We consider the problem of assembling concurrent software systems from untrusted or partially trusted off-the-shelf components, using wrapper programs to encapsulate components and enforce security policies. In previous work we introduced the box-pi process calculus with constrained interaction to express wrappers and discussed the rigorous formulation of their security properties. This paper addresses the verification of wrapper information flow properties. We present a novel causal type system that statically captures the allowed flows between wrapped possibly-badly-typed components; we use it to prove that an example unidirectional-flow wrapper enforces a causal flow property.

This paper investigates presheaf models for process calculi with value passing. Denotational semantics in presheaf models are shown to correspond to operational semantics in that bisimulation obtained from open maps is proved to coincide with bisimulation as defined traditionally from the operational semantics. Both "early" and "late" semantics are considered, though the more interesting "late" semantics is emphasised. A presheaf model and denotational semantics is proposed for a language allowing process passing, though there remains the problem of relating the notion of bisimulation obtained from open maps to a more traditional definition from the operational semantics.

Software systems are becoming heterogeneous: instead of a small number of large programs from well-established sources, a user's desktop may now consist of many smaller components that interact in intricate ways. Some components will be downloaded from the network from sources that are only partially trusted. A user would like to know that a number of security properties hold, e.g. that personal data is not leaked to the net, but it is typically infeasible to verify that such components are well-behaved. Instead, they must be executed in a secure environment, or wrapper, that provides fine-grain control of the allowable interactions between them, and between components and other system resources. In this paper we study such wrappers, focusing on how they can be expressed in a way that enables their security properties to be stated and proved rigorously. We introduce a model programming language, the box-pi calculus, that supports composition of software components and the enforcement of security policies. Several example wrappers are expressed using the calculus; we explore the delicate security properties they guarantee.

This document consists of a slightly revised and corrected version of a dissertation

We extend labelled transition systems to distributed transition systems by labelling the transition relation with a finite set of actions, representing the fact that the actions occur as a concurrent step. We design an action-based temporal logic in which one can explicitly talk about steps. The logic is studied to establish a variety of positive and negative results in terms of axiomatizability and decidability. Our positive results show that the step notion is amenable to logical treatment via standard techniques. They also help us to obtain a logical characterization of two well known models for distributed systems: labelled elementary net systems and labelled prime event structures. Our negative results show that demanding deterministic structures when dealing with a "noninterleaved " notion of transitions is, from a logical standpoint, very expressive. They also show that another well known model of distributed systems called asynchronous transition systems exhibits a surprising a...

. Fully concurrent models of distributed object systems are specified using linear temporal logic that does not per se cope with concurrency. This is achieved by employing the principle of local sequentiality: we specify from local viewpoints assuming that there is no intraobject concurrency but full inter-object concurrency. Local formulae are labelled by identity terms. For interaction, objects may refer to actions of other objects, e.g., calling them to happen synchronously. A locality predicate allows for making local statements about other objects. The interpretation structures are global webs of local life cycles, glued together at shared communication events. These interpretation structures are embedded in an interpretation frame that is a labelled locally sequential event structure. Two initiality results are presented: the category of labelled locally sequential event structures has initial elements, and so has the full subcategory of those satisfying given temporal axioms. As...

Abstract not found

. There has been considerable controversy in concurrency theory between the `interleaving' and `true concurrency' schools. The former school advocates associating a transition system with a process which captures concurrent execution via the interleaving of occurrences; the latter adopts more complex semantic structures to avoid reducing concurrency to interleaving. In this paper we show that the two approaches are not irreconcilable. We define a timed process algebra where occurrences are associated with intervals of time, and give it a transition system semantics. This semantics has many of the advantages of the interleaving approach; the algebra admits an expansion theorem, and bisimulation semantics can be used as usual. Our transition systems, however, incorporate timing information, and this enables us to express concurrency: merely adding timing appropriately generalises transition systems to asynchronous transition systems, showing that time gives a link between true concurrenc...

. Models for concurrency can be classified with respect to three relevant parameters: behaviour/system, interleaving/noninterleaving, linear/branching time. When modelling a process, a choice concerning such parameters corresponds to choosing the level of abstraction of the resulting semantics. The classifications are formalized through the medium of category theory. Keywords. Semantics, Concurrency, Models for Concurrency, Categories. Contents 1 Preliminaries 431 2 Deterministic Transition Systems 433 3 Noninterleaving vs. Interleaving Models 436 Synchronization Trees and Labelled Event Structures : : : : : : : : : : : : : : 438 Transition Systems with Independence : : : : : : : : : : : : : : : : : : : : : : 439 4 Behavioural, Linear Time, Noninterleaving Models 441 Semilanguages and Event Structures : : : : : : : : : : : : : : : : : : : : : : : 443 Trace Languages and Event Structures : : : : : : : : : : : : : : : : : : : : : : 446 5 Transition Systems with Independence and Lab...

Marcelo Fiore , Glynn Winskel (1) BRICS , University of Aarhus, Denmark (2) LFCS, University of Edinburgh, Scotland December 1997 Abstract We develop a 2-categorical theory for recursively defined domains.