Publications (248)
Professor Sir Charles Antony Richard Hoare, FRS, reached his 90th birthday in January this year. Tony Hoare, as he is better known, was knighted for his services to theoretical computer science, and was one of the earliest computer scientists to be made a Fellow by the Royal Society. I believe the first computer scientist to be elected FRS was Mau...
In our previous work, we proposed a verification framework that shifts from the “code is law” to a new “specification is law” paradigm related to the safe evolution of smart contracts. The framework proposed there relaxed the well-established requirement that, once a smart contract is deployed in a blockchain, its code is expected to be immutable....
We present a multi-party exchange protocol that achieves optimal partial fairness even in the presence of a dishonest majority. We demonstrate how this protocol can be applied to any type of multi-party exchange scenario where the network topology is complete. When combined with standard secure multi-party computation techniques, our protocol enabl...
Interest in decentralised systems such as blockchains and network computers has increased in the last few years, with increasing globalisation and distrust of centralised authorities. These systems typically comprise a loosely coupled population of both honest and malevolent (Byzantine) agents, communicating with each other using message passing. A...
This paper is on the application of formal modelling in CSP and associated verification to decision making in decentralised systems. In particular we look at the problem of ensuring that decentralisation cannot allow two separate and apparently valid decisions to arise when exactly one is required. This is motivated by an approach to blockchain con...
We present a framework that supports the safe deployment and upgrade of smart contracts based on the design-by-contract paradigm. The starting point is an interface specification with invariants and pre- and postconditions for each function. The first deployed smart contract must conform to this specification. Specification evolution might involve...
Smart contracts are the building blocks of the “code is law” paradigm: the smart contract’s code indisputably describes how its assets are to be managed - once it is created, its code is typically immutable. Faulty smart contracts present the most significant evidence against the practicality of this paradigm; they are well-documented and resulted...
Distributed systems often rely on token structures to avoid undesired states and behave correctly. While conservative token structures ensure that a fixed number of tokens exist at all times, existential structures guarantee that tokens cannot be completely eliminated. In this paper, we show how a SAT/SMT checker can be used to automatically detect...
We develop the concept of Trusted and Confidential Program Analysis (TCPA) which enables program certification to be used where previously there was insufficient trust. Imagine a scenario where a producer may not be trusted to certify its own software (perhaps by a foreign regulator), and the producer is unwilling to release its sources and detaile...
We describe a new protocol to achieve two party ε-fair exchange: at any point in the unfolding of the protocol the difference in the probabilities of the parties having acquired the desired term is bounded by a value ε that can be made as small as necessary. Our construction uses oblivious transfer and sidesteps previo...
Modern processors can offer hardware primitives that allow a process to run in isolation. These primitives implement a trusted execution environment (TEE) in which a program can run such that the integrity and confidentiality of its execution are guaranteed. Intel's Software Guard eXtensions (SGX) is an example of such primitives and its isolated p...
Hoare’s Communicating Sequential Processes (CSP) (Hoare in Communicating Sequential Processes, Prentice-Hall Inc, Upper Saddle River, 1985) admits a rich universe of semantic models closely related to the van Glabbeek spectrum. In this paper we study finite observational models, of which at least six have been studied for CSP, namely traces, stable...
The exploitation of smart-contract vulnerabilities can have catastrophic consequences such as the loss of millions of pounds worth of crypto assets. Formal verification can be a useful tool in identifying vulnerabilities and proving that they have been fixed. In this paper, we present a formalisation of Solidity and the Ethereum blockchain using th...
This article investigates how the use of approximations can make the formal verification of concurrent systems scalable. We propose the idea of synchronisation analysis to automatically capture global invariants and approximate reachability. We calculate invariants on how components participate on global system synchronisations and use a notion of...
This work develops a type of local analysis that can prove concurrent systems deadlock free. As opposed to examining the overall behaviour of a system, local analysis consists of examining the behaviour of small parts of the system to yield a given property. We analyse pairs of interacting components to approximate system reachability and propose a...
Hoare's Communicating Sequential Processes (CSP) admits a rich universe of semantic models closely related to the van Glabbeek spectrum. In this paper we study finite observational models, of which at least six have been identified for CSP, namely traces, stable failures, revivals, acceptances, refusal testing and finite linear observations. We sho...
Inspired by the ideas of no cloning and measurable degrading that quantum key agreement protocols rely on, we devise novel key agreement protocols for the classical world. Our protocols are based on identical devices that are mass produced and distributed among parties participating in the protocol. We thus use protocols a little outside their norm...
From the output produced by a memoryless deletion channel from a uniformly random input of known length $n$, one obtains a posterior distribution on the channel input. The difference between the Shannon entropy of this distribution and that of the uniform prior measures the amount of information about the channel input which is conveyed by the outp...
Process algebras such as CCS, CSP and ACP are abstract notations for describing concurrent systems that interact via (usually) handshake-based communication. They lead to natural concepts of process state and are therefore natural candidates for model checking. We survey the area of process algebra and model checking, focusing on these three proces...
A binary string transmitted via a memoryless i.i.d. deletion channel is received as a subsequence of the original input. From this, one obtains a posterior distribution on the channel input, corresponding to a set of candidate supersequences weighted by the number of times the received subsequence can be embedded in them. In a previous work it is c...
Roscoe recently showed how HISPs, a class of protocol to allow humans to contribute to the creation of secure authentic channels between them, can be made auditable in the sense that a failed attack on them cannot be disguised as communication failure. In this paper we study the same issue for PAKEs: password authenticated key exchange protocols. W...
The use of specialised approximations for reachability, instead of exact reachability, has given rise to scalable methods to verify deadlock freedom in the context of distributed finite-state systems. In this work, we extend these approaches to check static properties. These properties capture the immediate/static behaviour of a system. The static...
One of the main challenges in pervasive computing is how we can establish secure communication over an untrusted high-bandwidth network without any initial knowledge or a Public Key Infrastructure. An approach studied by a number of researchers is building security through involving humans in a low-bandwidth “empirical” out-of-band channel where the...
This talk is about detecting failed attacks, in other words, how to let protocols evolve, or how to evolve protocols so that at least in the particular class of protocol, if somebody does try to attack it, there’s a very good chance you’ll be able to detect this attack has happened, rather than perhaps suppose it was some innocent communications...
Many distributed systems rely on token structures for their correct operation. Often, these structures make sure that a fixed number of tokens exists at all times, or perhaps that tokens cannot be completely eliminated, to prevent systems from reaching undesired states. In this paper we show how a SAT checker can be used to automatically detect tok...
We combine a prior incomplete deadlock-freedom-checking approach with two new reachability techniques to create a more precise deadlock-freedom-checking framework for concurrent systems. The reachability techniques that we propose are based on the analysis of individual components of the system; we use static analysis to summarise the behaviour tha...
Hoare's Communicating Sequential Processes (CSP) [C.A.R. Hoare. Communicating Sequential Processes. Prentice-Hall, Inc., Upper Saddle River, NJ, USA, 1985] admits a rich universe of semantic models. In this paper we study finite observational models, of which at least six have been identified for CSP, namely traces, failures, revivals, acceptances,...
We build upon established techniques of deadlock analysis by formulating a new sound but incomplete framework for deadlock freedom analysis that tackles some sources of imprecision of current incomplete techniques. Our new deadlock candidate criterion is based on constraints derived from the analysis of the state space of pairs of components. This...
We present and compare several algorithms for computing the maximal strong bisimulation, the maximal divergence-respecting delay bisimulation, and the maximal divergence-respecting weak bisimulation of a generalised labelled transition system. These bisimulation relations preserve CSP semantics, as well as the operational semantics of programs in o...
The author previously [A.W. Roscoe, On the expressiveness of CSP, https://www.cs.ox.ac.uk/files/1383/expressive.pdf, 2011; A.W. Roscoe, Understanding concurrent systems, Springer 2010] defined CSP-like operational semantics whose main restrictions were the automatic promotion of most τ actions, no cloning of running processes, and no negative premi...
FDR is an explicit-state refinement checker for the process algebra CSP and, as such, is vulnerable to the state-explosion problem. In this paper, we show how a form of partial-order reduction, an automatic state reduction mechanism, can be utilised to soundly reduce the number of states that must be visited. In particular, we develop a composition...
Failures divergence refinement 3 (FDR3) is a complete rewrite of the CSP refinement checker FDR2 that incorporates a significant number of enhancements. In this paper, we describe the operation of FDR3 at a high level and give a detailed description of several of the more important innovations. FDR3 has a new parallel refinement-checking algorithm...
This note describes an information theory problem that arose from some analysis of quantum key distribution protocols. The problem seems very natural and is very easy to state but has not to our knowledge been addressed before in the information theory literature: suppose that we have a random bit string y of length n and we reveal k bits at random...
FDR3 is a complete rewrite of the CSP refinement checker FDR2, incorporating a significant number of enhancements. In this paper we describe the operation of FDR3 at a high level and then give a detailed description of several of its more important innovations. This includes the new multi-core refinement-checking algorithm that is able to achieve a...
A well-established specification of noninterference in CSP is that, when high-level events are appropriately abstracted, the remaining low-level view is deterministic. This is not a workable definition in Timed CSP, where many processes cannot be refined to deterministic ones. We argue that in fact “deterministic” should be replaced by “maximally r...
In a process algebra with hiding and recursion it is possible to create processes which compute internally without ever communicating with their environment. Such processes are said to diverge or livelock. In this paper we show how it is possible to conservatively classify processes as livelock-free through a static analysis of their syntax. In par...
A body sensor network (BSN) is typically a wearable wireless sensor network. Security protection is critical to BSNs, since they collect sensitive personal information. Generally speaking, security protection of BSN relies on identity (ID) and key distribution protocols. Most existing protocols are designed to run in general wireless sensor network...
CSP treats internal τ actions as urgent, so that an infinite sequence of them is the misbehaviour known as divergence, and states with them available make no offer that we can rely on. While it has been possible to formulate a number of forms of abstraction in these models where the abstracted actions become τs, it has sometimes been necessary to b...
This paper reports on the challenge of designing an application for bootstrapping secure communications in ad-hoc situations. The starting point of this work was based on prior work in “spontaneous security”: making use of Human-Interactive Security Protocols (HISPs) which exploit a human-based unspoofable channel to bootstrap secure communications....
In this paper, we address the problem of applying SAT-based bounded model checking (BMC) and temporal k-induction to asynchronous concurrent systems. We investigate refinement checking in the process-algebraic setting of Communicating Sequential Processes (CSP), focusing on the CSP traces model which is sufficient for verifying safety properties. W...
Security and privacy protection for body sensor networks are nontrivial: inadequate protection could lead to the leakage of sensitive personal information and other attacks. Unfortunately, current solutions mainly rely on static and machine-oriented pre-distributed IDs, which have several weaknesses. In order to solve this problem, we propose dynam...
We describe and report upon various substantial extensions of the CSP refinement checker FDR including (i) the direct ability to handle real-time processes; (ii) the incorporation of bounded model checking technology; (iii) the development of conservative and highly efficient static analysis algorithms for guaranteeing livelock-freedom; and (iv)...
New families of protocol, based on communication over human-based side channels, permit secure pairing or group formation in ways such that no party has to prove its name. Rather, individuals are able to hook up devices in their possession to others that they can identify by context. We examine a model in which, to prove his or her identity to a pa...
Online social networks are rapidly changing our lives. Their growing pervasiveness and the trust that we develop in online identities provide us with a new platform for security applications. Additionally, the integration of various sensors and mobile devices on social networks has shortened the separation between one’s physical and virtual (i.e. w...
Message authentication codes usually require the underlining universal hash functions to have a long output so that the probability of successfully forging messages is low enough for cryptographic purposes. To take advantage of fast operation on word-size parameters in modern processors, long-output universal hashing schemes can be securely constru...
The Internet of Things (IoT) is a network of objects; it is enabled by the Internet technologies. The IoT always collects sensitive data, but inadequate protection may lead to serious user privacy leakage. Thus, privacy protection functions are important to the IoT. Our research aims to provide better privacy protections to IoTs. Firstly, user cont...
Body sensor networks enable many interesting applications. In these applications, sensor networks always collect sensitive information, thus security is significant. Since most security mechanisms are based on identities and keys, we propose a human controlled LED-camera channel based hash key before knowledge identity and key distribution protocol...
Security protection is critical to body sensor networks, since they collect sensitive personal information. Generally speaking, security protection of body sensor network relies on key distribution protocols. Most existing key distribution protocols are designed to run in general wireless sensor networks, and are not suitable for body sensor networ...
We introduce an approach to model checking cryptographic protocols that use hashing too weak to resist combinatorial attacks. Typically such hashing is used when an extremely low bandwidth channel, such as a human user, is employed to transmit its output. This leads to two opportunities for attack: deducing a weak value from its properties and disc...
The pervasive use of mobile phones has created a dynamic computing platform that a large percentage of the population carries routinely. There is a growing trend of integrating mobile phones with electronic identity, giving the phone the ability to prove or support the identity of the owner by containing, for example, a tuple of name, ID, photo and...
Using the pigeon-hole principle, we derive a new bound for the key length in a l-wise almost universal hash function where the multicollision or l-collision probability is bounded above by ∈ [0, 1]. The important features of this bound are (1) it decreases very slowly as l increases, and (2) the key length grows at least linearly with the logarithm...
This paper describes the automated translation of timed automata to tock-CSP. This translation has been implemented in a translator. The tock-CSP output of the translator can be input into FDR for the automated verification of properties of the input timed automata. It has been shown, by the use of the digitisation technique, that there are relatio...
In mobile computing applications the traditional name-based concept of identity is both difficult to support and frequently inappropriate. The natural alternative is to use the context in which parties sit to identify them. We discuss this issue and the ways in which Human Interactive Security Protocols (HISPs) can play a role in enabling this.
We introduce a formal algebraic semantics for CSP. First we show how algebraic laws can systematically reduce all finite CSP terms to a head normal form, and therefore create an Algebraic Operational Semantics. Then we show how to reduce this to a normal form for the finest CSP model as developed in Chap. 12. We can then show how a small selection o...
CSP notation has been used extensively for teaching and applying concurrency theory, ever since the publication of the text Communicating Sequential Processes by C.A.R. Hoare in 1985. Both a programming language and a specification language, the theory of CSP helps users to understand concurrent systems, and to decide whether a program meets its sp...
Tony Hoare’s many contributions to computing science are marked by insight that was grounded in practical programming. Many of his papers have had a profound impact on the evolution of our field; they have moreover provided a source of inspiration to several generations of researchers. We examine the development of his work through a review of the...
Recent results show that Hoare’s CSP, augmented by one additional operator, can express every operator whose operational semantics are expressible in a new notation and are therefore “CSP-like.” In this paper we show that π-calculus fits into this framework and therefore has CSP semantics. Rather than relying on the machinery of the earlier result...
Previous research has proposed Human-Interactive Security Protocols (HISP) for bootstrapping security in ad hoc mobile device interactions. These protocols rely on low bandwidth Out-Of-Band (OOB) channels—that are suitable for transferring limited information (e.g. fingerprints of public keys) but unsuitable for transmitting cryptographic keys due...
New families of protocol, based on communication over human-based side channels, permit secure pairing or group formation in ways that no party has to prove its name, which is particularly suitable for authentication on mobile phones. Rather, individuals are able to hook up devices in their possession to others that they can identify by context. We...
We analyse and evaluate the usability and security of the process of bootstrapping security among devices in group scenarios. While a lot of work has been done in single user scenarios, we are not aware of any that focusses on group situations. Unlike in single user scenarios, bootstrapping security in a group requires coordination, attention, and...
Summary form only. This article presents the review of the developing tool, including new model checking strategies such as those based on SAT checking and restructuring explicit searches for optimising the use of memory and parallelism.
Protocols for bootstrapping security in ad hoc mobile device interactions rely on users’ ability to perform specific tasks such as transferring or comparing fingerprints of information between devices. The size of fingerprints depends on the level of technical security required by a given application but, at the same time, is limited by users’ inab...
The differences between the fields of Human-Computer Interaction and Security (HCISec) and Human-Computer Interaction (HCI) have not been investigated very closely. Many HCI methods and procedures have been adopted by HCISec researchers, however the extent to which these apply to the field of HCISec is arguable given the fine balance between impr...
One of the main challenges in pervasive computing is how we can establish secure communication over an untrusted high-bandwidth network without any initial knowledge or a Public Key Infrastructure. An approach studied by a number of researchers is building security through human work creating a low-bandwidth empirical (or authentication) channel...
Thousands of different programming languages exist, and many more are being created each year, yet all those involved in such work must acknowledge that it is the highest goal of programming language design to enable good ideas to be elegantly expressed. These are the words of Sir Charles Antony Richard Hoare, or Tony Hoare to his colleagues and fr...
Here we look in depth at the state explosion problem and the related parameterised verification problem: how to prove a property of a general class of processes or networks. We look at induction and data independence separately, and combine them into data independent induction, which can handle many networks that neither parent method can. These in...
In previous chapters we have already discovered that traces give an incomplete picture of how processes behave, for example by failing to distinguish deterministic from nondeterministic behaviour and failing to capture deadlock properly. In this chapter we introduce the ideas of failures and divergences, which allow us to develop models that do cap...
Here we look at shared variables in depth, including a study of dirty variables via the bakery algorithm and Simpson’s 4-slot algorithm (where we propose a version that avoids known difficulties arising from dirty flag variables). We also define what it means for one shared variable program to refine another one, and introduce various ideas necessa...
This chapter describes FDR and how to use this tool effectively. We describe how to interact with the FDR user interface, and how to program in CSP_M and its functional sub-language which is roughly equivalent to Haskell. We see what FDR can and cannot do, and how to play to its strengths. For example we see—in an example based on finding a Hamilto...
This chapter covers a number of more advanced topics in the implementation and use of FDR. The first of these are in-depth studies of normalisation and the other compression operators that FDR uses, the latter including types of bisimulation and the CSP-specific diamond operator. We then look at ideas for partial order reduction and “lazy compressi...
This chapter develops the tock-CSP model of CSP introduced in Chap. 14 of Theory and Practice of Concurrency. We see how incorporating time into CSP models necessarily changes our understanding of the processes represented in this dialect. We develop a major new case study: the Bully algorithm for leadership election, and explain the use of the τ-p...
This chapter introduces a number of case studies that we will meet many times in the rest of the book. The first of these shows you how you can code Sudoku puzzles in CSP and use FDR to solve them. The second shows how designing a routing network can easily lead to deadlock but how well designed networks can work reliably: we offer a number of alte...
Here we look at the other CSP view of timed systems, namely Timed CSP in which time appears implicitly rather than as an explicit tock. We concentrate on the discrete variant of this, based on a semantic model involving tock to record the passage of time, and show how it can be implemented in a variant of tock-CSP. We use the alternating bit protoc...
There are two dimensions to study when we try to understand what behavioural models for CSP exist: what finitely observable things to record and what infinitely observable things to add to these. In this chapter we study what finite observation models exist. We examine the long-understood acceptances or ready-sets and refusal testing models. We dis...
We look at two ideas which are not normally thought of as within the scope of CSP, namely priority and mobility. These are motivated by a CSP study of finding a (chess) knight’s tour. We introduce a priority operator that is consistent with some of the standard models of CSP. As examples of priority we study Statecharts via a burglar alarm case stu...
This chapter completes the CSP language by introducing three operators that allow one process to hand control on to another. In sequential composition P;Q this happens when the first process terminates successfully via a special action ✓. In interrupt P △ Q this happens when the environme...
We introduce the syntax that CSP uses to create basic sequential processes: prefixing, recursion and conditional, external and internal choice. The ideas and syntax of events and channels is introduced. We learn the distinction between deterministic and nondeterministic behaviour. Examples include buffer and counter processes, and processes that de...
This introduces the three types of formalism that this book uses to study CSP. The first of these is algebra: we give and explain many examples of algebraic laws that CSP operators satisfy as well as comparing these to familiar laws from arithmetic and set theory. Denotational semantics is based on behavioural models such as traces: we introduce ru...
This chapter shows how one can write a compiler in CSP_M and base a tool around the result. In this case that compiler is for shared variable programs, so this chapter is also an introduction to that subject. We study this through examples such as mutual exclusion, including Lamport’s bakery algorithm, and the dining philosophers. The compiler is b...
Here we study how infinite behaviours can be added to these models. We get three classes of models in addition to the finite observation ones. The first of these, adding only divergence, can cope with finitely nondeterministic CSP with divergence strictness. The second, in which infinite traces and similar behaviours are added, can handle infinitel...
We meet some new operators. Hiding (P\X) allows you to conceal the internal actions of a process from the outside world. Renaming (P〚R〛) gives a flexible way of changing the labels on the events that a process communicates into different labels seen by the outside world. We see how hiding can create more natural models of parallel systems but can c...
This is an in-depth study of the operational semantics of CSP and of the transition systems these are based on. We study the difference between finitely and infinitely branching transition systems, and between ordinary LTSs and ones where there may be acceptance or divergence information in additional labels on states. We show how CSP can be given...
This chapter studies denotational semantics in more depth than in the introductory chapters. We discuss the nature of behavioural models and what is required of them. We see how CSP definitions of operators naturally lead to distributive operators, and discuss topics such as full abstraction and congruence with operational semantics. We look in det...
We meet the main parallel operators of CSP: synchronous, alphabetised, interleaving and generalised parallel. We see how processes can influence each other and transfer data along channels by synchronising on all or some of their events. Examples include people trying to agree on joint lives, bargaining in a shop, and the five dining philosophers w...
With the flourishing development of efficient SAT-solvers, bounded model checking (BMC) has proven to be an extremely powerful symbolic model checking technique. In this paper, we address the problem of applying BMC to concurrent systems involving the interaction of multiple processes running in parallel. We adapt the BMC framework to the context...