Silvia Crafa

Access control for mobile agents: The calculus of boxed ambients

Boxed Ambients are a variant of Mobile Ambients that result from dropping the open capability and introducing new primitives for ambient communication. The new model of communication is faithful to the principles of distribution and location-awareness of Mobile Ambients, and complements the constructs in and out for mobility with finer-grained mechanisms for ambient interaction. We introduce the new calculus, study the impact of the new mechanisms for communication of typing and mobility, and show that they yield an effective framework for resource protection and access control in distributed systems.

Communication Interference in Mobile Boxed Ambients

Boxed Ambients (BA) replace Mobile Ambientsopen capability with communication primitives acting across ambient boundaries. Expressiveness is achieved at the price of communication interferences on message reception whose resolution requires synchronisation of activities at multiple, distributed locations. We study a variant of BA aimed at controlling communication interferences as well as mobility ones. Our calculus draws inspiration from Safe Ambients (SA) (with passwords) and modifies the communication mechanism of BA. Expressiveness is maintained through a new form of co-capability that at the same time registers incoming agents with the receiver ambient and performs access control.

Reasoning about Security in Mobile Ambients

The paper gives an assessment of security for Mobile Ambients, with specific focus on mandatory access control (MAC) policies in multilevel security systems. The first part of the paper reports on different formalization attempts for MAC policies in the Ambient Calculus, and provides an in-depth analysis of the problems one encounters. As it turns out, MAC security does not appear to have fully convincing interpretations in the calculus. The second part proposes a solution to this impasse, based on a variant of Mobile Ambients. A type system for resource access control is defined, and the new calculus is discussed and illustrated with several examples of resource management policies.

Communication and mobility control in boxed ambients

Boxed Ambients (BA) replace Mobile Ambients open capability with communication primitives acting across ambient boundaries. The expressiveness of the new communication model is achieved at the price of communication interferences whose resolution requires synchronisation of activities at multiple, distributed locations. We study a variant of BA aimed at controlling communication as well as mobility interferences. Our calculus modifies the communication mechanism of BA, and introduces a new form of co-capability, inspired from Safe Ambients (SA) (with passwords), that registers incoming agents with the receiver ambient while at the same time performing access control. We prove that the new calculus has a rich semantics theory, including a sound and complete coinductive characterisation, and an expressive, yet simple type system. Through a set of examples, and an encoding, we characterise its expressiveness with respect to both BA and SA.

A Logic for True Concurrency

We propose a logic for true concurrency whose formulae predicate about events in computations and their causal dependencies. The induced logical equivalence is hereditary history-preserving bisimilarity, and fragments of the logic can be identified which correspond to other true concurrent behavioural equivalences in the literature: step, pomset and history-preserving bisimilarity. Standard Hennessy-Milner logic, and thus (interleaving) bisimilarity, is also recovered as a fragment. We also propose an extension of the logic with fixpoint operators, thus allowing to describe causal and concurrency properties of infinite computations. This work contributes to a rational presentation of the true concurrent spectrum and to a deeper understanding of the relations between the involved behavioural equivalences.

Information Flow Security for Boxed Ambients

Abstract We study the problem of secure information flow for Boxed Ambients in terms of non-interference. We develop a sound type system that provides static guarantees of absence of unwanted flow of information for well typed processes. Non-interference is stated, and proved, in terms of a typed notion of contextual equivalence for Boxed Ambients akin to the corresponding equivalence defined for Mobile Ambients.

Event structure semantics of parallel extrusion in the pi-calculus

We give a compositional event structure semantics of the π-calculus. The main issues to deal with are the communication of free names and the extrusion of bound names. These are the source of the expressiveness of the π-calculus, but they also allow subtle forms of causal dependencies. We show that free name communications can be modeled in terms of incomplete/potential synchronization events. On the other hand, we argue that it is not possible to satisfactorily model parallel extrusion within the framework of stable event structures. We propose to model a process as a pair (E, X) where E is a prime event structure and X is a set of (bound) names. Intuitively, E encodes the structural causality of the process, while the set X affects the computation on E so as to capture the causal dependencies introduced by scope extrusion. The correctness of our true concurrent semantics is shown by an operational adequacy theorem with respect to the standard late semantics of the π-calculus.

Type Based Discretionary Access Control

Discretionary Access Control (DAC) systems provide powerful mechanisms for resource management based on the selective distribution of capabilities to selected classes of principals. We study a type-based theory of DAC models for concurrent and distributed systems represented as terms of Cardelli, Ghelli and Gordon’s pi calculus with groups [2]. In our theory, groups play the role of principals, and the structure of types allows fine-grained mechanisms to be specified to govern the transmission of names, to bound the (iterated) re-transmission of capabilities, to predicate their use on the inability to pass them to third parties, ... and more. The type system relies on subtyping to help achieve a selective distribution of capabilities, based on the groups in control of the communication channels. Type preservation provides the basis for a safety theorem stating that in well-typed processes all names flow according to the delivery policies specified by their types, and are received at the intended sites with the intended capabilities.

A logic for true concurrency

We propose a logic for true concurrency whose formulae predicate about events in computations and their causal dependencies. The induced logical equivalence is hereditary history preserving bisimilarity, and fragments of the logic can be identified which correspond to other true concurrent behavioural equivalences in the literature: step, pomset and history preserving bisimilarity. Standard Hennessy-Milner logic, thus (interleaving) bisimilarity, is also recovered as a fragment. We believe that this contributes to a rational presentation of the true concurrent spectrum and to a deeper understanding of the relations between the involved behavioural equivalences.

A spectrum of behavioral relations over LTSs on probability distributions

Probabilistic nondeterministic processes are commonly modeled as probabilistic LTSs (PLTSs, a.k.a. probabilistic automata). A number of logical characterizations of the main behavioral relations on PLTSs have been studied. In particular, Parma and Segala [2007] define a probabilistic Hennessy-Milner logic interpreted over distributions, whose logical equivalence/preorder when restricted to Dirac distributions coincide with standard bisimulation/simulation between the states of a PLTS. This result is here extended by studying the full logical equivalence/preorder between distributions in terms of a notion of bisimulation/ simulation defined on a LTS of probability distributions (DLTS). We show that the standard spectrum of behavioral relations on nonprobabilistic LTSs as well as its logical characterization in terms of Hennessy-Milner logic scales to the probabilistic setting when considering DLTSs.