James Riely
DePaul University · School of Computing

PhD

About

69 Publications
4,298 Reads
1,999 Citations
Citations since 2017: 8 research items, 345 citations

Publications (69)
Article
Program logics and semantics tell a pleasant story about sequential composition: when executing (S1;S2), we first execute S1 then S2. To improve performance, however, processors execute instructions out of order, and compilers reorder programs even more dramatically. By design, single-threaded systems cannot observe these reorderings; however, mult...
Article
Relaxed memory models must simultaneously achieve efficient implementability and thread-compositional reasoning. Is that why they have become so complicated? We argue that the answer is no: It is possible to achieve these goals by combining an idea from the 60s (preconditions) with an idea from the 80s (pomsets), at least for X64 and ARMv8. We show...
Conference Paper
We define local transactional race freedom (LTRF), which provides a programmer model for software transactional memory. LTRF programs satisfy the SC-LTRF property, thus allowing the programmer to focus on sequential executions in which transactions execute atomically. Unlike previous results, SC-LTRF does not require global race freedom. We also pr...
Chapter
Full-text available
We address the problem of validity in eventually consistent (EC) systems: In what sense does an EC data structure satisfy the sequential specification of that data structure? Because EC is a very weak criterion, our definition does not describe every EC system; however it is expressive enough to describe any Convergent or Commutative Replicated Dat...
Article
Full-text available
The integration of transactions into hardware relaxed memory architectures is a topic of current research both in industry and academia. In this paper, we provide a general architectural framework for the introduction of transactions into models of relaxed memory in hardware, including the SC, TSO, ARMv8 and PPC models. Our framework incorporates f...
Article
To model relaxed memory, we propose confusion-free event structures over an alphabet with a justification relation. Executions are modeled by justified configurations, where every read event has a justifying write event. Justification alone is too weak a criterion, since it allows cycles of the kind that result in so-called thin-air reads. Acyclic...
Conference Paper
This is the first paper to propose a pure event structures model of relaxed memory. We propose confusion-free event structures over an alphabet with a justification relation as a model. Executions are modeled by justified configurations, where every read event has a justifying write event. Justification alone is too weak a criterion, since it allow...
Conference Paper
Full-text available
We address a fundamental issue of interfaces that arises in the context of cloud computing. We define what it means for a replicated and distributed implementation to satisfy the standard sequential specification of the data structure. Several extant implementations of replicated data structures already satisfy the constraints of our definition. We de...
Article
Full-text available
Session types describe and constrain the input/output behavior of systems. Existing session typing systems have limited support for polymorphism. For example, existing systems cannot provide the most general type for a generic proxy process that forwards messages between two channels. We provide a polymorphic session typing system for the π calculu...
Conference Paper
Full-text available
Digital forensics reports typically document the search process that has led to a conclusion; the primary means to verify the report is to repeat the search process. We believe that, as a result, the Trusted Computing Base for digital forensics is unnecessarily large and opaque. We advocate the use of forensic certificates as intermediate artifacts...
Conference Paper
Full-text available
Linearizability is the de facto correctness criterion for concurrent data structures. Unfortunately, linearizability imposes a performance penalty which scales linearly in the number of contending threads. Quiescent consistency is an alternative criterion which guarantees that a concurrent data structure behaves correctly when accessed sequentially...
Conference Paper
Full-text available
In sequential computing, every method of an object can be described in isolation via preconditions and postconditions. However, reasoning in a concurrent setting requires a characterization of all possible interactions across method invocations. Herlihy and Wing [1990]'s notion of linearizability simplifies such reasoning by intuitively ensuring tha...
Conference Paper
We study indexed necessity modalities in intuitionist S4. These provide the logical foundation required by a variety of applications, such as capability-based policy languages for access control and type theories for exceptional computation. We establish noninterference properties capturing the limitations on information flow between formulas under...
Conference Paper
The possession of secrets is a recurrent theme in security literature and practice. We present a refinement type system, based on indexed intuitionist S4 necessity, for an object calculus with explicit locations (corresponding to principals) to control the principals that may possess a secret. Type safety ensures that if the execution of a well-type...
Conference Paper
Full-text available
We revisit the Brookes [1996] semantics for a shared variable parallel programming language in the context of the Total Store Ordering (TSO) relaxed memory model. We describe a denotational semantics that is fully abstract for Brookes' language and also sound for the new commands that are specific to TSO. Our description supports the folklore sentime...
Article
Multicore computers implementing weak memory models are mainstream, yet type-based analyses of these models remain rare. We help fill this gap. We not only prove the soundness of a type system for a weak execution model, but we also show that interesting properties of that model can be embedded in the types themselves. We argue that correspondence...
Conference Paper
Full-text available
Randomization is used in computer security as a tool to introduce unpredictability into the software infrastructure. In this paper, we study the use of randomization to achieve the secrecy and integrity guarantees for local memory. We follow the approach set out by Abadi and Plotkin. We consider the execution of an idealized language in two enviro...
Conference Paper
Full-text available
The specification of the Java Memory Model (jmm) is phrased in terms of acceptors of execution sequences rather than the standard generative view of operational semantics. This creates a mismatch with language-based techniques, such as simulation arguments and proofs of type safety. We describe a semantics for the jmm using standard programming la...
Conference Paper
Full-text available
Static analyses allow dangerous code to be rejected before it runs. The distinct security concerns of code providers and end users necessitate that analysis be performed, or at least confirmed, during deployment rather than development; examples of this approach include bytecode verification and proof-carrying code. The situation is more complex in...
Conference Paper
Full-text available
Accountability mechanisms, which rely on after-the-fact verification, are an attractive means to enforce authorization policies. In this paper, we describe an operational model of accountability-based distributed systems. We describe analyses which support both the design of accountability systems and the validation of auditors for finitary account...
Conference Paper
Full-text available
Existing web services and mashups exemplify the need for flexible construction of distributed applications. How to do so securely remains a topic of current research. We present TAPIDO, a programming model to address Trust and Authorization concerns via Provenance and Integrity in systems of Distributed Objects. Creation of TAPIDO objects requires...
Article
Existing web services and mashups exemplify the need for flexible construction of distributed applications. How to do so securely remains a topic of current research. We present TAPIDO, a programming model to address Trust and Authorization concerns via Provenance and Integrity in systems of Distributed Objects. Creation of TAPIDO objects requires...
Article
Full-text available
We study mechanisms that permit program components to express role constraints on clients, focusing on programmatic security mechanisms, which permit access controls to be expressed, in situ, as part of the code realizing basic functionality. In this setting, two questions immediately arise: (1) The user of a component faces the issue of safety: is...
Conference Paper
Full-text available
In computing systems, trust is an expectation on the dynamic behavior of an agent; static analysis is a collection of techniques for establishing static bounds on the dynamic behavior of an agent. We study the relationship between code identity, static analysis and trust in open distributed systems. Our primary result is a robust safety theorem exp...
Conference Paper
Full-text available
We address the programmatic realization of the access control model of security in distributed systems. Our aim is to bridge the gap between abstract/declarative policies and their concrete/operational implementations. We present a programming formalism (which extends the asynchronous pi-calculus with explicit principals) and a specification logic...
Conference Paper
Full-text available
We present a preliminary report on typing systems for polyadic µABC, aspect oriented programming—pointcuts and advice—and nothing else. Tuples of uninterpreted names are used to trigger advice. The resulting language is remarkably unstructured: the least common denominator of the pi-calculus and Linda. As such, developing meaningful type system...
Conference Paper
Full-text available
Multiple firewalls typically cooperate to provide security properties for a network, despite the fact that these firewalls are often spatially distributed and configured in isolation. Without a global view of the network configuration, such a system is ripe for misconfiguration, causing conflicts and major security vulnerabilities. We propose FL...
Article
We study the incorporation of generic types in aspect languages. Since advice acts like method update, such a study has to accommodate the subtleties of the interaction of classes, polymorphism and aspects. Indeed, simple examples demonstrate that current aspect compiling techniques do not avoid runtime type errors. We explore type systems with poly...
Chapter
Full-text available
Site failure is an essential aspect of distributed systems; nonetheless its effect on programming language semantics remains poorly understood. To model such systems, we define a process calculus in which processes are run at distributed locations. The language provides operators to kill locations, to test the status (dead or alive) of locations, a...
Conference Paper
Full-text available
Remote attestation allows programs running on trusted hardware to prove their identity (and that of their environment) to programs on other hosts. Remote attestation can be used to address security concerns if programs agree on the meaning of data in attestations. This paper studies the enforcement of code-identity based access control pol...
Article
We study mechanisms that permit program components to express role constraints on clients, focusing on programmatic security mechanisms, which permit access controls to be expressed, in situ, as part of the code realizing basic functionality. In this setting, two questions immediately arise: • The user of a component faces the issue of safety:...
Conference Paper
Full-text available
Aspect-oriented programming is emerging as a powerful tool for system design and development. In this paper, we study aspects as primitive computational entities on par with objects, functions and horn-clauses. To this end, we introduce μABC, a name-based calculus, that incorporates aspects as primitive. In contrast to earlier work on aspects in th...
Article
Full-text available
Aspect-oriented programming is emerging as a powerful tool for system design and development. In this paper, we study aspects as primitive computational entities on par with objects, functions and horn-clauses. To this end, we introduce ABC, a minimal calculus that incorporates aspects as primitive. In contrast to earlier work on aspects in the con...
Article
Full-text available
We describe a typing system for a distributed π-calculus which guarantees that distributed agents cannot access the resources of a system without first being granted the capability to do so. The language studied allows agents to move between distributed locations and to augment their set of capabilities via communication with other agents. The type...
Article
Full-text available
Aspects have emerged as a powerful tool in the design and development of systems, allowing for the encapsulation of program transformations. In earlier work, we described an untyped calculus of aspect programs with a direct description of the dynamic semantics. This calculus provides a specification for the correctness of weaving.
Conference Paper
Full-text available
Aspects have emerged as a powerful tool in the design and development of systems, allowing for the encapsulation of program transformations. The dynamic semantics of aspects is typically specified by appealing to an underlying object-oriented language via a compiler transformation known as weaving. This treatment is unsatisfactory for several reaso...
Article
We propose an extension of the asynchronous π-calculus in which a variety of security properties may be captured using types. These are an extension of the input/output types for the π-calculus in which I/O capabilities are assigned specific security levels. The main innovation is a uniform typing system that, by varying slightly the allowed set of...
Article
We describe a typing system for a distributed π-calculus which guarantees that distributed agents cannot access the resources of a system without first being granted the capability to do so. The language studied allows agents to move between distributed locations and to augment their set of capabilities via communication with other agents. The type...
Conference Paper
Full-text available
Flattening is a program transformation that eliminates nested parallel constructs, introducing flat parallel (vector) operations in their place. We define a sufficient syntactic condition for the correctness of flattening, providing a static approximation of Blelloch's "containment". This is achieved using a typing system that tracks the control...
Article
Full-text available
In open distributed systems of mobile agents, where code from remote sites may run locally, protection of sensitive data and system resources is of paramount importance. We present a security-based typing system that provides such protection, using a mix of static and runtime typing; mobile agents are allowed access to local resources in accordan...
Conference Paper
Full-text available
We propose an extension of the asynchronous π-calculus in which a variety of security properties may be captured using types. These are an extension of the Input/Output types for the π-calculus in which I/O capabilities are assigned specific security levels. We define a typing system which ensures that processes running at security level σ cannot...
Article
Full-text available
In open distributed systems of mobile agents, where code from remote sites may run locally, protection of sensitive data and system resources is of paramount importance. We present a capability-based typing system that provides such protection, using a mix of static and runtime typing. We formalize security violations as runtime errors and prove...
Article
Site failure is an essential aspect of distributed systems; nonetheless its effect on programming language semantics remains poorly understood. To model such systems, we define a process calculus in which processes are run at distributed locations. The language provides operators to kill locations, to test the status (dead or alive) of locations, a...
Article
Full-text available
The Proteus language is a wide-spectrum parallel programming notation that supports the expression of both high-level architecture-independent specifications and lower-level architecture-specific implementations. A methodology based on successive refinement and interactive experimentation supports the development of parallel algorithms from specif...
Article
We describe a foundational language for specifying dynamically evolving networks of distributed processes, Dπ. The language is a distributed extension of the π-calculus which incorporates the notions of remote execution, migration, and site failure. Novel features of Dπ include: 1. Communication channels are explicitly located: the use of a channel...
Article
Full-text available
We describe a foundational language for specifying dynamically evolving networks of distributed processes, Dπ. The language is a distributed extension of the π-calculus which incorporates the notions of remote execution, migration, and site failure. Novel features of Dπ include: 1. Communication channels are explicitly located: the use of a channel...
Article
The work/step framework provides a high-level cost model for nested data-parallel programming languages, allowing programmers to understand the efficiency of their codes without concern for the eventual mapping of tasks to processors. Vectorization, or flattening, is the key technique for compiling nested-parallel languages. This paper presents a f...
Conference Paper
Full-text available
The work/step framework provides a high-level cost model for nested data-parallel programming languages, allowing programmers to understand the efficiency of their codes without concern for the eventual mapping of tasks to processors. Vectorization, or flattening, is the key technique for compiling nested-parallel languages. This paper presents a f...
Conference Paper
This paper presents a framework for the abstract interpretation of processes that pass values. We define a process description language that is parameterized with respect to the set of values that processes may exchange and show that an abstraction over values induces an abstract semantics for processes. Our main results state that if the abstract...
Conference Paper
Full-text available
This paper presents a framework for the abstract interpretation of processes that pass values. We define a process description language that is parameterized with respect to the set of values that processes may exchange and show that an abstraction over values induces an abstract semantics for processes. Our main results state that if the abstrac...
Article
Full-text available
We present a partially-typed semantics for Dπ, a distributed π-calculus. The semantics is designed for mobile agents in open distributed systems in which some sites may harbor malicious intentions. Nonetheless, the semantics guarantees traditional type-safety properties at good locations by using a mixture of static and dynamic type-checking. We...
Conference Paper
Full-text available
We present a partially-typed semantics for Dπ, a distributed π-calculus. The semantics is designed for open distributed systems in which some sites may harbor malicious agents. Nonetheless, the semantics guarantees traditional type-safety properties at "good" locations by using a mixture of static and dynamic type-checking. The run-time semantics...
Chapter
Full-text available
We define bisimilarity for an aspect extension of the untyped lambda calculus and prove that it is sound and complete for contextual reasoning about programs. The language we study is very small, yet powerful enough to encode mutable references and a range of temporal pointcuts. We extend formal studies of Open Modules to this more general setting....
Article
Full-text available
The advent of Trusted Computing (TC) has introduced an important new capability for establishing trust between distributed agents in the form of remote attestation. It has been noted, however, that current standards for remote attestation are too inflexible to be practically utilized beyond a few specific applications, such as Digital Rights Manag...
Article
Full-text available
Tools for constructing proofs of correctness of programs have a long history of development in the research community, but have often faced difficulty in being widely deployed in software development tools. In this paper, we demonstrate that the off-the-shelf Java type system is already powerful enough to encode non-trivial proofs of correctness u...
Article
Full-text available
Challenges: We argue that current formal approaches to cryptographic protocols are at an inappropriate level of abstraction when used to address Web 2.0 Security and Privacy issues. 1. They lack an explicit and primitive notion of identity. The foundations — usually based on an (applied) pi-calculus — are organized around channel names and communic...
Article
Full-text available
Aspect-oriented programming (AOP) has been touted as a promising paradigm for managing complex software-security concerns. Roughly, AOP allows the security-sensitive events in a system to be specified separately from core functionality. The events of interest are specified in a pointcut. When a pointcut triggers, control is redirected to advic...
Article
Full-text available
Remote attestation allows programs running on trusted hardware to prove their identity (and that of their environment) to programs on other hosts. Remote attestation can be used to address security concerns if programs agree on the meaning of data in attestations. This paper studies the enforcement of code-identity based access control policies in...
Article
Full-text available
We study a notion of secrecy that arises naturally in adversarial systems. Let all agents agree on a space of possible values. An honest agent chooses one of these values, and aims to make sure that this particular choice cannot be reliably guessed by an adversary, even in the context of a distributed protocol. An example is an agent that uses an h...
Article
Full-text available
Static analysis using typestates can ensure that dynamic object protocols are respected, for example that an object is accessed only after it is initialized. Typestate analyses often impose aliasing and linearity constraints, limiting their applicability to common practice. Monotone typestates avoid such constraints by limiting attention to proper...
Article
Flattening is a program transformation that eliminates nested parallel constructs, introducing flat parallel (vector) operations in their place. We define a sufficient syntactic condition for the correctness of flattening, providing a static approximation of Blelloch’s “containment”. This is achieved using a typing system that tracks the control fl...
Article
Full-text available
Thesis (Ph. D.)--University of North Carolina at Chapel Hill, 1999. Includes bibliographical references (leaves 112-118).