## Theories for Ubiquitous Processes and Data: Platform for 15-year (2002)

Venue: Grand Challenge.” Workshop on Grand Challenges for Computing Research

Citations: 1 - 0 self

### BibTeX

@INPROCEEDINGS{Milner02theoriesfor,
    author = {Robin Milner},
    title = {Theories for Ubiquitous Processes and Data: Platform for 15-year},
    booktitle = {Grand Challenge.” Workshop on Grand Challenges for Computing Research},
    year = {2002}
}

### Abstract

Overview This paper is written as background for a proposed Grand

### Citations

2146 | A theory of timed automata
- Alur, Dill
- 1994
Citation Context ...r time when control resides in a given state). A classification of models of hybrid automata along with their theory is introduced in [95, 96]. A subclass of hybrid automata called the timed automata [13], which admits real-valued clocks that increase at the same rate as time as the only continuous variables, has been applied successfully to model and verify real-time systems. Hybrid and timed automat...

1205 | A logic of authentication
- Burrows, Abadi, et al.
- 1990
Citation Context ...Vault [69] from Microsoft Research and Cyclone [112] from AT&T Research and Cornell are examples. 2.3 Security protocols The BAN logic for cryptographic security protocols has been hugely influential [34]; it is one of the most cited articles in computer science. BAN was not the first formalism for security protocols, guarantees very little, and indeed never had a completely satisfactory semantics. No...

1123 | On the security of public key protocols
- Dolev, Yao
- 1983
Citation Context ...ery little, and indeed never had a completely satisfactory semantics. Nonetheless, the paper stimulated a wide range of theoreticians to consider a formal problem properly credited to Dolev and Yao [70]: given that the opponent can monitor and replay network traffic, can encrypt and decrypt messages if it knows the key material, but cannot simply guess unknown keys, can compliant principals still en...

881 | Decentralized Trust Management
- Blaze, Feigenbaum, et al.
- 1996
Citation Context ...rol systems. They define languages to express policies of authorisation to access resources, together with evaluation engines to grant or deny requests accordingly. Typical instances are described in [29, 55]. Most of the formal models in the literature are based on logics, as e.g. [163, 35], which can express notions such as ‘belief’ and ‘authority’ and can, therefore, be used to formulate trust policie...

846 | Mobile ambients
- Cardelli, Gordon
- 1998
Citation Context ...ties, those introduced (somewhat like types) to assist the understanding of processes, and concrete localities that can model their actual movement. Mobile ambients, introduced by Cardelli and Gordon [41], are an important step forward in the latter respect; they model movement between regions (which may be physical or administrative), complementing the mobile connectivity modelled by the π-calculus...

845 | Design and synthesis of synchronization skeletons using branching-time temporal logic
- Clarke, Emerson
- 1982
Citation Context ... tools emerged to analyse the behaviour of concurrent systems. A rich tool-kit grew up for Petri nets, exploiting their topographical nature. An essential development was the arrival of model checking [53]; it permits a fully automated analysis of whether a finite state system satisfies a certain property expressed (say) in temporal logic. 1.4 Space and mobility All computational models are concerned b...

819 | A calculus for cryptographic protocols the spi calculus
- Abadi, Gordon
- 1999
Citation Context ...niques such as model-checking [129] could find defects automatically, but could not guarantee the absence of Dolev-Yao attacks; symbolic techniques such as theorem proving [149] or bisimulation proofs [1] could show the absence of such attacks, but were rather labour intensive. The race was on to eliminate this trade-off and by now we may say that the original Dolev-Yao problem is largely understood; ...

762 | Symbolic Model Checking without BDDs
- Biere, Cimatti, et al.
- 1999
Citation Context ... particularly in the context of circuit design. More recently, SAT solvers, their underpinning software technology having substantially advanced recently, were also employed in bounded model checking [26], a verification method applicable up to a fixed execution depth, in some cases resulting in real-time improvement over symbolic model checking. Unfortunately, these heuristic methods can be unpredict...

667 | Model checking and abstraction
- Clarke, Grumberg, et al.
- 1994
Citation Context ...counted for much progress in the last decade, and which we anticipate to yield further advances, are abstraction, compositional reasoning techniques and automated proof support. Predicate abstraction [52] identifies all states that satisfy the same set of predicates, thus reducing the size of the model (which can be infinite) to a finite quotient. The success or failure of model checking on the abstra...

658 | Counterexample-guided abstraction refinement
- Clarke, Grumberg, et al.
- 2000
Citation Context ...e success or failure of model checking on the abstract model determines the corresponding property on the concrete system, with possible further abstraction/refinement steps guided by counterexamples [51]. Several data type reduction techniques exist, including symmetry reduction [110] and data independence [123]. Unfortunately, such methods are rarely fully automatic, often requiring much insight int...

653 | The algorithmic analysis of hybrid systems
- Alur, Courcoubetis, et al.
- 1994
Citation Context ...ity problem for timed automata equipped with one clock which can be stopped in some states and restarted in others is, in general, undecidable), although some decidability results have been developed [12, 94, 118]. Typically, model checking tools for timed automata, such as UPPAAL and KRONOS, implement decidable algorithms, whereas semi-decidable model checking algorithms are implemented in model checkers o...

639 | Symbolic Model Checking: 10^20 states and beyond
- Burch, Clarke, et al.
- 1992
Citation Context ...ct to the number of concurrent components 3 . Symbolic model checking, a heuristic approach based on Binary-Decision Diagrams (BDDs) introduced by Bryant and adapted to temporal logic verification in [33], contributed much to the success of model checking in practice. Symbolic model checking uses BDDs as a compact data structure to represent the state-transition graph that performs well if regularity ...

603 | Assigning meanings to programs
- Floyd
- 1967
Citation Context ... later, there was increasing concern to model programs not only abstractly, but in terms of what laws they obey while running. This took more at least two forms, both based upon logic; program logics [74, 102] with greater emphasis on analysing how particular programs behave, and operational semantics [157, 113, 142] with greater emphasis on defining the meaning of a whole language as a guide to implemente...

574 | Data on the Web: From Relations to Semistructured Data and XML
- Abiteboul, Buneman, et al.
- 2000
Citation Context ...e had to revisit all the work that has been developed for databases – the query languages, type systems, the storage and optimisation techniques – and rework them for this form of semistructured data [4]; still more research is required to provide languages with the elegance of those associated with the relational model. Programming languages for native XML processing are currently being developed, w...

386 | Hybrid Automata: An Algorithmic Approach to the Specification and Verification of Hybrid Systems
- Alur, Courcoubetis, et al.
- 1993
Citation Context ...or hybrid systems typically take the form of a finite-state automaton (representing the discrete component) equipped with a finite set of real-valued variables (representing the continuous component) [15]. The underlying model is therefore a state transition system; this differs from control theory which is based on continuous dynamical systems where state variables evolve according to differential eq...

373 | Prudent engineering practice for cryptographic protocols
- Abadi, Needham
- 1996
Citation Context ...of the art In parallel with the trend towards ubiquity, informal principles of security engineering are emerging from more than thirty years of experience and are being codified in books and articles [2, 16, 173]. To risk oversimplification, security engineering should be based on analysing the threats—physical, human, legal, and technological—faced by a system, weighing up the costs of prevention, detectio...

371 | Enforcing high-level protocols in low-level software
- DeLine, Fahndrich
- 2001
Citation Context ...ch as buffer overruns) in ANSI C programs. The alternative response is to design safe languages that are so close to C that large existing codebases may be ported with only minor modifications. Vault [69] from Microsoft Research and Cyclone [112] from AT&T Research and Cornell are examples. 2.3 Security protocols The BAN logic for cryptographic security protocols has been hugely influential [34]; it i...

342 | Reconciling two views of cryptography (the computational soundness of formal encryption)
- Abadi, Rogaway
- 2002
Citation Context ...urther connections between the formal logics applied to the Dolev-Yao problem, and the probability- and complexity-theoretic techniques emerging from the cryptography community could usefully be made [3]. 2.4 Mobile code and mobile agents In the mid-90s, there was a lot of theoretical research on mobile code and mobile computation [43, 92, 192], inspired in part by the excitement around Java applets....

340 | The Calculi of Lambda-Conversion
- Church
- 1941
Citation Context ...0s, Automata theory, originating as a model of brain activity [134], together with a formal language hierarchy, has helped understand the syntax of programming. In the same decade the lambda calculus [49], dating from the 1940s, fed into McCarthy’s LISP [133], and later predicate calculus fed into logic programming [116]; these are two rare instances of a programming language founded closely on a logi...

333 | A relational model for large shared data banks
- Codd
- 1970
Citation Context ...he tensions between, on the one hand, science seeking tractable concepts, and on the other hand engineering practice in response to application demands. Turning to data, the relational database model [56] in the 1960s led to an upsurge in ways to organise and manipulate large masses of data, and also to a tradition of special programming languages to access such databases [32]. The mutual enrichment o...

292 | Reactive modules
- Alur, Henzinger
- 1999
Citation Context ...for manual verification, assume-guarantee was adapted to model checking in [14] (tool MOCHA) and [136] (tool Cadence SMV) and its effectiveness demonstrated on large examples. Hierarchical verification combined with refinement checking can improve scalability further. There has ... [Footnote 3: For example, a systems composed of 100 concurrent components each having at most 10 states can have up to 10^100 states]

273 | A calculus of mobile agents
- Fournet, Gonthier, et al.
- 1996
Citation Context ...nous exchanges and nondeterministic composition, and contributed to a shift of focus towards asynchronous calculi [75, 93]. JoCaml [58] is a distributed implementation of the distributed join-calculus [76]; only purely local synchronisation mechanisms are present in such calculus, and this very limitation of synchronisation primitives stresses the distinction between ‘local’ and ‘remote.’ Implementing ...

249 | A survey of authentication protocol literature: Version 1.0. http://www.cs.york.ac.uk/ jac/papers/drareview.ps.gz
- Clark, Jacob
- 1997
Citation Context ..., there is a range of tools [27, 57, 180] that with little or no human intervention can either verify or detect defects in suites of abstract protocol descriptions, such as the Clark-Jacob collection [50]. Still, in spite of this substantial progress, significant research questions remain. Properties such as privacy protection and resistance to denial-of-service attacks have risen in prominence, and n...

236 | Algebra of communicating processes with abstraction
- Bergstra, Klop
- 1985
Citation Context ...clear that computer science would contribute modelling concepts across a broad spectrum of human and mechanical activity. In the late 1970s came compositional process calculi such as CSP, CCS and ACP [104, 139, 23], with semantic models originally inspired by the sequential models already discussed. Around the same time came new logics, such as temporal logic [158], specifically concerned with interactive behav...

228 | Model checking of probabilistic and nondeterministic systems
- Bianco, Alfaro
- 1995
Citation Context ...iven specification. The model checking procedure combines traversal of the underlying transition graph with numerical solutions of linear optimisation problems (for Markov decision process models) [25, 21] and linear equation systems and linear differential equation systems (for DTMC/CTMC models) [88, 18, 20]. Model checking of non-probabilistic systems has developed very quickly from first algorithms ...

206 | Typed memory management in a calculus of capabilities
- Crary, Walker, et al.
- 1999
Citation Context ...to control resource usage, and [196, 164, 91] where behavioural and dynamic types account for policies varying over time. Space control has recently been the focus of important research. Crary et al. [60] use a typed intermediate language to control safe deallocation of memory regions. Hofmann [105] introduces a notion of resource type, which can be thought of as an abstract unit of space, and uses a ...

202 | Full abstraction for PCF
- Abramsky, Jagadeesan, et al.
- 2000
Citation Context ... type theories, logics, λ-calculi and high-level programming languages, in a way in which process calculi do not (despite the efforts of the present author and others). 5.1 Achievements Game semantics [9, 107] has achieved striking successes in giving precise models for a wide range of logics, type theories, and λ-calculus based programming languages. In particular, it has proved possible to capture exactl...

189 | KeyNote: Trust management for public-key infrastructures (position paper)
- Blaze, Feigenbaum, et al.
- 1550
Citation Context ... models for trust, trust engines, provide essentially authentication services based on trusted key servers, protocols and system for public-key infrastructures. Among these, PolicyMaker [29], KeyNote [28], Referee [48]. 3.2 Expected advances over the next three years. Transient resource usage, whereby migrating programs access resources owned by others, lies at the very heart of UC. In a near future s...

171 | The complexity of probabilistic verification
- Courcoubetis, Yannakakis
- 1995
Citation Context ...tomatically verify models against specifications. Probabilistic model checking is an extension of model checking techniques to probabilistic systems, first introduced in [90] and further developed in [190, 59]. As in conventional model checking, a model of the probabilistic system, usually in the form of a discrete or continuous time Markov chain (DTMC/CTMC) or a Markov decision process (MDP), is built and...

162 | Types for mobile ambients
- Cardelli, Gordon
- 1999
Citation Context ...culi has developed static analysis to control diverse behavioural properties. These include type systems that trace agent behaviour to gain control over ambient mobility, access and boundary crossing [40, 39, 137]. Properties of boundaries and their control have recently been formalised via spatial logics, such as the ambient logic [42], whose connectives and modalities speak of processes’ spatial structure as...

139 | Security Engineering
- Anderson
- 2001
Citation Context ...of the art In parallel with the trend towards ubiquity, informal principles of security engineering are emerging from more than thirty years of experience and are being codified in books and articles [2, 16, 173]. To risk oversimplification, security engineering should be based on analysing the threats—physical, human, legal, and technological—faced by a system, weighing up the costs of prevention, detectio...

137 | Approximate symbolic model checking of continuous-time Markov chains
- Baier, Katoen, et al.
- 1999
Citation Context ...h with numerical solutions of linear optimisation problems (for Markov decision process models) [25, 21] and linear equation systems and linear differential equation systems (for DTMC/CTMC models) [88, 18, 20]. Model checking of non-probabilistic systems has developed very quickly from first algorithms into implementations of industrially relevant software tools. In contrast, model checking of probabilisti...

126 | Model checking for a probabilistic branching time logic with fairness
- Baier, Kwiatkowska
- 1998
Citation Context ...iven specification. The model checking procedure combines traversal of the underlying transition graph with numerical solutions of linear optimisation problems (for Markov decision process models) [25, 21] and linear equation systems and linear differential equation systems (for DTMC/CTMC models) [88, 18, 20]. Model checking of non-probabilistic systems has developed very quickly from first algorithms ...

122 | A fully abstract game semantics for general references
- Abramsky, Honda, et al.
- 1998
Citation Context ... possible to capture exactly which interactive processes are definable using certain computational features, such as: purely (sequential) functional means [10, 106], local state [11], reference types [8], control operators, exceptions, nondeterminism [89, 131], probabilities [63], . . . and various combinations of these, in terms of which structural constraints are imposed on strategies. Thus for exa...

122 | REFEREE: Trust Management for Web Applications
- Chu, Feigenbaum, et al.
- 1997
Citation Context ...ust, trust engines, provide essentially authentication services based on trusted key servers, protocols and system for public-key infrastructures. Among these, PolicyMaker [29], KeyNote [28], Referee [48]. 3.2 Expected advances over the next three years. Transient resource usage, whereby migrating programs access resources owned by others, lies at the very heart of UC. In a near future scenario, devic...

121 | Streaming queries over streaming data
- Chandrasekharan, Franklin
- 2002
Citation Context ...p. In practice, it has wide-reaching consequences since data is now mobile: for example, data can move to static queries filtering information of interest, as found in recent work on XML data streams [46, 84]. Developing the analysis techniques, languages and tools for XML is by no means straightforward. We have had to revisit all the work that has been developed for databases – the query languages, type ...

120 | Resource bound certification
- Crary, Weirich
- 2000
Citation Context ...gions. Hofmann [105] introduces a notion of resource type, which can be thought of as an abstract unit of space, and uses a linear type system to guarantee linear space consumption. Crary and Weirich [61] guarantee quantitative bounds on time usage using a dependently typed assembly language; [109] puts forward the first general formulation of resource usage analysis. Concerning ambient-based calculi,...

107 | The reflexive CHAM and the join-calculus
- Fournet, Gonthier
- 1996
Citation Context ...es of the π-calculus, underlined the implementation difficulties involved with synchronous exchanges and nondeterministic composition, and contributed to a shift of focus towards asynchronous calculi [75, 93]. JoCaml [58] is a distributed implementation of the distributed join-calculus [76]; only purely local synchronisation mechanisms are present in such calculus, and this very limitation of synchronisati...

102 | A tutorial on EMPA: a theory of concurrent processes with nondeterminism, priorities, probabilities and time
- Bernardo, Gorrieri
- 1998
Citation Context ... studied by a number of authors, including discrete probabilistic extensions of CCS [189, 87] and CSP [128, 143, 176], as well as those with exponential distributions (PEPA [101], TIPP [165] and EMPA [24]). These have been generalised further with non-determinism [99] and general distributions [65, 30]. Model checking is a state-space exploration method that can be used to automatically verify models ...

90 | It usually works: The temporal logic of stochastic systems
- Aziz, Singhal, et al.
- 1995
Citation Context ...h with numerical solutions of linear optimisation problems (for Markov decision process models) [25, 21] and linear equation systems and linear differential equation systems (for DTMC/CTMC models) [88, 18, 20]. Model checking of non-probabilistic systems has developed very quickly from first algorithms into implementations of industrially relevant software tools. In contrast, model checking of probabilisti...

85 | Symbolic model checking for probabilistic processes
- Baier, Clarke, et al.
- 1997
Citation Context ...ds anonymity protocol, etc). As in the case of conventional model checking, state space explosion is a particular difficulty, and has been tackled through an adaptation of symbolic, BDD-based, methods [19, 100] and parallel, distributed, disk-based techniques [114, 68]. Compositionality in the form of assume-guarantee reasoning has proved particularly difficult [67] and is not yet satisfactorily resolved. T...

84 | SPKI certificate theory
- Ellison, Frantz, et al.
- 1999
Citation Context ...are their infrastructures, so for example that an employee A of company B can access a resource C belonging to another company D? Much basic theory has been developed over the last five or more years [120, 71, 168]. Still, little has been deployed, and the next step is implementation on top of technologies for e-science (Grid computing [186]), e-business (web services [108]), and the e-home (uPNP [72]). There i...

80 | BioKleisli: A digital library for biomedical researchers
- Davidson, Overton, et al.
- 1997
Citation Context ...data sources for new information. Some important scientific discoveries have been made by monitoring the “stream” of genetic sequence data. In addition to challenging conventional database technology [66], bioinformatics raises new issues that have largely been ignored by database research. One is provenance. Given that fragments of data are being copied between databases on an unprecedented scale,...

73 | Testing Timed Automata
- Springintveld, Vaandrager, et al.
Citation Context ...l and verify real-time systems. Hybrid and timed automata have also influenced the design of process calculi. Timed extensions of process calculi include those with timed transitions [172] and clocks [64]. A process calculus for hybrid systems (the Φ-calculus) is introduced in [170, 171]. The presence of real-valued variables in formalisms for hybrid systems means that the underlying semantic model of...

72 | Ambient groups and mobility types
- Cardelli, Ghelli, et al.
- 2000
Citation Context ...culi has developed static analysis to control diverse behavioural properties. These include type systems that trace agent behaviour to gain control over ambient mobility, access and boundary crossing [40, 39, 137]. Properties of boundaries and their control have recently been formalised via spatial logics, such as the ambient logic [42], whose connectives and modalities speak of processes’ spatial structure as...

69 | From secrecy to authenticity in security protocols
- Blanchet
- 2002
Citation Context ...ks, but were rather labour intensive. The race was on to eliminate this trade-off and by now we may say that the original Dolev-Yao problem is largely understood; certainly, there is a range of tools [27, 57, 180] that with little or no human intervention can either verify or detect defects in suites of abstract protocol descriptions, such as the Clark-Jacob collection [50]. Still, in spite of this substantial...

67 | Retracing some paths in process algebra, in
- Abramsky
- 1996
Citation Context ...ignficant approach in the semantics of both programming languages and logics. Beyond the study of specific languages, it is an emerging theory of interaction in general. As such, it stands comparison [5] with the theory of concurrent processes — which also forms one of the intellectual and technical ancestors of game semantics. Like process theory, game semantics allows the modelling of systems of in...

64 | Call-by-value games
- Abramsky, McCusker
- 1998
Citation Context ...mming languages. In particular, it has proved possible to capture exactly which interactive processes are definable using certain computational features, such as: purely (sequential) functional means [10, 106], local state [11], reference types [8], control operators, exceptions, nondeterminism [89, 131], probabilities [63], . . . and various combinations of these, in terms of which structural constraints ...

59 | Decidability of Model-Checking for Infinite-State Concurrent Systems
- Esparza
- 1997
Citation Context ...ove scalability further. There has been much progress made recently regarding verification of systems with unbounded structures, resulting in decidability and complexity results for push-down systems [73] and their implementation (tool MOPED). Unfortunately, verification of many infinite-state systems is only possible via automated proof support. A suitable combination of deductive verification based ...

58 | Performance Analysis of Communication Systems: Modeling with Non-Markovian Stochastic Petri Nets
- German
- 2000
Citation Context ...ring. The analysis involves building a probabilistic model of the system being considered, typically a continuous time Markov chain (CTMC), but often more general probability distributions are needed [79]. Such models can be derived from high-level descriptions in stochastic process calculi [101] or Petri nets [132]. The model serves as a basis for analytical, simulation-based or numerical calculation...