Channel Dependent Types for Higher-Order Mobile Processes (Extended Abstract)
In POPL'04, 2004
Cited by 15 (5 self)
Nobuko Yoshida (Imperial College London). Abstract: We introduce a new expressive theory of types for the higher-order π-calculus and demonstrate its applicability via non-trivial security analyses of a simple class-based language with distributed code mobility. The new theory significantly improves our previous one presented in [52] by the use of channel dependent/existential types. New dependent types control dynamic change of process accessibility via channel passing, while existential types guarantee safe scope-extrusion in higher-order process passing. This solves an open issue in [52], leading to a significant enlargement of the original typability. Two basic security concerns for mobile computation, secrecy for data confidentiality and access controls for authorised resources, are analysed in a uniform type-based static framework, culminating in the noninterference theorem and authority-error freedom in the presence of higher-order code mobility. The generality and expressiveness of the new type discipline are tested with a sound embedding of a multi-threaded class-based language with dynamic code/class distribution, enforcing secrecy and accessibility.
Specifying and Implementing Secure Mobile Applications in the Channel Ambient System
2005
Cited by 1 (0 self)
The Internet has grown substantially in recent years, and an increasing number of applications are now being developed to exploit this distributed infrastructure. Mobility is an important paradigm for such applications, where mobile code is supplied on demand and mobile components interact freely within a given network. However, mobile applications are difficult to develop: not only do they involve complex parallel interactions between multiple components, but they must also satisfy strict security requirements. One could argue that the development of such applications requires a rigorous means of describing and reasoning about mobile computation, through the use of an appropriate model. Foundational research by Cardelli and Gordon on the Ambient Calculus has shown that process calculi are a promising approach to modelling mobile computation. This thesis builds on more recent research in the field of process calculi, and presents a new model of computation known as the Channel Ambient calculus, which can be used both to specify mobile applications and to reason about their security properties. The primitives of the model were developed with real-world applications in mind, and are designed to be at a level of abstraction suitable for an application programmer. The thesis also bridges a gap between theory and implementation by defining a distributed abstract machine for the Channel Ambient calculus. The abstract machine uses a list semantics, which is close to an implementation language, and a blocking semantics, which leads to an efficient implementation. The machine is proved sound and complete with respect to the underlying calculus. A prototype implementation is also described, together with an application for tracking the location of migrating ambients. The correctness of the machine ensures that the work done in specifying and analysing mobile applications is not lost during their implementation.

