# Alwen Tiu's research while affiliated with Australian National University and other places

**What is this page?**

This page lists the scientific contributions of an author, who either does not have a ResearchGate profile, or has not yet added these contributions to their profile.

It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.

If you're a ResearchGate member, you can follow this page to keep up with this author's work.

If you are this author, and you don't want us to display this page anymore, please let us know.

It was automatically created by ResearchGate to create a record of this author's body of work. We create such pages to advance our goal of creating and maintaining the most comprehensive scientific repository possible. In doing so, we process publicly available (personal) data relating to the author as a member of the scientific community.

If you're a ResearchGate member, you can follow this page to keep up with this author's work.

If you are this author, and you don't want us to display this page anymore, please let us know.

## Publications (96)

We describe Dagster, a system that implements a new approach to scheduling interdependent (Boolean) SAT search activities in high-performance computing (HPC) environments. This system allows practitioners to solve challenging problems by efficiently distributing search effort across computing cores in a customizable way. Our solver takes as input a...

We present an investigation into the design and implementation of a parallel model checker for security protocol verification that is based on a symbolic model of the adversary, where instantiations of concrete terms and messages are avoided until needed to resolve a particular assertion. We propose to build on this naturally lazy approach to paral...

We present an investigation into the design and implementation of a parallel model checker for security protocol verification that is based on a symbolic model of the adversary, where instantiations of concrete terms and messages are avoided until needed to resolve a particular assertion. We propose to build on this naturally lazy approach to paral...

In the hardware design process, hardware components are usually described in a hardware description language. Most of the hardware description languages, such as Verilog and VHDL, do not have mathematical foundation and hence are not fit for formal reasoning about the design. To enable formal reasoning in one of the most commonly used description l...

Open bisimilarity is defined for open process terms in which free variables may appear. The insight is, in order to characterise open bisimilarity, we move to the setting of intuitionistic modal logics. The intuitionistic modal logic introduced, called $\mathcal{OM}$, is such that modalities are closed under substitutions, which induces a property...

We introduce translations between display calculus proofs and labeled calculus proofs in the context of tense logics. First, we show that every derivation in the display calculus for the minimal tense logic Kt extended with general path axioms can be effectively transformed into a derivation in the corresponding labeled calculus. Concerning the con...

The SPARC instruction set architecture (ISA) has been used in various processors in workstations, embedded systems, and in mission-critical industries such as aviation and space engineering. Hence, it is important to provide formal frameworks that facilitate the verification of hardware and software that run on or interface with these processors. I...

This work explores how to enhance pseudonymous whistleblower submission systems, specifically by supporting protocol level unlinkability, while also making the system resilient against (distributed) denial of service attacks. To that end, we propose a blind signature based protocol which facilitates assignment of trust to anonymous posters in a man...

We introduce translations between display calculus proofs and labelled calculus proofs in the context of tense logics. First, we show that every derivation in the display calculus for the minimal tense logic Kt extended with general path axioms can be effectively transformed into a derivation in the corresponding labelled calculus. Concerning the c...

We provide a direct method for proving Craig interpolation for a range of modal and intuitionistic logics, including those containing a "converse" modality. We demonstrate this method for classical tense logic, its extensions with path axioms, and for bi-intuitionistic logic. These logics do not have straightforward formalisations in the traditiona...

We provide a direct method for proving Craig interpolation for a range of modal and intuitionistic logics, including those containing a "converse" modality. We demonstrate this method for classical tense logic, its extensions with path axioms, and for bi-intuitionistic logic. These logics do not have straightforward formalisations in the traditiona...

Symbolic verification of security protocols typically relies on an attacker model called the Dolev-Yao model, which does not model adequately various algebraic properties of cryptographic operators used in many real-world protocols. In this work we describe an integration of a state-of-the-art protocol verifier ProVerif, with automated first order...

This article explores the proof theory necessary for recommending an expressive but decidable first-order system, named MAV1, featuring a De Morgan dual pair of nominal quantifiers. These nominal quantifiers called “new” and “wen” are distinct from the self-dual Gabbay-Pitts and Miller-Tiu nominal quantifiers. The novelty of these nominal quantifie...

SPARC processors have many applications in mission-critical industries such as aviation and space engineering. Hence, it is important to provide formal frameworks that facilitate the verification of hardware and software that run on or interface with these processors. This paper presents the first mechanised SPARC Total Store Ordering (TSO) memory...

MTL has been widely used to specify runtime policies. Traditionally this use is to capture the qualitative aspects of the monitored systems, but recent developments in its extensions with aggregate operators allow some quantitative policies to be specified. Our interest in MTL-based policy languages is driven by applications in runtime malware or i...

This paper clarifies that linear implication defines a branching-time preorder, preserved in all contexts, when used to compare embeddings of process in non-commutative logic. The logic considered is a first-order extension of the proof system BV featuring a de Morgan dual pair of nominal quantifiers, called BV1. An embedding of π -calculus process...

Attack trees provide a structure to an attack scenario, where disjunctions represent choices decomposing attacker’s goals into smaller subgoals. This paper investigates the nature of choices in attack trees. For some choices, the attacker has the initiative, but for other choices either the environment or an active defender decides. A semantics for...

Scalable and automatic formal verification for concurrent systems is always demanding. In this paper, we propose a verification framework to support automated compositional reasoning for concurrent programs with shared variables. Our framework models concurrent programs as succinct automata and supports the verification of multiple important proper...

Quasi-open bisimilarity is the coarsest notion of bisimilarity for the π-calculus that is also a congruence. This work extends quasi-open bisimilarity to handle mismatch (guards with inequalities). This minimal extension of quasi-open bisimilarity allows fresh names to be manufactured to provide constructive evidence that an inequality holds. The e...

separation logics are a family of extensions of Hoare logic for reasoning about programs that manipulate resources such as memory locations. These logics are “abstract” because they are independent of any particular concrete resource model. Their assertion languages, called Propositional Abstract Separation Logics (PASLs), extend the logic of (Bool...

We introduce a novel type system for enforcing secure information flow in an imperative language. Our work is motivated by the problem of statically checking potential information leakage in Android applications. To this end, we design a lightweight type system featuring Android permission model, where the permissions are statically assigned to app...

This paper presents tactics for reasoning about the assertions of separation logic.
We formalise our proof methods in Isabelle/HOL based on Klein
et al.’s separation algebra library. Our methods can also be used in other separation
logic frameworks that are instances of the separation algebra of Calcagno et
al. The first method, separata , is bas...

Open bisimilarity is a strong bisimulation congruence for the π-calculus. In open bisimilarity, free names in processes are treated as variables that may be instantiated; in contrast to late bisimilarity where free names are constants. An established modal logic due to Milner, Parrow, and Walker characterises late bisimilarity, that is, two process...

Coverage-based fuzzing is one of the most effective techniques to find vulnerabilities, bugs or crashes. However, existing techniques suffer from the difficulty in exercising the paths that are protected by magic bytes comparisons (e.g., string equality comparisons). Several approaches have been proposed to use heavy-weight program analysis to brea...

Attack trees profile the sub-goals of the proponent of an attack. Attack trees have a variety of semantics depending on the kind of question posed about the attack, where questions are captured by an attribute domain. We observe that one of the most general semantics for attack trees, the multiset semantics, coincides with a semantics expressed usi...

In the logic programming paradigm, it is difficult to develop an elegant solution for generating distinguishing formulae that witness the failure of open-bisimilarity between two pi-calculus processes; this was unexpected because the semantics of the pi-calculus and open bisimulation have already been elegantly specified in higher-order logic progr...

It is essential to deal with the interference of the environment between programs in concurrent program verification. This has led to the development of concurrent program reasoning techniques such as rely-guarantee. However, the source code of the programs to be verified often involves language features such as exceptions and procedures which are...

The high security requirements of cyber-physical systems and the critical tasks they carry out make it necessary to guarantee the absence of any vulnerability to security attacks and that they have no unexpected behaviour. The size and complexity of the underlying hardware in cyber-physical systems are increasing and so is the risk of failures and...

The high security requirements of cyber-physical systems and the critical tasks they carry out make it necessary to guarantee the absence of any vulnerability to security attacks and that they have no unexpected behaviour. The size and complexity of the underlying hardware in cyber-physical systems are increasing and so is the risk of failures and...

SPEC is an automated equivalence checker for security protocols specified in the spi-calculus, an extension of the pi-calculus with cryptographic primitives. The notion of equivalence considered is a variant of bisimulation, called open bisimulation, that identifies processes indistinguishable when executed in any context. SPEC produces compact and...

The SPARCv8 instruction set architecture (ISA) has been used in various processors for workstations, embedded systems, and space missions. However, there are no publicly available formal models for the SPARCv8 ISA. In this work, we give the first formal model for the integer unit of SPARCv8 ISA in Isabelle/HOL. We capture the operational semantics...

Scalable and automatic formal verification for concurrent systems is always demanding, but yet to be developed. In this paper, we propose a verification framework to support automated compositional reasoning for concurrent programs with shared variables. Our framework models concurrent programs as succinct automata and supports the verification of...

Existing work on theorem proving for the assertion language of separation logic (SL) either focuses on abstract semantics which are not readily available in most applications of program verification, or on concrete models for which completeness is not possible. An important element in concrete SL is the points-to predicate which denotes a singleton...

We present an expressive but decidable first-order system (named MAV1) defined by using the calculus of structures, a generalisation of the sequent calculus. In addition to first-order universal and existential quantifiers the system incorporates a pair of nominal quantifiers called `new' and `wen', distinct from the self-dual Gabbay-Pitts and Mill...

This paper considers Reynolds’s separation logic with all logical connectives but without arbitrary predicates. This logic is not recursively enumerable but is very useful in practice. We give a sound labelled sequent calculus for this logic. Using numerous examples, we illustrate the subtle deficiencies of several existing proof calculi for separa...

Linear temporal logic (LTL) has been widely used to specify runtime policies. Traditionally this use of LTL is to capture the qualitative aspects of the monitored systems, but recent developments in metric LTL and its extensions with aggregate operators allow some quantitative policies to be specified. Our interest in LTL-based policy languages is...

Android is an operating system that has been used in a majority of mobile
devices. Each application in Android runs in an instance of the Dalvik virtual
machine, which is a register-based virtual machine (VM). Most applications for
Android are developed using Java, compiled to Java bytecode and then translated
to DEX bytecode using the dx tool in t...

The Abella interactive theorem prover is based on an intuitionistic logic that allows for inductive and co-inductive reasoning over relations. Abella supports the λ-tree approach to treating syntax containing binders: it allows simply typed λ-terms to be used to represent such syntax and it provides higher-order (pattern) unification, the ∇ quantif...

Proof theory for a logic with categorical semantics can be developed by the following methodology: define a sound and complete display calculus for an extension of the logic with additional adjunctions; translate this calculus to a shallow inference nested sequent calculus; translate this calculus to a deep inference nested sequent calculus; then p...

separation logics are a family of extensions of Hoare logic for reasoning about programs that mutate memory. These logics are "abstract" because they are independent of any particular concrete memory model. Their assertion languages, called propositional abstract separation logics, extend the logic of (Boolean) Bunched Implications (BBI) in various...

We present a design and an implementation of a security policy specification
language based on metric linear-time temporal logic (MTL). MTL features
temporal operators that are indexed by time intervals, allowing one to specify
timing-dependent security policies. The design of the language is driven by the
problem of runtime monitoring of applicati...

We consider the problem of model checking specifications involving co-inductive definitions such as are available for bisimulation. A proof search approach to model checking with such specifications often involves state exploration. We consider four different tabling strategies that can minimize such exploration significantly. In general, tabling i...

Full Intuitionistic Linear Logic (FILL) is multiplicative intuitionistic
linear logic extended with par. Its proof theory has been notoriously difficult
to get right, and existing sequent calculi all involve inference rules with
complex annotations to guarantee soundness and cut-elimination. We give a
simple and annotation-free display calculus for...

We present a labelled sequent calculus for Boolean BI, a classical variant of
O'Hearn and Pym's logic of Bunched Implication. The calculus is simple, sound,
complete, and enjoys cut-elimination. We show that all the structural rules in
our proof system, including those rules that manipulate labels, can be
localised around applications of certain lo...

Proof systems for logics with recursive definitions typically impose a strict syntactic stratification on the body of a definition to ensure cut elimination and consistency of the logics, i.e., by forbidding any negative occurrences of the predicate being defined. Often such a restriction is too strong, as there are cases where such negative occurr...

A grammar logic refers to an extension to the multi-modal logic K in which
the modal axioms are generated from a formal grammar. We consider a proof
theory, in nested sequent calculus, of grammar logics with converse, i.e.,
every modal operator [a] comes with a converse. Extending previous works on
nested sequent systems for tense logics, we show a...

We consider two characterisations of the may and must testing preorders for a
probabilistic extension of the finite pi-calculus: one based on notions of
probabilistic weak simulations, and the other on a probabilistic extension of a
fragment of Milner-Parrow-Walker modal logic for the pi-calculus. We base our
notions of simulations on the similar c...

Gödel-Dummett logic is an extension of first-order intuitionistic logic with the linearity axiom (A É B) Ú(B É A)(A \supset B) \lor (B \supset A), and the so-called “quantifier shift” axiom "x(A ÚB(x)) É A Ú"x B(x).\forall x(A \lor B(x)) \supset A \lor \forall x B(x). Semantically, it can be characterised as a logic for linear Kripke frames with co...

We consider two styles of proof calculi for a family of tense logics,
presented in a formalism based on nested sequents. A nested sequent can be seen
as a tree of traditional single-sided sequents. Our first style of calculi is
what we call "shallow calculi", where inference rules are only applied at the
root node in a nested sequent. Our shallow c...

Proof search has been used to specify a wide range of computation systems. In order to build a framework for reasoning about such specifications, we make use of a sequent calculus involving induction and co-induction. These proof principles are based on a proof theoretic (rather than set-theoretic) notion of definition. Definitions are akin to logi...

We consider the problem of automating open bisimulation checking for the spi calculus, an extension of the pi-calculus with cryptographic primitives. The notion of open bisimulation considered here is indexed by a (symbolic) environment, represented as bi-traces (i.e., pairs of symbolic traces), which encode the history of interaction between the i...

We consider an extension of bi-intuitionistic logic with the traditional modalities from tense logic Kt. Proof theoretically, this extension is obtained simply by extending an existing sequent calculus for bi-intuitionistic logic with typical inference rules for the modalities used in display logics. As it turns out, the resulting calculus, LBiKt,...

Harrison John . Handbook of practical logic and automated reasoning. Cambridge University Press, Cambridge, UK, 2009, xix + 681 pp. - Volume 16 Issue 2 - Alwen Tiu

We consider the problem of intruder deduction in security protocol analysis: that is, deciding whether a given message M can be deduced from a set of messages Gamma under the theory of blind signatures and arbitrary convergent equational theories modulo associativity and commutativity (AC) of certain binary operators. The traditional formulations o...

We consider a formalisation of a notion of observer (or in- truder) theories, commonly used in symbolic analysis of security pro- tocols. An observer theory describes the knowledge and capabilities of an observer, and can be given a formal account using deductive sys- tems, such as those used in various "environment-sensitive" bisimulation for proc...

We consider two sequent calculi for tense logic in which the syntactic judgements are nested sequents, i.e., a tree of traditional one- sided sequents built from multisets of formulae. Our first calculus SKt is a variant of Kashima's calculus for Kt, which can also be seen as a display calculus, and uses "shallow" inference whereby inference rules...

We consider policies that are described by regular expres- sions, finite automata, or formulae of linear temporal logic (LTL). Such policies are assumed to describe situations that are problematic, and thus should be avoided. Given a trace pattern u, i.e., a sequence of ac- tion symbols and variables, were the variables stand for unknown (i.e., not...

Online trading invariably involves dealings between strangers, so it is important for one party to be able to judge objectively the trust- worthiness of the other. In such a setting, the decision to trust a user may sensibly be based on that user's past behaviour. We introduce a specication language based on linear temporal logic for expressing a p...

A notion of open bisimulation is formulated for the spi calculus, an extension of the pi-calculus with cryptographic primitives. In this formulation, open bisimulation is indexed by pairs of symbolic traces, which represent the history of interactions between the environment with the pairs of processes being checked for bisimilarity. The use of sym...

Lambda tree syntax (a variant of HOAS) and nominal techniques are two approaches to representing and reasoning about languages containing bindings. Although they are based on separate foundations, recent advances in the proof theory of generic judgments have shown that one may be able to incorporate some aspects of nominal techniques (i.e., the equ...

Online trading invariably involves dealings between strangers, so it is important for one party to be able to judge objectively the trustworthiness of the other. In su ch a setting, the decision to trust a user may sensibly be based on that user's past behaviour. We introduc e a specification language based on linear temporal logic for expressing a...

Proof search has been used to specify a wide range of computation systems. In order to build a framework for reasoning about such specifications, we make use of a sequent calculus involving induction and co-induction. These proof principles are based on a proof theoretic (rather than set-theoretic) notion of definition. Definitions are akin to (str...

We specify the operational semantics and bisimulation relations for the finite pi-calculus within a logic that contains the nabla quantifier for encoding generic judgments and definitions for encoding fixed points. Since we restrict to the finite case, the ability of the logic to unfold fixed points allows this logic to be complete for both the ind...

We consider the problem of intruder deduction in security protocol analysis: that is, deciding whether a given message $M$ can be deduced from a set of messages $\Gamma$ under the theory of blind signatures and arbitrary convergent equational theories modulo associativity and commutativity (AC) of certain binary operators. The traditional formulati...

This paper presents a cut-elimination proof for the logic $LG^\omega$, which is an extension of a proof system for encoding generic judgments, the logic $\FOLDNb$ of Miller and Tiu, with an induction principle. The logic $LG^\omega$, just as $\FOLDNb$, features extensions of first-order intuitionistic logic with fixed points and a ``generic quantif...

We propose a new sequent calculus for bi-intuitionistic log ic which sits somewhere between display calculi and traditional sequent calculi by using nested sequents. Our calculus enjoys a simple (purely syntactic) cut-elimination proof as do display calculi. But it has an eas ily derivable variant calculus which is amenable to automated proof searc...

In this paper, we consider policies that are described by reg- ular languages. Such regular policies L are assumed to describe situa- tions that are problematic, and thus should be avoided. Given a trace pattern u, i.e., a sequence of action symbols and variables, were the vari- ables stand for unknown (i.e., not observed) sequences of actions, we...

A notion of open bisimulation is formulated for the spi calculus, an extension of the π-calculus with cryptographic primitives. In this formulation, open bisimulation is indexed by pairs of symbolic traces, which represent the history of interactions between the environment with the pairs of processes being checked for bisimilarity. The use of symb...

We begin by showing how to faithfully encode the Classical Modal Display Logic (CMDL) of Wansing into the Calculus of Structures (CoS) of Guglielmi. Since every CMDL calculus enjoys cut-elimination, we obtain a cut-elimination theorem for all corresponding CoS calculi. We then show how our result leads to a minimal cut-free CoS calculus for modal l...

This paper presents an extension of a proof system for encoding generic judgments, the logic FO r of Miller and Tiu, with an induction principle. The logic FO r is itself an extension of intuitionistic logic with fixed points and a "generic quantifier", r, which is used to reason about the dynamics of bindings in object systems encoded in the logic...

Bedwyr is a generalization of logic programming that allows model checking directly on syntactic expressions possibly containing bindings. This system, written in OCaml, is a direct implementation of two recent advances in the theory of proof search. The first is centered on the fact that both finite success and finite failure can be captured in th...

This paper presents systems for first-order intuitionistic logic and several of its extensions in which all the propositional
rules are local, in the sense that, in applying the rules of the system, one needs only a fixed amount of information about the logical expressions
involved. The main source of non-locality is the contraction rules. We show...

We report on an experiment in combining the theorem prover Isabelle with automatic first-order arithmetic provers to increase automation on the verification of distributed protocols. As a case study for the experiment we verify several averaging clock synchronization algorithms. We present a formalization of Schneider's generalized clock synchroniz...

This paper studies properties of the logic BV, which is an extension of
multiplicative linear logic (MLL) with a self-dual non-commutative operator. BV
is presented in the calculus of structures, a proof theoretic formalism that
supports deep inference, in which inference rules can be applied anywhere
inside logical expressions. The use of deep inf...

The operational semantics of a computation system is often presented as inference rules or, equivalently, as logical theories. Specifications can be made more declarative and high level if syntactic details concerning bound variables and substitutions are encoded directly into the logic using term-level abstractions (λ-abstraction) and proof-level...

We formalize the generalized Byzantine fault-tolerant clock synchronization protocol of Schneider. This protocol abstracts from particular algorithms or implementations for clock syn- chronization. This abstraction includes several assumptions on the behaviors of physical clocks and on general properties of concrete algorithms/implementations. Base...

The operational semantics and typing of modern program- ming and specification languages are often defined using relations and proof systems. In simple settings, logic programming can be used to pro- vide rather direct and natural interpreters for such operational semantics. More complex features of specifications such as names and their bind- ings...

Model checking for transition systems specified in pi-calculus has been a difficult problem due to the infinite-branching nature of input prefix, name-restriction and scope extrusion. We propose here an approach to model checking for pi-calculus by encoding it into a logic which supports reasoning about bindings and fixed points. This logic, called...

This paper presents a system for intuitionistic logic in which all the rules are local, in the sense that, in applying the rules of the system, one needs only a fixed amount of information about the logical expressions involved. The main source of non-locality is the contraction rule. We show that the contraction rule can be restricted to the atomi...

We present a meta-logic that contains a new quantifier ∇ (for encoding “generic judgments”) and inference rules for reasoning within fixed points of a given specification. We then specify the operational semantics and bisimulation relations for the finite π-calculus within this meta-logic. Since we restrict to the finite case, the ability of the me...

This paper gives an overview of a prototype implementation of a fragment of the logic Linc [5, 8, 13] (also referred to as F Oλ∆ ∇ in [5]), which we tentatively call ‘Level 0/1 Prover ’ here. This implementation is part of a larger project, Parsifal, at INRIA Futurs (see

We present a logic in which signatures are explicit in the sequent, and of two different nature: one signature is associated to the whole sequent to account for eigenvariables of the sequent, the other is associated to each formula in the sequent, used to account for generic variables locally scoped over the formula. The logic is a version of intui...

An extension of the language L is given. The extension was mainly motivated by applications of higher-order abstract syntax in en- coding generic judgments, where object-level signatures need to be coded explicitly. It is shown that this extension preserves the m.g.u property and the decidability of the unification problems.

Proof search has been used to specify a wide range of computation systems. In order to build a framework for reasoning about such specifications, we make use of a sequent calculus involving induction and co-induction. These proof principles are based on a proof theoretic notion of definition, following on work by Schroeder-Heister, Girard, and McDo...

A notion of open bisimulation is formulated for the spi cal-culus, an extension of the π-calculus with cryptographic primitives. This notion of open bisimulation is based on the so-called hedged bisimula-tion, due to Borgström and Nestmann. Open bisimulation is shown to be sound with respect to hedged bisimulation, and futher, open bisimi-larity is...

For formal system verification to become common practice, it has to be supported by flexible and powerful deductive tools that can accommodate adequate levels of abstraction as well as a high degree of automation. In this paper, we report on a case study on combination of deductive tools to support verification of distributed algorithms. More speci...

This course introduces a logical approach to formalizing, prototyp-ing and reasoning about computational systems. We shall consider systems from various contexts, including typing and evaluation notions for programming languages, logics and proof-theoretic principles, formally specified software and concurrency. A fea-ture common to many of these s...

We present a meta-logic that contains a new quantifler r (for encoding \generic judg- ments") and inference rules for reasoning within flxed points of a given speciflcation. We then specify the operational semantics and bisimulation relations for the flnite …-calculus within this meta-logic. Since we restrict to the flnite case, the ability of the...

## Citations

... Ahn et al. (2017) [AHT17] give an innovative intuitionistic logic characterising open bisimilarity. In their setting, substitution effects are only employed inside the definition of the logical implication operator. ...

Reference: Modal Logics for Nominal Transition Systems

... The propagation rules we use are largely based upon the work of [26,49], where such rules were used in the setting of display and nested calculi. These rules were then transported to the labeled setting to prove the decidability of agency (STIT) logics [34], to establish translations between calculi within various proof-theoretic formalisms [11], and to provide a basis for the structural refinement methodology [32]. In this paper, we apply this methodology in the setting of intuitionistic grammar logics, obtaining analytic nested systems for these logics, which are then put to use to establish conservativity and (un)decidability results. ...

... A DoS attack its purpose is to make the server or network fail to yield normal services. Ordinarily, this attack is managed by Send fake packets to the victim's device or by sending a large number of packets that exceed the ability to process them [17], [18]. There is no IPv6 safe zone, even if it was. ...

... The common presentation of Total Store Order (TSO) memory model is operational [18]. In addition to the traditional interleaving semantics, each hardware thread under TSO has a write buffer and propagates writes to the main memory nondeterministically. Hóu et al. [19] presented axiomatic TSO model and operational TSO model on the top of high-level ISA model and low-level ISA model. Using axiomatic memory model definitions, Lahav et al. [17] listed several laws that WMMs such as TSO or other non-multi-copy-atomic memory models should follow respectively. ...

... Initiated by Bull [5] and Kashima [30], nested sequent systems perform reasoning over trees of (pairs of) multisets of formulae, proving worthwhile in developing automated reasoning techniques for logics. Such systems have been used to write decision algorithms for logics supporting automated counter-model extraction [22,49], have been employed in constructive proofs of interpolation [21,35], and have even been applied in knowledge integration scenarios [39]. ...

... Here, it is of absolute importance that the protocols are correctly designed and specified. However, designing and specifying such protocols is an error-prone task, due to the complex security requirements and their dependencies on the attacker model [5,13]. As a consequence, many flaws of security protocols were only discovered after years of productive usage, e.g., it took 17 years to identify a critical flaw in the Needham-Schroeder Public-Key protocol [24]. ...

... The existence of these two separate cases is a surprising novelty since all proof systems, on which the splitting technique has been applied so far, only employ atoms, binary connectives [Gug07,AT17], modalities [Str03a,GS11], and quantifiers [HTAC19]. Here, for the first time we present splitting for n-ary connectives with n > 2. ...

... Past-time LTL (PTLTL) [10] is another useful language for specifying security-related properties [11]. PTLTL has two distinct temporal operators called previously (P ) and since ( S ). ...

... The next natural extension was adding the additives, leading to the logic MAV [Hor15], which has then been extended by nominal quantifiers (and standard first-order quantifiers) [HTAC19,HT19] in order to simulate private names in process algebras, as for example the π-calculus. This is in the line of research by Bruscoli [Bru02] who used BV to simulate reductions in CCS, following the formulas-as-processes paradigm. ...

... To solve this problem, the work in [15] proposed a type system that incorporates permissions in function types. And another work in [16] also proposed a type system that solves the problem of typing non-monotonic policies without resorting to downgrading or declassifying the information. Inspired by the above research, we define a statement that supports declassification assignment, as shown in Table II. ...