This paper presents a logical framework derived from the Edinburgh Logical Framework (LF) [5] that can be used to obtain compact representations of proofs and efficient proof checkers. These are essential ingredients of any application that manipulates proofs as first-class objects, such as a Proof-Carrying Code [11] system, in which proofs are used to allow the easy validation of properties of safety-critical or untrusted code. Our framework, which we call LF i , inherits from LF the capability to encode various logics in a natural way. In addition, the LF i framework allows proof representations without the high degree of redundancy that is characteristic of LF representations. The missing parts of LF i proof representations can be reconstructed during proof checking by an efficient reconstruction algorithm. We also describe an algorithm that can be used to strip the unnecessary parts of an LF representation of a proof. The experimental data that we gathered in the context of a Proof...

Abstract not found

Abstract. Type systems and program logics are often conceived to be at opposing ends of the spectrum of formal software analyses. In this paper we show that a flow-sensitive type system ensuring non-interference in a simple while language can be expressed through specialised rules of a program logic. In our framework, the structure of non-interference proofs resembles the corresponding derivations in a recent security type system, meaning that the algorithmic version of the type system can be used as a proof procedure for the logic. We argue that this is important for obtaining uniform proof certificates in a proof-carrying code framework. We discuss in which cases the interleaving of approximative and precise reasoning allows us to deal with delimited information release. Finally, we present ideas on how our results can be extended to encompass features of realistic programming languages like Java. 1

We present a general framework for provably safe mobile code. It relies on a formal definition of a safety policy and explicit evidence for compliance with this policy which is attached to a binary. Concrete realizations of this framework are proofcarrying code (PCC), where the evidence for safety is a formal proof generated by a certifying compiler, and typed assembly language (TAL), where the evidence for safety is given via type annotations propagated throughout the compilation process in typed intermediate languages. Validity of the evidence is established via a small trusted type checker, either directly on the binary or indirectly on proof representations in a logical framework (LF).

Large scale distributed applications combine network access with multiple storage and computational elements. The distributed responsibility for resource control creates new security issues, caused by the complexity of the operating environment. In particular, policies at multiple layers and locations force conventional mechanisms such as firewalls and compartmented file storage into roles where they are clumsy and failure-prone. Our approach relies on two functional divisions. First, we split policy specification and policy enforcement, providing local autonomy within the constraints of the global security policy. Second, we create virtual security domains each with its own security policy. Every domain has an associated set of privileges and permissions restricting it to the resources it needs to use and the services it must perform. Virtual private services ensure security and privacy policies are adhered to through coordinated policy enforcement points.

In this paper, we present a new way of establishing independently-verifiable identities, based on the notion of computationally expensive key generation. We then describe a fully decentralized framework where these identities can be used to assign blame and to construct auditable blacklists of cheaters.

Although electronic commerce is a relatively new concept, it has already become a normal aspect of our daily life. The software agent technology is also relatively new. In the area of electronic commerce, software agents could be used for example to search for the lowest prices and the best services, to buy goods on behalf of a user, etc. These applications involve a number of security issues, such as communications security, system security, and application security, that have to be solved. This paper describes how communications security is added to a lightweight agent framework. Secure agent-based electronic commerce applications require communications security services. Adding these services is a rst basis and an important enabler for the framework in order to be used for secure electronic commerce applications.

While mobile agents approach provides a great flexibility and customizability compared to the traditional client-server approaches, it introduces many serious security problems. These problems are mainly protecting the hosting server and the visiting agent from each other. In this paper we discuss the security issues in the mobile agents technology. Specifically, we describe the techniques used to protect a hosting server from malicious agents roaming the network. We also present mechanisms for protecting a mobile agent during traveling from its source to the designated destination.

(CMC) are established paradigms for certifying the run-time behavior of programs. While PCC allows us to certify low-level binary code against relatively simple (e.g., memory-safety) policies, CMC enables the certification of a richer class of temporal logic policies, but is typically restricted to high-level (e.g., source) descriptions. In this paper, we present an automated approach to generate certified software component binaries from UML Statechart specifications. The proof certificates are constructed using information that is generated via CMC at the specification level and transformed, along with the component, to the binary level. Our technique combines the strengths of PCC and CMC, and demonstrates that formal certification technology is compatible with, and can indeed exploit, model-driven approaches to software development. We describe an implementation of our approach that targets the Pin component technology, and present experimental results on a collection of benchmarks. 1

Abstract. In higher-order process calculi the values exchanged in communications may contain processes. There are only two capabilities for received processes: execution and forwarding. Here we propose a limited form of forwarding: output actions can only communicate the parallel composition of statically known closed processes and processes received through previously executed input actions. We study the expressiveness of a higher-order process calculus featuring this style of communication. Our main result shows that in this calculus termination is decidable while convergence is undecidable. 1