Proof Methodologies for Behavioural Equivalence in D (slide presentation)


SLIDE 1


Proof Methodologies for Behavioural Equivalence in D

Alberto Ciaffaglione (1), Matthew Hennessy (2), Julian Rathke (2)

(1) Dipartimento di Matematica e Informatica, Università di Udine (Italy)

(2) Department of Informatics, University of Sussex (United Kingdom)

Conference of the Types Project, University of Nottingham, United Kingdom, April 18-21, 2006

SLIDE 2

Ciaffaglione, Hennessy, Rathke Types 2006


Syntax of D [HR02]

Systems:

    M, N ::=  l⟦P⟧              Located process
           |  M | N             Composition
           |  (new e : E) M     Name scoping
           |  0                 Termination

Processes:

    R, U ::=  u!V R                        Output
           |  u?(X) R                      Input
           |  goto v.T                     Migration
           |  (newc c : C) R               Local channel creation
           |  (newloc k : K) R             Location creation
           |  if v1 = v2 then R else U     Matching
           |  R | U                        Parallelism
           |  ∗R                           Iteration
           |  stop                         Termination

Proof Methodologies for Behavioural Equivalence in D 2

SLIDE 3

Behaviour

A configuration consists of a pair I ⊲ M, where:

  • I is a type environment, associating some type to every free name in M
  • there is a type environment Γ such that Γ ⊢ M and Γ <: I

The behaviour is defined in terms of actions over configurations, I ⊲ M −µ→ I′ ⊲ M′, where µ ranges over:

  • τ: an internal action, requiring no participation by the user
  • (ẽ : Ẽ)k.a?V: the input of value V along the channel a, located at the site k; the bound names in (ẽ) are freshly generated by the user
  • (ẽ : Ẽ)k.a!V: analogous, for the output


SLIDE 4

Internal actions

(m-comm)
    I1 ⊲ M −(ẽ:Ẽ)k.a?V→ I1′ ⊲ M′      I2 ⊲ N −(ẽ:Ẽ)k.a!V→ I2′ ⊲ N′
    ─────────────────────────────────────────────────────────────
              I ⊲ M | N −τ→ I ⊲ (new ẽ : Ẽ)(M′ | N′)

(m-comm)
    I1 ⊲ M −(ẽ:Ẽ)k.a!V→ I1′ ⊲ M′      I2 ⊲ N −(ẽ:Ẽ)k.a?V→ I2′ ⊲ N′
    ─────────────────────────────────────────────────────────────
              I ⊲ M | N −τ→ I ⊲ (new ẽ : Ẽ)(M′ | N′)

(m-split)
    I ⊲ k⟦P | Q⟧ −τ→β I ⊲ k⟦P⟧ | k⟦Q⟧

(m-l.create)
    I ⊲ k⟦(newloc l : L) P⟧ −τ→β I ⊲ (new l : L) k⟦P⟧

(m-move)
    I ⊲ k⟦goto l.P⟧ −τ→β I ⊲ l⟦P⟧

(m-c.create)
    I ⊲ k⟦(newc c : C) P⟧ −τ→β I ⊲ (new c@k : C) k⟦P⟧

(m-unwind)
    I ⊲ k⟦∗P⟧ −τ→β I ⊲ k⟦∗P | P⟧


SLIDE 5

External actions

(m-in)
    Iw(k, a) ↓      I ⊢k V : Iw(k, a)
    ───────────────────────────────────────────────
    I ⊲ k⟦a?(X) R⟧ −k.a?V→ I ⊲ k⟦R{|V/X|}⟧

(m-out)
    Ir(k, a) ↓
    ───────────────────────────────────────────────
    I ⊲ k⟦a!V P⟧ −k.a!V→ I, V : Ir(k, a)@k ⊲ k⟦P⟧

(m-weak)
    I, e : E ⊲ M −(d̃:D̃)k.a?V→ I′ ⊲ M′
    ───────────────────────────────────────────────   side condition on bn(e) and I
    I ⊲ M −(e:E, d̃:D̃)k.a?V→ I′ ⊲ M′

(m-open)
    I, e : ⊤ ⊲ M −(d̃:D̃)k.a!V→ I′ ⊲ M′
    ───────────────────────────────────────────────
    I ⊲ (new e : E) M −(e:E, d̃:D̃)k.a!V→ I′ ⊲ M′

(m-ctxt)
    I ⊲ M −µ→ I′ ⊲ M′
    ───────────────────────────────────────────────   side condition on bn(µ) and fn(N)
    I ⊲ M | N −µ→ I′ ⊲ M′ | N        I ⊲ N | M −µ→ I′ ⊲ N | M′

(m-new)
    I, e : ⊤ ⊲ M −µ→ I′, e : ⊤ ⊲ M′
    ───────────────────────────────────────────────   side condition on bn(e) and µ
    I ⊲ (new e : E) M −µ→ I′ ⊲ (new e : E) M′


SLIDE 6

Bisimulation equivalence

A binary relation R over configurations is a bisimulation [HMR04] if both it and its inverse satisfy the following transfer property:

    whenever (I_M ⊲ M) R (I_N ⊲ N) and I_M ⊲ M −µ→ I_M′ ⊲ M′,
    there is a weak move I_N ⊲ N =µ̂⇒ I_N′ ⊲ N′ such that (I_M′ ⊲ M′) R (I_N′ ⊲ N′)

  • We denote by ≈bis the largest bisimulation between configurations, and write I |= M ≈bis N when (I ⊲ M) ≈bis (I ⊲ N)
  • This is a relation over systems, parameterised over type environments ⇒ tractable proof techniques can be developed for it


SLIDE 7

Proof techniques

Theorem 1 (Contextuality) [HMR04] Suppose I |= M ≈bis N. Then:

  • I ⊢ O implies I |= M | O ≈bis N | O
  • I, e : E |= M ≈bis N implies I |= (new e : E) M ≈bis (new e : E) N

Proposition 1 (Structural Equivalence) If M ≡ N, then M ≈bis N.

Proposition 2 (β-actions) Suppose I ⊲ M −τ→β* N. Then I |= M ≈bis N.

SLIDE 8

Proof techniques (cont’d)

A binary relation R between configurations is a bisimulation up-to-β if both it and its inverse satisfy the following transfer property:

    whenever (I_M ⊲ M) R (I_N ⊲ N) and I_M ⊲ M −µ→ I_M′ ⊲ M′,
    there is a weak move I_N ⊲ N =µ̂⇒ I_N′ ⊲ N′ such that
    (I_M′ ⊲ M′) (−τ→β* ∘ ≡) ∘ R ∘ ≈bis (I_N′ ⊲ N′)

  • Proposition 3 (Bisimulations up-to-β) If (I ⊲ M) R (I ⊲ N), where R is a bisimulation up-to-β, then I |= M ≈bis N.


SLIDE 9

Crossing a firewall

Firewall [CG98,CG99,LS00,MN03] as a domain to which access is restricted:

    F ⇐ (new f : F) f⟦P | ∗goto a.tell!f⟧

The existence of the firewall is made known only to a located agent:

    A ⇐ a⟦R | tell?(x) goto x.Q⟧

Then we prove the equivalence:

    I |= F | A ≈bis (new f : F)(f⟦P | ∗goto a.tell!f | Q⟧) | a⟦R⟧      (1)

relative to a restricted environment I such that:

  (i)   I ⊢max_a tell : rF   (the context may read on tell at a, at type F, but not write to it)
  (ii)  I ⊢ a⟦R⟧
  (iii) I ⊢ (new f : F) f⟦P⟧


SLIDE 10

Firewall: the formal proof

Since, up to structural equivalence,

    F | A −τ→β F | a⟦tell?(x) goto x.Q⟧ | a⟦R⟧

by Propositions 1 and 2 it is sufficient to prove:

    I |= F | a⟦tell?(x) goto x.Q⟧ | a⟦R⟧ ≈bis (new f : F)(f⟦P | ∗goto a.tell!f | Q⟧) | a⟦R⟧

By Contextuality and assumption (ii) we reduce to:

    I |= F | a⟦tell?(x) goto x.Q⟧ ≈bis (new f : F)(f⟦P | ∗goto a.tell!f | Q⟧)

Then, by structural equivalence and again Contextuality, to:

    I_f |= f⟦P | ∗goto a.tell!f⟧ | a⟦tell?(x) goto x.Q⟧ ≈bis f⟦P | ∗goto a.tell!f | Q⟧

where I_f is a shorthand for I, f : F.


SLIDE 11

Firewall: the formal proof (cont’d)

Since:

  • f⟦P | ∗goto a.tell!f⟧ | a⟦tell?(x) goto x.Q⟧ −τ→β f⟦P⟧ | f⟦∗goto a.tell!f⟧ | a⟦tell?(x) goto x.Q⟧
  • f⟦P | ∗goto a.tell!f | Q⟧ −τ→β* f⟦P⟧ | f⟦∗goto a.tell!f⟧ | f⟦Q⟧

by Proposition 2, Contextuality and assumption (iii), we finally reduce to:

    I_f |= f⟦∗goto a.tell!f⟧ | a⟦tell?(x) goto x.Q⟧ ≈bis f⟦∗goto a.tell!f⟧ | f⟦Q⟧

⇒ We define the parameterised relation R by letting J |= M R N whenever:

  (a) J ⊲ M is a configuration and N is the same as M, or
  (b) J is I_f and, for some number n of parallel copies,

  • M has the form f⟦∗goto a.tell!f⟧ | a⟦tell?(x) goto x.Q⟧ | Πn a⟦tell!f⟧
  • N has the form f⟦∗goto a.tell!f⟧ | f⟦Q⟧ | Πn a⟦tell!f⟧
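As an added illustration (not part of the original slides), the relation R above can be checked mechanically on a finite abstraction. The Python below builds the transition systems of the two shapes M and N with the number n of a⟦tell!f⟧ copies capped at a constructed bound, computes the largest weak bisimulation by fixpoint refinement, and shows that the equivalence holds when the environment can only read on tell (condition (i)) but fails once the environment is also allowed to write on tell, since then an input on tell can divert the agent. The state names, the action labels, and the collapsing of an unwind followed by a migration into a single τ step are assumptions of this abstraction.

```python
# Constructed finite abstraction of the slide-11 systems: the number n of
# parallel a[tell!f] copies is capped at CAP so the family becomes a finite LTS.
from itertools import product

CAP, TAU = 3, "tau"

def firewall_lts(env_can_write_tell):
    """LTS {state: {(label, next_state)}} for
    L(n) = f[*goto a.tell!f] | a[tell?(x) goto x.Q] | (a[tell!f])^n
    R(n) = f[*goto a.tell!f] | f[Q]                 | (a[tell!f])^n"""
    lts = {"Qk": set()}                  # agent diverted to a foreign location k (abstract sink)
    for n in range(CAP + 1):
        L, R = f"L{n}", f"R{n}"
        lts[L], lts[R] = set(), set()
        if n < CAP:                      # m-unwind then m-move: one more a[tell!f] appears
            lts[L].add((TAU, f"L{n+1}")); lts[R].add((TAU, f"R{n+1}"))
        if n > 0:                        # m-out: the environment holds rF on tell at a
            lts[L].add(("a.tell!f", f"L{n-1}")); lts[R].add(("a.tell!f", f"R{n-1}"))
            lts[L].add((TAU, f"R{n-1}"))  # m-comm then m-move: agent reaches f, M is now N
        if env_can_write_tell:           # m-in needs write on tell at a; condition (i) forbids it
            lts[L].add(("a.tell?k", "Qk"))
    return lts

def tau_closure(lts, s):
    seen, todo = {s}, [s]
    while todo:
        for lab, t in lts[todo.pop()]:
            if lab == TAU and t not in seen:
                seen.add(t); todo.append(t)
    return seen

def weak_succ(lts, s, lab):
    """States reachable by tau* lab tau* (tau* alone when lab is tau): the hat-mu move."""
    pre = tau_closure(lts, s)
    if lab == TAU:
        return pre
    return {u for p in pre for l, m in lts[p] if l == lab for u in tau_closure(lts, m)}

def largest_weak_bisimulation(lts):
    """Greatest fixpoint: start from all pairs, drop any pair failing the transfer property."""
    rel, changed = set(product(lts, repeat=2)), True
    def matches(x, y):   # every strong step of x is answered by a weak step of y into rel
        return all(any((x2, y2) in rel for y2 in weak_succ(lts, y, lab)) for lab, x2 in lts[x])
    while changed:
        changed = False
        for s, t in list(rel):
            if not (matches(s, t) and matches(t, s)):
                rel.discard((s, t)); changed = True
    return rel
```

With `firewall_lts(False)` every pair (L(n), R(m)) survives the refinement, mirroring clause (b) of R; with `firewall_lts(True)` the pair (L0, R0) is dropped because N has no input on tell to answer the diversion.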


SLIDE 12

A server and its clients

Let us consider:

    S  ⇐ s⟦∗req?(x, y@z) goto z.y!isprime(x) | S′⟧
    Ci ⇐ ci⟦(newc r : rwbool) goto s.req!⟨vi, r@ci⟩ | C′i⟧

Then one might want to derive:

    I |= S | Πi∈[1,n] Ci ≈bis S | Πi∈[1,n] ci⟦(newc r : rwbool) r!isprime(vi) | C′i⟧

We must require that the computational context cannot read on req:

  (i)   I ⊢max_s req : w⟨int, wbool@loc⟩
  (ii)  I ⊢ s⟦S′⟧
  (iii) I ⊢ Ci

⇒ The major proof technique we use is Contextuality


SLIDE 13

Metaservers

Memory service: a domain installing the service at a new site. Two versions:

    S   ⇐ s⟦∗setup?(y@z) (newloc m : M) goto m.Mem | goto z.y!m⟧
    Ci  ⇐ ci⟦(newc r : R) goto s.setup!r@ci | r?(x) Pi(x)⟧

    S′  ⇐ s′⟦∗setup′?(x, y@z) goto x.Mem | goto z.y!⟧
    C′i ⇐ ci⟦(newc t : T) (newloc mi : M) goto s′.setup′!⟨mi, t@ci⟩ | t? Pi(mi)⟧

where Pi(x), Pi(mi) is parametric code, R = rwM, and T = rwunit.

The two different kinds of servers S and S′ lead to equivalent behaviour:

    I |= S | C1 | C2 ≈bis S′ | C′1 | C′2      (2)

provided the context has neither write nor read access to setup, setup′:

    I ⊢max_s setup : ⊤        I ⊢max_s′ setup′ : ⊤


SLIDE 14

Bibliography

[CG98] L. Cardelli, A. D. Gordon. Mobile ambients. In Proc. of FoSSaCS, LNCS 1378, Springer, 1998.

[CG99] A. D. Gordon, L. Cardelli. Equational properties of mobile ambients. In Proc. of FoSSaCS, LNCS 1578, Springer, 1999.

[HMR04] M. Hennessy, M. Merro, J. Rathke. Towards a behavioural theory of access and mobility control in distributed systems. TCS 322(3), 2004.

[HR02] M. Hennessy, J. Riely. Resource access control in systems of mobile agents. Information and Computation 173(1), 2002.

[LS00] F. Levi, D. Sangiorgi. Controlling interference in ambients. In Proc. of POPL, 2000.

[MN03] M. Merro, F. Zappa Nardelli. Bisimulation proof methods for mobile ambients. In Proc. of ICALP, LNCS 2719, Springer, 2003.
