Results 1 - 10 of 13
Algorithmic Game Semantics
In Schichtenberg and Steinbruggen [16], 2001
Cited by 44 (3 self)
Samson Abramsky (samson@comlab.ox.ac.uk), Oxford University Computing Laboratory. 1. Introduction. Game Semantics has emerged as a powerful paradigm for giving semantics to a variety of programming languages and logical systems. It has been used to construct the first syntax-independent fully abstract models for a spectrum of programming languages ranging from purely functional languages to languages with non-functional features such as control operators and locally-scoped references [4, 21, 5, 19, 2, 22, 17, 11]. A substantial survey of the state of the art of Game Semantics circa 1997 was given in a previous Marktoberdorf volume [6]. Our aim in this tutorial presentation is to give a first indication of how Game Semantics can be developed in a new, algorithmic direction, with a view to applications in computer-assisted verification and program analysis. Some promising steps have already been taken in this
Logical Relations for Monadic Types
2002
Cited by 17 (7 self)
Logical relations and their generalizations are a fundamental tool in proving properties of lambda-calculi, e.g., yielding sound principles for observational equivalence. We propose a natural notion of logical relations able to deal with the monadic types of Moggi's computational lambda-calculus. The treatment is categorical, and is based on notions of subsconing and distributivity laws for monads. Our approach has a number of interesting applications, including cases for lambda-calculi with non-determinism (where being in logical relation means being bisimilar), dynamic name creation, and probabilistic systems.
Data Independent Induction over structured networks
In International Conference on Parallel and Distributed Processing Techniques and Applications, Las Vegas, 2000
Cited by 15 (3 self)
We extend the classes of network which Data Independent Induction can be used to reason about. Through the use of constants and predicates in the data independent type we build proofs of structured networks' behaviours, where a network's topology need not be as regular as one might expect data independence to imply. These properties hold true independent of the size of the type, and so for arbitrary network size. The inductions combine the use of the process algebra CSP to model systems and their specifications, and the FDR tool to discharge the various proof obligations.
On Model Checking Data-independent Systems with Arrays without Reset
Theory and Practice of Logic Programming, 2004
Cited by 13 (5 self)
A system is data-independent with respect to a data type X iff the only operation it can perform on values of type X is equality testing. The system may also store, input and output values of type X. We study model checking of systems which are data-independent with respect to two distinct type variables X and Y, and may in addition use arrays with indices from X and values from Y. The main problem of interest is the following parameterised model-checking problem: whether a given program satisfies a given temporal-logic formula for all non-empty finite instances of X and Y. Initially, we consider instead the abstraction where X and Y are infinite and where partial functions with finite domains are used to model arrays. Using a translation to data-independent systems without arrays, we show that the mu-calculus model-checking problem is decidable for these systems. From this result, we can deduce properties of all systems with finite instances of X and Y. We show that there is a procedure for the above parameterised model-checking problem of the universal fragment of the mu-calculus, such that it always terminates but may give false negatives. We also deduce that there is a procedure for the parameterised model-checking problem of the universal disjunction-free fragment of the mu-calculus. Practical motivations for model checking data-independent systems with arrays include verification of fault-tolerant cache systems, where X is the type of memory addresses, and Y the type of storable values. As an example we verify a fault-tolerant memory interface over a set of unreliable memories.
Automating Data Independence
In Computer Security - ESORICS 2000, volume 1895 of LNCS, 2000
Cited by 13 (6 self)
In this paper, we generalise and fully automate the use of data independence techniques in the analysis of security protocols, developed in [16, 17]. In [17], we successfully applied these techniques to a series of case studies; however, our scripts were carefully crafted by hand to suit each case study, a rather time-consuming and error-prone task. We have fully automated the data independence techniques by incorporating them into Casper, thus abstracting away from the user the complexity of the techniques, making them much more accessible.
What Can You Decide About Resetable Arrays?
Department of Electronics and Computer Science, University of Southampton, 2001
Cited by 2 (1 self)
We investigate the decidability of reachability specifications in programs data-independent in two types X and Y , and which can contain arrays X Y . We show that this type of specification is undecidable in general for programs that may contain a Reset operation for setting all members of an array to a member of Y . However, if either X or Y is of fixed finite size (and not necessarily data independent) then we can obtain decidability results. The main
Formal Verification for Survivable Key Management Systems
Workshop -- ISW-2000, October 24-26, 2000. Available through http://www.cert.org/research/isw/isw2000/index.html
Cited by 1 (0 self)
Introduction. Key management systems are central to secure information systems. Changing paradigms in technology and the increasing dependency on technology, by all aspects of society, will mean that key management systems will be more important than ever. In particular, future key management systems must be: 1. highly dependable, capable of surviving a range of attacks; 2. scalable, to very large numbers of nodes and very, very large numbers of keys; 3. dynamic, providing services across networks of variable connectivity, and changing sets of principals. Studies conducted by DERA have also identified that future key management systems should also: 4. merge key management functions onto backbone networks, rather than having separate, dedicated key management networks; 5. utilise the civil communications infrastructure, for key distribution, where necessary. Together, the five requirements above raise very significant questions for high integrity design, implementation and accreditation
State of the Art Survey
Machine) formalism has been used for describing the structure and abstract behaviour of a specific architecture (i.e., the one of a compiler) in [Inverardi & Wolf 1995]. The Z language has been used to characterise architectural styles and has later led to define a framework for such characterisations so as to enable comparing styles sharing a common semantic model [Abowd et al. 1995]. Logic has been used in [Moriconi et al. 1995] for supporting correct stepwise refinement of configurations. Graph grammars are exploited in [Le Metayer 1996] for enabling constrained architecture evolution. The advantages of introducing ADLs over the above works are obvious with respect to leveraging the elaboration of software architectures. An overview of existing ADLs is provided hereafter, and is followed by a discussion about the relation of such notations with the UML standard software modelling language that is becoming a major player in industry. We conclude this section by sketching some ongoing...
On a Semantic Definition of Data Independence
2002
A variety of results which enable model checking of important classes of infinite-state systems are based on exploiting the property of data independence. The literature contains a number of definitions of variants of data independence which are by syntactic restrictions in particular formalisms. More recently, data independence was defined for labelled transition systems using logical relations, enabling results about data independent systems to be proved without reference to a particular syntax. In this paper, we show that the semantic definition is sufficiently strong for this purpose. More precisely, it was known that any syntactically data independent symbolic LTS denotes a semantically data independent family of LTSs, but here we show that the converse also holds.
DIET: Developing Implementation and Extending Theory
this report. Key advances 1 and 2 were not part of the original workplan, but are crucial to the solid foundation of the symbolic framework. The introduction of Dr Maharaj to the project made key advance 2 possible