-
Program Analysis (an Appetizer)
Authors:
Flemming Nielson,
Hanne Riis Nielson
Abstract:
This book is an introduction to program analysis that is meant to be considerably more elementary than our advanced book Principles of Program Analysis (Springer, 2005). Rather than using flow charts as the model of programs, the book follows our introductory book Formal Methods an Appetizer (Springer, 2019) using program graphs as the model of programs. In our experience this makes the underlying…
▽ More
This book is an introduction to program analysis that is meant to be considerably more elementary than our advanced book Principles of Program Analysis (Springer, 2005). Rather than using flow charts as the model of programs, the book follows our introductory book Formal Methods an Appetizer (Springer, 2019) using program graphs as the model of programs. In our experience this makes the underlying ideas more accessible to our computer science and computer engineering students on the master course 02242: Program Analysis at The Technical University of Denmark. Here we have gradually replaced our use of the more elementary parts of Principles of Program Analysis with material from the current book.
△ Less
Submitted 18 December, 2020;
originally announced December 2020.
-
A Theory of Available-by-Design Communicating Systems
Authors:
Hugo A. López,
Flemming Nielson,
Hanne Riis Nielson
Abstract:
Choreographic programming is a programming-language design approach that drives error-safe protocol development in distributed systems. Starting from a global specification (choreography) one can generate distributed implementations. The advantages of this top-down approach lie in the correctness-by-design principle, where implementations (endpoints) generated from a choreography behave according…
▽ More
Choreographic programming is a programming-language design approach that drives error-safe protocol development in distributed systems. Starting from a global specification (choreography) one can generate distributed implementations. The advantages of this top-down approach lie in the correctness-by-design principle, where implementations (endpoints) generated from a choreography behave according to the strict control flow described in the choreography, and do not deadlock. Motivated by challenging scenarios in Cyber-Physical Systems (CPS), we study how choreographic programming can cater for dynamic infrastructures where not all endpoints are always available. We introduce the Global Quality Calculus ($GC_q$), a variant of choreographic programming for the description of communication systems where some of the components involved in a communication might fail. GCq features novel operators for multiparty, partial and collective communications. This paper studies the nature of failure-aware communication: First, we introduce $GC_q$ syntax, semantics and examples of its use. The interplay between failures and collective communications in a choreography can lead to choreographies that cannot progress due to absence of resources. In our second contribution, we provide a type system that ensures that choreographies can be realized despite changing availability conditions. A specification in $GC_q$ guides the implementation of distributed endpoints when paired with global (session) types. Our third contribution provides an endpoint-projection based methodology for the generation of failure-aware distributed processes. We show the correctness of the projection, and that well-typed choreographies with availability considerations enjoy progress.
△ Less
Submitted 17 November, 2016;
originally announced November 2016.
-
A Coordination Language for Databases
Authors:
Ximeng Li,
Xi Wu,
Alberto Lluch Lafuente,
Flemming Nielson,
Hanne Riis Nielson
Abstract:
We present a coordination language for the modeling of distributed database applications. The language, baptized Klaim-DB, borrows the concepts of localities and nets of the coordination language Klaim but re-incarnates the tuple spaces of Klaim as databases. It provides high-level abstractions and primitives for the access and manipulation of structured data, with integrity and atomicity consider…
▽ More
We present a coordination language for the modeling of distributed database applications. The language, baptized Klaim-DB, borrows the concepts of localities and nets of the coordination language Klaim but re-incarnates the tuple spaces of Klaim as databases. It provides high-level abstractions and primitives for the access and manipulation of structured data, with integrity and atomicity considerations. We present the formal semantics of Klaim-DB and develop a type system that avoids potential runtime errors such as certain evaluation errors and mismatches of data format in tables, which are monitored in the semantics. The use of the language is illustrated in a scenario where the sales from different branches of a chain of department stores are aggregated from their local databases. Raising the abstraction level and encapsulating integrity checks in the language primitives have benefited the modeling task considerably.
△ Less
Submitted 16 March, 2017; v1 submitted 7 October, 2016;
originally announced October 2016.
-
Discovering, quantifying, and displaying attacks
Authors:
Roberto Vigo,
Flemming Nielson,
Hanne Riis Nielson
Abstract:
In the design of software and cyber-physical systems, security is often perceived as a qualitative need, but can only be attained quantitatively. Especially when distributed components are involved, it is hard to predict and confront all possible attacks. A main challenge in the development of complex systems is therefore to discover attacks, quantify them to comprehend their likelihood, and commu…
▽ More
In the design of software and cyber-physical systems, security is often perceived as a qualitative need, but can only be attained quantitatively. Especially when distributed components are involved, it is hard to predict and confront all possible attacks. A main challenge in the development of complex systems is therefore to discover attacks, quantify them to comprehend their likelihood, and communicate them to non-experts for facilitating the decision process. To address this three-sided challenge we propose a protection analysis over the Quality Calculus that (i) computes all the sets of data required by an attacker to reach a given location in a system, (ii) determines the cheapest set of such attacks for a given notion of cost, and (iii) derives an attack tree that displays the attacks graphically. The protection analysis is first developed in a qualitative setting, and then extended to quantitative settings following an approach applicable to a great many contexts. The quantitative formulation is implemented as an optimisation problem encoded into Satisfiability Modulo Theories, allowing us to deal with complex cost structures. The usefulness of the framework is demonstrated on a national-scale authentication system, studied through a Java implementation of the framework.
△ Less
Submitted 19 October, 2016; v1 submitted 26 July, 2016;
originally announced July 2016.
-
A Framework for Hybrid Systems with Denial-of-Service Security Attack
Authors:
Shuling Wang,
Flemming Nielson,
Hanne Riis Nielson
Abstract:
Hybrid systems are integrations of discrete computation and continuous physical evolution. The physical components of such systems introduce safety requirements, the achievement of which asks for the correct monitoring and control from the discrete controllers. However, due to denial-of-service security attack, the expected information from the controllers is not received and as a consequence the…
▽ More
Hybrid systems are integrations of discrete computation and continuous physical evolution. The physical components of such systems introduce safety requirements, the achievement of which asks for the correct monitoring and control from the discrete controllers. However, due to denial-of-service security attack, the expected information from the controllers is not received and as a consequence the physical systems may fail to behave as expected. This paper proposes a formal framework for expressing denial-of-service security attack in hybrid systems. As a virtue, a physical system is able to plan for reasonable behavior in case the ideal control fails due to unreliable communication, in such a way that the safety of the system upon denial-of-service is still guaranteed. In the context of the modeling language, we develop an inference system for verifying safety of hybrid systems, without putting any assumptions on how the environments behave. Based on the inference system, we implement an interactive theorem prover and have applied it to check an example taken from train control system.
△ Less
Submitted 27 March, 2014; v1 submitted 24 March, 2014;
originally announced March 2014.
-
Pushdown Systems for Monotone Frameworks
Authors:
Michal Terepeta,
Hanne Riis Nielson,
Flemming Nielson
Abstract:
Monotone frameworks is one of the most successful frameworks for intraprocedural data flow analysis extending the traditional class of bitvector frameworks (like live variables and available expressions). Weighted pushdown systems is similarly one of the most general frameworks for interprocedural analysis of programs. However, it makes use of idempotent semirings to represent the sets of properti…
▽ More
Monotone frameworks is one of the most successful frameworks for intraprocedural data flow analysis extending the traditional class of bitvector frameworks (like live variables and available expressions). Weighted pushdown systems is similarly one of the most general frameworks for interprocedural analysis of programs. However, it makes use of idempotent semirings to represent the sets of properties and unfortunately they do not admit analyses whose transfer functions are not strict (e.g., classical bitvector frameworks). This motivates the development of algorithms for backward and forward reachability of pushdown systems using sets of properties forming so-called flow algebras that weaken some of the assumptions of idempotent semirings. In particular they do admit the bitvector frameworks, monotone frameworks, as well as idempotent semirings. We show that the algorithms are sound under mild assumptions on the flow algebras, mainly that the set of properties constitutes a join semi-lattice, and complete provided that the transfer functions are suitably distributive (but not necessarily strict).
△ Less
Submitted 17 July, 2013;
originally announced July 2013.
-
Design-Efficiency in Security
Authors:
Ender Yüksel,
Hanne Riis Nielson,
Flemming Nielson
Abstract:
In this document, we present our applied results on balancing security and performance using a running example, which is based on sensor networks. These results are forming a basis for a new approach to balance security and performance, and therefore provide design-efficiency of key updates.
We employ probabilistic model checking approach and present our modelling and analysis study using PRISM…
▽ More
In this document, we present our applied results on balancing security and performance using a running example, which is based on sensor networks. These results are forming a basis for a new approach to balance security and performance, and therefore provide design-efficiency of key updates.
We employ probabilistic model checking approach and present our modelling and analysis study using PRISM model checker.
△ Less
Submitted 5 February, 2013;
originally announced February 2013.
-
Lattice based Least Fixed Point Logic
Authors:
Piotr Filipiuk,
Flemming Nielson,
Hanne Riis Nielson
Abstract:
As software systems become more complex, there is an increasing need for new static analyses. Thanks to the declarative style, logic programming is an attractive formalism for specifying them. However, prior work on using logic programming for static analysis focused on analyses defined over some powerset domain, which is quite limiting. In this paper we present a logic that lifts this restriction…
▽ More
As software systems become more complex, there is an increasing need for new static analyses. Thanks to the declarative style, logic programming is an attractive formalism for specifying them. However, prior work on using logic programming for static analysis focused on analyses defined over some powerset domain, which is quite limiting. In this paper we present a logic that lifts this restriction, called Lattice based Least Fixed Point Logic (LLFP), that allows interpretations over any complete lattice satisfying Ascending Chain Condition. The main theoretical contribution is a Moore Family result that guarantees that there always is a unique least solution for a given problem. Another contribution is the development of solving algorithm that computes the least model of LLFP formulae guaranteed by the Moore Family result.
△ Less
Submitted 23 July, 2012;
originally announced July 2012.
-
XACML 3.0 in Answer Set Programming
Authors:
Carroline Dewi Puspa Kencana Ramli,
Hanne Riis Nielson,
Flemming Nielson
Abstract:
We present a systematic technique for transforming XACML 3.0 policies in Answer Set Programming (ASP). We show that the resulting logic program has a unique answer set that directly corresponds to our formalisation of the standard semantics of XACML 3.0 from Ramli et. al. We demonstrate how our results make it possible to use off-the-shelf ASP solvers to formally verify properties of access contro…
▽ More
We present a systematic technique for transforming XACML 3.0 policies in Answer Set Programming (ASP). We show that the resulting logic program has a unique answer set that directly corresponds to our formalisation of the standard semantics of XACML 3.0 from Ramli et. al. We demonstrate how our results make it possible to use off-the-shelf ASP solvers to formally verify properties of access control policies represented in XACML, such as checking the completeness of a set of access control policies and verifying policy properties.
△ Less
Submitted 18 February, 2013; v1 submitted 22 June, 2012;
originally announced June 2012.
-
Optimizing ZigBee Security using Stochastic Model Checking
Authors:
Ender Yüksel,
Hanne Riis Nielson,
Flemming Nielson,
Matthias Fruth,
Marta Kwiatkowska
Abstract:
ZigBee is a fairly new but promising wireless sensor network standard that offers the advantages of simple and low resource communication. Nevertheless, security is of great concern to ZigBee, and enhancements are prescribed in the latest ZigBee specication: ZigBee-2007. In this technical report, we identify an important gap in the specification on key updates, and present a methodology for determ…
▽ More
ZigBee is a fairly new but promising wireless sensor network standard that offers the advantages of simple and low resource communication. Nevertheless, security is of great concern to ZigBee, and enhancements are prescribed in the latest ZigBee specication: ZigBee-2007. In this technical report, we identify an important gap in the specification on key updates, and present a methodology for determining optimal key update policies and security parameters. We exploit the stochastic model checking approach using the probabilistic model checker PRISM, and assess the security needs for realistic application scenarios.
△ Less
Submitted 30 May, 2012;
originally announced May 2012.
-
Modelling Chinese Smart Grid: A Stochastic Model Checking Case Study
Authors:
Ender Yüksel,
Hanne Riis Nielson,
Flemming Nielson,
Huibiao Zhu,
Heqing Huang
Abstract:
Cyber-physical systems integrate information and communication technology functions to the physical elements of a system for monitoring and controlling purposes. The conversion of traditional power grid into a smart grid, a fundamental example of a cyber-physical system, raises a number of issues that require novel methods and applications. In this context, an important issue is the verification o…
▽ More
Cyber-physical systems integrate information and communication technology functions to the physical elements of a system for monitoring and controlling purposes. The conversion of traditional power grid into a smart grid, a fundamental example of a cyber-physical system, raises a number of issues that require novel methods and applications. In this context, an important issue is the verification of certain quantitative properties of the system. In this technical report, we consider a specific Chinese Smart Grid implementation and try to address the verification problem for certain quantitative properties including performance and battery consumption. We employ stochastic model checking approach and present our modelling and analysis study using PRISM model checker.
△ Less
Submitted 30 May, 2012;
originally announced May 2012.
-
Layered Fixed Point Logic
Authors:
Piotr Filipiuk,
Flemming Nielson,
Hanne Riis Nielson
Abstract:
We present a logic for the specification of static analysis problems that goes beyond the logics traditionally used. Its most prominent feature is the direct support for both inductive computations of behaviors as well as co-inductive specifications of properties. Two main theoretical contributions are a Moore Family result and a parametrized worst case time complexity result. We show that the log…
▽ More
We present a logic for the specification of static analysis problems that goes beyond the logics traditionally used. Its most prominent feature is the direct support for both inductive computations of behaviors as well as co-inductive specifications of properties. Two main theoretical contributions are a Moore Family result and a parametrized worst case time complexity result. We show that the logic and the associated solver can be used for rapid prototyping and illustrate a wide variety of applications within Static Analysis, Constraint Satisfaction Problems and Model Checking. In all cases the complexity result specializes to the worst case time complexity of the classical methods.
△ Less
Submitted 12 April, 2012;
originally announced April 2012.
-
Secondary use of data in EHR systems
Authors:
Fan Yang,
Chris Hankin,
Flemming Nielson,
Hanne Riis Nielson
Abstract:
We show how to use aspect-oriented programming to separate security and trust issues from the logical design of mobile, distributed systems. The main challenge is how to enforce various types of security policies, in particular predictive access control policies - policies based on the future behavior of a program. A novel feature of our approach is that advice is able to analyze the future use of…
▽ More
We show how to use aspect-oriented programming to separate security and trust issues from the logical design of mobile, distributed systems. The main challenge is how to enforce various types of security policies, in particular predictive access control policies - policies based on the future behavior of a program. A novel feature of our approach is that advice is able to analyze the future use of data. We consider a number of different security policies, concerning both primary and secondary use of data, some of which can only be enforced by analysis of process continuations.
△ Less
Submitted 20 January, 2012;
originally announced January 2012.
-
The Logic of XACML - Extended
Authors:
Carroline Dewi Puspa Kencana Ramli,
Hanne Riis Nielson,
Flemming Nielson
Abstract:
We study the international standard XACML 3.0 for describing security access control policy in a compositional way. Our main contribution is to derive a logic that precisely captures the idea behind the standard and to formally define the semantics of the policy combining algorithms of XACML. To guard against modelling artefacts we provide an alternative way of characterizing the policy combining…
▽ More
We study the international standard XACML 3.0 for describing security access control policy in a compositional way. Our main contribution is to derive a logic that precisely captures the idea behind the standard and to formally define the semantics of the policy combining algorithms of XACML. To guard against modelling artefacts we provide an alternative way of characterizing the policy combining algorithms and we formally prove the equivalence of these approaches. This allows us to pinpoint the shortcoming of previous approaches to formalization based either on Belnap logic or on D-algebra.
△ Less
Submitted 17 October, 2011;
originally announced October 2011.
