Laboratory We introduce a calculus describing the movement of processes and devices, including movement through administrative domains.

Abstract not found

Abstract. Boxed Ambients are a variant of Mobile Ambients that result from (i) dropping the open capability and (ii) providing new primitives for ambient communication while retaining the constructs in and out for mobility. The new model of communication is faithful to the principles of distribution and locationawareness of Mobile Ambients, and complements the constructs for Mobile Ambient mobility with finer-grained mechanisms for ambient interaction. 1

interpretation is a methodology for deriving program analyses systematically from the semantics of a programming language. Hansen, Jensen, Nielson, and Nielson [20] describe a constraint-based framework for abstract interpretation of mobile ambients; instances of the framework include an analysis counting occurrences of ambients, and also the original control ow analysis for the ambient calculus [29]. Levi and Maeis [24] and Feret [19] present abstract interpretations based on alternative semantics of the ambient calculus. Some analyses have been developed in the setting of Levi and Sangiorgi's calculus of safe ambients [25], a generalization of the original ambient calculus that gives processes greater control over synchronization, and hence avoids certain kinds of nondeterminism. In their paper, Levi and Sangiorgi propose a type system to guarantee immobility and single-threadedness. Security properties are considered by several authors. Bugliesi and Castagna [8] describe a type system for safe ambients that checks security properties, including security in a distributed setting. They rely on a notion of ambient domain that is similar to the notion of an ambient group, but have no counterpart to the group creation operator. Dezani-Ciancaglini and Salvo [18] present a type system for safe ambients where each ambient has a security level, akin to a group. Unlike our system, security levels are partially ordered, allowing the system to express trust relationships. Degano, Levi, and Bodei [17, 23] rene Nielson and Nielson's original ow analysis [29] for the calculus of safe ambients. The analysis allows the proof of simple secrecy properties; they formally distinguish between trustworthy and untrustworthy ambients, and show that no trustworthy ambient may be ope...

We present an ambient-like calculus in which the open capability is dropped, and a new form of "lightweight" process mobility is introduced. The calculus comes equipped with a type system that allows the kind of values exchanged in communications and the access and mobility properties of processes to be controlled. A type inference procedure determines the "minimal" requirements to accept a system or a component as well typed. This gives a kind of principal typing. As an expressiveness test, we show that some well known calculi of concurrency and mobility can be encoded in our calculus in a natural way.

Abstract. The paper gives an assessment of security for Mobile Ambients, with specific focus on mandatory access control (MAC) policies in multilevel security systems. The first part of the paper reports on different formalization attempts for MAC policies in the Ambient Calculus, and provides an in-depth analysis of the problems one encounters. As it turns out, MAC security does not appear to have fully convincing interpretations in the calculus. The second part proposes a solution to this impasse, based on a variant of Mobile Ambients. A type system for resource access control is defined, and the new calculus is discussed and illustrated with several examples of resource management policies. 1

The issue of this work is how to type mobility, in the sense that we tackle the problem of typing not only mobile agents but also their movement. This yields higher-order types for agents. To that end we first provide a new definition of the Seal Calculus that gets rid of existing inessential features while preserving the distinctive characteristics of the Seal model. Then we discuss the use of interfaces to type agents and define the type system. This type system induces a new interpretation of the types: interfaces describe interaction effects rather than, as it is customary, provided services. We discuss at length the difference of the two interpretations and justify our choice of the former.

We study the problem of secure information flow for Boxed Ambients in terms of noninterference. We develop a sound type system that provides static guarantees of absence of unwanted flow of information for well typed processes. Non-interference is stated, and proved, in terms of a typed notion of contextual equivalence for Boxed Ambients akin to the corresponding equivalence defined for Mobile Ambients.

The Seal Calculus is a process language for describing mobile computation. Threads and resources are tree structured; the nodes thereof correspond to agents, the units of mobility. The Calculus extends a �-calculus core with synchronous, objective mobility of agents over channels. This paper systematically compares all previous variants of Seal Calculus. We study their operational behaviour with labelled transition systems and bisimulations; by comparing the resulting algebraic theories we highlight the differences between these apparently similar approaches. This leads us to identify the dialect of Seal that is most amenable to operational reasoning and can form the basis of a distributed programming language. We propose type systems for characterising the communications in which an agent can engage. The type systems thus enforce a discipline of agent mobility, since the latter is coded in terms of higher-order communication.

. The Ambient Calculus and the Safe Ambient Calculus have been recently successfully proposed as models for the Web. They are based on the notions of ambient movement and ambient opening. Different type disciplines have been devised for them in order to avoid unwanted behaviours of processes. In the present paper we propose a type discipline for safe mobile ambients which is essentially motivated by ensuring security properties. We associate security levels to ambients and we require that an ambient at security level s can only be traversed or opened by ambients at security level at least s. Since the movement and opening rights can be unrelated, we consider two partial orders between security levels. We also discuss some meaningful examples of use of our type discipline. 1 Introduction The Ambient Calculus [4] has been recently successfully proposed as a model for the Web. An ambient is a named location: it may contain processes and sub-ambients. A process may: -- communicate in an ...