No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Call-by-Contract for Service Discovery, Orchestration and Recovery
Abstract
We present a framework for designing and composing services in a “call-by-contract” fashion, i.e. according to their behavior.
We discuss how to correctly plan service compositions in some relevant classes of services and behavioral properties. To this
aim, we propose both a core functional calculus for services, and a graphical design language. The core calculus features
primitives for selecting and invoking services that respect given behavioral requirements, typically safety properties on
the service execution history. A type and effect system over-approximates the actual run-time behavior of services. A further
static analysis step finds the viable plans that drive the selection of those services matching the behavioral requirements
on demand.
... The contracts of Castagna et al. [3,4] take the form of CCS processes and permit to describe if the interaction between two parties terminates or gets stuck, and when a service can be replaced with a more general one. Instead Bartoletti et al. [1,2] introduce a core calculus for services that extends the λ-calculus with primitives for composing services in a call-bycontract fashion under security properties. They develop a static technique for extracting the abstract behaviour of a service (called History Expression) that must obey the security policies. ...
... The main novelty of our approach lies in exploiting standard techniques of model checking for controlling compliance of behavioural contracts. Also differently from [1][2][3] we manage both multi-party contracts and sessions. Due to lack of space, we cannot compare in more detail the vaste existing literature in this field, and refer the interested reader to [6]. ...
We outline a methodology to check the compliance of ser-vice orchestration with respect to service contracts. The contract of a service is expressed by a finite state automaton, while the traces of the or-chestration form a context-free language. A contract asserts the security policy controlling resource accesses, including accesses to the communi-cation channels, so making manifest also the client-service interactions. The key idea of the methodology is controlling both access control and compliance by an appropriate model-checking technique. Our approach naturally deals with multi-party contracts.
... λ-calculus, logics, event-structures. Services are represented in [10, 9] by λ-expressions, and safety policies are imposed over their interactions. A type and effect system is used to compute the types of the services and their abstract behaviours, that are then model checked at static time to guarantee that the required policies are always satisfied. ...
An approach to the formal description of service contracts is presented in terms of automata. We focus on the basic property of guaranteeing that in the multi-party composition of principals each of them gets his requests satisfied, so that the overall composition reaches its goal. Depending on whether requests are satisfied synchronously or asynchronously, we construct an orchestrator that at static time either yields composed services enjoying the required properties or detects the principals responsible for possible violations. To do that in the asynchronous case we resort to Linear Programming techniques. We also relate our automata with two logically based methods for specifying contracts.
... Previous work have tackled similar issues. We only mention a few that use the λ-calculus [4, 5, 8], process calculi [14, 15, 1], non-classical logics [7]. Here, we introduce an automata-based model for contracts called contract automata (CA), that are a special kind of finite state automata endowed with two composition operators , involving many parties and reflecting two different orchestration policies. ...
A novel approach to the formal description of service contracts is presented in terms of automata. We focus on the basic property of guaranteeing that in the multi-party composition of principals each individual gets his requests satisfied, so that the overall composition reaches its goal. Depending on whether requests are satisfied synchronously or asynchronously, we construct an orchestrator that at static time either yields composed services enjoying the required properties or detects the individuals responsible for possible violations. To do that in the asynchronous case we resort to techniques from Operational Research.
Process-algebraic methods have proven to be excellent tools for designing and analysing concurrent systems. In this paper we review several process calculi and languages developed and studied by Rocco De Nicola and his students and colleagues in the three EU projects AGILE, SENSORIA, and ASCENS. These calculi provide a theoretical basis for engineering mobile, service-oriented, and collective autonomic systems. KLAIM is a framework for distributed mobile agents consisting of a kernel language, a stochastic extension, a logic for specifying properties of mobile applications, and an automatic tool for verifying such properties. In the AGILE project of the EU Global Computing Initiative I, KLAIM served as a the process-algebraic basis for an architectural approach to mobile systems development. For modelling and analysing service-oriented systems, a family of process-algebraic core calculi was developed in the SENSORIA project of the EU Global Computing Initiative II. These calculi address complementary aspects of service-oriented programming such as sessions and correlations. They come with reasoning and analysis techniques, specification and verification tools as well as prototypical analyses of case studies. In the ASCENS project, the language SCEL was developed for modelling and programming systems consisting of interactive autonomic components. SCEL is based on process-algebraic principles and supports formal description and analysis of the behaviours of ensembles of autonomic components.
Internet is offering a variety of services, that are assembled to accomplish requests made by clients. While serving a request, security of the communications and of the data exchanged among services is crucial. Furthermore, communications occur along specific channels, and it is equally important to guarantee that the interactions between a client and a server never get blocked because either cannot access a selected channel. We address here both these problems, from a formal point of view. A static analysis is presented, guaranteeing that a composition of a client and of possibly nested services respects both security policies for access control, and compliance between clients and servers.
In this book we shall introduce four of the main approaches to program analysis: Data Flow Analysis, Control Flow Analysis, Abstract Interpretation, and Type and Effect Systems. Each of Chapters 2 to 5 deals with one of these approaches to some length and generally treats the more advanced material in later sections. Throughout the book we aim at stressing the many similarities between what may at a first glance appear to be very unrelated approaches. To help getting this idea across, and to serve as a gentle introduction, this chapter treats all of-the approaches at the level of examples. The technical details are worked-out but it may be difficult to apply the techniques to related examples until some of the material of later chapters have been studied.
Abstract This deliverable addresses the description of non-functional properties for Web services. It provides a survey of solutions to this problem for Web services in particular and Software Systems in general. Fur- thermore, it takes the most relevant non-functional properties models adopted from [O’Sullivan et al., 2005] and provides possible solutions for specifying them in a formal manner, using WSMO/WSML. These solutions can be seen as possible extensions of non-functional properties description support in WSMO/WSML. Copyright c ∞ 2004 DERI , ∞ , All Rights Reserved.
We study how to compose services in the presence of security con-straints. By analysing the abstract behaviour of a set of services, we are able to determine the plans that drive safe program executions. These plans can be of different kinds, and we study here three of them, with different expressive power. Simple plans choose a single service for each request; multi-choice plans instead can choose among a set of services; dependent plans exploit the knowledge of past choices to decide for the future ones.
A trend in software engineering is towards model-driven development. Models are used to document requirements, design results,
and analysis in early phases of the development process. However, the aim of modeling is very often more ambitious as models
are used for automatic generation in so-called model-driven engineering approaches. The relevance of models leads to the need
of both, high-level domain specific modeling languages (DSML), and metamodels which are the basis for the definition of model
transformations and code generation.
For the service-oriented computing domain we developed within the Sensoria project a DSML for building and transforming SOA models. This DSML is defined as a family of UML profiles, which complement
the SoaML profile for the specification of SOAs structure. Our family of profiles focus on orchestration of services, service-level
agreements, non-functional properties of services, implementation of service modes and service deployment.
We propose a model for specifying, analysing and enforcing safe usage of resources. Our usage policies allow for parametricity
over resources, and they can be enforced through finite state automata. The patterns of resource access and creation are described
through a basic calculus of usages. In spite of the augmented flexibility given by resource creation and by policy parametrization,
we devise an efficient (polynomial-time) model-checking technique for deciding when a usage is resource-safe, i.e. when it
complies with all the relevant usage policies.
Interacting with a web service enabled marketplace in order to achieve a complex task involves sequencing a set of individual service operations, gathering information from the services, and making choices. We propose to encode the problem of issuing requests to a composi- tion of web services as a constraint programming problem. In particular, we provide algorithms to encode nondeterministic web service business processes and user goals given in an expressive request language.
Service Level Agreements are a key issue in Service Oriented Com- puting. SLA contracts specify client requirements and service guarantees, with emphasis on Quality of Service (cost, performance, availability, etc.). In this work we propose a simple model of contracts for QoS and SLAs that also allows to study mechanisms for resource allocation and for joining different SLA require- ments. Our language combines two basic programming paradigms: name-passing calculi and concurrent constraint programming (cc programming). Specifically, we extend cc programming by adding synchronous communication and by pro- viding a treatment of names in terms of restriction and structural axioms closer to nominal calculi than to variables with existential quant ification. In the result- ing framework, SLA requirements are constraints that can be generated either by a single party or by the synchronisation of two agents. Moreover, restricting the scope of names allows for local stores of constraints, which may become global as a consequence of synchronisations. Our approach relies on a system of named constraints that equip classical constraints with a suitab le algebraic struc- ture providing a richer mechanism of constraint combination. We give reduction- preserving translations of both cc programming and the calculus of explicit fu- sions.
We introduce basic language constructs and a type discipline as a foundation of structured communication-based concurrent programming. The constructs, which are easily translatable into the summation-less asynchronous 7r-calculus, allow programmers to organise programs as a combination of multiple flows of (possibly unbounded) reciprocal interactions in a simple and elegant way, subsuming the preceding communication primitives such as method invocation and rendez-vous. The resulting syntactic structure is exploited by a type discipline a la ML, which offers a high-level type abstraction of interactive behaviours of programs as well as guaranteeing the compatibility of interaction patterns between processes in a well-typed program. After presenting the formal semantics, the use of language constructs is illustrated through examples, and the basic syntactic results of the type discipline are established. Implementation concerns are also addressed.
We introduce COWS (Calculus for Orchestration of Web Services), a new foundational language for SOC whose design has been influenced by WS-BPEL, the de facto standard language for orchestration of web services.
COWS combines in an original way a number of ingredients borrowed from well-known process calculi, e.g. asynchronous communication, polyadic synchroniza-tion, pattern matching, protection, delimited receiving and killing activities, while resulting different from any of them. Several examples illustrates COWS peculiarities and show its expressiveness both for modelling imperative and orchestration constructs, e.g. web services, flow graphs, fault and compensation handlers, and for encoding other process and orchestration languages.
This article relates two different paradigms of descriptions of communication behavior, one focusing on global message flows and another on end-point behaviors, using formal calculi based on session types. The global calculus, which originates from a Web service description language (W3C WS-CDL), describes an interaction scenario from a vantage viewpoint; the end-point calculus, an applied typed π-calculus, precisely identifies a local behavior of each participant. We explore a theory of end-point projection, by which we can map a global description to its end-point counterparts preserving types and dynamics. Three principles of well-structured description and the type structures play a fundamental role in the theory.
An extension of the -calculus is proposed, to study resource usage analysis and verication. Resources can be dynamically created, and passed/ re- turned by functions; their usages have side e ects, represented by events. Usage policies are properties over histories of events, and have a possibly nested, local scope. A type and e ect system over-approximates the set of histories a program can generate at run-time. A crucial point solved here concerns correctly associ- ating fresh resources with their usages within approximations. A second issue is that these approximations may contain an unbounded number of fresh resources. Despite of that, we have devised a technique to model-check validity of approx- imations. A program with a valid approximation is resource-safe: no run-time monitor is needed to safely drive its executions.
An extension of the λ-calculus is proposed, to study history-based access control. It allows for security policies with a possibly nested, local
scope. We define a type and effect system that, given a program, extracts a history expression, i.e. a correct approximation
to the set of histories obtainable at run-time. Validity of history expressions is non-regular, because the scope of policies
can be nested. Nevertheless, a transformation of history expressions is presented, that makes verification possible through
standard model checking techniques. A program will never fail at run-time if its history expression, extracted at compile-time,
is valid.
This paper shows how type effect systems can be combined with model-checking techniques to produce powerful, automatically verifiable program logics for higher-order programs. The properties verified are based on the ordered sequence of events that occur during program execution — an event history. Our type and effect systems automatically infer conservative approximations of the event histories arising at run- time, and model-checking techniques are used to verify logical properties of these histories.
Our language model is based on the λ -calculus. Technical results include a powerful type inference algorithm for a polymorphic type effect system, and a method for applying known model-checking techniques to the history effects inferred by the type inference algorithm, allowing static enforcement of history- and stack-based security mechanisms.
A distributed calculus is proposed for describing networks of services. We model service interaction through a call-by-property invocation mechanism, by specifying the security constraints that make their composition safe. A static approach is then proposed to determine how to compose services and guarantee that their execution is always secure, without resorting to any dynamic check
A static approach is proposed to study secure composition of software. We extend the λ-calculus with primitives for invoking services that respect given security requirements. Security-critical code is enclosed in policy framings with a possibly nested, local scope. Policy framings enforce safety and liveness properties of execution histories. The actual histories that can occur at runtime are over-approximated by a type and effect system. These approximations are model-checked to verify policy framings within their scopes. This allows for removing any runtime execution monitor, and for selecting those services that match the security requirements.
We present a framework for designing and composing services in a secure manner. Services can enforce security policies locally, and can invoke other services in a “call-by-contract” fashion. This mechanism offers a significant set of opportunities, each driving secure ways to compose services. We discuss how to correctly plan service orchestrations in some relevant classes of services and security properties. To this aim, we propose both a core functional calculus for services and a graphical design language. The core calculus is called λreq
[10]. It features primitives for selecting and invoking services that respect given behavioural requirements. Critical code can be enclosed in security framings, with a possibly nested, local scope. These framings enforce safety properties on execution histories. A type and effect system over-approximates the actual run-time behaviour of services. Effects include the actions with possible security concerns, as well as information about which services may be selected at run-time. A verification step on these effects allows for detecting the viable plans that drive the selection of those services that match the security requirements on demand.
Component adaptation is widely recognised to be one of the crucial problems in Component-Based Software Engineering. The objec- tive of this paper is to set a formal foundation for the adaptation of het- erogeneous components that present mismatching interaction behaviour. The proposed adaptation methodology relies on: (1) the inclusion of be- havioural types in component interfaces, to describe the interaction be- haviour of components, (2) a simple high-level notation for adaptor spec- ification, to express the intended connection between component inter- faces, and (3) a formal definition of adaptor, a component-in-the-middle capable of making two components interoperate successfully according to a given specification.
We seek for a small set of primitives that might serve as a basis for formalising and programming service oriented applications
over global computers. As an outcome of this study we introduce here SCC, a process calculus that features explicit notions of service definition, service invocation and session handling. Our proposal
has been influenced by Orc, a programming model for structured orchestration of services, but the SCC’s session handling mechanism allows for the definition of structured interaction protocols, more complex than the basic request-response provided by Orc. We present syntax and operational semantics of SCC and a number of simple but nontrivial programming examples that demonstrate flexibility of the chosen set of primitives.
A few encodings are also provided to relate our proposal with existing ones.
An extension of the -calculus is proposed to study history- based access control. It allows for parametrized security policies with a possibly nested, local scope. To govern the rich interplay between lo- cal policies, we propose a combination of static analysis and dynamic checking. A type and eect system extracts from programs a correct approximation to the histories obtainable at run-time. A further static analysis over these approximations determines how to instrument code so to enforce the desired security constraints. The execution monitor, based on nite-state automata, runs ecien tly the instrumented code.
Service-oriented computing is an emerging paradigm where services are understood as autonomous, platform-independent computational entities that can be described, published, categorised, discovered, and dynamically assembled for developing massively distributed, interoperable, evolvable systems and appli- cations. The IST-FET Integrated Project SENSORIA aims at developing a novel comprehensive approach to the engineering of service-oriented software systems where foundational theories, techniques and methods are fully integrated in a pragmatic software engineering approach. In this paper we present first ideas for the SENSORIA semantic-based development of service-oriented systems. This in- cludes service-oriented extensions to the UML, a mathematical basis formed by a family of process calculi, a language for expressing context-dependent soft con- straints and preferences, qualitative and quantitative analysis methods, and model transformations from UML to process calculi. The results are illustrated by a case study in the area of automotive systems.
This paper describes the design and the prototype implementation of a middleware, called Java Signal Core Layer (JSCL), for coordinating distributed services. JSCL supports the coordination of distributed services by exploiting an event notification paradigm. The design and the implementation of JSCL has been inspired and driven by its formal specification given as a process calculus, the Signal Calculus (SC). At the experimental level JSCL has been exploited to im- plement Long Running Transactions (LRTs).
An extension of the λ-calculus is proposed, to study resource usage analysis and verification. It features usage policies with a possibly nested, local scope, and dynamic creation of resources. We define a type and effect system that, given a program, extracts a history expression, that is, a sound overapproximation to the set of histories obtainable at runtime. After a suitable transformation, history expressions are model-checked for validity. A program is resource-safe if its history expression is verified valid: If such, no runtime monitor is needed to safely drive its executions.
Session types describe the interactions between two parties within multi-party communications. They constitute a communication pro- tocol in the sense that the order and type of interactions between two parties are specified. For their part, correspondence assertions provide a mechanism for synchronization. When session types and correspon- dence assertions are combined, they are able to describe synchroniza- tion across dierent communication sessions, yielding a rich language for imposing expressive interaction patterns in multi-party communi- cations. This paper studies the typechecking problem for Iris, a typed - calculus that combines session types and correspondence assertions. We define a typechecking algorithm and prove that it is sound and complete with respect to the typing rules. Furthermore, we show that the typing system satisfies the minimum eects property. Although
We propose an extension to the security model of Java. It allows for specifying, analysing and enforcing history-based policies. Poli- cies are defined by finite state automata recognizing the permitted execu- tion histories. Programmers can sandbox an untrusted piece of code with a policy, which is enforced at run-time through its local scope. A static analysis allows for optimizing the execution monitor, that will only check the program points where some security violation may actually occur. A fundamental concern of security is to ensure that resources are used correctly. Devising expressive, flexible and efficient mechanisms to control resource usages is therefore a major issue in the design and implementation of security-aware programming languages. The problem is made even more crucial by the current programming trends, which allow for reusing code, and exploiting services and components, offered by (possibly untrusted) third parties. It is common practice to pick from the Web some scripts, or plugins, or packages, and assemble them into a bigger program, with little or no control about the security of the whole. Stack inspection, the mechanism adopted by Java (23) and the .NET CLR (31), offers a pragmatic setting for access control. Roughly, each frame in the call stack represents a method; methods are associated with "protection domains", that reflect their provenance; a global security policy grants each protection domain a set of permissions. Code includes local checks that guard access to critical re- sources. At run-time, an access authorization is granted when all the frames on the call stack have the required permission (a special case is that of privileged calls, that trust the methods below them in the call stack). Being strongly biased towards implementation, this mechanism suffers from some major shortcomings. First, local checks must be explicitly inserted into code by the programmer. Since forgetting even a single check might compromise the safety of the whole applica- tion, programmers have to carefully inspect their code. This may be cumbersome even for small programs, and it may lead to unnecessary checking. Second, many security policies are not enforceable by stack inspection, because a method re- moved from the call stack no longer affects security. This may be harmful, e.g. when trusted code depends on the results supplied by untrusted code (22). History-based access control has been receiving major attention as an alterna- tive to stack inspection. Differently from stack inspection, the run-time security
A static approach is proposed to study secure composition of services. We extend the �-calculus with primitives for selecting and invoking ser- vices that respect given security requirements. Security-critical code is en- closed in policy framings with a possibly nested, local scope. Policy fram- ings enforce safety and liveness properties. The actual run-time behaviour of services is over-approximated by a type and effect system. Types are standard, and effects include the actions with possible security concerns — as well as information about which services may be invoked at run-time. An approximation is model-checked to verify policy framings within their scopes. This allows for removing any run-time execution monitor, and for determining the plans driving the selection of those services that match the security requirements on demand.
Local policies represent security properties that are applied to (parts of) programs or services.They are amenable for developers since they provide for a full compositionality (through scope nesting), for a simple, automaton-like structure and for a direct enforcing through a corresponding execution monitor. Compliance w.r.t. local policies is statically verified against a safe over-approximation of all the possible execution traces, namely a history expression. Given a service, a safe type and effect system extracts a history expression, from which a viable composition plan can be automatically produced. Viable plans drive executions that never rise policy exceptions. Our main contribution consists in defining a type and effect system that also deals with open systems.We extend the syntax of a service-oriented version of the λ-calculus, namely λreq, with resources and external branching operators. Then, we safely over-approximate the possible run-time behaviour of services collecting partial information on the relationship between the program flow and the actual resources. Indeed, the history expressions obtained in this way are compact, rather accurate and able to derive viable plans in most cases.
We outline a methodology for designing and composing services in a secure manner. In particular, we are concerned with safety properties of service behavior. Services can enforce security policies locally and can invoke other services that respect given security contracts. This call-by-contract mechanism offers a significant set of opportunities, each driving secure ways to compose services. We discuss how we can correctly plan service compositions in several relevant classes of services and security properties. With this aim, we propose a graphical modeling framework based on a foundational calculus called lambda req [13]. Our formalism features dynamic and static semantics, thus allowing for formal reasoning about systems. Static analysis and model checking techniques provide the designer with useful information to assess and fix possible vulnerabilities.
This document defines a language for specifying business process behavior based on Web Services. This language is called Web Services Business Process Execution Language (abbreviated to WS-BPEL in the rest of this document). Processes in WS-BPEL export and import functionality by using Web Service interfaces exclusively. Business processes can be described in two ways. Executable business processes model actual behavior of a participant in a business interaction. Abstract business processes are partially specified processes that are not intended to be executed. An Abstract Process may hide some of the required concrete operational details. Abstract Processes serve a descriptive role, with more than one possible use case, including observable behavior and process template. WS-BPEL is meant to be used to model the behavior of both Executable and Abstract Processes. WS-BPEL provides a language for the specification of Executable and Abstract business processes. By doing so, it extends the Web Services interaction model and enables it to support business transactions. WS-BPEL defines an interoperable integration model that should facilitate the expansion of automated process integration in both the intra-corporate and the business-to-business spaces.
Copyright Notice ? 2003 Oracle Corporation All Rights Reserved. This WS-Choreography Specification-Choreography Description Language (WS-CDL) (the "Specification") is protected by copyright and the information described therein and technology required to implement the Specification may be protected by one or more U. S. patents, foreign patents, or pending applications. The copyright owners named above ("Owners") hereby grant you a fully-paid, non-exclusive, non-transferable, worldwide, limited license under their copyrights to: (i) download, view, reproduce, and otherwise use the Specification for internal purposes; (ii) distribute the Specification to third parties provided that the Specification is not modified by you or such third parties; (iii) implement the Specification and distribute such implementations, including the right to authorize others to do the same, provided however, that you only distribute the Specification subject to a license agreement that protects the Owners'interests by including the proprietary legend and terms set forth in this Copyright Notice. Disclaimer of Warranties THIS SPECIFICATION IS PROVIDED "AS IS" AND IS EXPERIMENTAL AND MAY CONTAIN DEFECTS OR DEFICIENCIES WHICH CANNOT OR WILL NOT BE CORRECTED BY THE OWNERS). THE OWNERS MAKE NO REPRESENTATIONS OR WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO, WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT THAT THE CONTENTS OF THE SPECIFICATION ARE SUITABLE FOR ANY PURPOSE OR THAT ANY PRACTICE OR IMPLEMENTATION OF SUCH CONTENTS WILL NOT INFRINGE ANY THIRD PARTY OR COPYRIGHT OWNER PATENTS, COPYRIGHTS, TRADE SECRETS OR OTHER RIGHTS. This document does not represent any commitment to release or implement any portion
The design and implementation of a correct system can benefit from employing static techniques for ensuring that the dynamic
behaviour satisfies the specification. Many programming languages incorporate types for ensuring that certain operations are
only applied to data of the appropriate form. A natural extension of type checking techniques is to enrich the types with
annotations and effects that further describe intensional aspects of the dynamic behaviour.
Service oriented computing is an emerging paradigm for designing distributed applications where service and composition are the main concepts it is based upon. In this paper we propose SOCK, a three-layered calculus equipped with a formal semantics, for addressing all the basic mechanisms of service communication
and composition. The main contribute of our work is the development of a formal framework where the service design is decomposed
into three fundamental parts: the behaviour, the declaration and the composition where each part can be designed independently
of the other ones.
Usage automata are an extension of finite stata automata, with some additional features (e.g. parameters and guards) that
improve their expressivity. Usage automata are expressive enough to model security requirements of real-world applications;
at the same time, they are simple enough to be statically amenable, e.g. they can be model-checked against abstractions of
program usages. We study here some foundational aspects of usage automata. In particular, we discuss about their expressive
power, and about their effective use in run-time mechanisms for enforcing usage policies.
We introduce COWS (Calculus for Orchestration of Web Services), a new foundational language for SOC whose design has been influenced by WS-BPEL, the de facto standard language for orchestration of web services. COWS combines in an original way a number of ingredients borrowed from well- known process calculi, e.g. asynchronous communication, polyadic synchroniza- tion, pattern matching, protection, delimited receiving and killing activities, while resulting di erent from any of them. Several examples illustrates COWS pecu- liarities and show its expressiveness both for modelling imperative and orchestra- tion constructs, e.g. web services, flow graphs, fault and compensation handlers, and for encoding other process and orchestration languages. We also present an extension of the basic language with timed constructs.
Software execution environments like operating systems, mobile code platforms and scriptable applications must protect themselves against potential damages caused by malicious code. Monitoring the execution history of the latter provides an effective means for controlling the access pattern of system services. Several authors have recently proposed increasingly general automata models for characterizing various classes of security policies enforceable by execution monitoring. An open question raised by Bauer, Ligatti and Walker is whether one can further classify the space of security policies by constraining the capabilities of the execution monitor. This paper presents a novel information-based approach to address the research problem. Specifically, security policies are characterized by the information consumed by an enforcing execution monitor. By restricting the execution monitor to track only a shallow history of previously granted access events, a precise characterization of a class of security policies enforceable by restricted access to information is identified. Although provably less expressive than the general class of policies enforceable by execution monitoring, this class does contain naturally occurring policies including Chinese Wall policy, low-water-mark policy, one-out-of-k authorization, assured pipelines, etc. Encouraged by this success, the technique is generalized to produce a lattice of policy classes. Within the lattice, policy classes are ordered by the information required for enforcing member policies. Such a fine-grained policy classification lays the semantic foundation for future studies on special-purpose policy languages.
The authors specify authentication protocols as formal objects with precise syntax and semantics, and define a semantic model that characterizes protocol executions. They have identified two basic types of correctness properties, namely, correspondence and secrecy; that underlie the correctness concerns of authentication protocols. Assertions for specifying these properties, and a formal semantics for their satisfaction in the semantic model are defined. The Otway-Rees protocol is used to illustrate the semantic model and the basic correctness properties
The type and effect discipline, a framework for reconstructing the
principal type and the minimal effect of expressions in implicitly typed
polymorphic functional languages that support imperative constructs, is
introduced. The type and effect discipline outperforms other polymorphic
type systems. Just as types abstract collections of concrete values,
effects denote imperative operations on regions. Regions abstract sets
of possibly aliased memory locations. Effects are used to control type
generalization in the presence of imperative constructs while regions
delimit observable side effects. The observable effects of an expression
range over the regions that are free in its type environment and its
type; effects related to local data structures can be discarded during
type reconstruction. The type of an expression can be generalized with
respect to the variables that are not free in the type environment or in
the observable effect
This paper addresses the problem of static checking of programs to ensure that they satisfy confidentiality policies in the presence of dynamic access control in the form of Abadi and Fournet’s history-based access control mechanism. The Java virtual machine’s permission-based stack inspection mechanism provides dynamic access control and is useful in protecting trusted callees from untrusted callers. In contrast, history-based access control provides a stateful view of permissions: permissions after execution are at most the permissions before execution. This allows protection of both callers and callees.
The main contributions of this paper are to provide a semantics for history-based access control and a static analysis for confidentiality that takes history-based access control into account. The static analysis is a type and effects analysis where the chief novelty is the use of security types dependent on permission state. We also show that in contrast to stack inspection, confidential information can be leaked by the history-based access control mechanism itself. The analysis ensures a noninterference property formalizing confidentiality.
program accesses resources in a valid manner. For example, a memory region that has been allocated should be eventually deallocated, and after the deallocation, the region should no longer be accessed. A file that has been opened should be eventually closed. So far, most of the methods to analyze this kind of property have been proposed in rather specific contexts (like studies of memory management and verification of usage of lock primitives), and it was not so clear what is the essence of those methods or how methods proposed for individual problems are related. To remedy this situation, we formalize a general problem of analyzing resource usage as a resource usage analysis problem, and propose a type-based method as a solution to the problem.
Security is a major, frequent concern in extensible software systems such as Java Virtual Machines and the Common Language Runtime. These systems aim to enable simple, classic applets and also, for example, distributed applications, Web services, and programmable networks, with appropriate security expectations. Accordingly, they feature elaborate constructs and mechanisms for associating rights with code, including a technique for determining the run-time rights of a piece of code as a function of the state of the execution stack. These mechanisms prevent many security holes, but they are inherently partial and they have proved difficult to use reliably.
This paper addresses those questions for the class of enforcement mechanisms that work by monitoring execution steps of some system, herein called the target, and terminating the target's execution if it is about to violate the security policy being enforced. We call this class EM, for Execution Monitoring. EM includes security kernels, reference monitors, firewalls, and most other operating system and hardware -based enforcement mechanisms that have appeared in the literature. Our targets may be objects, modules, processes, subsystems, or entire systems; the execution steps monitored may range from fine-grained actions (such as memory accesses) to higher-level operations (such as method calls) to operations that change the security-configuration and thus restrict subsequent execution
Typing the behaviours of objects and components using session types
- A Vallecillo
- V Vansconcelos
- A Ravara
Business Process Management Initiative
- Management Object
- Group
History-based access control for mobile code
- G Edjlali
- A Acharya
- V Chaudhary
- G. Edjlali