation of functional language processors. In this paper, we propose the Simple Abstract Machine (SAM), a simplified SECD machine. The simplification lets us handle first-class continuations in the framework of abstract machines.